Bonum Certa Men Certa

Security Disinformation

Measuring electricity



Summary: Latest OpenSSL FUD and Microsoft's Howard Schmidt's role informing the public about cyber-security risks

OUR complaints about The Register have intensified recently [1, 2, 3, 4] because of poor articles like this one (see the comments).



The Register spreads FUD about OpenSSL (not the first such smear, after comparisons to "communism" too) and Bradley M. Kuhn from the SFLC has responded as follows:

Ok, Be Afraid if Someone's Got a Voltmeter Hooked to Your CPU



Boy, do I hate it when a FLOSS project is given a hard time unfairly. I was this morning greeted with news from many places that OpenSSL, one of the most common FLOSS software libraries used for cryptography, was somehow "severely vulnerable".

I had a hunch what was going on. I quickly downloaded a copy of the academic paper that was cited as the sole source for the story and read it. As I feared, OpenSSL was getting some bad press unfairly. One must really read this academic computer science article in the context it was written; most commenting about this paper probably did not.

First of all, I don't claim to be an expert on cryptography, and I think my knowledge level to opine on this subject remains limited to a little blog post like this and nothing more. Between college and graduate school, I worked as a system administrator focusing on network security. While a computer science graduate student, I did take two cryptography courses, two theory of computation courses, and one class on complexity theory. So, when compared to the general population I probably am an expert, but compared to people who actually work in cryptography regularly, I'm clearly a novice. However, I suspect many who have hitherto opined about this academic article to declare this "severe vulnerability" have even less knowledge than I do on the subject.


There are much bigger problems to worry about, such as the latest news about Windows botnets [1, 2, 3]. The authors of the Windows exploit might not even face a jail sentence, based on this report.

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.


Regarding this new article about Scott Charney's outrageous remarks [1, 2] (he worked for the US government before Microsoft hired him), Groklaw wrote 3 days ago: "First Microsoft fills the world with security issues and problems, then it wants the public to be taxed to fix them? I think Microsoft needs to fix its own software itself." Microsoft's own negligence [1, 2, 3] ought to have Microsoft bear the bill.

Howard Schmidt, the US Cyber Czar who came directly from Microsoft [1, 2, 3, 4], claims/pretends that there is no problem, even though many firms that include Google were intruded due to an Internet Explorer hole that Microsoft had knowingly ignored for 5 months [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] (there are more security patches coming shortly). Even Google source code got grabbed. [via]

Operation Aurora continues to be a hot topic inside and outside of security circles. At this week’s RSA Conference in San Francisco many conversations are on the topic of the attacks that hit Google and dozens of other companies in January.


These reports indicate that proprietary source code got nicked from Google. Microsoft also nicks proprietary source code from companies/projects like Plurk [1, 2, 3, 4], which probably puts the Redmond-based company at the same side as the crackers.

"Cyberwar Hype Intended to Destroy the Open Internet," says this report from Wired. [via]

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net-neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering. He’s the nice-seeming guy who’s willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those who are not in the know.


And on the other hand, on the same occasion we find that "US urges 'action' needed to fight net attacks," according to the BBC.

Homeland Security secretary Janet Napolitano has admitted there is an urgent need to step up efforts to protect Americans from cyber attacks.


They seem to contradict themselves. Now they claim to be looking for ideas:

Homeland Security wants to pick your brains



[...]

The lucky winners will be invited to an event in Washington DC in late May or early June. They'll get to partner with the department to lead in the planning of the National Cybersecurity Awareness Campaign, due to launch in October.


Over at CNET, Dennis O'Reilly has this new article about "five ways to keep your [Windows] PC free of viruses and Trojans". Here is one of his suggestions.

If you can't give up Windows, you may still be able to install Linux on an old PC or in a partition of your Windows PC. Then you can use that system (or partition) whenever you engage in any sensitive computer activities. You'll find instructions for dual-booting Windows and the Ubuntu version of Linux on the Ubuntu Community Documentation site.


Thumbs up to Dennis.

"Usually Microsoft doesn't develop products, we buy products. It's not a bad product, but bits and pieces are missing."

--Arno Edelmann, Microsoft's European business security product manager

Comments

Recent Techrights' Posts

Edward Brocklesby (ejb) & Debian: Hacking expulsion cover-up in proximity to Oxford and GCHQ
Reprinted with permission from Daniel Pocock
Microsoft Windows in Nicaragua: From 98% to Less Than 25%
Operating System Market Share Nicaragua
[Meme] Debian's 'Cannon Fodder' Economics
Conflicts of interest don't matter
According to Microsoft, It's Not a Code of Conduct Violation to Troll Your Victims Whose Files You Are Purging
The group of vandals from Microsoft think it's "funny" (and for a "nominal fee") to troll Microsoft critics
Microsoft Inside Debian is Sabotaging Debian and Its Many Hundreds of Derivatives With SystemD (Microsoft/GitHub Slopware With Catastrophic Bugs is Hardly a New Problem)
What is the moral of the story about The Scorpion and the Frog?
 
