Microsoft

Microsoft Insecurity by Design

Filed under: Microsoft, Security
  • Move over, SolarWinds: 30,000 orgs’ email [cracked] via Microsoft Exchange Server flaws

    Four exploits found in Microsoft’s Exchange Server software have reportedly led to over 30,000 US governmental and commercial organizations having their emails [cracked], according to a report by KrebsOnSecurity. Wired is also reporting “tens of thousands of email servers” [cracked]. The exploits have been patched by Microsoft, but security experts talking to Krebs say that the detection and cleanup process will be a massive effort for the thousands of state and city governments, fire and police departments, school districts, financial institutions, and other organizations that were affected.

  • Microsoft [crack]: White House warns of 'active threat' of email attack

    Microsoft executive Tom Burt revealed the breach in a blog post on Tuesday and announced updates to counter security flaws which he said had allowed [attackers] to gain access to Microsoft Exchange servers.

  • More than 20,000 U.S. organizations compromised through Microsoft flaw: source [iophk: Windows TCO]

    Because installing the patch does not get rid of the back doors, U.S. officials are racing to figure out how to notify all the victims and guide them in their hunt.

    All of those affected appear to run Web versions of email client Outlook and host them on their own machines, instead of relying on cloud providers. That may have spared many of the biggest companies and federal government agencies, the records suggest.

    The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.

  • Don't Breed Crows: How Big Techs Started Out As US Government Projects, And Today They Threaten Democracy

    There is an old Spanish saying that goes like this: "don't breed Crows, they'll sting your eyes," and this saying fits perfectly with the class of American tech companies, the so-called Big Techs.

    Yes, with a few exceptions, most Big Techs were born as projects of the US government, US Army, CIA or NSA. Or, they are entwined with the American government, in one way or another.

    I stress that everything that has been written in this text is not secret. It is available on several websites on the internet, and, there is nothing new here. Just search, and anyone will find this information.

    [...]

    Microsoft

    The company that was born in 1975 in Albuquerque, New Mexico, as a creator of BASIC interpreters for microcomputers, and then, through a series of misadventures, became the largest software company in existence, also has very deep ties to intelligence agencies.

    Microsoft has been working closely with U.S. intelligence services to allow users' communications to be intercepted, including helping the National Security Agency circumvent the company's own encryption, according to top-secret documents obtained and leaked by Edward Snowden in 2013. These documents show the complicity of several technology companies, in the so-called Prism project.

    [...]

    Now, I invite you to think a little. I've known Microsoft for many years, and this company amasses more flops than hits. Indeed, Microsoft, were it any other company, would have been bankrupt and closed for many years now. But no. It looks like they have a cash printer in Redmond, or does the American government not let the company break, to not lose its source of backdoors? Something to think about.

    Other than these companies, In-Q-Tel invests in other, little-known companies ranging from video games and virtual reality, to big data and data capture from social networks.

Proprietary Software and Security Issues: Microsoft Serving Malware, Ransomware, and FUD

Filed under: Microsoft, Security
  • Development on Windows is Painful

    Overall, I think I can at least tolerate this development experience. It's not really the most ideal setup, but it does work and I can get things done with it. It makes me miss NixOS though. NixOS really does ruin your expectations of what a desktop operating system should be. It leaves you with kind of impossible standards, and it can be a bit hard to unlearn them.

    A lot of the software I use is closed source proprietary software. I've tried to fight that battle before. I've given up. When it works, Linux on the desktop is a fantastic experience. Everything works together there. The system is a lot more cohesive compared to the "download random programs and hope for the best" strategy that you end up taking with Windows systems. It's hard to do the "download random programs and hope for the best" strategy with Linux on the desktop because there really isn't one Linux platform to target. There's 20 or something. This is an advantage sometimes, but is a huge pain other times.

    The conclusion here is that there is no conclusion.

  • Malicious Code Bombs Target Amazon, Lyft, Slack, Zillow

    Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrate sensitive information.

