05.05.22

Ubuntu LoCo Council Gone Loco or Just Cracked

Posted in Security, Ubuntu at 6:25 pm by Dr. Roy Schestowitz

Ubuntu LoCo Council

Summary: The Ubuntu LoCo Council site appears to have suffered a security breach today (screenshot is minutes old)

04.27.22

Microsoft Aggression and Deflection (Against Linux)

Posted in Deception, FUD, GNU/Linux, Microsoft, Security, Windows at 3:35 pm by Dr. Roy Schestowitz

Video download link | md5sum e6992ceaa55d089f64f07013fd228f56
Microsoft Loves Linux FUD
Creative Commons Attribution-No Derivative Works 4.0

Summary: Today we wish to take stock of a bunch of misleading, sensationalist coverage about “Linux”; as usual, Microsoft is connected to that, even more directly than one might expect…

THE TECHNICAL sabotage by Microsoft is easily demonstrable, e.g. in Mesa and in Linux (the “contributions” by Microsoft are to Microsoft, not to Linux, and they promote proprietary surveillanceware, not Software Freedom). In the video above I discuss NTFS in Linux (indirect link to bypass sites we boycott).

“Nothing Microsoft does benefits anyone else,”Ryan said moments ago in IRC, “except for a few odd cases that were usually less than 100 lines anyway. Which someone else probably would have done regardless at some point…”

“They try to minimize the usefulness of their “Linux” work to anyone else, because they don’t want to make “Linux” work better except in shackles under their Azure crap.”

More importantly, however, so far this week I’ve seen many Linux-hostile headlines, usually in Microsoft-friendly and/or Microsoft-connected sites which have historically been Linux-hostile.

Ignoring deliberate holes in Microsoft products, such sites would have you believe that Linux is the least secure thing on the entire planet!

As we put it in the latest batch of Daily Links, “while CISA admits Microsoft is full of holes that are actively exploited Microsoft and its faithful media operatives try to shift attention to “Linux” [as we demonstrated a few days ago, linking directly to CISA's site]…”

So what on Earth is going on here? “Microsoft concern-trolling Linux while putting NSA back doors in Windows,” to quote our editorial comment? Speaking of actively exploited holes, two months after a patch had been made widely available we see this article. “This was patched a very long time ago,” we noted this morning, and “meanwhile, there are dozen of zero-day flaws in Windows that are remotely exploitable, not local privilege escalation…”

So it seems like there might be distraction going on. And maybe there’s more to it than meets the eye…

Not only is it very hard for a malicious, unknown actor to actually leverage such a bug; it’s also hard to prove that Microsoft manipulates the media consciously in this case. We’d need to see leaked communications to actually prove such an assertion.

The net effect is the same and Microsoft staff now feeds the media with anti-Linux talking points. The stories are run by moles of the company, Microsoft-sympathetic ‘gurus’ who have moreover infiltrated the Linux Foundation (an organisation that nowadays ACTIVELY PARTICIPATES in such anti-Linux campaigns of semi-false talking points).

This keeps happening. We see it once in a few months, and this time it culminates in “old news” being rerun (about a bug properly patched more than 50 days ago [1, 2, 3, 4] and before it was even known to the general public).

The real problem, according to CISA, is Microsoft. But CISA’s “blog” almost never mentions “Microsoft”. It just maintains a catalogue many Microsoft flaws.

“If there is a problem affecting non-Microsoft systems,” an associate told us today, “then that is unusual and therefore news. If there is a remote exploit in the wild being actively exploited against Microsoft systems, that is the normal situation and thus not news.”

Towards the end of the video I show this new blog post from Debian’s Russell Coker, noting that Microsoft gives the NSA et al direct access to PCs, so no “security” measures from Microsoft should be taken seriously, to quote the latest Daily Links.

To quote Ryan, who is a former Microsoft MVP: “Local Privilege Escalations are bugs, yes, but they are of low concern (and do get fixed). Anyone with direct physical access to a computer can elevate their privileges eventually. And on Windows there’s a ton of them which sometimes even bypass the TPM and Bitlocker. There was one in the print spooler, for example, last summer. But it happens all the time on Windows and you don’t even see it much in “the news”. Any user on the machine could become SYSTEM and read your files, even if they were “protected”. So that’s Windows for you.”

bnchs noted that “in GNU/Linux, you would have to boot to another OS to get root.”

