I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog
So that's why linux is getting the press about zero days when windows is still the most rickty shit you ever saw -
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog nah the finder was acting rationally cause ms didn't fucking pay them for the zero days like they was supposed to
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog looks like we are going back to combative Microsoft of the late 90’s early 2000’s.
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog Shit, Microsoft was basically *built* on the other side of the Rubicon, to torture the analogy. Never have they ever been accused of being ethical.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog the criminal activity was issuing the bugs in the first place.
-
@sharkfie @GossiTheDog One presumes management? I don't follow MS execs, but one assumes that there's more third-party thinkers in charge than there used to be.
-
@kkarhan @GossiTheDog i have a backup of all of it
all recent as of May 16th
i thought they'd be useful and i KNEW that something like this would happen so i came prepared
-
@GossiTheDog Shit, Microsoft was basically *built* on the other side of the Rubicon, to torture the analogy. Never have they ever been accused of being ethical.
@lykso @GossiTheDog
Microsoft attained market dominance in the eighties by scaring people with fake error messages, so yeah. People should remember better -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog "We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. "
Also we'll blatantly conflate researchers of our bugs and attackers and threaten to send the cops after both; unless you are a respectable nerd-merc like NSO, of course.
Fuck whoever wrote this.
-
@kkarhan @GossiTheDog i have a backup of all of it
all recent as of May 16th
i thought they'd be useful and i KNEW that something like this would happen so i came prepared
@kkarhan @GossiTheDog also, this story goes way deeper...
turns out Nightmare Eclipse has their own blog too which has been talking about all of this.
deadeclipse666 dot blogspot dot com
interesting url for a blog but i wont question it
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog this one needs to be said in German:
-
@kkarhan @GossiTheDog also, this story goes way deeper...
turns out Nightmare Eclipse has their own blog too which has been talking about all of this.
deadeclipse666 dot blogspot dot com
interesting url for a blog but i wont question it
@kkarhan @GossiTheDog @anomr Edit: It was instantly taken down. I had only been away for 5 minutes. What rule does this even violate?
Malware archives are allowed on archive.org but this isn't?
-
@kkarhan @GossiTheDog @anomr Edit: It was instantly taken down. I had only been away for 5 minutes. What rule does this even violate?
Malware archives are allowed on archive.org but this isn't?
@mrmasterkeyboard @kkarhan @GossiTheDog you also included the .git, amazing!
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog if I find a 0day I'm dropping it the same way. I'm done with responsible disclosure.
-
@mrmasterkeyboard @kkarhan @GossiTheDog you also included the .git, amazing!
@anomr @kkarhan @GossiTheDog yup, i believe that the history is important too!
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog 9 out of 10 doctore agree that sell-to-APT incentives are going up
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog I was actually surprised that the repos weren’t taken down sooner given Microsoft’s track record with similar cases affecting their products.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog i mean, i can totally understand why it was done
if the coordinated disclosure process breaks down, full disclosure seems to be the obvious result. this isn't the first time this has happened and won't be the last.
MS seems to be acting more irrationally than the researcher here, banning them from MSRC seems to guarantee any future discoveries from them will be fully disclosed, and there are enough git forges that MS don't lean on.
and if MS's leaning on law enforcement does end up with something happening on that front, it seems that would increase the streisand effect exponentially?
