
Former Chief Security Officer for Microsoft is the Chairman of the Board of the Firm Behind Heartbleed®

Dagger in the heart of OpenSSL

Heart Bleed



Summary: A serious conflict of interests that nobody in the media is talking about; Codenomicon is headed by Microsoft's Howard A. Schmidt

SOMETHING fishy was in the news today (since early this morning), including articles from GNU/Linux-oriented journalists [1] and blogs [2], some of which pointed out that a vulnerability discovered and published irresponsibly by the firm headed by Microsoft's former Chief Security Officer (we wrote about his actions before) is already "patched by all Linux distros".



Now, looking at the site set up by his firm, you might not know this. It lists the names of many GNU/Linux distributions along with a nasty picture (the one above). This coordinated release (disclosure) of a vulnerability on the last day of Windows XP security patches (they are through unless one pays Microsoft a lot of money) is rather suspicious to us. It came with a trademark-like name, a dot-com Web site (yes .com), and soon we are guaranteed to see lots of FUD saying that GNU/Linux is not secure. We already know that the vulnerabilities industry is well inside Microsoft's board and at highest level (look at John Thompson from Symantec; he is now Microsoft's new chairman).

We don't need to wait for the Microsoft press or a whisper campaign to use Heartbleed® to tell people (again) that Free software, Linux and GNU are very "bad" and are a danger for the Web (some suspect that this bug is the result of NSA intervention in code development -- a subject we'll tackle another day for sure).

Jacob Appelbaum (of Tor) says that this release was coordinated (with a date and everything) but not responsible at all, because even the OpenSSL site, the FBI's official site (with which Howard Schmidt worked) and many more remain vulnerable. It should be noted that the flaw has existed for two years, so the timing of this disclosure is interesting. Not too long ago we showed what seemed like Microsoft's role in a campaign to paint GNU/Linux insecure and dangerous because of Windows XP's EOL. It was a baseless campaign of FUD, media manipulation, and distortion of facts, ignoring, as always, the elephant in the room (Windows).

For those who treat it like some innocent development at a random time in the news, remember that Howard A. Schmidt, the Chairman of the Board of Codenomicon, was the Chief Security Officer for Microsoft. He joined Codenomicon a year and a half ago. This is irresponsible disclosure and journalists who ignore the conflict of interests (namely Schmidt being the head after serving Microsoft) are equally irresponsible (for irresponsible journalism). They may unwittingly be playing a role in a "Scroogled"-like campaign.

Just go to Codenomicon's Web site and find it described in large fonts as "A Member of the Microsoft Security Development Lifecycle (SDL) Pro Network" (in many pages). There are lots of pages like this one about involvement in Microsoft SDL.

So to summarise, what does Microsoft have to do with Heartbleed? We probably need to ask Howard Schmidt. This is a man whose high-paying job required that he beat GNU/Linux at security.

Related/contextual items from the news:

  1. Heartbleed: Serious OpenSSL zero day vulnerability revealed

  2. openssl heartbleed updates for Fedora 19 and 20

  3. Heartbleed, a serious OpenSSL bug; patched by all Linux distros
    A new vulnerability was announced in OpenSSL 1.0.1 that allows an attacker to reveal up to 64kB of memory to a connected client or server (CVE-2014-0160), which may consist of our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. According to the OpenSSL Security Advisory report, Neel Mehta from Google Security has discovered this bug.
