Bonum Certa Men Certa
Dear Microsoft: Windows-Only With DirectX is Not 'Open Source' | Links 10/1/2015: Mirantis OpenStack 6.0, Linux Mint 17.1 KDE, Linux Leap Second

Another Reason to Boycott UEFI and Proprietary Software From Microsoft: Insecurity

Summary: Some blobs like Microsoft's Windows patches and the binary-level UEFI 'validation' do not and cannot provide real security, only insecurity in disguise

THE 'PROMISE' of UEFI 'secure' boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:



A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

Bromium researcher Rafal Wojtczuk and MITRE Corp's Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.


According to other news, as told (spun) by a Microsoft booster.,"Microsoft's advance security notification service no longer publicly available". The booster says that "Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications." Microsoft sure tells the NSA about ways to hijack/wiretap Microsoft software, so it's a matter of privilege, not some company-wide policy.

How does the above serve users? It doesn't. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, "There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot."

Moreover, in large corporations in particular, patching code internally is possible or even relying on third parties. Don't ever trust security at binary level, such as large blobs being sent that are supposedly 'patched' or some opaque board giving 'approval' before the running of a binary blob, mostly likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides to ability for one to study and patch one's own programs (or rely on others to do so using their specialised skills).

"Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it's at there's always going to be a sequel needed to fix the major bugs and security flaws in the last version?"

--Unknown

Dear Microsoft: Windows-Only With DirectX is Not 'Open Source' | Links 10/1/2015: Mirantis OpenStack 6.0, Linux Mint 17.1 KDE, Linux Leap Second

Recent Techrights' Posts

A Discussion About Suicides in Science and Technology (Including Debian and the European Patent Office)
In Debian, there is a long history of deaths, suicides, and mysterious disappearances
[Video] Why Microsoft is by Far the Biggest Foe of Computer Security (Clue: It Profits From Security Failings)
Microsoft is infiltrating policy-making bodies, ensuring real security is never pursued
Harassment Against My Wife Continues
Drug addict versus family of Techrights authors
 
Workers' Right to Disconnect Won't Matter If Such a Right Isn't Properly Enforced
I was always "on-call" and my main role or function was being "on-call" in case of incidents
[Teaser] Ubuntu Cover-up After Death
Attack the messenger
The Cyber Show Explains What CCTV is About
CCTV does not typically resolve crime
[Video] Ignore Buzzwords and Pay Attention to Attacks on Software Developers
AI in the Machine Learning sense is nothing new
Outline of Themes to Cover in the Coming Weeks
We're accelerating coverage and increasing focus on suppressed topics
[Video] Not Everyone Claiming to Protect the Vulnerable is Being Honest
"Diversity" bursaries aren't always what they seem to be
[Video] Enshittification of the Media, of the Web, and of Computing in General
It manifests itself in altered conditions and expectations
[Meme] Write Code 100% of the Time
IBM: Produce code for us till we buy the community... And never use "bad words" like "master" and "slave" (pioneered by IBM itself in the computing context)
[Video] How Much Will It Take for Most People to Realise "Open Source" Became Just Openwashing (Proprietary Giants Exploiting Cost-Free or Unpaid 'Human Resources')?
turning "Open Source" into proprietary software
Freedom of Speech... Let's Ban All Software Freedom Speeches?
There's a moral panic over people trying to actually control their computing
Richard Stallman's Talk in Spain Canceled (at Short Notice)
So it seems to have been canceled very fast
Links 29/04/2024: "AI" Hype Deflated, Economies Slow Down Further
Links for the day
Gemini Links 29/04/2024: Gopher Experiment and Profectus Alpha 0.9
Links for the day
Debian 'Cabal' (via SPI) Tried to Silence or 'Cancel' Daniel Pocock at DNS Level. It Didn't Work. It Backfired as the Material Received Even More Visibility.
know the truth about modern slavery
Lucas Nussbaum & Debian attempted exploit of OVH Hosting insider
Reprinted with permission from disguised.work
Software in the Public Interest (SPI) is Not a Friend of Freedom
We'll shortly reproduce two older articles from disguised.work
Syria, John Lennon & Debian WIPO panel appointed
Reprinted with permission from disguised.work
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, April 28, 2024
IRC logs for Sunday, April 28, 2024
[Video] GNU and Linux Everywhere (Except by Name)
In a sense, Linux already has over 50% of the world's "OS" market
[Video] Canonical Isn't (No Longer) Serious About Making GNU/Linux Succeed in Desktops/Laptops
Some of the notorious (or "controversial") policies of Canonical have been covered here for years
[Video] What We've Learned About Debian From Emeritus Debian Developer Daniel Pocock
pressure had been put on us (by Debian people and their employer/s) and as a result we did not republish Debian material for a number of years
Bruce Perens & Debian public domain trademark promise
Reprinted with permission from disguised.work
Links 28/04/2024: Shareholders Worry "AI" Hype Brings No Income, Money Down the Drain
Links for the day
Lawyer won't lie for Molly de Blanc & Chris Lamb (mollamby)
Reprinted with permission from disguised.work
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 27, 2024
IRC logs for Saturday, April 27, 2024
Links 27/04/2024: Spying Under Fire, Intel in Trouble Again
Links for the day
Lucas Kanashiro & Debian/Canonical/Ubuntu female GSoC intern relationship
Reprinted with permission from disguised.work
Pranav Jain & Debian, DebConf, unfair rent boy rumors
Reprinted with permission from disguised.work
Links 27/04/2024: Kaiser Gave Patients' Data to Microsoft, "Microsoft Lost ‘Dream Job’ Status"
Links for the day
Gemini Links 27/04/2024: Sunrise Photos and Slow Productivity
Links for the day
Microsoft: Our "Goodwill" Gained Over 51 Billion Dollars in the Past Nine Months Alone, Now "Worth" as Much as All Our Physical Assets (Property and Equipment)
The makeup of a Ponzi scheme where the balance sheet has immaterial nonsense
Almost 2,700 New Posts Since Upgrading to Static Site 7 Months Ago, Still Getting More Productive Over Time
We've come a long way since last autumn
FSFE (Ja, Das Gulag Deutschland) Has Lost Its Tongue
Articles/month
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 26, 2024
IRC logs for Friday, April 26, 2024
Overpaid lawyer & Debian miss WIPO deadline
Reprinted with permission from disguised.work
Brian Gupta & Debian: WIPO claim botched, suspended
Reprinted with permission from disguised.work