[Meme] 12 Years a Fedora Volunteer
IBM gives me a 'free' Fedora badge as recognition
IBM Slavery: Not a New Problem
When IBM got rid of Ben Cotton it showed the world how much it valued Fedora
Why They Want to Abolish Master/Slave Terminology (Because This is What They're Turned Free Software Into)
It used to be about community; GAFAM turned that into exploitation and worse
Roy and Rianne's Righteously Royalty-free RSS Reader (R.R.R.R.R.R.) Version 0.2 is Released
They say summer "officially" started some days ago
Torvalds' Number Two Quit Linux a Decade Ago and Has Since Then Earned an Honorary Doctorate
Revisiting Fuzix and Alan Cox
GNU/Linux Reaches All-Time High in Tunisia
Based on statCounter
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 23, 2024
IRC logs for Sunday, June 23, 2024
You Know the Microsoft Products Really Suck When...
"Qualcomm and Microsoft go 'beyond the call of duty' to stop independent Copilot+ PC reviews"
IBM and "Regime Change"
Change of regime is not the same as freedom
Techrights in the Coming Decade: The Community Angle
Somebody needs to call them out on their BS
Techrights in the Coming Decade: The Free Speech (Online) Angle
Free speech is a fundamental tenet of a free society
Techrights in the Coming Decade: The Software Angle
Gemini Protocol has just turned 5 - i.e. roughly the same age as our Git repositories
Techrights in the Coming Decade: The Patent Angle
Next month marks 10 years since we began covering EPO leaks
Wookey, Intrigeri, Cryptie & Debian pseudonyms beyond Edward Brocklesby
Reprinted with permission from Daniel Pocock
[Meme] Choice Versus Freedom
So When Do I Start Having Freedom? Freedom is choice between the GAFAMs
Digital Liberation of Society at Times of Armed Conflicts and Uncertainty
We have technical contributions, not just written output
Links 23/06/2024: More Microsoft Cancellations, Growing Repression Worldwide
Links for the day
Gemini Links 23/06/2024: The Magician and the Hacker, tmux Tips
Links for the day
Links 23/06/2024: Twitter/X Wants Your Money, Google Reports a Billion DMCA Takedowns in Four Months
Links for the day
Digital Restrictions (Like DRM) Don't Have Brands, We Need to Teach People to Hate the Underlying Restrictions, Not Companies That Typically Come and Go
Conceptually, the hens should fear humans, not the farmer who cages them
Going Above 4% Again
Maybe 4% (or above) by month's end?
Conviction, jail for Hinduja family, Debian exploitation comparison
Reprinted with permission from Daniel Pocock
Links 23/06/2024: Hey Hi (AI) Scrapers Gone Very Rogue, Software Patents Squashed at EPO
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, June 22, 2024
IRC logs for Saturday, June 22, 2024
Gemini Links 23/06/2024: LoRaWAN and Gemini Plugin for KOReade
Links for the day
Links 22/06/2024: Chat Control Vote Postponed, More Economic Perils
Links for the day
[Meme/Photography] Photos From the Tux Machines Parties
took nearly a fortnight
Uzbekistan: GNU/Linux Ascent
Uzbekistan is almost the same size as France
SLAPP as an Own Goal
We have better things to with our limited time
Independence From Monopolies
"They were ethnically GAFAM anyway..."
GNU/Linux at New Highs (Again) in Taiwan
latest numbers
Links 22/06/2024: More Layoffs and Health Scares
Links for the day
Rwanda: Windows Falls Below 30%
For the first time since 2020 Windows is measured below 30%
[Meme] IBM Lost the Case Over "Dinobabies" (and People Died)
IBM agreed to pay to keep the details (and embarrassing evidence) secret; people never forgot what IBM called its staff that wasn't young, this keeps coming up in forums
Exactly One Year Ago RHEL Became Proprietary Operating System
Oh, you want the source code of RHEL? You need to pay me money and promise not to share with anyone
Dr. John Campbell on Gates Foundation
Published two days ago
Melinda Gates Did Not Trust Bill Gates, So Why Should You?
She left him because of his ties to child sex trafficker Jeffrey Epstein
How Much IBM Really Cares About Software Freedom (Exactly One Year Ago IBM Turned RHEL Into Proprietary Software)
RHEL became proprietary software
Fedora Week of Diversity 2024 Was Powered by Proprietary Software
If instead of opening up to women and minorities we might open up to proprietary software, i.e. become less open
18 Countries in Europe Where Windows Fell Below 30% "Market Share"
Many people still use laptops with Windows, but they're outnumbered by mobile users on Android
[Meme] EPO Pensions in the UK
pensioners: looks like another EPO 'reform'
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, June 21, 2024
IRC logs for Friday, June 21, 2024
During Fedora Week of Diversity (FWD) 2024 IBM and Its Subsidiaries Dragged to Court Over Discrimination at the Corporate Level
IBM is a deplorable, racist company
Workers of the European Patent Office Take the Office to Court Over Pension
pensions still precarious
Gemini Links 22/06/2024: FreeBSD vs XFCE and Gemini Bookmarks Syncing Solution
Links for the day