--Andy Stanley
WHEN selling the soul of Linux is more profitable than actually promoting this GPL-licensed kernel it's not hard to understand how the Linux Foundation turned from a supposed 'charity' to a massive enterprise and near-monopoly in that space (e.g. events/conferences).
"You go to Google, you look for "Linux" news, a site called Linux.com then shows up with anti-Linux material (this isn't about Linux but bad devices/users)."We've meanwhile noticed lots of spammy blog posts (yesterday, Sysadmin Day) from the Linux Foundation in various "Linux" blogs. "Linux Security Blog" participated and "It's FOSS" did so too. Linux Journal said (in the headline) that "the Linux Foundation Is Having a Sysadmin Day Sale," adding a promotional link with what seems like tracking/referral code. But that in itself isn't the issue. It seems like the site in question uses Windows for the server, but we're not entirely sure. It's very well disguised (see IRC discussion at the bottom).
It would not be unprecedented for the Linux Foundation to use Windows; applicants apply for a job there using LinkedIn (Microsoft), as we've noted before and there's a lot of Microsoft stuff used by the Foundation's staff (see discussion below; I know this from my old interactions with Foundation staff). Over the past months I've had to resort to humour just to get the point across without offending the offenders, for example:
https://twitter.com/schestowitz/status/1151320656711233537
Yesterday I also noticed this text: "Have directly led revenue growth from $20MM to $50MM, from $80MM to $100MM..."
No, that's not the Foundation's chief Jim Zemlin (who sold out Linux... for his 'nonprofit' to make about $100,000,000 per year). That's what his wife's LinkedIn profile says. It's all about money and both strive to grow in just one respect: money! From 20 million to 100 million. What is being achieved? Nothing. A Windows-powered and Mac-powered 'Linux' Foundation (Linux only in name). ⬆
“Large corporations, of course, are blinded by greed. The laws under which they operate require it - their shareholders would revolt at anything less.”
--Aaron Swartz
| schestowitz | Help needed! Am I crazy or is this site WINDOWS-powered? Help me out here, geeks... https://cloud.email.thelinuxfoundation.org/SysadmindaY | Jul 17 01:52 |
|---|---|---|
| -TechrightsBot-tr/#techrights-cloud.email.thelinuxfoundation.org | NO TITLE | Jul 17 01:52 | |
| schestowitz | my initial tests say yes | Jul 17 01:52 |
| schestowitz | based on more shallow tests | Jul 17 01:52 |
| schestowitz | I might publish "Celebrates Sysadmin Day With a Microsoft Windows Site!" | Jul 17 01:52 |
| schestowitz | I mean, LF Celebrates Sysadmin Day With a Microsoft Windows Site! | Jul 17 01:52 |
| schestowitz | but I am not yet 100% sure it''s Windows at the back end | Jul 17 01:53 |
| schestowitz | could be mod-speling [sic] in Apache | Jul 17 01:53 |
| schestowitz | https://identity.linuxfoundation.org/checkout/540473 | Jul 17 01:54 |
| -TechrightsBot-tr/#techrights- ( status 404 @ https://identity.linuxfoundation.org/checkout/540473 ) | Jul 17 01:54 | |
| schestowitz | also this.. | Jul 17 01:54 |
| schestowitz | https://identity.linuxfoundation.org/checkoUt/540473 | Jul 17 01:54 |
| -TechrightsBot-tr/#techrights- ( status 404 @ https://identity.linuxfoundation.org/checkoUt/540473 ) | Jul 17 01:54 | |
| schestowitz | note case | Jul 17 01:54 |
| schestowitz | still works with the token here | Jul 17 01:54 |
| schestowitz | bloody hell! | Jul 17 01:55 |
