JBoss Caught in Anonymous Posting Scheme

Reader scubabear writes "For years rumors have run rampant about employees of JBoss Inc. being actively encouraged to post anonymously, drumming up business by flooding the net with fake posts and simultaneously attacking competitors, all from behind a safe veil of anonymity. With the advent of a new feature for tracking users by IP on TheServerSide.com, the floodgates have been opened and those rumors have apparently been confirmed. The Java blog space now erupted with posts from a variety of bloggers (here, here, and here for a start) exposing a variety of anonymous/pseudonymous accounts used by JBoss employees to put forth their Professional Open Source message and simultaneously slam anyone who gets in their way in online technical communities such as TheServerSide, JavaLobby, and various personal blogs. The evidence shows how a corporation can manipulate popular opinion via anonymous personalities, that open source companies can be just as ruthless as closed source when it comes to marketing their wares, and that you should never forget that your cookies and IP address can and will be tracked online. No official response has been heard yet from the JBoss crew. Disclosure: I'm one of those bloggers erupting on this issue (see my story here)."

Re:Anonymous or not opinions count.

[Timesprout]

Is it any wonder that such a flagrant policy has made JBOSS go undercover?

You obviously have no familiarity with JBOSS. Shy retiring innocents they are not. For years now they have been haranging anyone who listen that JBOSS is the best Application Server in the known universe, this despite substantial evidence that some of their critical systems were well below standard.

I have no problems with an organistion hawking their wares. I do have a problem with it being turned into propaganda and stuck down my throat when I know it to be patently false.

The JBOSS organisation are doing the OSS movement a serious disservice.

Re:One question

[Anonymous Coward]

An Open Source (LGPL) implementation of a J2EE aplication server.

There is a lot more than PHP out there, you know?

Re:And this is news because???

[Stevyn]

Yeah, but this is about computer stuff so it's on slashdot. If you expect to see "real" news on every article then you haven't been here for a while. I'll do my best to sum it up to you so you don't have to waste your time reading the articles, but just the headlines:

SCO, Microsoft, William Gates Foundation, RIAA, MPAA, Government, big companies not mentioned already, patents: bad

Linux, Linus, Apple (with regards to BSD), BSD, Java (with regards to Sun opening it), Freedom of Speech, Natalie Portman: good

There are probably a few I've missed (and they will be posted below along with complaining how I missed it) but you get the idea.

BileBlog Mirror

[Anonymous Coward]

Since JRoller seems to be Slashdotted already, here's the text of fate's BileBlog:

Does the fun ever stop with these guys? It turns out that theserverside.com forums now has an interesting new feature that many of you might not be aware of. If you click on a particular user, you will see all the other users that have logged in from the same IP. Obviously, this method is not foolproof, and can be easily misinterpreted to mean that two people behind the same proxy are indeed one and the same.

Having said that though, it is with immense glee that I see that once and for all, the JBoss wankstains can be seen for the hypocritical, conniving, underhanded, petty and insecure little fuckwits that they are.

So, let's pick a user at random! Say..ohhh I dunno...Marc Fleury. Who else does the slimy little fleury have hidden away in this too-large-for-one-person personality of his? Why, none other than our friend Arun Patel! Arun, for those of you unfamiliar with TSS, posts incredibly offensive polemics that happen to exactly mirror the unspoken thoughts of a certain JBoss cult. To be fair, many of the posts are too eloquent to be His Royal Garlicness, what with his penchant for multiple exclamation marks, rambling sentences, and all round freakish usage of full stops.

So, who else posts from that IP? Well, we have James Hardy. James' posts are often of the 'I'm sane but lets face it, JBoss rule' variety, as opposed to another on that list of deranged psychopaths, Chip Tyler. Chippie here will eagerly pipe in in any number of threads to say how much CDN suck, as well as how every move JBoss makes is intelligent and wise. There are literally dozens of other accounts that show how widespread this behaviour is. The only thing they have in common is a surprising love and admiration for all things JBossy, and disdain and abuse for all things non-JBossy.

