Bonum Certa Men Certa

[Video] How the Media Blamed SSH and Linux (for Nearly a Whole Fortnight!) Instead of Microsoft's GitHub and Systemd

posted by Roy Schestowitz on Apr 11, 2024,
updated Apr 11, 2024

k Video download link | md5sum 0343d2a5fb805701dab56eb12ef302ac
How Media Failed at XZ Coverage
Creative Commons Attribution-No Derivative Works 4.0

Preview for How Media Failed at XZ Coverage

Introduction

THIS MORNING we made some new videos. We recorded 3 videos in total, but this one is the worst of them all for purely technical reasons. It ends after about 33 minutes even though the original plan was to go through almost 150 titles/articles, illuminating the way the media likes to smear "Linux" and illustrating the dishonesty of so-called 'journalists' (parrots and stenographers). After the technical issues I thought of recording a "part 2", but eventually it seemed like enough material had been covered and, at the very least in order to avoid repetition, it was probably OK to just leave things (fine as is). It deals with a small sub-sample of coverage we've gradually collected in a roughly chronological order, showing how FUD gets recycled and sometimes upcycled.

As noted here last week, some ludicrous articles went as far as praising Microsoft, reiterating the lie that it "loves Linux" (it loves using "Linux" for distraction) and framing Microsoft as some sort of authority/expert at security.

The Present

The "xz" (or "Xz" or "XZ" or the name of the encapsulating package; most of the media went for more familiar "brands") story and/or the hype isn't over per se, but I saw that "XZ BS" only once yesterday and my wife also saw it once (another example, some blog in Planet Fedora). So now it's probably safe to take stock of the whole thing. Tomorrow this thing turns 14 days ("officially"). And prior Techrights articles set aside - as most of them over a week old with a high view count already - we take a fresher look at these things. This long page (no JavaScript or bloat) was updated about 50 times and some people asked why we keep updating it so often (several times per day). "What we are describing here will be covered in my upcoming video about xz," I said, "I just wait for "the news" to calm down a bit..."

So let's look back and consider what had been published until yesterday's "trickle" ('only' 2 instances in one day). The longer version of it is in the video at the top.

Microsoft Not to the Rescue

Microsoft-connected sites have said a whole bunch of lies. Some of them were covered here a week ago, so we would rather not air those lies again.

To give one example, Risky Business (RB, or Australia's RiskyBiz where Microsoft's mouthpieces like Brett Winterford [1, 2] work) had three recordings on xz [1, 2, 3], "casting aspersions at SSH in general (they hate SSH and campaign against it) and blame Linux specifically and the OSS development model in general," an associate has noted. "Again, if distros had the minimum of three developers per subproject, the Xz breach would have been harder to pull off. However, when the same technique is tried against proprietary softer, there is basically no chance at detection."

This associate keeps saying that we "need to pound the drum on the benefits of OSS (and especially FOSS) and the same attack against proprietary would slide by undetected."

Richard Stallman covered this already, even close to 2 decades ago [1, 2]. Stallman said it many times; he spoke of how someone had been arrested for trying to put backdoors from within Microsoft on behalf of Al-Qaeda. No kidding!

I spoke to another person last week. "Something that's changed culturally, at least in the US, which Microsoft seems way ahead in exploiting, is vanity and need for popularity among the new gen tech devs," he said. We have said this for years!

"Instead of coders just scratching an itch and putting up a project in case a few dozen people find it useful, Github has set up a pageant, a frenzy of egotistical self-promotion, with badges and "likes" and ways to track activity and whatnot. The recent tech layoffs and it's proximity to Linked-In is amplifying that desperation."

And the media tells them that's the right thing to do. We covered many examples in the past. Sometimes you cannot even apply for things unless you provide a GitHub (i.e. Microsoft) handle.

"Microsoft wanna set themselves up as a Dickensian workhouse with Nancy and Bill Sikes (Gates) ruling a gang of kids who will pick pockets and write code for gruel," the person told me. "When I interview young devs now, instead of giving me a a URL to their domain, or even a written CV, they just give me their GitHub ID. I say, "So you already work for Microsoft?".

That's a good line!

On the upside, those are easy to reject promptly and upfront. If this is how they develop and write code, maybe they lack a lot of basic skills.

"Anyway," the person told me, "what concerns me is the terrifying cybersecurity implications of this."

So today I will explain what this media frenzy served to distract from. I want to focus on why GitHub is actually part of the problem here. We also need to remind readers what Microsoft is ALWAYS hoping to distract from. Aside from tributes to Ross Anderson, who valued real security, Microsoft distracted from at least 3 major security blunders. We'll revisit this towards the end of this article.

