Bonum Certa Men Certa

What the Media Overlooks in xz: Microsoft Staff 'Discovered' the Issue in a Microsoft Platform Just Before Easter and in Time to Distract From Exchange Blunder

posted by Roy Schestowitz on Mar 31, 2024

The more important news to watch today or this weekend: (it's still largely unresolved and it enables blackmail, political/industrial espionage, and further security breaches)

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

Microsoft Exchange chaos example

For many of the above servers, it's unequivocally a case of "too late". The E-mails (and beyond) got copied by hostile actors and the consequences remain to be seen for years to come. This can cause suicides and cost billions of euros/dollars in damages (over time).

Oh, forget about that!

Let's talk about the version of xz that's in Microsoft's GitHub.

Microsofters didn't invent a logo and a brand name for it this time around?

Well, we guess not. Or not yet.

So earlier on we made some remarks on the flaws that impacted mostly cutting-edge distros (which rush to adopt new and untested/unaudited stuff). We saw that before with OpenSSL and similarly security-sensitive packages, which distros typically adopt just months later (maturity required). We wrote some articles about it in 2021, rebutting the scare-mongering and hype/FUD. Microsofters played a big role in that FUD at the time. It happened again a year later (2022).

Now it's 2024. The facts still matter.

The media mostly credits Red Hat (regarding xz), but Red Hat was merely a respondent, and Red Hat formally complained about words like "backdoor" or logos and brand names being leveraged to hype up holes like "heartbleed" (which did not actually cause much damage, it just caused damage to the perception/image of Linux, owing to endless media hype that lasted many years).

As we explained at the time, and many times in fact, Microsofters were responsible to this hype campaign (even if the original discovery came from a Google employee).

So today it seems familiar. Why? Because the latest reports we've found make it clear that the disclosure came from Microsoft staff at a very strategic time (see screenshots above).

What Microsoft wants you not to notice (or resort to "whataboutism" when clients choose to move to GNU/Linux) is the stuff at the top.

Yes, Andres Freund works for Microsoft. It was not clear at first. He used his anarazel.de email instead of Microsoft email. Why?

What a timing to disclose his 'revelations' (a lot of this involves GitHub, not just systemd, which is led/run by Microsoft staff).

As noted above, Microsofters did the same with "heartbleed" over a decade ago. Because "Microsoft heart Linux".

So what exactly happened here? One can guess based on salient points of evidence.

Stockpiling holes for strategic times?

We debated this in length only a week ago in IRC because any time Microsoft has an epic security blunder the "Linux" news suddenly gets filled with FUD. And once again they're bombarding all "Linux" related news with alarming security-themed headlines (not so unprecedented a pattern). The Friday/Saturday news about "Linux" looked like this, and that's aside from the above. Pseudonymous reporters, who could even be on Microsoft's payroll, released some information about a hole just at the same time Microsoft had a lot of answering to do (and an emergency patch, which came far too late, as servers had already been breached, exposing perhaps trillions of emails, some of them very sensitive).

We need answers here. For instance, how long has Microsoft's Andres Freund known about this issue? Did someone give him a tip?

This man is in the business of selling Windows, not Linux, and at Microsoft security is never the objective. It is just another "product" or "add-on".

Other Recent Techrights' Posts

People Used to Talk
If pets can live a measurably happy life without gadgets and "apps", why can't humans?
Rust is Starting to Seem More Like Microsoft-hosted "Digital Maoism", Not a Legitimate Effort to Improve Security
Maybe this is very innocent, but they seem to have taken a solid, stable program from a high-profile Frenchman and looked for ways to marry it with GitHub, i.e. Microsoft/NSA
 
