I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
-
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
-
@Ralph @GossiTheDog Thank you, I really didn't want to look at the picture of text.
You're welcome! I'm not sure why creating and then posting an image of the text is considered easier, more authentic, or whatever, than just cutting and pasting the same text. I suppose it eliminates the need for quotation marks.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
From the standpoint of the actor and their own future career in bounty hunting, I'm certain that this is irrational -- I have few doubts they'll be blackballed across the board, though it sounds like this may have already occurred.
From a community perspective, a great many malicious actions have recently been taken by the Big Three, raising an unignorable amount of rancor in the bug-hunting community. These actions are irrational in and of themselves, eroding and eliminating trust in the corporations while crippling one of the biggest incentives bounty hunters have to continue their work.
Standing up and making it clear that these bounty programs operate on an understanding of trust -- and that said trust, if broken, will lead to Bad Things like This happening -- is, from a community standpoint, rational, logical and sane. It's possibly the only way to counter a unilateral corporate decision to break the social contract holding things together.
-
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world.
@Ralph @GossiTheDog Big “whistleblowers must go through the chain of command” energy
-
@notavi10 @GossiTheDog Thank you @notavi10
-
@GossiTheDog@cyberplace.social
Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.
Oh, fuck these assholes. The number of times they have had legitimate issues reported to them and then ignored the problem while leaving customers at risk is staggering. They're blatantly ignoring the entire reason for the full disclosure movement to exist and pretending they're the heroes who always save the day.
Absolute pile of horse shit, every single line.
-
GitHub has long been a source for zero-day exploits in competitor products - it still is. While I worked there, GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from GitHub and declaring it “criminal activity”, it’s a Rubicon.
@GossiTheDog that sounds like it should be illegal somehow, wow
-
@GossiTheDog 5 years ago you could have said so, but now? It's on you for still using GitHub.
-
@GossiTheDog No more help from the good guys then, M$ ¯\_(ツ)_/¯
-
@briankrebs @GossiTheDog Not to defend M$, but isn't the responsible disclosure stuff an etiquette in the whole infosec domain? My friends working in a SOC told me so, and I can understand the point of "please think about the workers".
Still, M$ wanting people to think about the workers leaves a bitter taste in the mouth, and nothing justifies sending legal threats against individuals like that.
@sly_vi @briankrebs @GossiTheDog I'm not privy to the situation that made this guy do what he did, but MS have quite a history of responding to notifications with "works as designed" or other ways of shifting the blame to the user. In some cases, they fixed issues silently after sending the researcher into the weeds.
Mind you, I feel their pain. I would hate to do triage on their product line's CVD, and that's even without considering all the crap reports everyone gets these days from folks whose expertise consists of reading chapter one of "Ethical Hacking for Dummies" (now with free reporting templates).
-
@GossiTheDog It's like the 90's all over again.
-
@smilingdemon @GossiTheDog Apple's counter-intelligence department comes immediately to mind.
-
@theorangetheme @smilingdemon @GossiTheDog And still take those contracts.
-
@GossiTheDog looks like we are going back to combative Microsoft of the late 90’s early 2000’s.
@rtificial @GossiTheDog Yep.
-
@GossiTheDog if I find a 0day I'm dropping it the same way. I'm done with responsible disclosure.
@sycophantic @GossiTheDog If you do, just sell it. Probably safer.
-
@GossiTheDog 9 out of 10 doctors agree that sell-to-APT incentives are going up
-
@sigi714 @GossiTheDog Hear, hear.
-
@theorangetheme @smilingdemon @GossiTheDog Two centuries. Rounded up from 175-180ish.
-
When it comes to finding serious errors in its software, how does MS define "responsibly disclosed"? Does it mean "Never!"?
-