I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog Shit, Microsoft was basically *built* on the other side of the Rubicon, to torture the analogy. Never have they ever been accused of being ethical.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog the criminal activity was issuing the bugs in the first place.
-
@sharkfie @GossiTheDog One presumes management? I don't follow MS execs, but one assumes that there's more third-party thinkers in charge than there used to be.
-
@kkarhan @GossiTheDog i have a backup of all of it
all recent as of May 16th
i thought they'd be useful and i KNEW that something like this would happen so i came prepared
-
@GossiTheDog Shit, Microsoft was basically *built* on the other side of the Rubicon, to torture the analogy. Never have they ever been accused of being ethical.
@lykso @GossiTheDog
Microsoft attained market dominance in the eighties by scaring people with fake error messages, so yeah. People should remember better -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog "We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. "
Also we'll blatantly conflate researchers of our bugs and attackers and threaten to send the cops after both; unless you are a respectable nerd-merc like NSO, of course.
Fuck whoever wrote this.
-
@kkarhan @GossiTheDog i have a backup of all of it
all recent as of May 16th
i thought they'd be useful and i KNEW that something like this would happen so i came prepared
@kkarhan @GossiTheDog also, this story goes way deeper...
turns out Nightmare Eclipse has their own blog too which has been talking about all of this.
deadeclipse666 dot blogspot dot com
interesting url for a blog but i wont question it
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog this one needs to be said in German:
-
@kkarhan @GossiTheDog also, this story goes way deeper...
turns out Nightmare Eclipse has their own blog too which has been talking about all of this.
deadeclipse666 dot blogspot dot com
interesting url for a blog but i wont question it
@kkarhan @GossiTheDog @anomr Edit: It was instantly taken down. I had only been away for 5 minutes. What rule does this even violate?
Malware archives are allowed on archive.org but this isn't?
-
@kkarhan @GossiTheDog @anomr Edit: It was instantly taken down. I had only been away for 5 minutes. What rule does this even violate?
Malware archives are allowed on archive.org but this isn't?
@mrmasterkeyboard @kkarhan @GossiTheDog you also included the .git, amazing!
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog if I find a 0day I'm dropping it the same way. I'm done with responsible disclosure.
-
@mrmasterkeyboard @kkarhan @GossiTheDog you also included the .git, amazing!
@anomr @kkarhan @GossiTheDog yup, i believe that the history is important too!
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog 9 out of 10 doctore agree that sell-to-APT incentives are going up
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog I was actually surprised that the repos weren’t taken down sooner given Microsoft’s track record with similar cases affecting their products.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
@GossiTheDog i mean, i can totally understand why it was done
if the coordinated disclosure process breaks down, full disclosure seems to be the obvious result. this isn't the first time this has happened and won't be the last.
MS seems to be acting more irrationally than the researcher here, banning them from MSRC seems to guarantee any future discoveries from them will be fully disclosed, and there are enough git forges that MS don't lean on.
and if MS's leaning on law enforcement does end up with something happening on that front, it seems that would increase the streisand effect exponentially? -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity -coordinating as needed with law enforcement around the world. -
@lykso @GossiTheDog
Microsoft attained market dominance in the eighties by scaring people with fake error messages, so yeah. People should remember better@RnDanger @lykso @GossiTheDog remember "different"
-
@GossiTheDog nah the finder was acting rationally cause ms didn't fucking pay them for the zero days like they was supposed to
@notavi10 @GossiTheDog
Is this for real? They submitted for bug bounty and got rejected? -
@anomr @kkarhan @GossiTheDog yup, i believe that the history is important too!
@anomr @kkarhan @GossiTheDog well I dunno where to rereupload it now.
