Language Selection

English French German Italian Portuguese Spanish

Microsoft

Microsoft's very bad year for security: A timeline

Filed under
Microsoft
Security

So far, 2021 has proved to be somewhat of a security annus horribilis for tech giant Microsoft, with numerous vulnerabilities impacting several of its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the incidents it has faced since early March has put the tech giant on its back foot for at least a moment or two.

What follows is a timeline of the significant security events that have afflicted Microsoft in 2021, why it remains susceptible to serious vulnerabilities and attacks, and an assessment of its response according to experts from across the cybersecurity sector.

Read more

Former Microsoft Security Analyst Claims Office 365 Knowingly Hosted Malware For Years

Filed under
Microsoft
Security

Malware on Windows devices has become a real problem in the last few years, specifically with a recent uptick in ransomware. It appears that Microsoft has been trying to combat this issue, though, with updates to Microsoft Defender, so it has more teeth than ever before. However, what if Microsoft is part of the problem too?

On Friday, cybersecurity researcher TheAnalyst explained on Twitter how BazarLoader malware leads to ransomware that can severely affect healthcare, among other industries. He then called out Microsoft, asking if the company has “any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this,” alongside an image of what appears to be malicious files being hosted in OneDrive.

Read more

Microsoft Bailouts From the US Army Budget

Filed under
Microsoft
  • US Army slows ~$20bn project to put Microsoft's HoloLens VR headsets into the field [Ed: President Biden has already bailed out Microsoft to the tune of 22 billion dollars for something that's basically dead; Microsoft sacked all staff of HoloLens; this is worse than grifting as it's akin to Microsoft theft from taxpayers (Trump did the same with "JEDI"; latest below)]

    The US Army has delayed a massive rollout of Microsoft's HoloLens virtual reality headsets.

  • [Older] Looks like NSA now stands for Not Selecting Azure: US spy agency picks AWS over Microsoft
  • Supreme Court declines to hear Oracle's challenge to JEDI • The Register

    The US Supreme Court has brushed off Oracle’s complaint that it wasn't awarded the Pentagon's $10bn winner-takes-all Joint Enterprise Defense Infrastructure (JEDI) cloud contract.

    [...]

    Still, Big Red refused to give up. It appealed its case all the way to the Supreme Court. The US government told the justices the case ought to be rejected given that Oracle wouldn’t have won the contract anyway. The ongoing legal spats, however, were made pointless when the Pentagon scrapped JEDI in July.

    Despite this, Oracle still thought the case was worth pursuing considering the DoD had replaced the cloud project with the new “Joint Warfighter Cloud Capability (JWCC)” contract. The JWCC deal has been limited to AWS and Microsoft only. We note that Oracle says it does more than $28bn a year in cloud revenues.

Free Software Foundation claims Windows 11 will reduce user freedom

Filed under
GNU
Microsoft

The Free Software Foundation has described Windows 11, the new avatar of Microsoft's desktop operating system that was launched on 6 October, as taking "important steps in the wrong direction when it comes to user freedom".

In a blog post, the organisation's campaigns manager Greg Farough said Windows 11 did nothing to mitigate "Windows' long history of depriving users of freedom and digital autonomy".

The FSF was set up by former MIT employee Richard Stallman to try and develop an operating system and other utilities that would not impinge on the freedom of users. The word "free" refers not to the price, but the ability to change and share the software as one wishes.

Farough said Microsoft was "intentionally choosing to create an unjust power structure, in which a developer knowingly keeps users powerless and dependent by withholding information".

Read more

Proprietary Web and Vista 11 Performance Catastrophe

Filed under
Microsoft
Web
  • Client-side content scanning as an unworkable, insecure disaster for democracy • The Register

    Fourteen of the world's leading computer security and cryptography experts have released a paper arguing against the use of client-side scanning because it creates security and privacy risks.

    Client-side scanning (CSS, not to be confused with Cascading Style Sheets) involves analyzing data on a mobile device or personal computer prior to the application of encryption for secure network transit or remote storage. CSS in theory provides a way to look for unlawful content while also allowing data to be protected off-device.

    Apple in August proposed a CSS system by which it would analyze photos destined for iCloud backup on customers' devices to look for child sexual abuse material (CSAM), only to backtrack in the face of objections from the security community and many advocacy organizations.

    The paper [PDF], "Bugs in our Pockets: The Risks of Client-Side Scanning," elaborates on the concerns raised immediately following Apple's CSAM scanning announcement with an extensive analysis of the technology.