| schestowitz | LF.... you also apply for a job there using LinkedIn (Microsoft) | Jul 17 01:55 |
| XRevan86 | https://identity.linuxfoundation.org/checkoUt/540473 – Varnish | Jul 17 01:56 |
| XRevan86 | The first link is served by something else. But it won't tell by which. | Jul 17 01:57 |
| schestowitz | can you check with me? | Jul 17 01:57 |
| schestowitz | this is important | Jul 17 01:57 |
| XRevan86 | It's not HTTP/2 capable. | Jul 17 01:58 |
| XRevan86 | https://cloud.email.thelinuxfoundation.org/ | Jul 17 01:59 |
| -TechrightsBot-tr/#techrights- ( status 403 @ https://cloud.email.thelinuxfoundation.org/ ) | Jul 17 01:59 | |
| XRevan86 | The 403 page looks like something done by Apache Tomcat | Jul 17 01:59 |
| schestowitz | I did the same thing | Jul 17 02:00 |
| schestowitz | why is the site case insensitive? | Jul 17 02:00 |
| schestowitz | Also, see page source | Jul 17 02:00 |
| schestowitz | lots of "MS" bits | Jul 17 02:00 |
| schestowitz | I want to be 100% sure we don't get the story, if any at all, wrong | Jul 17 02:00 |
| XRevan86 | schestowitz: Maybe they configured case-insensitive matching | Jul 17 02:01 |
| XRevan86 | It is peculiar. | Jul 17 02:02 |
| schestowitz | no clues in http headers? | Jul 17 02:03 |
| schestowitz | Ages ago, more than 10 years, I had FF extensions for that | Jul 17 02:03 |
| schestowitz | before Mozilla killed xul | Jul 17 02:03 |
| XRevan86 | schestowitz: Not even a Server header. | Jul 17 02:03 |
| XRevan86 | schestowitz: Firefox's devtools can do the job. | Jul 17 02:04 |
| XRevan86 | but I test with curl | Jul 17 02:04 |
| schestowitz | any other tricks we can employ? | Jul 17 02:04 |
| schestowitz | This is a big deal if it turns out to be windows | Jul 17 02:04 |
| XRevan86 | If I had experience with Windows servers, maybe I'd know what to look for… | Jul 17 02:04 |
| XRevan86 | or with Java servers for that matter… | Jul 17 02:05 |
| XRevan86 | I know https://linux.org.ru/ is using Tomcat, and it is case-sensitive. | Jul 17 02:05 |
| -TechrightsBot-tr/#techrights-LINUX.ORG.RU — àÃÆÃÂÃÂúðàøýÃâþÃâ¬Ã¼Ã°Ãâ øàþñ Þá Linux | Jul 17 02:05 | |
| XRevan86 | https://www.linux.org.ru/gallery/ – Gallery | Jul 17 02:05 |
| -TechrightsBot-tr/#techrights-www.linux.org.ru | ÃâðûõÃâ¬ÃµÃ | Jul 17 02:05 | |
| XRevan86 | https://www.linux.org.ru/Gallery/ – 404 | Jul 17 02:05 |
| -TechrightsBot-tr/#techrights- ( status 404 @ https://www.linux.org.ru/Gallery/ ) | Jul 17 02:05 | |
| XRevan86 | schestowitz: But maybe it is really mod_speling | Jul 17 02:08 |
| XRevan86 | and they then just turned off HTTP headers that give away configuration | Jul 17 02:08 |
| XRevan86 | At least we know it's Java and not ASP.NET | Jul 17 02:09 |
| schestowitz | which domain? | Jul 17 02:11 |
| XRevan86 | cloud.email.thelinuxfoundation.org | Jul 17 02:11 |
| cubexyz | check with netcraft? | Jul 17 02:12 |
| -viera/#techrights-Tux Machines: Proxmox VE 6.0 released! http://www.tuxmachines.org/node/125966 [https://pleroma.site/objects/f3b82e95-d9ea-42e1-b380-6be86812a61b] | Jul 17 02:12 | |
| XRevan86 | cubexyz: Doesn't tell anything of interest. | Jul 17 02:13 |
| schestowitz | I thought about it | Jul 17 02:13 |
| schestowitz | but did not do it | Jul 17 02:13 |
| schestowitz | as I thought it might not even be on their radar yet | Jul 17 02:13 |
| cubexyz | merely says "unknown" | Jul 17 02:13 |
| schestowitz | seems like a new site or some internal "office" crap | Jul 17 02:13 |
| schestowitz | how else can we test? | Jul 17 02:14 |