Quoting Ryan some more: “Becoming SYSTEM is an even bigger disaster than becoming ADMINISTRATOR, because in Windows, this means that you’re…well, part of the system. You can even patch and hook into things that are “secured” and off limits to ADMINISTRATOR. Stuff that normally requires digital signing no longer requires digital signing. So at this point, rootkit? Sure. And all it takes is someone running as a Guest or as a user with no administrator hat to run a file that knows where the vulnerabilities are. Microsoft was in the news (their news) recently for raising the bug bounty. It’s still less than Google’s, and way less than what those things are worth to nation state attackers, terrorists, and ransomware outfits. By a factor of $10,000:$1 sometimes.”

MinceR said it’s “still wasted money from their perspective [as] that could be better spent on corruption, ads and lawyers…”

Ryan continued: “Even if you get $40,000 out of Microsoft’s bug bounty system somehow, the ransomware gangs can just exploit it and make $20 million or more on one hit. So they’ll pay better each time and it’s simply up to the conscience of whoever found the problem in Windows as to what they want to do with it at that point. So the bug bounties are a ruse, a smoke screen, and the illusion of responsibility. In Linux, people find and fix bugs all the time. The code isn’t hidden. That leads, usually, to inevitable discovery, and quick patching.”

“People want to find bugs in Linux and report and fix hundreds of the same type, so they develop tools that can do things like that. Microsoft is annoyed that you reported one. Even over a decade ago before profiling tools were not as robust, not by a long shot, Coverity Scan admitted that “open source software, in general” was less than half as buggy as a comparable proprietary program. The proprietary software is sort of like the worst case situation for your security because they have little incentive to fix it unless there’s already malware out there and they just can’t hide the bugs any longer.”

“It’s like General Motors [GM] putting defective ignition switches in millions of cars for a decade after they knew they were shutting off the car unexpectedly and killing people in accidents. GM figured it’ll cost $1 a car to fix this problem, then come all of the recalls, and we’ll just grind them down with stall tactics and lawyers and stuff if they ever find out, and the settlement will still cost less. So that’s what we do.”

Update: Since we made the video above a bunch of other Microsoft boosters (with history) joined this FUD campaign. Of course they don’t mention what happened to Windows this past week (CISA reports). Left out from the video (3 examples) are:

And about half a dozen more. Screenshot below:

Microsoft- anti-linux FUD

But yes, Microsoft loves Linux…

Microsoft loves Linux FUD.

03.22.22

Media Blames Free Software When Microsoft Distributes Malware and Gets Cracked

Posted in Free/Libre Software, FUD, GNU/Linux, Microsoft, Security, Windows at 4:06 pm by Dr. Roy Schestowitz

Video download link | md5sum 1ed7dd3337f7ea74af647ff8ddb5bd2b
Shifting the Blame
Creative Commons Attribution-No Derivative Works 4.0

John key: Shhhhh.... Don't mention remotely-exploitable holes in proprietary softwareSummary: It seems increasingly apparent that the corporate “tech” media isn’t just misleading readers/viewers (audiences) by accident; there’s a deliberate attempt to shift attention and shift blame, so it is — in effect and in perpetuity — a campaign of disinformation (Fear, Uncertainty, Doubt), not just misinformation, and we must collectively confront this campaign, just as we tackle wartime propaganda

THE VIDEO above provides further commentary on items we added to the latest batch of Daily Links. It deals with patterns we’ve long observed and one way to break the cycle of misinformation/FUD is to rebut, respond, tell others how to do the same. If enough of us push back against such misinformation — sometimes intentional (disinformation) — perhaps it will stop. As I show in the video above, even SJVN and the Linux Foundation have begun participating in Microsoft’s FUD, maybe without even realising it! This is what happens when you get infiltrated by Microsoft (and proxies of Microsoft) or work for ZDNet — a site that’s thankfully collapsing (not much output anymore).

The short story is, Microsoft has had terrible security incidents since the start of 2021 and now Microsoft itself suffers a security breach (yes, again). But the media keeps talking about “dirty pipes” and "snaps"even as recently as this week. Why?

But Microsoft loves Linux; No, Microsoft loves MicrosoftTo frame it differently, why are some local privilege escalation bugs (patched before disclosure, at least upstream) considered more severe or more newsworthy than Microsoft back doors or remotely-exploitable zero-day flaws in Microsoft’s junkware?

Why?

