I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
@briankrebs @GossiTheDog not to defend M$, but isn't the responsible disclosure stuff an etiquette in the whole infosec domain? My friends working in a SOC told me so, and I can understand the point of "please think about the workers"
Still, M$ wanting people to think about the workers leaves a bitter taste int mouth, and nothing justifies sending legal threats against individuals like that@sly_vi @briankrebs @GossiTheDog I'm not privy to the situation that made this guy do what he did, but MS have quite a history of responding to notifications with "works a designed" or other ways of shifting the blame to the user. In some cases, they fixed issues silently after sending the researcher into the weeds.
Mind you, I feel their pain. I would hate to do triage on their product line"s CVD, and that's even without considering all the crap reports everyone gets these days from folks whose expertise consists of reading chapter one from "ethical hacking for dummies" (now with free reporting templates).
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog It's like the 90's all over again.
-
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
@smilingdemon @GossiTheDog Apple's counter-intelligence department comes immediately to mind.
-
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
@theorangetheme @smilingdemon @GossiTheDog And still take those contracts.
-
@GossiTheDog looks like we are going back to combative Microsoft of the late 90’s early 2000’s.
@rtificial @GossiTheDog Yep.
-
@GossiTheDog if I find a 0day I'm dropping it the same way. I'm done with responsible disclosure.
@sycophantic @GossiTheDog If you do, just sell it. Probably safer.
-
@GossiTheDog 9 out of 10 doctore agree that sell-to-APT incentives are going up
-
@GossiTheDog No more help from the good guys then, M$ ¯\_(ツ)_/¯
@sigi714 @GossiTheDog Hear, hear.
-
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
@theorangetheme @smilingdemon @GossiTheDog Two centuries. Rounded up from 175-180ish.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
When it comes to finding serious errors in it software, how does MS define "responsibly disclosed?" Does it mean "Never!"
-
J jwcph@helvede.net shared this topic
