Bonum Certa Men Certa

Richard Stallman Was Right and What Happened in XZ Wasn't a "Linux" or Free Software Problem, It Was Social Engineering (This Happens in Proprietary Software Too and, in This Case, It Was Enabled by Microsoft's Proprietary Social Control Media Disguised as 'Codeforge')

posted by Roy Schestowitz on Apr 02, 2024

Fractal image with penguin drawing

The truth isn't convenient to snakeoil vendors and charlatans who speak of "secure" boot while using proprietary GitHub (controlled by NSA)

THE Web - and even Geminispace - is already full of articles on this topic (we caught and collected about 100 so far; obviously there's lots more, not only in English). We've had plenty of time to assess and digest the facts, not the drama, and we want to remind readers that Richard Stallman (RMS) used to include in his talks (over 10 years ago) a section on how people who worked for Microsoft in Asia put back doors in the code and then got caught. It is possible more existed and never got caught.

RMS was right. He spoke about back doors well before the Edward Snowden NSA and GCHQ leaks. Techrights already included links to such RMS talks in 2008. Maybe even 2007. This is well documented, both in text and in videos.

So headlines such as this are misleading:

Malicious xz backdoor reveals fragility of open source; This also happens in proprietary software, but unreported to us

No, it's not a "FOSS" or "Open Source" issue; "This also happens in proprietary software, but unreported to us," as the above says. They try to cover this up and we cannot see commit details/author, so who the heck knows the full, ugly truth? The PR people? Whose task is to belittle or hide embarrassments?

An associate of ours insists that the xz incident was essentially social engineering; "other projects have lone developers, meaning that the code is more vulnerable because only a single person needs to be replaced / cancelled to get at the repository."

We don't suppose that in the sea/ocean of hundreds if not thousands of blog posts people will notice, but in the first day of us writing about it the primary article got 1618 non-bot reads and in the sister site 1696 non-bot reads. Sadly the loudest and best funded sites get more visibility. The crowd in Phoronix Forums shouts down pro-Linux people now (we saw that!); Phoronix itself plays a considerable role in pro-Microsoft propaganda and some of the FUD, including the above (Phoronix increasingly sucks basically).

When it comes to xz, we've reached the point of topic fatigue, so no matter how important or valuable a contribution people have to this issue, not many people will pay attention anymore due to the volume and the perception that consensus about it is old and settled.

Our associate explains that Microsoft is "hyping xz to FUD the open source development model in general and the resulting software specifically. Though there is a problem: Debian failed to drop xz when the number of active developers on it went down to 1."

"A well-practiced preventative method would have stopped the bug in its tracks. Do like OpenBSD does and have two other developers review and audit each patch. So that sets the minimum level at 3 for any project to stay in use. Simply put, the mistake is also technical as xz is an inferior archival format compared to other compression methods. So three strikes there."

We will once again write regarding the xz incident (it's hyped up for several reasons) when the dust 'settles', but having seen several sites that borrow from old tactics ("heartbleed"), that might take weeks. "Log4j" (or Shell) was still mentioned years after it had been patched and the Linux Foundation gleefully participated in the FUD. Yes, for years! Remember what they're trying to sell (clue: not Linux).

An associate thinks it'll be a few days before it is timely to "analyze the xz incident", but maybe that's optimistic. "Mostly it is the reaction and spin which should be examined," he said. We still collect links and we will use those later (we add many "Ed" or editorial comments along the way, so it is annotated a bit).

For the time being people can see the editorial comments... (these comments try to rebut key points, repeatedly, in few words)

Other Recent Techrights' Posts

Links 14/04/2024: Tesla and OpenAI (Microsoft) Layoffs Floated in the Media
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, April 13, 2024
IRC logs for Saturday, April 13, 2024
Gemini Links 13/04/2024: SEO Spam and ‘Broadband Nutrition Label’
Links for the day
Gemini Links 13/04/2024: GmCapsule 0.7 Released
Links for the day
Links 13/04/2024: Whistleblowers, OpenAI and Microsoft Leakers
Links for the day
'Our' Technology Inside the Home is Becoming Less Reliable and It Implements the Vision of Orwell's '1984' (Microphones and Cameras Inside Almost Every Room)
Technology controlled by who exactly?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, April 12, 2024
IRC logs for Friday, April 12, 2024
Google, FSFE & Child labor
Reprinted with permission from the Free Software Fellowship
Links 13/04/2024: Huawei and Loongson PCs, IBM Layoffs
Links for the day
Gemini Links 13/04/2024: Specification Changes and Metaverse Newbie
Links for the day
Links 12/04/2024: Big Brother in the Workplace and Profectus Browser Alpha 0.3
Links for the day
[Video] Trainline Finally Issues a Refund, But It Took 9 Days and Showed How 'Modern' Systems Fail Travelers
They treat people like a bunch of animals or cattle, not like valuable customers
WIPO UDRP D2024-0770 Debian vendetta response
Reprinted with permission from Daniel Pocock
Links 12/04/2024: Reporters Without Borders Rep Kicked Out of Hong Kong
Links for the day
Gemini Links 12/04/2024: Funny Thing, Manual Scripts, and More
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, April 11, 2024
IRC logs for Thursday, April 11, 2024