Richard Stallman Was Right and What Happened in XZ Wasn't a "Linux" or Free Software Problem, It Was Social Engineering (This Happens in Proprietary Software Too and, in This Case, It Was Enabled by Microsoft's Proprietary Social Control Media Disguised as 'Codeforge')

posted by Roy Schestowitz on Apr 02, 2024

The truth isn't convenient to snakeoil vendors and charlatans who speak of "secure" boot while using proprietary GitHub (controlled by NSA)

THE Web - and even Geminispace - is already full of articles on this topic (we caught and collected about 100 so far; obviously there's lots more, not only in English). We've had plenty of time to assess and digest the facts, not the drama, and we want to remind readers that Richard Stallman (RMS) used to include in his talks (over 10 years ago) a section on how people who worked for Microsoft in Asia put back doors in the code and then got caught. It is possible more existed and never got caught.

RMS was right. He spoke about back doors well before the Edward Snowden NSA and GCHQ leaks. Techrights already included links to such RMS talks in 2008. Maybe even 2007. This is well documented, both in text and in videos.

So headlines such as this are misleading:

Malicious xz backdoor reveals fragility of open source; This also happens in proprietary software, but unreported to us

No, it's not a "FOSS" or "Open Source" issue; "This also happens in proprietary software, but unreported to us," as the above says. They try to cover this up and we cannot see commit details/author, so who the heck knows the full, ugly truth? The PR people? Whose task is to belittle or hide embarrassments?

An associate of ours insists that the xz incident was essentially social engineering; "other projects have lone developers, meaning that the code is more vulnerable because only a single person needs to be replaced / cancelled to get at the repository."

We don't suppose that in the sea/ocean of hundreds if not thousands of blog posts people will notice, but on the first day of us writing about it the primary article got 1618 non-bot reads and in the sister site 1696 non-bot reads. Sadly the loudest and best funded sites get more visibility. The crowd in Phoronix Forums shouts down pro-Linux people now (we saw that!); Phoronix itself plays a considerable role in pro-Microsoft propaganda and some of the FUD, including the above (Phoronix increasingly sucks, basically).

When it comes to xz, we've reached the point of topic fatigue, so no matter how important or valuable a contribution people have to this issue, not many people will pay attention anymore due to the volume and the perception that consensus about it is old and settled.

Our associate explains that Microsoft is "hyping xz to FUD the open source development model in general and the resulting software specifically. Though there is a problem: Debian failed to drop xz when the number of active developers on it went down to 1."

"A well-practiced preventative method would have stopped the bug in its tracks. Do like OpenBSD does and have two other developers review and audit each patch. So that sets the minimum level at 3 for any project to stay in use. Simply put, the mistake is also technical as xz is an inferior archival format compared to other compression methods. So three strikes there."
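The two thresholds the associate proposes above (drop a dependency once its active developer count falls to 1; require two reviewers besides the author on every patch, so three people touch each change) are easy to turn into a mechanical check. The following is an added example, not code from Techrights or from any project mentioned here: it counts distinct active authors over a trailing window of a `git log --format='%as %ae'` style history, and checks a patch's reviewer list against the author. The log lines, addresses, window length and the `min_active` default are constructed for illustration; the real xz history is not reproduced.

```python
"""Added example (not from the Techrights post): bus-factor and review-count
checks in the spirit of the 'minimum of 3 developers' rule quoted above."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample in `git log --format='%as %ae'` style (ISO date, author
# e-mail). These commits and addresses are made up; they are not xz's history.
SAMPLE_LOG = """\
2023-11-02 maintainer@example.org
2023-12-15 maintainer@example.org
2024-01-20 maintainer@example.org
2024-02-03 newcomer@example.net
2024-02-28 maintainer@example.org
2024-03-10 newcomer@example.net
"""


def parse_log(text):
    """Yield (date, author) pairs from '%as %ae' formatted lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day, author = line.split(maxsplit=1)
        yield date.fromisoformat(day), author.strip().lower()


def active_authors(text, as_of, window_days=180):
    """Commit count per author inside the trailing window ending at as_of.

    as_of may be a date or an ISO date string; window_days is a constructed
    default, not a number from the post."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    counts = Counter()
    for day, author in parse_log(text):
        if cutoff <= day <= as_of:
            counts[author] += 1
    return counts


def bus_factor_report(text, as_of, min_active=3, window_days=180):
    """Return (ok, active_count, counts).

    ok is False when fewer than min_active distinct authors committed in the
    window, i.e. the project is below the 3-developer floor quoted above."""
    counts = active_authors(text, as_of, window_days)
    return len(counts) >= min_active, len(counts), counts


def patch_has_independent_review(author, reviewers, required=2):
    """True when at least `required` reviewers other than the author signed
    off, so that author plus reviewers reaches the quoted minimum of 3."""
    independent = {r.strip().lower() for r in reviewers} - {author.strip().lower()}
    return len(independent) >= required


if __name__ == "__main__":
    ok, n, counts = bus_factor_report(SAMPLE_LOG, "2024-03-31")
    print(f"active authors in last 180 days: {n} ({'OK' if ok else 'BELOW MINIMUM'})")
    for author, c in counts.most_common():
        print(f"  {author}: {c} commits")
    # A patch by the maintainer with only one other reviewer fails the rule.
    print(patch_has_independent_review("maintainer@example.org",
                                       ["maintainer@example.org", "newcomer@example.net"]))
```

Run against a real repository by piping `git log --since=... --format='%as %ae'` into `bus_factor_report`; the point is that this is cheap enough to run on every dependency in a distribution, which is the check the associate says Debian lacked.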

We will once again write regarding the xz incident (it's hyped up for several reasons) when the dust 'settles', but having seen several sites that borrow from old tactics ("heartbleed"), that might take weeks. "Log4j" (or Shell) was still mentioned years after it had been patched and the Linux Foundation gleefully participated in the FUD. Yes, for years! Remember what they're trying to sell (clue: not Linux).

An associate thinks it'll be a few days before it is timely to "analyze the xz incident", but maybe that's optimistic. "Mostly it is the reaction and spin which should be examined," he said. We still collect links and we will use those later (we add many "Ed" or editorial comments along the way, so it is annotated a bit).

For the time being people can see the editorial comments... (these comments try to rebut key points, repeatedly, in a few words)