Gemini Links 08/05/2025: Practical Gemini Use Case, Shutdown of the Blanket Fort Webring
Links for the day
Links 08/05/2025: "Slop Presidency", US Government Defunds Public Broadcasting
Links for the day
Lasse Fister, Organiser of Libre Graphics Meeting, Points Out the Code of Conduct is Likely Violated by the Same People Who Promote Codes of Conduct (and Then Bully Him Into Cancelling a Keynote)
I am starting to see Lasse Fister as another victim
LLM Slop Attacks Not Only Sites of Free Software Projects But Also Bug Reporting Systems (Time-wasting, in Effect "DDoS")
Microsoft, the leading purveyor and promoter of slop, is a cancer
The Richard Stallman (RMS) "European Tour" Carries on In Spite of the Nuremberg Incident
Some people spoke about how they saw yesterday's talk
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 07, 2025
IRC logs for Wednesday, May 07, 2025
The CoC Means the Founder of GNU/Linux Cannot Talk and a 72-Year-Old Man With Cancer is Somehow a "Safety" Risk?
Those who don't like RMS are not forced to attend his talks
Gemini Links 07/05/2025: A Shopping Spree and Digital Gardening
Links for the day
Links 07/05/2025: Pegasus Guilty and a Path Towards EU Without Russian Energy
Links for the day
Outsourcing GNU/Linux to Microsoft GitHub Promoted by Microsoft LLM Slop and Army Officers
Something doesn't seem right
Weaponisation of For-Profit Dockets - Part III: No More Media Lawsuits From Brett Wilson LLP This Year, One Can Only Guess Why
People leak a lot of material to Techrights because they know, based on the track record, that the sources will be protected and whatever gets published will stay online, in full, no matter how stubborn an effort (even lawsuits and blackmail) will be sent its way
Gemini Links 07/05/2025: Adopting GrapheneOS, Further Enshittification of Flickr
Links for the day
Links 07/05/2025: CISA Gutted, Debt-Saddled (Likely Insolvent) 'Open' 'AI' (Proprietary Slop) Faking Its Financial State Again
Links for the day
Finland, Lithuania, and Latvia Fortify Their Digital Border With GNU/Linux
This month's data from statCounter is particularly interesting near the Baltic Sea
The European Patent Office (EPO) Has a Very Profound Corruption Issue, Far More Urgent an Issue Than Pronouns
a rather long document
Richard Stallman Gives Public Talk at Technical University of Liberec, Czech Republic
"For programs that you could run, and for network services that could do your own computing, under what circumstances is it reasonable to trust them?"
Today We Turn 18.5
The eighteenth "and a half" anniversary
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, May 06, 2025
IRC logs for Tuesday, May 06, 2025
Microsoft Finally Admits That XBox is ****
In this case, "enshittification" is an understatement
Another Wave of Microsoft Layoffs Comes Shortly. Microsoft Propaganda Sites and Slopforms Powered by Microsoft LLMs Already Spew Out Face-Saving Nonsense.
Based on last month's leak, some very extensive layoffs are now imminent [...] Perhaps we can expect a lot of noise, some of it spewed out by bots, to distract from or belittle the impending mass layoffs
Ubuntu Becomes Microsoft GitHub, Based on Decision Made by British Army Officer
You're hopeless, Canonical
Slopwatch: Microsoft Slop, Anti-Linux Slop, and IBM Marketing Itself as a Slop Company
Microsoft-controlled LLM spewing out garbage about "Linux"
Links 06/05/2025: Microsoft's Assassination of Skype After Years of Failure, Slop Hallucinations Are Getting Worse
Links for the day
Links 06/05/2025: Changing Places and StarGrid for PalmOS
Links for the day
Windows and Microsoft Causing Serious Data Breaches, Media Rushes to Blame That on "Linux" Somehow
While selling us some rusty old propaganda about how moving to Microsoft GitHub (Rust) will improve security
Making Site Archives More Easily Accessible (Approaching 50,000 Blog Posts)
Efforts to censor us have always backfired badly
Weaponisation of For-Profit Dockets - Part II: Hiding Behind Lawyers and Barristers Who Lack Standards so as to Engage in Classic Corporate Extortion
They're trying to scare people and they misuse their licence to operate
Links 06/05/2025: LLMs/Chatbots Attract More Scrutiny (Getting Worse Over Time), PwC Has Many Layoffs
Links for the day
Thanks for listening. How can this Morse feed be further improved?
Right now any and all feedback on the audio would be helpful
statCounter: Bing's Market Share Lower Right Now Than It Was When LLM Hype Began (With "Bing Chat")
If anybody gains at Google's expense in search, it is BRICS' alternatives such as Yandex
Gemini Links 06/05/2025: Failure and Proxmox Cluster
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, May 05, 2025
IRC logs for Monday, May 05, 2025