Bonum Certa Men Certa

Richard Stallman Was Right and What Happened in XZ Wasn't a "Linux" or Free Software Problem, It Was Social Engineering (This Happens in Proprietary Software Too and, in This Case, It Was Enabled by Microsoft's Proprietary Social Control Media Disguised as 'Codeforge')

posted by Roy Schestowitz on Apr 02, 2024


The truth isn't convenient to snakeoil vendors and charlatans who speak of "secure" boot while using proprietary GitHub (controlled by NSA)

The Web (and even Geminispace) is already full of articles on this topic (we have caught and collected about 100 so far; obviously there are lots more, not only in English). We've had plenty of time to assess and digest the facts, not the drama, and we want to remind readers that Richard Stallman (RMS) used to include in his talks (over 10 years ago) a section on how people who worked for Microsoft in Asia put back doors in the code and then got caught. It is possible more existed and never got caught.

RMS was right. He spoke about back doors well before the Edward Snowden NSA and GCHQ leaks. Techrights already included links to such RMS talks in 2008. Maybe even 2007. This is well documented, both in text and in videos.

So headlines such as this are misleading:

Malicious xz backdoor reveals fragility of open source; This also happens in proprietary software, but unreported to us

No, it's not a "FOSS" or "Open Source" issue; "This also happens in proprietary software, but unreported to us," as the above says. They try to cover this up, and we cannot see commit details or authors, so who the heck knows the full, ugly truth? The PR people, whose task is to belittle or hide embarrassments?

An associate of ours insists that the xz incident was essentially social engineering; "other projects have lone developers, meaning that the code is more vulnerable because only a single person needs to be replaced / cancelled to get at the repository."

We don't suppose that in the sea/ocean of hundreds if not thousands of blog posts people will notice, but on the first day of us writing about it the primary article got 1618 non-bot reads and the sister site's got 1696 non-bot reads. Sadly the loudest and best-funded sites get more visibility. The crowd in Phoronix Forums shouts down pro-Linux people now (we saw that!); Phoronix itself plays a considerable role in pro-Microsoft propaganda and some of the FUD, including the above (Phoronix increasingly sucks, basically).

When it comes to xz, we've reached the point of topic fatigue, so no matter how important or valuable a contribution people have to this issue, not many people will pay attention anymore due to the volume and the perception that consensus about it is old and settled.

Our associate explains that Microsoft is "hyping xz to FUD the open source development model in general and the resulting software specifically. Though there is a problem: Debian failed to drop xz when the number of active developers on it went down to 1."

"A well-practiced preventative method would have stopped the bug in its tracks. Do like OpenBSD does and have two other developers review and audit each patch. So that sets the minimum level at 3 for any project to stay in use. Simply put, the mistake is also technical as xz is an inferior archival format compared to other compression methods. So three strikes there."

We will once again write regarding the xz incident (it's hyped up for several reasons) when the dust 'settles', but having seen several sites that borrow from old tactics ("heartbleed"), that might take weeks. "Log4j" (or Shell) was still mentioned years after it had been patched and the Linux Foundation gleefully participated in the FUD. Yes, for years! Remember what they're trying to sell (clue: not Linux).

An associate thinks it'll be a few days before it is timely to "analyze the xz incident", but maybe that's optimistic. "Mostly it is the reaction and spin which should be examined," he said. We still collect links and we will use those later (we add many "Ed" or editorial comments along the way, so it is annotated a bit).

For the time being people can see the editorial comments... (these comments try to rebut key points, repeatedly, in few words)