  • Vivaldi Adblock is mostly Adblock Plus and ublock-origin.

    The Vivaldi browser has a built-in ad blocker.

    However, the company hasn’t been extremely forthcoming about how it works.

    However, it seems to accept any list in adblock plus format, and Vivaldi seems to have implemented Webkit Content Blockers as well.

    Vivaldi includes a list called “DuckDuckGo Tracker Radar”, which leads to what seems to be a Webkit Content Blocker format list mirrored by Vivaldi.

    In my testing, the DuckDuckGo Tracker Radar seems to largely duplicate what Fanboy’s Ultimate List already had in it.

    While Fanboy’s Ultimate List is not in Vivaldi by default, you can add it by going to Vivaldi Menu/Settings/Privacy, and then select “Block Trackers and Ads”, and then I would suggest de-selecting everything in both columns that Vivaldi defaults to having on, then clicking + under Ad Blocking Sources, then adding https://www.fanboy.co.nz/r/fanboy-ultimate.txt and then Import. It should tell you it brought in a bunch of ad blocking rules.

  • This week's Windows 11 patch didn't fix AMD performance woes • The Register

    Windows 11 received its first bundle of fixes this week, but AMD users hoping for respite from performance issues that have dogged their PCs were to be disappointed. In fact, for some, performance might have actually got a bit worse.

    It wasn't the news AMD fangirls and fanboys were hoping for. After AMD noted performance issues with Microsoft's latest operating system, a fix had been expected to drop during October. Alas, that fix didn't turn up in this week's first Cumulative Update for the GA code. In fact, according to hardware site TechPowerUp, things might have even deteriorated.

  • Microsoft’s first Windows “11” update addresses AMD CPU scheduling problems. Ends up making them worse. – BaronHK's Rants

    Microsoft released their first “Windows 11” update.

    It was deployed to try to correct the AMD CPU problems that Windows “11” created on Ryzen, which tripled L3 CPU cache latency and slowed the processor down by an average of 15%.

    The update ended up making the problem worse. Doubling the cache latency from where it already was at launch.

    “Early adopters” of Microsoft’s latest broken operating system are seeing much worse performance than they were on Windows 10, even on the Intel side, as Microsoft’s “virtualization based security” was already wreaking havoc on video game performance.

  • The "What If" Performance Cost To Kernel Page Table Isolation On AMD CPUs - Phoronix

    Made public this week by CPU security researchers at Graz University of Technology and CISPA Helmholtz Center for Information Security was the research paper published "AMD Prefetch Attacks through Power and Time". The paper points to AMD CPUs suffering from a side-channel leakage vulnerability through timing and power variations of the PREFETCH instruction. The paper argues that AMD CPUs should activate stronger page table isolation by default. AMD has now published their security response where they are not recommending any mitigation changes at this time. But what if Kernel Page Table Isolation (KPTI/PTI) proves necessary for AMD CPUs? Here are some initial benchmarks showing what that performance impact could look like.

Microsoft and CNET confuse users with fake “This PC can’t run Windows 11” errors. Suggest buying a completely new computer.

Filed under
GNU
Linux
Microsoft

Microsoft and CNET confuse users with fake “This PC can’t run Windows 11” errors. Suggest buying a completely new computer.

Mostly, if your machine doesn’t have “Security Theater Boot” and the “Toilet Paper Module” (I jest.) available to be turned on, you need to buy another computer.

Except that you don’t. You could format Windows off your computer entirely and go on happily using GNU/Linux for many more years without fake incompatibility messages from your pals at Microsoft and Intel, where sales have been in the dumps and they need fake error messages to drive new sales.

Read more

Best Free and Open Source Alternatives to Microsoft Office

Filed under
Microsoft
OSS

This series looks at the best free and open source alternatives to products and services offered by Microsoft. This article focuses on the best free and open source alternatives to Microsoft Office.

What are the best open source alternatives to Office 365? This article focuses on replacements for only some of the components of Office 365. We’ll explore other components in later articles in this series.

Read more

Openwashing of Proprietary Traps

Filed under
Microsoft
  • Broadband Forum Launches Latest Open Source Project to Bring Full Benefits of 5G to Fixed-line Services | Business Wire

    The goal of a new Broadband Forum project, Open Broadband – WWC Reference Implementation for 5G-RG (OB-5WWC) is for vendors and operators to bring products to market in a shorter timeframe and enjoy reduced development times and cycles. The Open Source project will bring the full benefits of the 5G ecosystem to fixed-line services and offer a full end-to-end solution to operators.