    The packages weaponize a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

    Internal developer projects typically use standard, trusted code dependencies that are housed in private repositories. Birsan decided to see what would happen if he created “copycat” packages to be housed instead in public repositories like npm, with the same names as the private legitimate code dependencies.

  • Ryuk ransomware develops worm-like capabilities, France warns

    A new sample of Ryuk ransomware appears to have worm-like capabilities, according to an analysis from the French National Agency for the Security of Information Systems (ANSSI), France’s national cybersecurity agency.

  • FireEye finds evidence Chinese [crackers] exploited Microsoft email app flaw since January [iophk: Windows TCO]

    Cybersecurity group FireEye on Thursday night announced it had found evidence that [crackers] had exploited a flaw in a popular Microsoft email application since as early as January to target groups across a variety of sectors.

    [...]

    Since then, FireEye found evidence that the hackers had gone after an array of victims, including “US-based retailers, local governments, a university, and an engineering firm,” along with a Southeast Asian government and a Central Asian telecom.

  • Does Linux Need Antivirus? [Ed: Avast: Let's badmouth GNU/Linux to make proprietary software sales, with back doors in them, based on the supposition that crap on top of poor practices will somehow yield better results]

Linux Foundation, Microsoft, and Linux

Filed under: Linux, Microsoft
  • The Linux Foundation Continues to Expand Japanese Language Training & Certification

    Japan is one of the world’s biggest markets for open source software, which means there is a constant need for upskilling of existing talent and to bring new individuals into the community to meet hiring demand. The Linux Foundation is committed to expanding access to quality open source training and certification opportunities, which is why we have developed a number of Japanese language offerings.

    [...]

    While Hyperledger Fabric Administration is the newest Japanese course offered by Linux Foundation Training & Certification, it is far from alone. Our catalog of Japanese-language offerings includes:

  • ESET says more threat groups using Microsoft zero-days in attacks

    Slovakian security firm ESET says it has detected at least three additional threat groups using a zero-day in Microsoft Exchange Server in attacks, even as the US Government issued an emergency directive telling all US federal bodies to patch Exchange and report on exploitation by noon on Friday.

  • Radeon R600 Gallium3D Flips On OpenGL 4.5 For NIR Backend - Phoronix

    The experimental NIR back-end for the R600 Gallium3D driver as an alternative to the default TGSI code-path has now enabled OpenGL 4.5 support for capable GPUs.

    With a number of OpenGL 4.5 conformance test suite fixes that were merged on Tuesday, OpenGL 4.5 is now ultimately enabled for the NIR code path.

    This OpenGL 4.5 support is enabled for all Radeon HD 5000 "Cedar" GPUs through the Radeon HD 6000 series where the R600g driver support ends. Previously and for the non-NIR code-path this is at OpenGL 4.3 support.

  • Microsoft Sends Out Patches For Hyper-V "Isolation VMs" With Linux [Ed: Microsoft is interjecting shims for proprietary software with NSA back doors... into the Linux kernel]

    With the forthcoming Linux 5.12 kernel there is a big Redmond victory with Linux being able to boot as the root partition on Microsoft's hypervisor while moving forward the company still has more in store for the ongoing years long effort of Linux on Hyper-V.

    [...]

    At the moment there are 12 patches from Microsoft engineers under a "request for comments" banner on implementing this Hyper-V support for Isolation VMs -- both with VBS and AMD SEV-SNP. It's obviously too late for seeing in the 5.12 kernel but we'll see when this latest Hyper-V driver initiative is buttoned up and ready for mainline.

Microsoft Security Issues and Blame-Shifting

Filed under: Microsoft, Security

Refund of pre-installed Windows: Lenovo must pay 20,000 euros in damages

Filed under: GNU, Linux, Hardware, Microsoft

In a historic judgment in Italy, in a case initiated by FSFE supporter Luca Bonissi, Lenovo was ordered to pay 20,000 euros in damages for abusive behaviour in denying to refund the price of a pre-installed Windows licence. In a motivating gesture for the Free Software cause, Luca donated 15,000 euros to the FSFE.

