I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog I was actually surprised that the repos weren’t taken down sooner given Microsoft’s track record with similar cases affecting their products.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog i mean, i can totally understand why it was done
if the coordinated disclosure process breaks down, full disclosure seems to be the obvious result. this isn't the first time this has happened and won't be the last.
MS seems to be acting more irrationally than the researcher here, banning them from MSRC seems to guarantee any future discoveries from them will be fully disclosed, and there are enough git forges that MS don't lean on.
and if MS's leaning on law enforcement does end up with something happening on that front, it seems that would increase the streisand effect exponentially? -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity -coordinating as needed with law enforcement around the world. -
@lykso @GossiTheDog
Microsoft attained market dominance in the eighties by scaring people with fake error messages, so yeah. People should remember better@RnDanger @lykso @GossiTheDog remember "different"
-
@GossiTheDog nah the finder was acting rationally cause ms didn't fucking pay them for the zero days like they was supposed to
@notavi10 @GossiTheDog
Is this for real? They submitted for bug bounty and got rejected? -
@anomr @kkarhan @GossiTheDog yup, i believe that the history is important too!
@anomr @kkarhan @GossiTheDog well I dunno where to rereupload it now.
-
@anomr @kkarhan @GossiTheDog well I dunno where to rereupload it now.
@anomr @kkarhan @GossiTheDog fuck it, I give up.
I'm not uploading my copy again elsewhere, turns out it's here anyway.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog yeah that reads as pretty hostile to researchers in general and labels as "threat actors" those who don't choose to play by Microsoft's rules.
-
@GossiTheDog nah the finder was acting rationally cause ms didn't fucking pay them for the zero days like they was supposed to
@notavi10 @GossiTheDog is there anything to support this claim? thanks.
-
@GossiTheDog yeah that reads as pretty hostile to researchers in general and labels as "threat actors" those who don't choose to play by Microsoft's rules.
@briankrebs @GossiTheDog I often hear UK politicians use "working around the clock", "working tirelessly", or "striving relentlessly" when defending themselves. It has become meaningless (which is the point) but to me it serves as a bullshit flag. I'm impressed they managed to get two in one press release!
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog Well that’s rather horrifying.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog bold threats coming from a company founded by a frequent visitor to epstein island.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog Microsoft continuing to work hard to prove to everyone else that they are the bad faith actor in infosec I have been criticising them for
-
@GossiTheDog yeah that reads as pretty hostile to researchers in general and labels as "threat actors" those who don't choose to play by Microsoft's rules.
@briankrebs @GossiTheDog not to defend M$, but isn't the responsible disclosure stuff an etiquette in the whole infosec domain? My friends working in a SOC told me so, and I can understand the point of "please think about the workers"
Still, M$ wanting people to think about the workers leaves a bitter taste int mouth, and nothing justifies sending legal threats against individuals like that -
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog That response playbook looks like a villain arc generator.
-
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity -coordinating as needed with law enforcement around the world.@Ralph @GossiTheDog
Thank you, i really didn't want to look at the picture of text -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog@cyberplace.social So they complain about irresponsible disclosure but kick them off the MSRC so they can't disclose responsibly?
-
@GossiTheDog I really hope that somebody at Microsoft acknowledges that this screenshot looks like it could be lifted straight from Cyberpunk 2077.
-
@GossiTheDog I really hope that somebody at Microsoft acknowledges that this screenshot looks like it could be lifted straight from Cyberpunk 2077.
@will @GossiTheDog A statement straight out of the Arasaka Tower.
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog To add, according to Low Level's video on the subject, Microsoft marked previous zero days the person reported as ineligible for its bug bounty program (saying administrator to kernel/system access is not a security boundary).