"Regarding the Xz-based FUD," an associate stresses, "the fact that many projects (curl, linux, etc) actually issue their own CVEs is a major improvement. There is an article about that and this fact should be folded somehow into the eventual Xz round-up."

Also see "Verified curl" from yesterday. "Conceivably," Daniel wrote, "the xz attackers have infiltrated more than one other Open Source project to cover their bases. Which ones?"

Daniel is the founder of curl going back 2.5 decades and he already wrote about what would happen if he "fell under a bus".

A Theory

Is there a "bigger story" here? Check where the CSO of GitHub came from! Spoiler: 20 years inside NSA. Is there a US state role in the revelation?

Hard to tell.

Here is a hypothetical possibility.

It is not at all unthinkable that the massively-staffed NSA (or sibling agency/partner in the US; they're malicious and they are as big as megacorporations), with staff dedicated to audits and back doors, informed GitHub (i.e. Microsoft) of what had happened some time earlier. The CSO of GitHub is a 20-year NSA veteran and Microsoft knew that right after Easter it would get blasted by official authorities for getting clients cracked by China, not to mention getting cracked itself (also by China). So they could pass on some details to a Microsoft employee (not high-level and not particularly well known) on Friday before the holiday and days before the release of the 'dreadful' report (to Microsoft; it knew it was coming as there was a degree of cooperation with the investigation, ultimately castigating the company), promptly weaponising sensationalist language to occupy news searches for "China" and "security" while at the same time smearing "Linux" (not GitHub or systemd), even if it's over some beta releases that few people use, casually and swiftly while having the audacity to paint Microsoft not just as security expert but also "saviour" of "Linux". Yes! All this while in fact the real China breach was the fault of Microsoft and the impending report spoke of a tall chain/cascade of failures, showing sheer incompetence and neglect at Microsoft, leading up to the actual breach that cost a lot to the US government (espionage). Microsoft tried to cover up this breach until the government demanded and pressured it to admit what had happened. It turned out to be worse than initially assumed/believed/seen on the surface. So if Microsoft used its staff as "mules" for inversion/invention of narratives, aided by lazy "media", that would need substantial proof. We might never have that.

Anyway, that's just a theory. Plausible? Needs proof.

What It Still Distracts From

Even days later the Microsoft-connected (or sponsored) publishers are spamming the media with "China" stuff that isn't the above-mentioned breach. Days ago Microsoft was accusing China of fakes (calling everything "AI"). One example is "Chinese hackers turn to AI to meddle in elections" and it misrepresents Microsoft as an authority in this domain. In reality, Microsoft is the very source (or generator) of these fakes. So Microsoft has quite some audacity weighing in on this.

This is only one way in which Microsoft is distracting from the report about how China cracked Microsoft's entire infrastructure. That's a fact and the US Government blasted it for it only days earlier until ~2 days ago (the video above covers this). Here is an example from 5 days ago:

China is ramping up use of AI-generated content and fake social control media accounts to inflame division in the United States and elsewhere, according to the latest report from Microsoft’s threat center.

In relation to Asia (it's not known if the crack in the case of xz can be attributed to China, but it's likely someone in Asia), there's also pure noise like this. The "India" stuff and lots more like this "Hey Hi" (AI) nonsense stole the thunder - to the point nobody spoke or said anything about how Microsoft failed the whole nation. Articles about India, Microsoft, Modi, and Bill Gates help distract from high usage of GNU/Linux in India.

Earlier this week we saw that Microsoft had managed to (once again!) engineer a security blunder for itself. To quote a new piece or an article by Sam Varghese:

A suspected Russian intrusion into Microsoft's corporate systems, which was disclosed in January, also affected US federal government systems, according to the US Cybersecurity and Infrastructure Security Agency.

Also see "US Cyber Safety Review Board on the 2023 Abusive Monopolist Microsoft Exchange Hack" and this morning's pick from Federal News Network, stating: "Oregon Senator fed up with data breaches, blasts Big Tech, demands mandatory standards Sen. Ron Wyden (D-Ore) cites a Cyber Safety Review Board report that blames Microsoft's inadequate cybersecurity culture."

This is what Microsoft wants nobody to pay any attention to. Please keep the eyes on the ball.

Other Recent Techrights' Posts

linuxsecurity.com Still At It! 98% Probability Chatbot Generated, According to GPTZero!
"The Internet is mostly made by AI... but that's ok, it's all being deleted anyway."
 