Needless to say, Ben Sabrin and the majority of the JBoss folks are all on the trail too. So while it's impossible to actually draw lines between the fakes and their puppetmasters, it's very very easy to spot the group of nefarious rumprangers who have embarked on this laughably incompetent marketing exercise. Having said that, some of the linkages are very clear and easy to follow to individuals who happen to not work in the same turdfactory as the fleurys do. Bill Burke has the highly dubious honour of also being Joe Murray, famous for making noises to the effect of 'Mike Spille doesn't exist!'. Let's see you uuhmm and err your way out of this one Billy! Marc'll have you back in that gimp suit pretty sharpish if you keep being this sloppy.

It all makes an awful lot of sense, if you think about it. JBoss is very very little beyond a whole lot of smoke and mirrors. I was actually surprised at how many people at TSSS for example smirked when I asked if they used JBoss. The silent majority pretty much views that server as a bit of a joke, and rightfully so!

What is stunning is how they seem to have next to no capacity for learning. Come on garlicboy, how fucking hard can it be to write a classloader? Do you really NEED UnifiedClassLoader, UnifiedClassLoader2, AND UnifiedClassLoader3? Didn't your mother teach you how to name classes? The thing is, it'd fine if you lot were just crapping out hilarious code. Sadly, it isn't enough for you, instead you feel the need to go out of your way and create a million fake accounts everywhere just to spread the word and hijack any potentially intelligent conversation. Are you that scared of innovation and a world where JBoss co-exists with the rest of humanity?

The saddest part about all this is that the most likely outcome is for these posters to now ensure they use a different IP when posting, to disguise the trail more effectively. I'm sure the very notion of 'gosh, maybe we should let our software do the talking instead of using underhanded tactics like these' is heretical in that camp.

So, the next time you see someone posting anything positive about JBoss, rest a

This can never happen on Slashdot, thankfully.

[sllort]

If you look at subroutine checkForOpenProxy [sourceforge.net] in Slashcode, you'll notice that it contains a hand-written port scanner/proxy checker built in Perl. Slashdot uses this to aggressively port scan and service map any IP address that tries to post anonymously, and saves the result in the DB. While this does have the unfortunate side affect of setting off IDS sensors across the globe and disrupting poorly hardened services on ports in Slash's scan list, it has the benefit of keeping us safe from those who would use a proxy to maintain anonymity, such as Chinese dissidents and corporate whisteblowers.

Re:More common than you think

[frenetic3]

It's also called "astroturf [disinfopedia.org]" (as in fake grassroots) in the offline/PR world.

-fren

Re:Anonymous or not opinions count.

[mrtom852]

I think people have grudges against JBoss because of these online forum practices. I've followed a couple of flame wars in the past and believe me, the JBoss guys just do not shut up. I remember looking back at how often they would post and wonder how much spare time they had on their hands - and that didn't include any of these 'anonymous' posts.

They always shoot people down, telling them to put their money where their mouth is but their problem now is that people are actually starting to do this - eg. Geronimo and these blogs.

I still use JBoss as I use JMX heavily, but their online participation has seriously put me off. I only hope that Hibernate doesn't fall to the same standards.

What is JBoss?

[ggvaidya]

When google fails ;)

JBoss
From Wikipedia, the free encyclopedia.

JBoss (pronounced Jay Boss) is an open source, Java based application server. Because it is Java based, JBoss can be used on any operating system that supports Java. It is open source, but a company (also named JBoss) creates it. The company has a tech consultation service, but the consultants spend half of their time programming.

JBoss implements the entire J2EE suite of services.

The Sims Online uses JBoss to run its multiplayer games.

Re:Story is a Reminder

[CowboyMeal]

Wow, that's gutsy, anonymously advertising a movie in this thread. Were you meaning to be ironic?

Re:Story is a Reminder

[johnnyb]

Check out My article on the subject [eskimo.com]. Basically it talks about the problems of corporations as apposed to sole proprietorships.

Re:This can never happen on Slashdot, thankfully.

[Anonymous Coward]

[a feature of Slashcode] has the benefit of keeping us safe from those who would use a proxy to maintain anonymity, such as Chinese dissidents and corporate whisteblowers.

