[Video] How the Media Blamed SSH and Linux (for Nearly a Whole Fortnight!) Instead of Microsoft's GitHub and Systemd
k Video download link | md5sum 0343d2a5fb805701dab56eb12ef302ac
How Media Failed at XZ
Coverage
Creative Commons Attribution-No Derivative Works 4.0
Introduction
THIS MORNING we made some new videos. We recorded 3 videos in total, but this one is the worst of them all for purely technical reasons. It ends after about 33 minutes even though the original plan was to go through almost 150 titles/articles, illuminating the way the media likes to smear "Linux" and illustrating the dishonesty of so-called 'journalists' (parrots and stenographers). After the technical issues I thought of recording a "part 2", but eventually it seemed like enough material had been covered and, at the very least in order to avoid repetition, it was probably OK to just leave things (fine as is). It deals with a small sub-sample of coverage we've gradually collected in a roughly chronological order, showing how FUD gets recycled and sometimes upcycled.
As noted here last week, some ludicrous articles went as far as praising Microsoft, reiterating the lie that it "loves Linux" (it loves using "Linux" for distraction) and framing Microsoft as some sort of authority/expert at security.
The Present
The "xz" (or "Xz" or "XZ
" or the name of the encapsulating package; most of the media went for more familiar "brands") story and/or the hype isn't over per se, but I saw that "XZ BS" only once yesterday and my wife also saw it once (another example, some blog in Planet Fedora). So now it's probably safe to take stock of the whole thing. Tomorrow this thing turns 14 days ("officially"). And prior Techrights articles set aside - as most of them over a week old with a high view count already - we take a fresher look at these things. This long page (no JavaScript or bloat) was updated about 50 times and some people asked why we keep updating it so often (several times per day). "What we are describing here will be covered in my upcoming video about xz," I said, "I just wait for "the news" to calm down a bit..."
So let's look back and consider what had been published until yesterday's "trickle" ('only' 2 instances in one day). The longer version of it is in the video at the top.
Microsoft Not to the Rescue
Microsoft-connected sites have said a whole bunch of lies. Some of them were covered here a week ago, so we would rather not air those lies again.
To give one example, Risky Business (RB, or Australia's RiskyBiz where Microsoft's mouthpieces like Brett Winterford [1, 2] work) had three recordings on xz [1, 2, 3], "casting aspersions at SSH in general (they hate SSH and campaign against it) and blame Linux specifically and the OSS development model in general," an associate has noted. "Again, if distros had the minimum of three developers per subproject, the Xz breach would have been harder to pull off. However, when the same technique is tried against proprietary softer, there is basically no chance at detection."
This associate keeps saying that we "need to pound the drum on the benefits of OSS (and especially FOSS) and the same attack against proprietary would slide by undetected."
Richard Stallman covered this already, even close to 2 decades ago [1, 2]. Stallman said it many times; he spoke of how someone had been arrested for trying to put backdoors from within Microsoft on behalf of Al-Qaeda. No kidding!
I spoke to another person last week. "Something that's changed culturally, at least in the US, which Microsoft seems way ahead in exploiting, is vanity and need for popularity among the new gen tech devs," he said. We have said this for years!
"Instead of coders just scratching an itch and putting up a project in case a few dozen people find it useful, Github has set up a pageant, a frenzy of egotistical self-promotion, with badges and "likes" and ways to track activity and whatnot. The recent tech layoffs and it's proximity to Linked-In is amplifying that desperation."
And the media tells them that's the right thing to do. We covered many examples in the past. Sometimes you cannot even apply for things unless you provide a GitHub (i.e. Microsoft) handle.
"Microsoft wanna set themselves up as a Dickensian workhouse with Nancy and Bill Sikes (Gates) ruling a gang of kids who will pick pockets and write code for gruel," the person told me. "When I interview young devs now, instead of giving me a a URL to their domain, or even a written CV, they just give me their GitHub ID. I say, "So you already work for Microsoft?".
That's a good line!
On the upside, those are easy to reject promptly and upfront. If this is how they develop and write code, maybe they lack a lot of basic skills.
"Anyway," the person told me, "what concerns me is the terrifying cybersecurity implications of this."