| schestowitz | I don't want to get the story wrong, that's all | Jul 17 02:14 |
| XRevan86 | > OS: F5 BIG-IP | Jul 17 02:14 |
| XRevan86 | It did say that though | Jul 17 02:14 |
| schestowitz | as that can be used to discredit everything we ever said re LF | Jul 17 02:14 |
| XRevan86 | How can it tell? | Jul 17 02:14 |
| cubexyz | there's wappalyzer | Jul 17 02:14 |
| schestowitz | can you have a go at it? | Jul 17 02:14 |
| cubexyz | sure | Jul 17 02:14 |
| schestowitz | Maybe they have the OS quite well | Jul 17 02:14 |
| schestowitz | mind you, they use LOTS of MSFT internalluy | Jul 17 02:15 |
| schestowitz | I know this from their PR rep | Jul 17 02:15 |
| schestowitz | but demonstrating it, like link with proof, would help... | Jul 17 02:15 |
| cubexyz | mysql, php, wordpress, OWL, bootstrap, jquery | Jul 17 02:17 |
| XRevan86 | cubexyz: I doubt that | Jul 17 02:17 |
| XRevan86 | there's no wordpress there | Jul 17 02:17 |
| -viera/#techrights-Tux Machines: Univention Corporate Server 4.4-1/Point Release UCS 4.4-1: performance improvements, app recommendations and UDM REST API Beta http://www.tuxmachines.org/node/125967 [https://pleroma.site/objects/94f199ef-a04b-473c-a4a1-288f05bf6166] | Jul 17 02:18 | |
| schestowitz | cubexyz: does not look like wordpress | Jul 17 02:19 |
| schestowitz | even if you look at page source | Jul 17 02:19 |
| schestowitz | it looks like a really poorly-made CMS of some kind | Jul 17 02:19 |
| schestowitz | but I want to know the US | Jul 17 02:20 |
| XRevan86 | WordPress is PHP. | Jul 17 02:20 |
| schestowitz | OS | Jul 17 02:20 |
| cubexyz | no idea, just saying what wappalyzer says | Jul 17 02:20 |
| XRevan86 | This is Java. | Jul 17 02:20 |
| schestowitz | I imagine the CMS is proprietary anyway | Jul 17 02:20 |
| schestowitz | https://twitter.com/schestowitz/status/1151297943745568768 | Jul 17 02:21 |
| -TechrightsBot-tr/#techrights-@schestowitz: We are the LINUX FOUNDATION We OWN Linux dot com! We link to anti -Linux stories Because we just do (and we don't e… https://t.co/UoJrMddR6K | Jul 17 02:21 | |
| -TechrightsBot-tr/#techrights-@schestowitz: We are the LINUX FOUNDATION We OWN Linux dot com! We link to anti -Linux stories Because we just do (and we don't e… https://t.co/UoJrMddR6K | Jul 17 02:21 | |
| schestowitz | https://twitter.com/schestowitz/status/1150987858083295232 | Jul 17 02:21 |
| -TechrightsBot-tr/#techrights-@schestowitz: "swapnilbhartiya" at #zemlinpac continues using the site LINUX dot com to promote #microsoft crap. [facepalm] https://t.co/BOIY5nmFWU | Jul 17 02:21 | |
| -TechrightsBot-tr/#techrights--> Aqua Security Launches Microsoft Azure Marketplace Private Offers | Linux.com | The source for Linux information | Jul 17 02:21 | |
| XRevan86 | I don't think there's a way to tell | Jul 17 02:24 |
| cubexyz | thelinuxfoundation.org runs nginx on linux | Jul 17 02:25 |
| cubexyz | according to netcraft | Jul 17 02:25 |
| XRevan86 | Does plain Tomcat support "Content-Encoding: gzip"? | Jul 17 02:25 |
| schestowitz | That would make sense for the main site | Jul 17 02:25 |
| schestowitz | but for sales etc. | Jul 17 02:25 |
| schestowitz | not sure | Jul 17 02:25 |
| XRevan86 | And they're using AWS | Jul 17 02:27 |
| schestowitz | that's not unusual | Jul 17 02:27 |
| schestowitz | would be worse if they used MSAzure | Jul 17 02:28 |
| XRevan86 | That'd make my day | Jul 17 02:28 |
| XRevan86 | Port scanning (nmap) revealed only that whoever configured cloud.email.thelinuxfoundation.org configured the firewall restrictively | Jul 17 02:29 |