Sorry, but Slashdot does not exist primarily as a medium for people who are making ethically right use of anonymous publishing. It is a community for dissemination and discussion of technology-related news. While it does have features to allow for some reasonable level of anonymity, Slashdot also has a number of hostile adversaries sufficient enough to warrant counter-measures, including the ones you highlight.

With these measures it may be unuseable for extremely serious anonymous posting. But that doesn't mean Slashdot is a failure, for without these measures it would be completely unuseable in the way that the vast majority of users want it to be - the trolling, garbage, automated attacks, etc. would make it intolerable.

So it is unfortunate that it is difficult for the noble people you describe to find a secure medium with which they can do what they need to, but it is not the purpose of Slashdot to solve that problem.

If the editors are interested in this problem, they can act like real journalists and break a story while refusing to reveal their source. If the source requires technologically guaranteed anonymity, they will have to deal with the pitfalls that (necessarily? or just contingently) plague any medium that can provide it, including a very low signal to noise ratio.

Links not /.ed, more thoughts...

[SuperKendall]

Hey I clicked on a link before and got nothing - now they all seem to work.

I agree that some of the posts seem a little shady, but nothing as bad as this group of bitter blooggers seem to make it out to be. I didn't even see a lot of good examples of real problem posts - there was one like "Hey in the last six months JBoss CMP has got way better!" - but even that is OK with me, if it is true (have no personal experience with JBoss CMP yet).

But take a look at this quote from the posters blog:

As far as distributed tx and recovery and logging goes, yes, that is a weakpoint, but how often do apps require that kind of functionality. My guess the number is in the minority. I guess what I am saying is that the JBoss J2EE stack is quite complete minus distributed tx and recovery based from what I've seen

That all sounds fine to me, even if I didn't know that came from JBoss it still makes a lot of sense to me. I personally also believe that not a lot of people need distributed TX (sometimes I wonder if ANYONE really needs distributed TX really) or distributed logging. I have played around a very little with JBoss and it does indeed seem very complete - I use Weblogic during the course of my job and of course that is pretty good, but it's also very expensive and for a lot of work I see going on in my company JBoss would more than suffice (and has, some groups have been using it and are only moving to Weblogic to keep with a corperate standard).

One thing not mentioned by the original poster is there seems to be an undercurrent of this CDN company (I think the poster is an employee from his blog?) which split off from JBoss and they were very pissed about the whole thing, as it seemed to have been done in an underhanded way (which they support with dates of the domain registration). So from that aspect I think a lot of the worst posts were sort of revenge for this action, and this have at least some explanation behind them beyond mere astroturfing - there were strong emotions involved. So this whole blogging attack against posters from JBoss seems to be orchistrated by CDN people resentful of people attacked by multiple sources they felt were from the parent company (which they may have screwed over).

Re:Links not /.ed, more thoughts...

[scubabear]

Sorry, not even close. I'm not an employee of CDN, have never been, am not affiliated with them in any way. Neither are the other bloggers referenced. The only person referenced with any affiliation with JBoss is Rickard, who used to be a major committer on JBoss.

The reason I blogged about this is really simple: truth. Yeah, I know, that sounds trite and stupid, but that really is the main motivation. JBoss people have been posing with very convincing names like "Chip Tyler" and "Joe Murray" for quite some time now, talking up their own product, dissing people like the CDN folks, and directly going after people like me. Some of it got quite nasty as well - and all under the cover of fake names. NOT anonymous ones - no Anonymous Coward. One of them - someone claiming to be Arun Patel but really a senior JBoss executive - went so far as to say online that he worked for WIPRO in Bangalore, India, and to attempt to prove that I was a shill. And he did this when the guy actually has e-mailed me and knew exactly who I really am. The icing on the cake is that the individual _setup the fake Arun Patel account using his real corporate e-mail address_.

This isn't about a vendetta, or revenge, or personalities clashing. It's about exposing a company that uses deceitful tactics to gain market share and simultaneosuly attack individuals and companies. I personally don't care if it's common or not - no matter how prevalent it may, it's still wrong and it should be rooted out and exposed when it's discovered.

Keep in mind also that this was a coordinated corporate policy, and it involved the "big names" at JBoss, and sometimes the weight of faker posts would actually overwhelm entire threads.

