By Roy Schestowitz<\/p>\n\n\n\n
The more important<\/u> news<\/strong> to watch today or this weekend: (it’s still largely unresolved and it enables blackmail, political\/industrial espionage, and further<\/em> security breaches)<\/h5>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-1.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-2.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-3.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-4.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-5.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-6.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-7.png\")
<\/figure>\n\n\n\n![\"Microsoft](\"https:\/\/techrights.org\/images\/2024\/Microsoft-Exchange-chaos-8.png\")
<\/figure>\n\n\n\nFor many of the above servers, it’s unequivocally a case of “too late”<\/strong>. The E-mails (and beyond<\/em>) got copied by hostile actors and the consequences remain to be seen for years<\/em> to come. This can cause suicides and cost billions of euros\/dollars in damages (over time).<\/p>\n\n\n\nOh, forget about that!<\/p>\n\n\n\n
Let’s talk about the version of xz<\/code> that’s in Microsoft’s GitHub.<\/p>\n\n\n\nMicrosofters didn’t invent a logo and a brand name for it this<\/em> time around?<\/p>\n\n\n\nWell, we guess not. Or not yet<\/em>.<\/p>\n\n\n\nSo earlier on<\/a> we made some remarks on the flaws that impacted mostly cutting-edge distros (which rush to adopt new and untested\/unaudited stuff). We saw that before with OpenSSL and similarly security-sensitive packages, which distros typically adopt just months<\/em> later (maturity required). We wrote some articles about it in 2021, rebutting the scare-mongering and hype\/FUD. Microsofters played a big role in that FUD at the time. It happened again a year later<\/a> (2022).<\/p>\n\n\n\nNow it’s 2024. The facts still<\/em> matter.<\/p>\n\n\n\nThe media mostly credits Red Hat (regarding xz<\/code>), but Red Hat was merely a respondent, and Red Hat formally complained about words like “backdoor” or logos and brand names being leveraged to hype up holes like “heartbleed” (which did not actually cause much damage, it just caused damage to the perception\/image of Linux, owing to endless media hype that lasted many years).<\/p>\n\n\n\nAs we explained at the time, and many times<\/strong> in fact, Microsofters were responsible for this hype campaign (even if the original discovery came from a Google employee).<\/p>\n\n\n\nSo today it seems familiar. Why? Because the latest reports we’ve found<\/a> make it clear that the disclosure came from Microsoft staff at a very strategic time (see screenshots above).<\/p>\n\n\n\nWhat Microsoft wants you not<\/strong> to notice (or resort to “whataboutism” when clients choose to move to GNU\/Linux) is the stuff at the top.<\/p>\n\n\n\nYes, Andres Freund works for Microsoft. It was not clear at first. He used his anarazel.de<\/code> email<\/a> instead of Microsoft email. Why?<\/p>\n\n\n\nWhat a timing to disclose his ‘revelations’ (a lot of this involves GitHub, not just systemd, which is led\/run by Microsoft staff).<\/p>\n\n\n\n
As noted above, Microsofters did the same with “heartbleed” over a decade ago. Because “Microsoft heart Linux”.<\/p>\n\n\n\n
So what exactly<\/em> happened here? One can guess based on salient points of evidence.<\/p>\n\n\n\nStockpiling holes for strategic<\/em> times?<\/p>\n\n\n\nWe debated this in length only a week ago in IRC because any time Microsoft has an epic security blunder the “Linux” news suddenly gets filled with FUD. And once again they’re bombarding all “Linux” related news with alarming security-themed headlines (not so unprecedented a pattern). The Friday\/Saturday news about “Linux” looked like this<\/a>, and that’s aside from the above. Pseudonymous reporters, who could even be on Microsoft’s payroll, released some information about a hole just at the same time Microsoft had a lot of answering to do (and an emergency patch, which came far too late, as servers had already been breached, exposing perhaps trillions of emails, some of them very sensitive).<\/p>\n\n\n\nWe need answers here. For instance, how long has Microsoft’s Andres Freund known about this issue? Did someone give him a tip?<\/p>\n\n\n\n
