Bonum Certa Men Certa

What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

posted by Roy Schestowitz on Mar 31, 2024

The more important news to watch today or this weekend: (it's still largely unresolved and it enables blackmail, political/industrial espionage, and further security breaches)

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

For many of the above servers, it's unequivocally a case of "too late". The E-mails (and beyond) got copied by hostile actors and the consequences remain to be seen for years to come. This can cause suicides and cost billions of euros/dollars in damages (over time).

Oh, forget about that!

Let's talk about the version of xz that's in Microsoft's GitHub.

Microsofters didn't invent a logo and a brand name for it this time around?

Well, we guess not. Or not yet.

So earlier on we made some remarks on the flaws that impacted mostly cutting-edge distros (which rush to adopt new and untested/unaudited stuff). We saw that before with OpenSSL and similarly security-sensitive packages, which distros typically adopt just months later (maturity required). We wrote some articles about it in 2021, rebutting the scare-mongering and hype/FUD. Microsofters played a big role in that FUD at the time. It happened again a year later (2022).

Now it's 2024. The facts still matter.

The media mostly credits Red Hat (regarding xz), but Red Hat was merely a respondent, and Red Hat formally complained about words like "backdoor" or logos and brand names being leveraged to hype up holes like "heartbleed" (which did not actually cause much damage, it just caused damage to the perception/image of Linux, owing to endless media hype that lasted many years).

As we explained at the time, and many times in fact, Microsofters were responsible to this hype campaign (even if the original discovery came from a Google employee).

So today it seems familiar. Why? Because the latest reports we've found make it clear that the disclosure came from Microsoft staff at a very strategic time (see screenshots above).

What Microsoft wants you not to notice (or resort to "whataboutism" when clients choose to move to GNU/Linux) is the stuff at the top.

Yes, Andres Freund works for Microsoft. It was not clear at first. He used his anarazel.de email instead of Microsoft email. Why?

What a timing to disclose his 'revelations' (a lot of this involves GitHub, not just systemd, which is led/run by Microsoft staff).

As noted above, Microsofters did the same with "heartbleed" over a decade ago. Because "Microsoft heart Linux".

So what exactly happened here? One can guess based on salient points of evidence.

Stockpiling holes for strategic times?

We debated this in length only a week ago in IRC because any time Microsoft has an epic security blunder the "Linux" news suddenly gets filled with FUD. And once again they're bombarding all "Linux" related news with alarming security-themed headlines (not so unprecedented a pattern). The Friday/Saturday news about "Linux" looked like this, and that's aside from the above. Pseudonymous reporters, who could even be on Microsoft's payroll, released some information about a hole just at the same time Microsoft had a lot of answering to do (and an emergency patch, which came far too late, as servers had already been breached, exposing perhaps trillions of emails, some of them very sensitive).

We need answers here. For instance, how long has Microsoft's Andres Freund known about this issue? Did someone give him a tip?

This man is in the business of selling Windows, not Linux, and at Microsoft security is never the objective. It is just another "product" or "add-on".

Other Recent Techrights' Posts

FOSDEM is Called "FOSDEM" Because of Richard Stallman (RMS)
The overlap there seems timely; yesterday RMS spoke in French-speaking (in part) Switzerland where questions in French were accepted
January 20: Richard Stallman Talk in Europe
evening time in Europe, around midday in the United States and Canada
Slopwatch: Too Lazy to Write Real Articles, Offloading to Chatbots Instead (LLM Slop About "Linux")
The Web was already full of garbage before the LLM frenzy. Now it's even worse.
RMS 'Inauguration' in Montpellier (Government Administration) on January 20th
Happy hacking
 