So today I will explain what this media frenzy served to distract from. I want to focus on why GitHub is actually part of the problem here. We also need to remind readers what Microsoft is ALWAYS hoping to distract from. Aside from tributes to Ross Anderson, who valued real security, Microsoft distracted from at least 3 major security blunders. We'll revisit this towards the end of this article.
"Regarding the Xz-based FUD," an associate stresses, "the fact that many projects (curl, linux, etc) actually issue their own CVEs is a major improvement. There is an article about that and this fact should be folded somehow into the eventual Xz round-up."
Also see "Verified curl" from yesterday. "Conceivably," Daniel wrote, "the xz attackers have infiltrated more than one other Open Source project to cover their bases. Which ones?"
Daniel is the founder of curl going back 2.5 decades and he already wrote about what would happen if he "fell under a bus".
A Theory
Is there a "bigger story" here? Check where the CSO of GitHub came from! Spoiler: 20 years inside NSA. Is there a US state role in the revelation?
Hard to tell.
Here is a hypothetical possibility.
It is not at all unthinkable that the massively-staffed NSA (or sibling agency/partner in the US; they're malicious and they are as big as megacorporations), with staff dedicated to audits and back doors, informed GitHub (i.e. Microsoft) of what had happened some time earlier. The CSO of GitHub is a 20-year NSA veteran and Microsoft knew that right after Easter it would get blasted by official authorities for getting clients cracked by China, not to mention getting cracked itself (also by China). So they could pass on some details to a Microsoft employee (not high-level and not particularly well known) on Friday before the holiday and days before the release of the 'dreadful' report (to Microsoft; it knew it was coming as there was a degree of cooperation with the investigation, ultimately castigating the company), promptly weaponising sensationalist language to occupy news searches for "China" and "security" while at the same time smearing "Linux" (not GitHub or systemd), even if it's over some beta releases that few people use, casually and swiftly while having the audacity to paint Microsoft not just as security expert but also "saviour" of "Linux". Yes! All this while in fact the real China breach was the fault of Microsoft and the impending report spoke of a tall chain/cascade of failures, showing sheer incompetence and neglect at Microsoft, leading up to the actual breach that cost a lot to the US government (espionage). Microsoft tried to cover up this breach until the government demanded and pressured it to admit what had happened. It turned out to be worse than initially assumed/believed/seen on the surface. So if Microsoft used its staff as "mules" for inversion/invention of narratives, aided by lazy "media", that would need substantial proof. We might never have that.
Anyway, that's just a theory. Plausible? Needs proof.
What It Still Distracts From
Even days later the Microsoft-connected (or sponsored) publishers are spamming the media with "China" stuff that isn't the above-mentioned breach. Days ago Microsoft was accusing China of fakes (calling everything "AI"). One example is "Chinese hackers turn to AI to meddle in elections" and it misrepresents Microsoft as an authority in this domain. In reality, Microsoft is the very source (or generator) of these fakes. So Microsoft has quite some audacity weighing in on this.
This is only one way in which Microsoft is distracting from the report about how China cracked Microsoft's entire infrastructure. That's a fact and the US Government blasted it for it only days earlier until ~2 days ago (the video above covers this). Here is an example from 5 days ago:
China is ramping up use of AI-generated content and fake social control media accounts to inflame division in the United States and elsewhere, according to the latest report from Microsoft’s threat center.
In relation to Asia (it's not known if the crack in the case of xz can be attributed to China, but it's likely someone in Asia), there's also pure noise like this. The "India" stuff and lots more like this "Hey Hi" (AI) nonsense stole the thunder - to the point nobody spoke or said anything about how Microsoft failed the whole nation. Articles about India, Microsoft, Modi, and Bill Gates help distract from high usage of GNU/Linux in India.
Earlier this week we saw that Microsoft had managed to (once again!) engineer a security blunder for itself. To quote a new piece or an article by Sam Varghese:
A suspected Russian intrusion into Microsoft's corporate systems, which was disclosed in January, also affected US federal government systems, according to the US Cybersecurity and Infrastructure Security Agency.
Also see "US Cyber Safety Review Board on the 2023 Abusive Monopolist Microsoft Exchange Hack" and this morning's pick from Federal News Network, stating: "Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards Sen. Ron Wyden (D-Ore) cites a Cyber Safety Review Board report that blames Microsoft's inadequate cybersecurity culture."
This is what Microsoft wants nobody to pay any attention to. Please keep the eyes on the ball. █