  • .NET Foundation boss apologizes for pull request that sparked community row

    We covered Littles earlier this week, noting that after he ran for the board on a platform of making it more responsive to developers' needs – rather than Microsoft's. He later quit because, according to a post, "I didn't have the energy to put into an organization that doesn't share my views and stance on what I think the community needs, Sustainable Open Source Software."

    [...]

    The first comment on the apology described it as "a total non-apology" – a sentiment repeated in other comments. The conversation also features some discussion of how to withdraw projects from the foundation.

    The Register suspects the foundation may soon need some new volunteers. Brave new volunteers

  • Microsoft's .NET Foundation under fire as resigning board member questions its role
    [Ed: Microsoft Tim weighs in as well. It's him who helped Microsoft hijack Linux (exporting it to GitHub).]
  • Questions Raised About .NET Foundation

    Littles was elected and took on the role of chair for the Technical Steering Group, hoping to be able to achieve some progress towards Open Source sustainability. However, when he realized that his efforts were futile he resigned from the .NET Foundation board ahead of the 2021 elections which took place in August. He hadn't intended to draw attention to this, but changed his mind when the announcement of the election results reported on his resignation.

Proprietary Leftovers (Mostly Microsoft)

Filed under
Microsoft
  • US Rolls Out New Cybersecurity Requirements for Rail, Air [iophk: Windows TCO]

    Homeland Security Secretary Alejandro Mayorkas announced the measures Tuesday at a virtual cybersecurity conference, warning that recent incidents such as the SolarWinds [crack] and the Colonial Pipeline ransomware attack showed that "what is at stake is not simply the way we communicate or the way we work, but the way we live."

    The new security directives target what the Department of Homeland Security and the Transportation Security Administration describe as "higher risk" rail companies, "critical" airport operators, and air passenger and air cargo companies.

  • Bill requiring companies report cyber incidents moves forward in the Senate [iophk: Windows TCO]

    The bill would require owners and operators of critical infrastructure groups to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It would also require critical infrastructure groups, nonprofits and most medium to large businesses to report making ransomware attack payments within 24 hours.

  • TSA to issue regulations to secure rail, aviation groups against cyber threats [iophk: Windows TCO]

    According to Mayorkas, the directive will require these groups to “identify a cybersecurity point person” charged with reporting cybersecurity incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), along with establishing “contingency and recovery plans” in the case of cyberattacks.

  • U.S. to tell critical rail, air companies to report [breaches], name cyber chiefs [iophk: Windows TCO]

    The upcoming changes will make it mandatory for “higher-risk” rail transit companies and “critical” U.S. airport and aircraft operators to do three things: name a chief cyber official, disclose [breaches] to the government and draft recovery plans for if an attack were to occur.

  • The Gates Foundation Avoids a Reckoning on Race and Power

    Over the last year, Doctors Without Borders has faced a major scandal, as more than 1,000 current and former employees signed on to a letter accusing the Nobel Peace Prize-winning humanitarian organization of institutional racism, citing a colonial mentality in how the group’s European managers view the developing world.1

    Such an allegation would be serious in any field, but it deserves another level of scrutiny in the context of global health and humanitarianism, two fields built on a paternalistic premise: rich white people from wealthy nations setting themselves up as saviors of poor people of color. The assumptions embedded in this model have provoked increasingly popular calls to “decolonize” the sector, and many organizations have responded by invoking social justice rhetoric, claiming, for instance, that their work intersects with the Black Lives Matter movement.2

  • Canopy Parental Control App Wide Open to Unpatched XSS Bugs

    The vulnerability arises because the system is failing to sanitize user inputs. The input field allows 50 characters, Young found, “which was plenty to source an external script.”

    He said there are multiple ways to exploit the issue.

Syndicate content

More in Tux Machines

Plasma 5.23 available for Kubuntu 21.10 (Impish Indri) in backports PPA

We are pleased to announce that Plasma 5.23.1 is now available in our backports PPA for Kubuntu 21.10 (Impish Indri). The release announcement detailing the new features and improvements in Plasma 5.23 can be found here. Read more