We all know how frustrating it is to buy a brand new computer and realise that it comes with a pre-installed proprietary operating system. Some companies have adapted their unfair behaviour and established clearer procedures for consumers to obtain the refund for paid licences of software they do not want to use. However, some computer manufacturers like Lenovo still make it very hard for consumers, forcing them to assert their rights in expensive and exhausting lawsuits. This is the successful story of Luca Bonissi, an Italian developer and long-term FSFE supporter and volunteer, in his relentless quest for getting a Windows licence refund, and how Lenovo was ordered to pay 20,000 euros for its unlawful behaviour during the court proceedings.


Microsoft Proprietary Software Disasters and Human Rights Abuses

Filed under: Microsoft
  • Unhappy with response, senators ask for a leader to head up cyber breach cleanup [iophk: Windows TCO]

    In a Feb. 9 letter, Sens. Mark Warner, D-Virginia, and Marco Rubio, R-Florida ― the chairman and vice chairman of the Senate Intelligence Committee, respectively — expressed their concern with the federal response to date.

  • Microsoft Vaccine Scheduling Software Deal Ended By Iowa

    In New Jersey, the system had yet to work correctly after five weeks, two administration officials who asked not to be identified said last week. That was a high-profile stumble for Redmond, Washington-based Microsoft, which is trying to build a big business by selling software to run hospitals and health care systems and has been touting its ability to aid the nationwide effort to inoculate residents against the coronavirus.

  • DNA testing source code

    The maker of the software, Cybergenetics, has insisted in lower court proceedings that the program’s source code is a trade secret.

A Post-Mortem in 5 Acts: How Microsoft Privatized Open Source And Killed JavaScript in the Process

Filed under: Development, Microsoft, OSS

Microsoft may not be able to innovate on products, and they usually fail miserably. But it is shockingly good at marketing, propaganda, and take-overs.

Microsoft has essentially deprecated JavaScript and the non-profit foundation, which governed it, by TypeScript, which is governed and controlled by the for-profit Microsoft Corporation. If Microsoft was truly interested in improving JavaScript it could have done that through the non-profit foundation. But instead, it took the ‘Evil Corp’ approach of making the foundation and JavaScript slowly irrelevant, so it could guarantee that it could monopolize and monetize the whole industry.


Use this bootable USB drive on Linux to rescue Windows users

Filed under: GNU, Linux, Microsoft

People regularly ask me to help them rescue Windows computers that have become locked or damaged. Sometimes, I can use a Linux USB boot drive to mount Windows partitions and then transfer and back up files from the damaged systems.

Other times, clients lose their passwords or otherwise lock their login account credentials. One way to unlock an account is to create a Windows boot disk to repair the computer. Microsoft allows you to download copies of Windows from its website and offers tools to create a USB boot device. But to use them, you need a Windows computer, which means, as a Linux user, I need another way to create a boot DVD or USB drive. I have found it difficult to create Windows USBs on Linux. My reliable tools, like Etcher.io, Popsicle (for Pop!_OS), and UNetbootin, or using dd from the command line to create bootable media, have not been very successful.


Microsoft Azure and Canonical Ubuntu Linux have a user privacy problem

Filed under: Microsoft, Security, Ubuntu

It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He'd just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, on Bongiorni's LinkedIn account he received a message from a Canonical sales representative saying, "I saw that you spun up an Ubuntu image in Azure," and telling him he'd be his "point of contact for anything Ubuntu-related in the enterprise." Say what??

Actually, Bongiorni was a little more "frank" about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. "What the f*** is happening here? WHY [did] MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!" Customer privacy, what's that?


Proprietary Microsoft Stuff and Security Issues

Filed under: Microsoft, Security
  • What deserves firing? Asking for Excel, or ignoring the alternatives?