Coincidence it is not. It’s about the agenda and thus the priorities of the media. It’s a lingering problem and one that we certainly need to speak about.

Towards the end of the video I show a new example of technical issues in Windows being ‘spun’ as something about Linux. Because “WSL” something…

If people are losing faith in the media, this is why. That Microsoft isn’t being blamed when its own infrastructure gets compromised (Microsoft deflects blame to the victim instead) we have a highly severe media deficit, whose status is wontfix.

Our associate has noted that “misinformation == by accident [whereas] disinformation == spread on purpose” and “those that are spreading FUD are probably knowingly spreading disinformation; those falling for the FUD are probably unknowingly spreading misinformation…”

We need to stop this cycle of lies.

03.21.22

Putin’s Russia Loves It When Its Enemies Use Microsoft Windows

Posted in Microsoft, Security, Windows at 7:22 am by Dr. Roy Schestowitz

Video download link | md5sum 50e4a321b3278e7bd4cabd0abea0dcec
Russia Exploits Windows Holes
Creative Commons Attribution-No Derivative Works 4.0

Russia Uses Microsoft to Suppress DissentSummary: Putin’s Russia is taking advantage of Microsoft’s products being unsafe by design

Last week we mentioned Poland’s apparent mass adoption of GNU/Linux (at the expense of Windows).

Ukraine suffers profoundly from its use of Microsoft Windows [1] and from the past weekend and today [2-4] we gather more evidence that Microsoft is trying quite badly to ‘cash in’ on Windows amid its rapid decline.

The above video discusses what it means to be a neighbour of Putin’s Russia at times of invasions and violent conquests. Any adoption of Windows is a massive liability, as we noted in past articles, e.g. [1, 2, 3].

  1. Cyber warfare becomes part of curriculum for Ukrainian students

    Students are also working to find vulnerabilities in Russian systems that others can use to launch direct attacks. [Cracking] is not taught by the department, but Professor Afonin said his students were learning fast.

    “Not all our people are highly qualified, like second- or first-year students, but they can do things that nobody else can,” he said. “We taught them how to study, how to study quickly, how to get new knowledge and skills in a very short period of time, and how to use them. I’m really proud of them.”

  2. How experimental was Microsoft’s ‘experimental banner’ in File Explorer? [Ed: Windows is dying; the competition lowered its market value.]

    Microsoft’s hurried backpedal over advertisements in File Explorer has industry watchers concerned.

    The Windows Insider Team has form when it comes to accidental emissions. There was the surprise rollout of 20H1 in 2019, for example, and the bundling of a bug that wiped the data of some users with the October 2018 Update of Windows 10 remains seared in the memories of many.

    However, Microsoft’s statement regarding the furor over ads in File Explorer leaves more than one elephant lurking in the corner of the room.

  3. Josh Bressers: Episode 315 – Who even makes all these terrible decisions?

    Josh and Kurt talk about Microsoft accidentally letting us find out about ads in file explorer. Changing your clocks sucks. And touch on some of the security implications of the Russian invasion and sanctions. There are a lot of security lessons we can all learn. Mostly what not to do.

  4. File Explorer fiasco: Window to Microsoft’s mixed-up motivations

    Queen Elizabeth I is said to have expressed her attitude to her subjects’ private beliefs by noting: “I do not seek to open windows to men’s souls.” Microsoft Windows 11 has few such qualms. A new feature,accidentally enabled in an Insider build, not only opened a channel between the company and the quintessential tool, File Explorer, it then stuffed it with adverts.

    It is an open secret that Microsoft is increasingly keen on using Windows as an ad delivery platform, to the exasperation of users and the despair of all who have to manage the corporate computing environment.

    Windows 10 is replete with lock screen ads, suggested apps in the Start menu, nagging taskbar pop-ups, notification nudges, and even a brief excursion into third party ads in its Mail client.

Dmitry Medvedev and Bill Gates

03.16.22

Corporate, Microsoft-Connected Media Would Say Anything to Distract From Windows Holes, Exploits, and a High Total Cost of Ownership (TCO)

Posted in Deception, FUD, GNU/Linux, Microsoft, Security, Windows at 10:52 am by Dr. Roy Schestowitz

Video download link | md5sum 48d07baa0acd6ca9c3d511db9726c288
Users With Passwords Like 1234
Creative Commons Attribution-No Derivative Works 4.0

Summary: The media keeps obsessing over long-patched bugs in Linux and even blames “Linux” for bad passwords; is the media simply trying to distract from the primary culprit, which has nothing to do with Linux?

