I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog@cyberplace.social
Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.
oh fuck these assholes, the number of times they have had legitimate issues reported to them and then ignored the problem while leaving customers at risk is staggering, they're blatantly ignoring the entire reason for the full disclosure movement to exist and pretending they're the heroes who always save the day
absolute pile of horse shit, every single line -
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog that sounds like it should be illegal somehow, wow
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog 5 years ago you could have said so, but now? Its on you for still using Github.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog No more help from the good guys then, M$ ¯\_(ツ)_/¯
-
@briankrebs @GossiTheDog not to defend M$, but isn't the responsible disclosure stuff an etiquette in the whole infosec domain? My friends working in a SOC told me so, and I can understand the point of "please think about the workers"
Still, M$ wanting people to think about the workers leaves a bitter taste int mouth, and nothing justifies sending legal threats against individuals like that@sly_vi @briankrebs @GossiTheDog I'm not privy to the situation that made this guy do what he did, but MS have quite a history of responding to notifications with "works a designed" or other ways of shifting the blame to the user. In some cases, they fixed issues silently after sending the researcher into the weeds.
Mind you, I feel their pain. I would hate to do triage on their product line"s CVD, and that's even without considering all the crap reports everyone gets these days from folks whose expertise consists of reading chapter one from "ethical hacking for dummies" (now with free reporting templates).
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog It's like the 90's all over again.
-
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
@smilingdemon @GossiTheDog Apple's counter-intelligence department comes immediately to mind.
-
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
@theorangetheme @smilingdemon @GossiTheDog And still take those contracts.
-
@GossiTheDog looks like we are going back to combative Microsoft of the late 90’s early 2000’s.
@rtificial @GossiTheDog Yep.
-
@GossiTheDog if I find a 0day I'm dropping it the same way. I'm done with responsible disclosure.
@sycophantic @GossiTheDog If you do, just sell it. Probably safer.
-
@GossiTheDog 9 out of 10 doctore agree that sell-to-APT incentives are going up
-
@GossiTheDog No more help from the good guys then, M$ ¯\_(ツ)_/¯
@sigi714 @GossiTheDog Hear, hear.
-
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
@theorangetheme @smilingdemon @GossiTheDog Two centuries. Rounded up from 175-180ish.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
When it comes to finding serious errors in it software, how does MS define "responsibly disclosed?" Does it mean "Never!"
-
J jwcph@helvede.net shared this topic
