> “CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
Well said.
I would argue that this form of disclosure is ethical in the face of Microsoft misbehaving. It's like mutually assured destruction - and in this case (it sounds like) Microsoft tried to cheat and thought they would get away with it.
Feeling consequences is how they are kept in line. Maybe next time they will think twice before (allegedly) treating a person like they did here, as well as the creative reasoning I recall them using in the past to reduce payouts.
I know this is a crazy take. But I do feel so downtrodden by many, many tech corps these days that I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.
That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized or, as per usual, the law will enforce a large corp's will against him.
Yes. Definitely a Friday night after a hard week take.
there are active forks, and active mitigations for redsun undefend and bluehammer.
so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.
only recently has an OOB mitigation been offered
https://www.techspot.com/news/112410-security-researcher-mic...
> so far as i can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that ms needs, to "manage" your computer.
It does look like an intentional backdoor. The way ms is responding to it is even more suspicious.
Pretty funny since this defeats security on most corporate laptops, so impact is huge. You'd expect them to treat the reporter better and fix the issue fast...
I'm curious why they put it in, I'm not sure I understand the 'to "manage" your computer' note.
Microsoft should have no reason to put something like this in. So either they were forced or they had some engineers that did this on their own without any oversight.
> backdoor that ms needs
source:
> “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,”
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
Responsible disclosure isn't a law, it's a norm vendors invented and lean on when it suits them. Nothing legally requires you to report to a vendor first. Full disclosure and non-disclosure are valid choices as well.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
At the end of the day, Microsoft won't care how bad any of this will make them look. Their reputation has been abysmal for decades, but none of it actually seems to have any kind of negative effect on their bottom line.
Related:
GitHub bans security researcher who posted zero-day Windows exploits
https://news.ycombinator.com/item?id=48315968
Sorry not sorry
This is poor damage control by Microslop. Why would the researcher publish valuable exploits without trying to get a bounty?
Usually, when an individual is that upset, the group or corporation is wrong and tries to shape public perception by lying.
Since when is publishing zero days a crime anyway? Shame on Microslop for these intimidation tactics. The real crime is vibe coding operating systems.
I may not have seen the full story - and I am cognizant of this - but what I have seen so far puts me solidly on the side of Nightmare Eclipse.
Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
Everything I've read points to the same.