    The Idaho Statesman (IS) is a USA local newspaper, that is owned by a company called McClatchy. A few years ago, McClatchy decided to cut costs by, among other things, “doing away with subscriptions to Microsoft Office for new employees”. Consequently, in late January 2021 McClatchy denied a request by a new IS reporter to have “access to Microsoft Excel”. Faced with resistance to get a software program as basic as a spreadsheet for a member of her staff, the IS top editor, Mrs Christina Lords, complained about this on Twitter.

    Eventually, it seems, the reporter was “granted access to Excel on her company laptop”. But Lords was fired, for violating McClatchy’s social media policy.

    [...]

    As far as I am concerned, I find nothing wrong in McClatchy’s decision to not pay anymore for Microsoft Office. What I find hard to accept is just their refusal to buy the most expensive variety of a software essential for daily tasks… without concretely encouraging all of their staff to use license-free alternatives, or at least allowing them. It is almost like saying “we won’t buy gold-plated Mont Blanc pens for new employees anymore, but even those employees must write only with gold-plated Mont Blanc pens”. Please tell me that there is more to this story.

  • Report: Microsoft recently sought to acquire Pinterest

    Microsoft Corp. at one point considered acquiring the social network Pinterest Inc., according to a report today in the Financial Times.

    Pinterest had a market capitalization of about $51 billion prior to the publication of the report. The company’s stock price jumped more than 5% following the Financial Times’ scoop, after previously rising more than 600% since the start of the coronavirus pandemic.

    The paper, citing people familiar with the matter, said that Microsoft had approached Pinterest about an acquisition “in recent months.” One of the tipsters was cited as saying that the negotiations are currently not active. It’s unclear whether the talks were shelved completely or simply paused.

  • Arrests in Ukraine hit Windows Egregor ransomware gang

    Law enforcement authorities in France and Ukraine have joined forces to arrest a number of people in Ukraine who were using the Windows Egregor ransomware to make money.

  • NVD - CVE-2020-24074
  • CVE - CVE-2020-24074
  • Singtel affected by cyber attack on Accellion file-sharing software

    Singapore's multinational telecommunications conglomerate Singtel has been breached by an attack on a file-sharing system from Accellion that is nearing its end-of-life, with the breach occurring on 20 January, the telco says.

  • Open-Source Kernel Security Technologies

    Lockdown is a relatively new security feature designed specifically for the Linux kernel. Part of the Linux kernel 5.4 branch, it is a feature that must be activated. Its default mode is off, simply because it can negatively affect existing systems. However, the primary function of lockdown is to prevent root account interactions with kernel code. By strengthening this divide, Lockdown counters potentially dangerous interactions that have been possible since the launch of the Linux OS. Once lockdown has been activated, there will be limitations on kernel functionality, but these will make it significantly more difficult for root accounts that have been compromised to affect the rest of the OS.

  • Here’s why you should be wary of installing anything that sets SELinux to permissive

    In the world of Android modding, people tend to regard root access as the cornerstone of all things. It allows users to take complete control of their devices and add features that aren’t always available in the stock configuration. But as they say — “with great power comes great responsibility” — it’s not wise to bypass Android’s security model unless you know what you’re getting into. For veteran Android enthusiasts on our forums, you are probably aware of the potential for backdoors to exist on your device, and you are more likely to be running a trusted root-enabled mod on top of the latest Android version with the latest security patches. Having said that, you might know a few people who don’t really care about what root tweaks they install so long as they seemingly work for them. This is why you can still find a truckload of mods that only work when SELinux is set to permissive, which, in turn, leave their users extremely susceptible to security threats.

    [...]

    For a user to get full root access on their own device running Android 10 (or higher) with SELinux set to permissive is shockingly easy to do: All you have to do is press install, and “Magica” will automatically gain root access in a service and install Magisk to the boot image. This is something far wider in scope than just tweaking your device. According to XDA Senior Recognized Developer and Magisk maintainer topjohnwu, any arbitrary app, including malware, can permanently root your device without your consent and permission by utilizing the PoC.