It was coordinated, it was nasty, and had high volumes over a span of well over a year.

-Mike Spille

Re:Anonymous

[Christopher Thomas]

Whew! good thing you "x"-ed out your MD5'd IP and Subnet.

Given the MD5 hashes, you could find the IP within a few hours with a brute-force search. IPv4 space isn't *that* big.

Subnet would be within milliseconds, as there are only 32 normally-sane values, and only about 10 are actually used.

One-way hashes don't help much if the space of possible keys is small (that's why we have /etc/shadow).

Re:So what was the real motivation?

[scubabear]

You have to realize first that this really did go on for years, and involves hundreds of posts. The motivations seemed to be three fold. 1) Show JBoss in a good light. 2) Disparage competing products. 3) Gain control of discussion threads, and discredit people who wrote negative posts regarding JBoss.

A big key of this is hijacking threads. If a thread started going "bad" from a JBoss perspective, both employees with their real names and fake names would sweep in simultaneously posting positive things about JBoss and refuting negative parts. They literally turned some threads from being anti-JBoss to looking positive.

Along the way, they made people who posted any negative JBoss posts look like they were the bad guys. "Oh poor us, look, these mean people are persecuting us!". This is a prime JBoss tactic - do something underhanded and slimy, and if there's a whiff of being caught make the people doing the catching look like the bad guys - and make yourself look like a poor victim.

Keep in mind that, having literally done it for years, they're pretty good at it. No blatant cheerleading. Sometimes they would put a mild negative comment in to make the post look more realistic "gee, CMP really sucked, but I hear it's better in 3.2", or "yeah their JMS wasn't that good, but they say they're making it better - anyone know anymore about that?".

To judge it, you have to look at the volume of threads and volume of posts over time. The blogs referenced have touched upon only maybe 5-10% of the total! We had neither the time or energy to exhaustively post everything the fake users did. If you happen to have the time, check out some of the threads on TheServerSide. Watch for their entry into them, and watch them turn the tide of opinion on a thread, and discredit naysayers along the way. In an odd way you have to respect it - they've raised these fake posts to an art form, they've honed their craft over many years.

Re:Who cares?

[tbien]

No it isn't... Their classloader design in simply broken (at least in the 3.x series - which I tried). It's maybe possible to use JBoss in an 1 Server - 1 Application environment, but forget it if you want to use more than one application using the same libraries in different versions... In that case you're screwed!

Re:Anonymous

[Fulcrum of Evil]

The problem is that this secret must be transferred from one party to the other before it can be used. That makes it much less secretive. A discussion of the key exchange problem (of which this is a subset) is beyond the scope of this thread.

Not in this case. They just have to track what secret they use, possibly changing it regularly, as all they use it for is generating and then verifying a hash.

Re:I am crying big fat crocodile tears of this.

[ryen]

here is an archived link to the nytimes article (which requires payment for view on their site now since it is past a month old or so).

Amazon Glitch Unmasks War of Reviewers [donswaim.com]

This quote says it all: "John Rechy, author of the best-selling 1963 novel "City of Night" and winner of the PEN-USA West lifetime achievement award, is one of several prominent authors who have apparently pseudonymously written themselves five-star reviews, Amazon's highest rating. Mr. Rechy, who laughed about it when approached, sees it as a means to survival when online stars mean sales."

Frankly I'm not surprised

[CountBrass]

If you go to their forums you'll get a taste of the sheer nastiness around JBoss:

• Books about JBoss written by anyone other than a JBoss guru (eg the rather good "JBoss 3.0 Deployment and Adminstration Handbook" by Meeraj Moidoo Kunnumpurath) get slammed.
• Newbies looking for help get cursed and told they're cheap for not paying for the documentation.
• Any slight criticism: even constructive, is instantly flamed.

Altogether a very unpleasant community. So the kinds of slimey, underhand and outright dishonest behaviour by JBoss people being reported here doesn't exactly surprise me. I guess they must take Microsoft and SCO as their inspiration.

The bad behaviour of the JBoss community has been reported previously on Slashdot.

Such a shame really as JBoss itself is an excellent App Server.