THE use of Microsoft software, which has back doors in it, guarantees failure and high cost. At this point, the only way to ‘defend’ Windows, for instance, is to simply distract from its problems (or to make alternatives to it seem equally risky).

“The real problem is Windows, not some local privilege escalation bug that had been patched (or patches made available) before the public was even informed about it.”In the latest batch of Daily Links we included these two links [1, 2] that are only hours old. So-called ‘journalists’ want us to believe bad passwords are somehow the fault of Linux (they don’t even understand what Linux actually is (Snap is not Linux)). The real problem is Windows, not some local privilege escalation bug that had been patched (or patches made available) before the public was even informed about it.

Latest update from the Cybersecurity and Infrastructure Security Agency
Latest update from the Cybersecurity and Infrastructure Security Agency

03.08.22

This is the Media’s Equivalent of What Linus Torvalds Called “Masturbating Monkeys”

Posted in Deception, FUD, GNU/Linux, Security at 6:43 am by Dr. Roy Schestowitz

Video download link | md5sum 8ed4cfdf3592835bf34827d2120392c7
Associating Linux With Catastrophe
Creative Commons Attribution-No Derivative Works 4.0

Summary: The mainstream media seems very eager to associate "Linux" with security problems, even more so this year because that helps distract from much worse culprits (e.g. remotely exploitable system-compromising holes in Microsoft and other low-quality proprietary software); now that a patch is being offered for a bug (local privilege escalation) the Microsoft-funded media makes it sound like the sky is falling

THERE is a torrent of Linux-hostile coverage today, following more calm and more factual coverage yesterday afternoon.

The video above shows the coverage in (roughly) the order of appearance/publication. It looks like they compete over who can make the most drama/commotion/panic. We saw the same thing only weeks ago.

Torvalds attacks IT industry 'security circus' - CNETThe problem with some of the sensationalism shown above is, one needs to have a user account, so there’s already some degree of trust. Surely, without any exception, accounts aren’t being handed out to random people and if those people are clients, then the management likely has their bank account details already (hence real identity and some grip for accountability’s sake, e.g. penalty in case of sabotage). Web shells aren’t just put out there for anyone to access.

Crackers and Windows firewallIt’s worth noting that the bug was discovered by accident, by mere serendipity, and wasn’t part of some fishing expedition for severe edge cases. To exploit the bug one needs machine access, one needs to be logged in, not necessarily with physical access but a dedicated account (with ability to issue commands expressively, not through some GUI, i.e. with input sanitisation). It’s basically a privilege escalation issue, i.e. users being theoretically capable of executing things at a level higher than they were granted (or manipulation of file at a level higher than one’s own). As the fix is already available and was made available before the bug was disclosed the risk is significantly lowered. The false headline from Dan Goodin, as shown above, is probably a desperate attempt to elevate click numbers. Goodin has already been sued for defamation over his shoddy ‘reporting’ and over the years we called him out so many times. TechRadar, typically notorious for clickbait, actually had a decent headline this time around.

“Our products just aren’t engineered for security.”

Brian Valentine, Microsoft executive

Blame [China|Iran|North Korea/Russia]; Microsoft's software is perfect and security problems are the fault of those Bogeymen who exploit them
Xenophobia or scapegoating is Microsoft's face-saving tactic of choice, as it's persuasive and alluring (even more effective at times of war)

03.07.22

The ‘Studies’ of ‘Linux’ Foundation ‘Research’ Based on Data From Microsoft and Experts in Adobe, Not ‘Open Source’

Posted in FUD, GNU/Linux, Microsoft, Security at 2:11 pm by Dr. Roy Schestowitz

Video download link | md5sum 0fcb04c0e350b33457a7c6140c85368d

Fake LF Research
Creative Commons Attribution-No Derivative Works 4.0

Summary: Real research or marketing with the veneer of "research"? Let’s have a look at the perpetrators and purveyors of FUD, who aren’t even using Open Source themselves (they just talk about it).

THE Linux Foundation has just advertised this new paper about so-called ‘security’, connected to perpetrators of NSA back doors (i.e. fake security or “national security”, the doublespeak euphemism).