This man is in the business of selling Windows, not Linux, and at Microsoft security is never the objective<\/a>. It is just another “product” or “add-on”. \u2588<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"This is extremely interesting, in that this Linux SSH backdoor that was introduced through xz seems to have been reported by a Microsoft employee at just the perfect time to take heat away from Microsoft for a large percentage of Exchange servers that are unpatched against vulnerabilities as disclosed by Germany. Consequently, the xz SSH […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-6877","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=6877"}],"version-history":[{"count":4,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877\/revisions"}],"predecessor-version":[{"id":6881,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877\/revisions\/6881"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=6877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=6877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=6877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nFor many of the above servers, it’s unequivocally a case of “too late”<\/strong>. The E-mails (and beyond<\/em>) got copied by hostile actors and the consequences remain to be seen for years<\/em> to come. This can cause suicides and cost billions of euros\/dollars in damages (over time).<\/p>\n\n\n\n Oh, forget about that!<\/p>\n\n\n\n Let’s talk about the version of Microsofters didn’t invent a logo and a brand name for it this<\/em> time around?<\/p>\n\n\n\n Well, we guess not. Or not yet<\/em>.<\/p>\n\n\n\n So earlier on<\/a> we made some remarks on the flaws that impacted mostly cutting-edge distros (which rush to adopt new and untested\/unaudited stuff). We saw that before with OpenSSL and similarly security-sensitive packages, which distros typically adopt just months<\/em> later (maturity required). We wrote some articles about it in 2021, rebutting the scare-mongering and hype\/FUD. Microsofters played a big role in that FUD at the time. It happened again a year later<\/a> (2022).<\/p>\n\n\n\n Now it’s 2024. The facts still<\/em> matter.<\/p>\n\n\n\n The media mostly credits Red Hat (regarding As we explained at the time, and many times<\/strong> in fact, Microsofters were responsible for this hype campaign (even if the original discovery came from a Google employee).<\/p>\n\n\n\n So today it seems familiar. Why? Because the latest reports we’ve found<\/a> make it clear that the disclosure came from Microsoft staff at a very strategic time (see screenshots above).<\/p>\n\n\n\n What Microsoft wants you not<\/strong> to notice (or resort to “whataboutism” when clients choose to move to GNU\/Linux) is the stuff at the top.<\/p>\n\n\n\n Yes, Andres Freund works for Microsoft. It was not clear at first. He used his What a timing to disclose his ‘revelations’ (a lot of this involves GitHub, not just systemd, which is led\/run by Microsoft staff).<\/p>\n\n\n\n As noted above, Microsofters did the same with “heartbleed” over a decade ago. Because “Microsoft heart Linux”.<\/p>\n\n\n\n So what exactly<\/em> happened here? One can guess based on salient points of evidence.<\/p>\n\n\n\n Stockpiling holes for strategic<\/em> times?<\/p>\n\n\n\n We debated this in length only a week ago in IRC because any time Microsoft has an epic security blunder the “Linux” news suddenly gets filled with FUD. And once again they’re bombarding all “Linux” related news with alarming security-themed headlines (not so unprecedented a pattern). The Friday\/Saturday news about “Linux” looked like this<\/a>, and that’s aside from the above. Pseudonymous reporters, who could even be on Microsoft’s payroll, released some information about a hole just at the same time Microsoft had a lot of answering to do (and an emergency patch, which came far too late, as servers had already been breached, exposing perhaps trillions of emails, some of them very sensitive).<\/p>\n\n\n\n We need answers here. For instance, how long has Microsoft’s Andres Freund known about this issue? Did someone give him a tip?<\/p>\n\n\n\n This man is in the business of selling Windows, not Linux, and at Microsoft security is never the objective<\/a>. It is just another “product” or “add-on”. \u2588<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" This is extremely interesting, in that this Linux SSH backdoor that was introduced through xz seems to have been reported by a Microsoft employee at just the perfect time to take heat away from Microsoft for a large percentage of Exchange servers that are unpatched against vulnerabilities as disclosed by Germany. Consequently, the xz SSH […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-6877","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=6877"}],"version-history":[{"count":4,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877\/revisions"}],"predecessor-version":[{"id":6881,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/6877\/revisions\/6881"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=6877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=6877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=6877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}xz<\/code> that’s in Microsoft’s GitHub.<\/p>\n\n\n\nxz<\/code>), but Red Hat was merely a respondent, and Red Hat formally complained about words like “backdoor” or logos and brand names being leveraged to hype up holes like “heartbleed” (which did not actually cause much damage, it just caused damage to the perception\/image of Linux, owing to endless media hype that lasted many years).<\/p>\n\n\n\nanarazel.de<\/code> email<\/a> instead of Microsoft email. Why?<\/p>\n\n\n\n