| XRevan86 | At least ICMP is open | Jul 17 02:30 |
| XRevan86 | 80, 113, 443, nothing else | Jul 17 02:30 |
| -viera/#techrights-Tux Machines: Network Security Toolkit 30-11210 http://www.tuxmachines.org/node/125968 [https://pleroma.site/objects/ec0ec5d4-88eb-4a05-9512-c9c86c76140a] | Jul 17 02:31 | |
| XRevan86 | The main site has IPv6, cloud.email. doesn't. | Jul 17 02:31 |
| schestowitz | I guess we still don't know what it runs | Jul 17 02:33 |
| schestowitz | and the checkout (identity) part | Jul 17 02:33 |
| schestowitz | they got some company from the outside to do it | Jul 17 02:33 |
| schestowitz | and maybe it's not Linux | Jul 17 02:33 |
| XRevan86 | It's most likely Linux just because the odds are generally in that direction. | Jul 17 02:34 |
| XRevan86 | Who'd deploy a Java website on Windows? Some kind of insane Microsoft fan I guess. But then, why not ASP.NET? | Jul 17 02:34 |
| schestowitz | don't bet on kt! | Jul 17 02:34 |
| schestowitz | it! | Jul 17 02:34 |
| schestowitz | This is the LF | Jul 17 02:34 |
| XRevan86 | oh no | Jul 17 02:37 |
| XRevan86 | I've checked nmap's capabilities | Jul 17 02:37 |
| XRevan86 | -O: Enable OS detection | Jul 17 02:37 |
| XRevan86 | -sV: Probe open ports to determine service/version info | Jul 17 02:37 |
| XRevan86 | > 443/tcp open ssl/upnp Microsoft IIS httpd | Jul 17 02:37 |
| XRevan86 | Guess flipping what | Jul 17 02:37 |
| XRevan86 | > Running (JUST GUESSING): F5 Networks embedded (93%), F5 Networks TMOS 11.6.X (87%), OpenBSD 4.X (87%) | Jul 17 02:38 |
| XRevan86 | > OS CPE: cpe:/o:f5:tmos:11.6 cpe:/o:openbsd:openbsd:4.0 | Jul 17 02:38 |
| XRevan86 | > Aggressive OS guesses: F5 BIG-IP Edge Gateway (93%), F5 BIG-IP Local Traffic Manager load balancer (TMOS 11.6) (87%), OpenBSD 4.0 (87% | Jul 17 02:38 |
| XRevan86 | Just like netcraft, it thinks it's most likely something from F5 | Jul 17 02:38 |
| XRevan86 | but HTTP server probing gave a better idea | Jul 17 02:39 |
| XRevan86 | schestowitz: Good thing I didn't bet. | Jul 17 02:39 |
| XRevan86 | You seem speechless %) | Jul 17 02:40 |
| cubexyz | isn't port 443 just HTTP over SSL... not necessarily M$ | Jul 17 02:41 |
| XRevan86 | cubexyz: That's "-sV: Probe open ports to determine service/version info" | Jul 17 02:41 |
| XRevan86 | that's its guess | Jul 17 02:42 |
| cubexyz | hmmm, yeah | Jul 17 02:43 |
| cubexyz | doesn't look good | Jul 17 02:44 |
| schestowitz | maybe I will publish IRC noted to accompany this | Jul 17 02:44 |
| schestowitz | *IRC notes | Jul 17 02:44 |
| schestowitz | as we are not sure | Jul 17 02:44 |
| schestowitz | Get a load of this today | Jul 17 02:44 |
| schestowitz | https://www.redhat.com/en/blog/microsoft-and-red-hat-inspired | Jul 17 02:44 |
| -TechrightsBot-tr/#techrights-www.redhat.com | Microsoft and Red Hat, inspired | Jul 17 02:44 | |
| XRevan86 | schestowitz: The evidence is: | Jul 17 02:45 |
| XRevan86 | 1. case-insensitivity for no apparent reason | Jul 17 02:45 |
| XRevan86 | 2. nmap -sV cloud.email.thelinuxfoundation.org guesses HTTP is handled by "Microsoft IIS httpd" | Jul 17 02:45 |
| schestowitz | I think it is probable | Jul 17 02:46 |
| schestowitz | as soon as I saw the site and then the structure (marketing cruft appended to URL) | Jul 17 02:47 |
| schestowitz | Then I checked page source | Jul 17 02:47 |
| schestowitz | Been there, seen that... red flags | Jul 17 02:47 |
| schestowitz | Also "cloud" | Jul 17 02:47 |
| schestowitz | I know they used MS for office things | Jul 17 02:47 |
