Bonum Certa Men Certa

What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

posted by Roy Schestowitz on Mar 31, 2024

The more important news to watch today or this weekend: (it's still largely unresolved and it enables blackmail, political/industrial espionage, and further security breaches)

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

For many of the above servers, it's unequivocally a case of "too late". The E-mails (and beyond) got copied by hostile actors and the consequences remain to be seen for years to come. This can cause suicides and cost billions of euros/dollars in damages (over time).

Oh, forget about that!

Let's talk about the version of xz that's in Microsoft's GitHub.

Microsofters didn't invent a logo and a brand name for it this time around?

Well, we guess not. Or not yet.

So earlier on we made some remarks on the flaws that impacted mostly cutting-edge distros (which rush to adopt new and untested/unaudited stuff). We saw that before with OpenSSL and similarly security-sensitive packages, which distros typically adopt just months later (maturity required). We wrote some articles about it in 2021, rebutting the scare-mongering and hype/FUD. Microsofters played a big role in that FUD at the time. It happened again a year later (2022).

Now it's 2024. The facts still matter.

The media mostly credits Red Hat (regarding xz), but Red Hat was merely a respondent, and Red Hat formally complained about words like "backdoor" or logos and brand names being leveraged to hype up holes like "heartbleed" (which did not actually cause much damage, it just caused damage to the perception/image of Linux, owing to endless media hype that lasted many years).

As we explained at the time, and many times in fact, Microsofters were responsible to this hype campaign (even if the original discovery came from a Google employee).

So today it seems familiar. Why? Because the latest reports we've found make it clear that the disclosure came from Microsoft staff at a very strategic time (see screenshots above).

What Microsoft wants you not to notice (or resort to "whataboutism" when clients choose to move to GNU/Linux) is the stuff at the top.

Yes, Andres Freund works for Microsoft. It was not clear at first. He used his anarazel.de email instead of Microsoft email. Why?

What a timing to disclose his 'revelations' (a lot of this involves GitHub, not just systemd, which is led/run by Microsoft staff).

As noted above, Microsofters did the same with "heartbleed" over a decade ago. Because "Microsoft heart Linux".

So what exactly happened here? One can guess based on salient points of evidence.

Stockpiling holes for strategic times?

We debated this in length only a week ago in IRC because any time Microsoft has an epic security blunder the "Linux" news suddenly gets filled with FUD. And once again they're bombarding all "Linux" related news with alarming security-themed headlines (not so unprecedented a pattern). The Friday/Saturday news about "Linux" looked like this, and that's aside from the above. Pseudonymous reporters, who could even be on Microsoft's payroll, released some information about a hole just at the same time Microsoft had a lot of answering to do (and an emergency patch, which came far too late, as servers had already been breached, exposing perhaps trillions of emails, some of them very sensitive).

We need answers here. For instance, how long has Microsoft's Andres Freund known about this issue? Did someone give him a tip?

This man is in the business of selling Windows, not Linux, and at Microsoft security is never the objective. It is just another "product" or "add-on".

Other Recent Techrights' Posts

[Video] IBM Shakes Hands of Prince Mohammed bin Salman
handshake of loyalty
The SLAPPs From Microsofters Distract From Serious Copyright Infringement by Microsoft and Apparent Business Crimes
Aside from other issues, such as strangling women
 
Trolls With LLM Slop Are Disrupting Communications About Mass Layoffs at IBM
LLM slop to drown out the signal
Gemini Links 17/05/2025: Happier on Gemini and Manipulating Reddit
Links for the day
ComEd and Microsoft: A Mess of Spaghetti Held Together By Circus Clowns
Reprinted with permission from Ryan Farmer
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 16, 2025
IRC logs for Friday, May 16, 2025
Links 16/05/2025: Microsoft Sacks Pregnant Women, People Fired on Their Birthday; Adobe Censorship Failing
Links for the day
Gemini Links 16/05/2025: "Repairing Our Way out of Commodity Fetishism" and Pre-librebooted Computers
Links for the day
The Microsofters Have Just Shared Privileged Trial Data With Microsoft
There are serious ramifications for liability accountability as Microsoft salaries sponsor these SLAPPs
Enshittification is Everywhere: You Pay More, the Services Get Worse
"Enshittification" is a term coined by an online friend; I increasingly use this term to describe what's happening even outside the realm of technology (which it was adopted to describe)
Microsoft Reduces Office Space Ahead of More Waves of Mass Layoffs
"The Gerstnerisation of Microsoft"
Anti-Linux FUD Produced by Microsoft LLMs to Blame "Linux" for Microsoft's Own Failures
We call out some of the worst culprits
Gemini Links 16/05/2025: Hoking GPS, Grabovac, and Tanana
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, May 15, 2025
IRC logs for Thursday, May 15, 2025
Microsoft WARN Notices Proliferate in the United States
From what we've seen, this wave was more than 3% (a lot more) and the next wave/s will be even bigger (possible as imminent as weeks from now), based on insider leaks
Links 15/05/2025: Google Betrays Publishers Again, Openwashing by Sysdig
Links for the day
Richard Stallman Still Respected by Many in the Libre Graphics Community
Richard Stallman and Professor Moglen never harmed anyone
If You Read Techrights, Then You Probably Want to Read Tux Machines as Well
That site is more active than this one
Gemini Links 15/05/2025: Forced Music in Publicly Accessible Space and ~silv is Online
Links for the day
Links 15/05/2025: KOSA Censorship (USA Becomes More Like KSA) and More National Cuts
Links for the day
Bing Might Shut Down - Just Like Skype Did - Some Time in the Coming Months/Years (Parts of It Already Shut Down)
they try to bring the losses under control
Your Real Ally Would Not Defend the Company of SLAPP and Strangling of Women
who's left to tell us what's true?
Breakdown of Microsoft Layoffs Shows It's About Cost, Not Performance or Hype (Like "AI")
MSN (Microsoft) reposted this with some unnecessary spin
The Lawyers Working for the Serial Strangler From Microsoft on SLAPPing Techrights Have Apparently Lost Their Voice
the moment we mentioned that their media lawyer is leaving they went all quiet in social control media
At IBM, Relocation Can be a Trick or a Trap (IBM Gets Rid of Staff Under the Guise of "Relo")
IBM is not being honest with employees
Microsoft Rumours: This Week's Scale of Layoffs "Higher Than Reported" and More Coming Soon ("A Lot More Severe" Than May's)
The "3%" figure is false
Slopwatch: Sloppy Brian, Brittany Slop, and General Observations
Creative people don't need slop; there's just nothing good about it, slop appeals to lazy people careless about quality
Over at Tux Machines...
GNU/Linux news for the past day
Beyond Mass Layoffs at Microsoft: Entire Units Shut Down for Good
And it's far from over
Links 15/05/2025: Crikvenica, Analog Computer, and Slop 'Hallucinations'
Links for the day
IRC Proceedings: Wednesday, May 14, 2025
IRC logs for Wednesday, May 14, 2025