“It’s akin to those so-called ‘studies’ and ‘surveys’ which conveniently assume that every project in the world uses Microsoft GitHub and projects that do not simply do not count, aren’t important, and should thus be ignored.”Expressing my personal views on these matters is easier in voice and video because of nuance and the need to show particular things in motion. The report is very long, but it’s mostly just a mindless inventory, sourced from Microsoft NPM — the subject of our last installment in Microsoft GitHub Exposé and the subject of future parts too. It’s akin to those so-called ‘studies’ and ‘surveys’ which conveniently assume that every project in the world uses Microsoft GitHub and projects that do not simply do not count, aren’t important, and should thus be ignored. It isn’t merely a dangerous assumption but a sinister one; those who make this assumption often do so deliberately (e.g. to make copyleft look like it is waning).

03.05.22

Alphabet/Gulag is Closing Down (Tightening the Screws in the Name of ‘Security’)

Posted in Deception, Google, Security, Standard at 5:19 pm by Dr. Roy Schestowitz

Video download link | md5sum 822522f8c3b98654d0c836a81cfa2817
Free Software Users and App-Minded Gulag
Creative Commons Attribution-No Derivative Works 4.0

Summary: Gulag (or Google) does not care about the Internet; it just wants to extend and control it, but it frames that as a matter of “security”

THE video above is about the company “Alphabet” (calling Gulag “Alphabet” is like calling Facebook “Meta”, which is mostly a form of distraction from distasteful activities, just like GitHub pretends not to be Microsoft). Alphabet as a name came up and was advertised around the time many scandals had piled up. We’re meant to be thinking YouTube, for example, has nothing to do with Gulag (even though the login is the same!) and this thing called Alphabet is looking over everything. Don’t fall for it!

“We hope that one day the Web will be less than 10% of all Internet traffic and Gemini, which is bandwidth-conserving, will reach 1%.”“Less secure apps” is what Gulag now calls traditional software, not so-called “apps” — a misnomer that typically means proprietary software that spies heavily on the users. The page speaks of “your [sic] Google Account”, which will change at the end of May. Why the change? They pretend to value security, but given how they treat users’ privacy and given the back doors (there’s some history there; see the video) only a gullible reader would fall for it.

Thankfully, some alternatives are emerging and rising fast. Gemini, for instance, needs only 2 more capsules (visible to Lupa) to reach 2,200. To quote: “There are 2198 capsules. We successfully connected recently to 1777 of them.”

We hope that one day the Web will be less than 10% of all Internet traffic and Gemini, which is bandwidth-conserving, will reach 1%. If not Gemini, then something similar to it, which scales fine on residential connections and can thus be self-hosted from people’s homes.

A few days ago a longtime GMail used [sic] told us that “Google [is] effectively pulling the plug on Thunderbird,” but Mozilla says nothing about it. Thunderbird is how millions of people access GMail, so that’s a pretty big deal and Mozilla ought to be concerned. I told this used [sic] that I “saw that [news] and do not expect even the so-called ‘media’ to cover it or for Gulag Noise (Google News) to pick up a story about it…” (for reasons explained in this previous video)

“GMail is not E-mail but an attack on E-mail as a protocol and an attack on the distributed/decentralised nature of E-mail.”With a little effort one can find that about 7 years ago Madame Baker, not yet as CEO of Mozilla, wanted to kill Thunderbird, wrongly arguing that people were moving to “GMail” anyway (yes, she mentioned GMail specifically). At the time, she was already being paid a lot by Gulag (mostly the deal with placements for the address bar and search bar in Firefox). “Maybe she will move sideways over to Alphabet officially,” the used [sic] said (he had already move away from GMail, albeit not completely). “Like de Icaza has been…”

“An additional point is that aside from helping them complete the coup,” the used [sic] concluded, “she may have little to no value.”

Mozilla has itself become a data collection company; being subsidised by Gulag and run by former Facebook managers won't help. We expect the war on E-mail to progress. GMail is not E-mail but an attack on E-mail as a protocol and an attack on the distributed/decentralised nature of E-mail. Microsoft too contributes towards this agenda and it's in Mozilla's Board.

« Previous entries Next Page » Next Page »

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channels: Come and chat with us in real time

New to This Site? Here Are Some Introductory Resources

No

Mono

ODF

Samba logo






We support

End software patents

GPLv3

GNU project

BLAG

EFF bloggers

Comcast is Blocktastic? SavetheInternet.com



Recent Posts