| schestowitz | like in-office comms | Jul 17 02:47 |
| schestowitz | Their PR reps used that to communicate with me ages ago | Jul 17 02:47 |
| schestowitz | Dan Brown and others... | Jul 17 02:48 |
| XRevan86 | https://cloud.email.thelinuxfoundation.org/SYSADM~1/ well, at least this didn't work :D | Jul 17 02:49 |
| -TechrightsBot-tr/#techrights- ( status 400 @ https://cloud.email.thelinuxfoundation.org/SYSADM~1/ ) | Jul 17 02:49 | |
| schestowitz | joke or some element of truth to it? | Jul 17 02:50 |
| cubexyz | didn't M$ give the win7 code to russia recently? | Jul 17 02:50 |
| schestowitz | I get the joke | Jul 17 02:50 |
| cubexyz | or not recently... it may have been a while ago | Jul 17 02:50 |
| XRevan86 | https://github.com/irsdl/IIS-ShortName-Scanner some element of truth to it | Jul 17 02:51 |
| -TechrightsBot-tr/#techrights-GitHub - irsdl/IIS-ShortName-Scanner: latest version of scanners for IIS short filename (8.3) disclosure vulnerability | Jul 17 02:51 | |
| XRevan86 | Tried using https://nmap.org/nsedoc/scripts/http-iis-short-name-brute.html, no effect. | Jul 17 02:56 |
| -TechrightsBot-tr/#techrights-nmap.org | http-iis-short-name-brute NSE Script | Jul 17 02:56 | |
| XRevan86 | StackOverflow isn't either. | Jul 17 02:57 |
| XRevan86 | nmap -sV detects Varnish on StackOverflow | Jul 17 02:59 |
| XRevan86 | > via: 1.1 varnish | Jul 17 02:59 |
| XRevan86 | I thought they're on Windows Server | Jul 17 02:59 |
| schestowitz | no, not likely | Jul 17 02:59 |
| schestowitz | the (co)founder has some MSFT connections | Jul 17 02:59 |
| schestowitz | books etc. | Jul 17 02:59 |
| schestowitz | CodingHorror guy | Jul 17 03:00 |
| schestowitz | the site, however, isn't so... and he clarified to me he never worked for Microsoft directly | Jul 17 03:00 |
| XRevan86 | Wikipedia states that Stack Overflow is written in C# | Jul 17 03:00 |
| XRevan86 | Considering that .NET Core is a very new thing, it is most likely on Windows. | Jul 17 03:01 |
| XRevan86 | https://en.wikipedia.org/wiki/Stack_Overflow#Technology | Jul 17 03:01 |
| -TechrightsBot-tr/#techrights-en.wikipedia.org | Stack Overflow - Wikipedia | Jul 17 03:01 | |
| XRevan86 | I guess they have a separate server as a reverse proxy for security and reliability. | Jul 17 03:01 |
| XRevan86 | it is also case-insensitive | Jul 17 03:03 |
| XRevan86 | no Varnish will change that :) | Jul 17 03:03 |
| schestowitz | that's quite common | Jul 17 03:03 |
| XRevan86 | So yea, nmap detected it right. | Jul 17 03:03 |
| schestowitz | only hours ago at work I deat with | Jul 17 03:03 |
| XRevan86 | it figured it's Varnish, and it is | Jul 17 03:03 |
| schestowitz | apache behind nginx, on Ubuntu/Debian | Jul 17 03:04 |
| schestowitz | no varnish | Jul 17 03:04 |
| schestowitz | nginx stuff as reverse proxy | Jul 17 03:04 |
| XRevan86 | schestowitz: Apache httpd is redundant in this case in most cases. | Jul 17 03:04 |
| schestowitz | also helps hide fro probers like nmap | Jul 17 03:04 |
| XRevan86 | schestowitz: The Stack Overflow is different in that they have to get a separate server to do the job. | Jul 17 03:05 |
| XRevan86 | Because Varnish reportedly doesn't work on Windows. | Jul 17 03:05 |
| XRevan86 | * The Stack Overflow case | Jul 17 03:05 |
| XRevan86 | schestowitz: nginx in front of Apache httpd introduces almost no overhead. | Jul 17 03:06 |
| schestowitz | yes, or a VM | Jul 17 03:06 |
| schestowitz | it does not have to run on the host/backend | Jul 17 03:06 |
| XRevan86 | So… why wouldn't you, right | Jul 17 03:06 |