Pumpkins, markets, and one bad Apple

Imagine your local farmers market: every Saturday the whole town comes together to purchase fresh and homemade goods, enjoy the entertainment, and find that there is always something for everyone. Whatever you need, you can find it here, and anyone can sign up to have their own little stand. It is a wonderful place, or so it seems. Now, imagine starting out as a pumpkin farmer, and you want to sell your pumpkins at this market. The market owner asks 30% of every pumpkin that you sell. It's steep, but the market owner -- we'll call him Mr. Apple -- owns all the markets in your area, so you have little choice. Let's continue this analogy and imagine that, since it is a little hard for you to make ends meet, you decide to tell your customers that they can come visit you at your farm to purchase pumpkins. Mr. Apple overhears and shuts your stand down. You explain that your business cannot be profitable this way, but the grumpy market owner says that you can either comply or find another place. At the end of your rope, you look for information about starting your own farmers market, but it seems Mr. Apple owns every building in town. In the midst of Apple announcing its new products, attention is drawn away from its ongoing battle to maintain its subjugation over users globally. The Netherlands’ Authority for Consumers and Markets (ACM) last month informed the U.S. technology giant of its decision that the rules around the in-app payment system are anticompetitive, making it the first antitrust regulator to conclude that the company has abused market power in the App Store. And while Apple is appealing this verdict, the European Union is charging the company with another antitrust claim concerning the App Store. Read more

today's howtos

  • How To Install PostgreSQL 14 on Ubuntu 20.04 - howtodojo

    In this tutorial, we learn how to install PostgreSQL 14 on Ubuntu 20.04 (Focal Fossa). PostgreSQL, or usually called Postgres, is an open-source object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. PostgreSQL is ACID-compliant and transactional. It is developed by PostgreSQL Global Development Group (PGDG) that consists of many companies and individual contributors. PostgreSQL released under the terms of PostgreSQL license.

  • How to Install Minikube on CentOS 8 - Unixcop

    Minikube is open source software for setting up a single-node Kubernetes cluster on your local machine. The software starts up a virtual machine and runs a Kubernetes cluster inside of it, allowing you to test in a Kubernetes environment locally. Minikube is a tool that runs a single-node Kubernetes cluster in a virtual machine on your laptop. In this tutorial we will show you how to install Minikube on CentOS 8.

  • How to Install and Secure Redis on Ubuntu 20.04 | RoseHosting

    Redis (short for Remote Dictionary Server), is an open-source in-memory data structure store. It’s used as a flexible, highly available key-value database that maintains a high level of performance. It helps to reduce time delays and increase the performance of your application by accessing in microseconds.

  • How to Upgrade to Ubuntu 21.10 - OMG! Ubuntu!

    If the glowing reviews for the Ubuntu 21.10 release have you intrigued, here’s how to upgrade to Ubuntu 21.10 from an earlier version. Fair warning: this tutorial is super straightforward (the benefits of upgrading after a stable release, rather than a little bit before). Meaning no, you don’t need to be a Linux guru to get going! There are plenty of good reasons to upgrade from Ubuntu 21.04 to Ubuntu 21.10, such as benefiting from a newer Linux kernel, enjoying a new GNOME desktop, sampling the new Yaru Light theme, and getting to go hands-on with an able assortment of updated apps.

  • How to install Adobe Flash Player on a Chromebook

    Today we are looking at how to install Adobe Flash Player on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install OnlyOffice on Linux Lite 5.4 - Invidious

    In this video, we are looking at how to install OnlyOffice on Linux Lite 5.4. Enjoy!

  • Jenkins: How to add a JDK version - Anto ./ Online

    This guide will show you how to add a JDK version to Jenkins. If you plan to run a Java build requiring a specific version of the Java Development Kit, you need to do this.

  • Sending EmailsSend them from Linux Terminal? | Linux Journal

    Does your job require sending a lot of emails on a daily basis? And you often wonder if or how you can send email messages from the Linux terminal. This article explains about 6 different ways of sending emails using the Linux terminal. Let’s go through them.

Development version: GIMP 2.99.8 Released

GIMP 2.99.8 is our new development version, once again coming with a huge set of improvements. Read more Some early coverage:

  • GIMP 2.99.8 Released with Clone Tool Tweaks, Support for Windows Ink

    A new development version of GIMP is available to download and it carries some interesting new features. While this isn’t a new stable release — GIMP 2.10.28 is the most recent stable release (and the version you’ll find in Ubuntu 21.10’s archives) — the release of GIMP 2.99.8 is yet another brick in the road to the long-fabled GIMP 3.0 release. And it’s a fairly substantial brick, at that.

  • GIMP 2.99.8 Released As Another Step Toward The Long Overdue GIMP 3.0

    GIMP 3.0 as the GTK3 port of this open-source Adobe Photoshop alternative has been talked about for nearly a decade now and the work remains ongoing. However, out today is GIMP 2.99.8 as the newest development snapshot.