I may not have seen the full story - and I am cognizant of this - but what I have seen so far puts me solidly on the side of Nightmare Eclipse.
Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
> “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
TBH, the microsoft statement itself feels like slop. Not necessarily LLM slop (although who are we kidding, it probably was), but definitely like corporate slop, written by some manager with no context for how any of this is supposed to work (they laid off all the people who did), but with a need to make some sort of statement-shaped response
At the end of the day, Microsoft won't care how bad any of this will make them look. Their reputation has been abysmal for decades, but none of it actually seems to have any kind of negative effect on their bottom line.
I know this is a crazy take. But I go feel so down trodden by many many tech corps these days I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.
That said, I feel bad for the inevitable victims of exploitation and also I am certain he will end up criminalized or as per usual the law will enforce a large corps will against him.
Yes. Definitely a Friday night after a hard week take.
Naw totally agree, we need way more robust protections for security researchers and way harsher penalties for corpos doing bullshit, it should be a percentage of revenue.
We have way too much fuck around these days and not nearly enough find out.
Nothing crazy about it. Crazy is feeling sorry for the trillion dollar corporation. Don't let anyone tell you otherwise.
The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.
DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system, running on their own machine there's no unauthorized access there.
They could drag Eclipse through civil lawsuits though.
But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.
Responsible disclosure isn't a law, it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non disclosure are a valid choice as well.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
> “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,”
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
The best interests of the customers of Microsoft is an immediate apology, a payment of at least $100,000, and a signed agreement pledging that no (further) legal action will be taken.
The denial of Microsoft is just as harmful as the exploits of these flaws.
I've been working with Microsoft products since about 1989. It has been mostly miserable, like living with a schizophrenic gorilla. You wake up in the morning and don't know how fucked your day is going to be. Dealing with them has been absolutely impossible even when you were one of their "gold" tier partners back in the day.
I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.
I read a little about BitLocker. It seems to store the encryption key in TPM and acquire it automatically after boot. I wonder, can encryption key be extracted by inserting a rogue PCIe card and reading it from memory, or by inserting a rogue DDR memory card with a backdoor to read the key from it, or by sniffing CPU - TPM bus?
It's poor form to publish exploits like this but Microsoft not paying their bounty is also poor form, and so is attempting to exploit the legal system to defend Microsoft's "right" to write buggy code.
It is not all about money, but microsoft had a net income of 101 billion last year, and a 36% profit margin.
I am not saying humans or AI can create "perfect" software, but NASA has shown there is a HUGE gap between what can be achieved and what commercial software has generally done. We have given software a pass on the liability for the damage it can caused when it is defective for too long, that's the only way to change this, it must hit the bottom line.
did they start to do that at some point, or is this a pressure (blackmail?) campaign to get the to do that? I have no love for, but rather hate for, Microsoft, so I'm not suggesting blackmail in the sense of defending them, but it's something they could claim.
this is on Microsoft's website, they don't promise much for CVD
Responding to bug bounty reports is a thankless job. Especially these days it's a flood of AI spam, language barriers, "pay me first", incomplete reports, huge egos, and people who think every find should be treated as a critical vulnerability. The people who handle these reports often do so after-hours or on holidays. In smaller companies they're also often the ones who manage the triage, patching, testing, and security release process. In larger companies they have to find owners for every line of code and convince those code owners of the severity (often knowing that neither or them will be rewarded for doing the work).
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporters permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
I guess I'll play devil's advocate here, don't shoot me.
Over the course of my career I've had to deal with multiple hacks, DDOSes, and even situations working with the FBI. It's a mess, and extremely frustrating and unfair to those of us who are just trying to do a good job and make a living. Those of you who are throwing stones at Microsoft's coding, how confident are you that your code is safe from this new AI age?
Obviously MS handled this poorly, even after reading this article it's not clear how MS handles bug bounties. But that doesn’t mean this “researcher” deserves a pass.
Releasing 0-days, especially working exploit code for unpatched vulnerabilities, is extremely unethical. It has real potential to cause a lot of harm to regular engineers, and users who had nothing to do with the dispute.
Putting it out from "only a small group of people/companies exploit it" to the public is the way how you get it fixed. In this case it seems that was the only way that was left after Microsoft refuses cooperation. What counts are the results: This are fixed now.
Attacking the messenger is an age-old trend in the bug reporting arena.
Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.
Did Microsoft ever explain why Bitlocker could be deliberately circumvented?
Part of me thinks they are welcoming this drama because if the other 0-days are genuine bugs then it muddies the water and shifts the focus away from a the fact that they shipped an intentionally backdoored security product.
38 comments
[ 2.5 ms ] story [ 57.2 ms ] threadMicrosoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.
only recently has a OOB mitigation been offered
https://www.techspot.com/news/112410-security-researcher-mic...
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
Well said.
GitHub bans security researcher who posted zero-day Windows exploits
https://news.ycombinator.com/item?id=48315968
Usually, when an individual is that upset, the group or corporation is wrong and tries to shape public perception by lying.
Since when is publishing zero days a crime anyway? Shame on Microslop for these intimidation tactics. The real crime is vibe coding operating systems.
That said, I feel bad for the inevitable victims of exploitation and also I am certain he will end up criminalized or as per usual the law will enforce a large corps will against him.
Yes. Definitely a Friday night after a hard week take.
Microsoft could have prevented this. They were warned. It's their own fault.
The exploit exists whether or not the researcher reports it. They didn't make the exploit.
We have way too much fuck around these days and not nearly enough find out.
The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.
DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system, running on their own machine there's no unauthorized access there.
They could drag Eclipse through civil lawsuits though.
But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
The denial of Microsoft is just as harmful as the exploits of these flaws.
I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.
I am not saying humans or AI can create "perfect" software, but NASA has shown there is a HUGE gap between what can be achieved and what commercial software has generally done. We have given software a pass on the liability for the damage it can caused when it is defective for too long, that's the only way to change this, it must hit the bottom line.
did they start to do that at some point, or is this a pressure (blackmail?) campaign to get the to do that? I have no love for, but rather hate for, Microsoft, so I'm not suggesting blackmail in the sense of defending them, but it's something they could claim.
this is on Microsoft's website, they don't promise much for CVD
https://www.microsoft.com/en-us/msrc/cvd
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporters permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
Over the course of my career I've had to deal with multiple hacks, DDOSes, and even situations working with the FBI. It's a mess, and extremely frustrating and unfair to those of us who are just trying to do a good job and make a living. Those of you who are throwing stones at Microsoft's coding, how confident are you that your code is safe from this new AI age?
Obviously MS handled this poorly, even after reading this article it's not clear how MS handles bug bounties. But that doesn’t mean this “researcher” deserves a pass.
Releasing 0-days, especially working exploit code for unpatched vulnerabilities, is extremely unethical. It has real potential to cause a lot of harm to regular engineers, and users who had nothing to do with the dispute.
Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.
Part of me thinks they are welcoming this drama because if the other 0-days are genuine bugs then it muddies the water and shifts the focus away from a the fact that they shipped an intentionally backdoored security product.
They spent billions trying to build this open source and developer friendly image to just burn it all over $200,000 of unpaid security bounties.
Microsoft is a dumpster fire.