KDE Neon Weirdness
Reprinted with permission from Ryan Farmer
Congratulations to Sirius Open Source, Still Claiming to Employ People Who Left Half a Decade Ago (or More!)
What signal does that send to con men?
[Meme] Bluewashing
Cent OS? No more.
IRC Proceedings: Thursday, May 23, 2024
IRC logs for Thursday, May 23, 2024
Over at Tux Machines...
GNU/Linux news for the past day
Tenfold Increase for ChromeOS+GNU/Linux in Brunei
Brunei Darussalam is a country most people don't know about and never even heard about
Coming Soon: Another Round of 'Cancel Stallman' Chorus
The series required a great deal of patience
Links 23/05/2024: SeekOut Collapsing and Why Microsoft Probably Isn’t Going to Buy Valve
Links for the day
Gemini Links 23/05/2024: The Allure of Vinyl
Links for the day
Links 23/05/2024: Apple Responds to Streaming Music Fine, DOJ to Sue Live Nation
Links for the day
Links 23/05/2024: UK General Election and Archival
Links for the day
[Video] 3 Major Issues in Nationwide, Including (Potentially) a Major Data Breach
'electronic-bank' security has become the joke of the town
[Meme] Pointing Out Corruption Isn't a "Hate Crime"
The European Commission's reflexive (re)action to any sort of doubt or criticism
More Evidence in "iLearn AI Day" (a Buzzwords Festival) That EPO Intends to Eliminate Staff and Deviate Further Away from Fairness, Law, and Constitutions (Including Its Own!)
The EPO is a very potent danger to Europe's unity and the very concept of lawfulness. It exists to serve international monopolists and patent lawyers.
Microsoft's Windows Has Fallen Below 3% in Democratic Republic of the Congo (100+ Million Citizens)
Microsoft's sharp fall in Congo
The Real Reason Censorship is Attempted Against Us (and Against Others Too)
Microsoft's Windows market monopoly was in trouble
You Are Not The Only One
Reprinted with permission from Cyber Show (C|S)
GNU/Linux in Monaco: From 0.3% to Almost 6%
Monaco is a small country
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, May 22, 2024
IRC logs for Wednesday, May 22, 2024
Microsoft Has Lost Cote D'ivoire (Ivory Coast), Where Android Now Exceeds 60% of the Operating Systems' 'Market Share'
According to statCounter anyway
The Rumour Said Later Today Red Hat (IBM) Might Announce Layoffs
Let's see what happens later today (or next week)
Governments That Fail Journalism
Australia is known for giving us pure garbage like Rupert Murdoch
Windows Has Fallen From 'Grace'
When you tell people that Microsoft watches their every move in Windows many of them will freak out and ask for alternatives
Serbia: GNU/Linux at Almost 4% (or Beyond if ChromeOS is Counted)
considerable growth for GNU/Linux
Links 22/05/2024: China in Other Countries' Islands, Growing Threat of Piracy
Links for the day
Gemini Links 22/05/2024: Freedom Through Limitation, Cloud Photos
Links for the day
Canonical Supports Monopoly
more of the same
A farewell to Finland, an occupied territory
Finland, Finland, Finland
Links 22/05/2024: "Copilot+" as Mass Surveillance and Microsoft Defying Consent in Scarlett Johansson's Case
Links for the day
[Meme] Escalating After Failures
4 stages of cancel culture
Red Hat Had 2+ Days to Deny Reports of Impending Layoffs. But Red Hat Chose to Keep Silent.
Red Hat DOES NOT deny layoffs on the way
Microsoft-Connected Person Was Threatening to Sue Me and to Sue My Wife (Because His Feelings Were Hurt After Had He Spent More Than a Decade Defaming Me and Violating My Family's Dignity, Privacy)
litigation was chosen and we shall defend everything we wrote
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, May 21, 2024
IRC logs for Tuesday, May 21, 2024
Attempts to Sink the Free Software Movement (Under the Guise of Saving It)
We can see who's being drowned
Czech Republic: Windows Down From 98% to 43%, GNU/Linux Rises to Over 3%
modest gains for GNU/Linux
Links 22/05/2024: Pixar Layoffs and More Speculation About Microsoft Shutdowns/Layoffs (Ninja Theory)
Links for the day
Microsoft-Connected Sites Trying to Shift Attention Away From Microsoft's Megabreach Only Days Before Important If Not Unprecedented Grilling by the US Government?
Why does the mainstream media not entertain the possibility a lot of these talking points are directed out of Redmond?