| schestowitz | you could even run it as a VM under Windows | Jul 17 03:07 |
| XRevan86 | schestowitz: True, but I doubt that's very efficient either. | Jul 17 03:07 |
| XRevan86 | It's a high-load website. | Jul 17 03:08 |
| -viera/#techrights-Tux Machines: Seven Concerns Open Source Should Worry About - Part 1 http://www.tuxmachines.org/node/125969 [https://pleroma.site/objects/387bf941-25b0-41b6-be31-c401127a895f] | Jul 17 03:09 | |
| XRevan86 | 3. they don't bother this much on the main website to hide set-up information | Jul 17 03:12 |
| XRevan86 | Overall it looks like it was an outsource job, and no one cared enough to do it differently. But cared enough to cover the tracks a little bit. | Jul 17 03:14 |
| XRevan86 | If they really wanted to hide the fact that this is Windows, they'd reverse proxy it. | Jul 17 03:15 |
| XRevan86 | But I guess since it's likely not in their network (I didn't check), the overhead from proxying is unpleasant. | Jul 17 03:16 |
| -viera/#techrights-Tux Machines: Top 15 Best Forum Software For Linux in 2019 http://www.tuxmachines.org/node/125970 [https://pleroma.site/objects/f850f594-b34a-40fa-bf10-ee8544d1f956] | Jul 17 03:18 | |
| schestowitz | might be worth checking host location | Jul 17 03:24 |
| schestowitz | LF is in Portland IIRC | Jul 17 03:24 |
| schestowitz | if not SF | Jul 17 03:24 |
| schestowitz | I think it's ambiguous and some are 'home workers' | Jul 17 03:24 |
| schestowitz | I'm pretty sure Jim Zemlin isSF-based, or somewhere near in CA | Jul 17 03:24 |
Comments
Canta
2019-07-17 17:52:40
* Case insensitivity may easily be a collateral damage of drupal or other higher level framework functionality, like "friendly urls". The same goes for all the M$ compatibility crap in the html code.
* cloud.email.thelinuxfoundation.org shows reports ident port. I dont remember seeing a win machine with ident port, doesn't sound like a popular thing to do. But may be wrong on this.
* nmap thinks they're both dedicated LB devices. And there's the varnish headers.
* nmap guesses on 80 and 443 look like false positives. Easily a collateral damage of getting stuff in the middle, like dedicated balancing hardware. Should check the guess logic though.
So there COULD be a win machine behind that, as stated in the chat. But so far it looks unlikely: for that to happen, they should had to change IIS to look like something else, or installing every linux-friendly stuff in a Win machine online (when we all know win is more expensive and less reliable). I mean... It had to be done with malice, or just for the trolling fun, otherwise is just ridiculous. Different would had been the case if they're using an ASP.NET website.
HOWEVER:
* view-source:http://cloud.email.thelinuxfoundation.org/ is in iso-8859-1, and the fonts are all windows only.
* If you telnet to the server and do a bad request (note the lowercase "get"), you get a response not even in iso-8859-1, but directly in us-ascii. My local terminal (ubuntu 18.04) apache doesn't do that.
$ telnet cloud.email.thelinuxfoundation.org 80 Trying 13.111.99.28... Connected to cloud.email.thelinuxfoundation.org. Escape character is '^]'. get /index.html
Bad Request
Bad Request - Invalid Verb HTTP Error 400. The request verb is invalid.
Connection closed by foreign host.
Creepy. But still debatable.
Canta
2019-07-17 18:03:33
https://www.google.com/search?q=%22Server+Error%22+%22403+-+Forbidden:+Access+is+denied.%22+%22iis%22&channel=fs&source=lnms&tbm=isch&sa=X
This is sad.