Links 18/01/2025: Restoring the Great Wall of China and Economic Expansion in China
Links for the day
Guardian Digital (linuxsecurity.com) is Spamming the Web With Microsoft's Promotional LLM Slop About UEFI 'Secure' Boot (Which is Against Real Security)
This is an attack on honest journalism
Links 18/01/2025: TikTok's Endgame, "Car Freedom", and Spying in Cars 'Fines' GM (Settlement)
Links for the day
Links 18/01/2025: Apple Getting Out of Hey Hi (AI) Slop (Too Much Misinformation), Chaffbots/Chatbots Try to Settle Copyright Infringement Lawsuits
Links for the day
What Fake News Sites Are Doing to GNU/Linux
The LLM slop about Linux serves two purposes
Links 18/01/2025: Microsofters Upset at Microsoft's Ridiculous Rebrands (Excuse for Massive Price Hikes), Chaffbot Company ('Open'AI) Faces More Lawsuits
Links for the day
Gemini Links 18/01/2025: Surge in Illnesses, ctags, and Gemsync
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, January 17, 2025
IRC logs for Friday, January 17, 2025
Even Technical Articles and HowTos From UNIXMen Nowadays Seem to be LLM Slop
We've just permanently removed the RSS feed of UNIXMen
The FSF's 2024 End-of-Year Fundraiser Succeeds: Over $400k to Support Software Freedom
That's worth bringing up again because the SFC is trying to 'crash' this achievement of the FSF
[Meme] Fentanylware (TikTok) Banned in the United States, Next Up European Union (EU)
And the United Kingdom (UK)
President Biden is Right, "Free Press is Crumbling" and the United States Exports Its Media-Hostile Culture to Other Continents
perhaps Biden should pay closer attention to how Donald Trump-inspired Americans take their battles to other continents
Links 17/01/2025: TikTok Banned by the United Stated (SCOTUS Rejects Appeal)
Links for the day
Software Freedom Conservancy Inc (SFC) Makes It Obvious It's Just a Copycat Trying to Exploit or Leech Off the FSF's (and GNU's) Work
They swim next to the rich people (who "match")
Links 17/01/2025: Fentanylware (TikTok) Herds Its (Drug) Users Into Even More Harmful "Apps"
Links for the day
Guardian Digital, Inc (linuxsecurity.com) Uses Microsoft-Controlled Front Groups and LLM Slop in Order to Spread Microsoft-Directed Anti-Linux FUD
Microsoft garbage likely produced by Microsoft LLMs, spewing out Microsoft FUD
Likely Fake 'Article' About Linux Mint 22.1
BetaNews fired up its plagiarism machine (LLM)
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, January 16, 2025
IRC logs for Thursday, January 16, 2025
Links 16/01/2025: Conflicts, Overpopulation, and Software Patents
Links for the day
[Meme] Lock-down With DRM Server/s (in a Nutshell)
Companies like Microsoft and Apple have a 'God complex'
Thank You, London! There Was No Way to Still Reliably Host Gemini From Home (on a Raspberry Pi 4) Due to Scale
The only regret we've long had is that we hadn't made the move earlier
The Summit of Future (Kerala, 2025): Dr. Richard Stallman (RMS) to Give Keynote Talk
promotional video was uploaded
Richard Stallman's Talk This Coming Monday (European 'Tour')
bunch of talks in Europe
Total Lock-down Ambitions - Part II - Down to the Very Core, Including the Hardware (CPU, GPU, Peripherals, and More)
instead of distinguishing themselves and antagonising these broadly reviled "antifeatures", both Canonical and IBM decided to join Microsoft in advocating lockdown
FSF, Guardian of the GNU Project, to Reach $400,000 in Winter Fundraiser Ahead of 40th Anniversary
The GNU Project Turns 42 later this year
Links 16/01/2025: "Meduza, IRL" and the Clock is Ticking on TikTok in the US
Links for the day
Gemini Links 16/01/2025: Yesterday's Gone, The Hour of the Dragon by Robert E Howard
Links for the day
Computer Users Aren't Zoo Animals
Animals don't belong inside cages in zoos, either
Links 16/01/2025: Scale and Scope of Microsoft Layoffs Revealed (Two Waves of Layoffs in 2025 Already)
Links for the day
Gemini Links 16/01/2025: Meta Has a Pixelfed Problem and Space Time Scoping
Links for the day
Anti-Linux 'Articles' in linuxsecurity.com (Guardian Digital, Inc) Are Composed by Bots, Probably Microsoft's
linuxsecurity.com has become a mindless stream of LLM slop
"New Year, New Career"
published a few hours ago
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, January 15, 2025
IRC logs for Wednesday, January 15, 2025