- cross-posted to:
- hackernews@lemmy.bestiver.se
- cross-posted to:
- hackernews@lemmy.bestiver.se
You must log in or # to comment.
Microsoft closed the case after the reporter refused to submit a video of the exploit
They don’t have any actual fucking security experts there, so they require video proof that ape will understand.
Posting zero day exploits on github is a shit move. But Microsoft should be happy that this guy posted it on github rather than selling it on the black market.
Banning his guthub account won’t make zero day vulnerabilities go away ffs.
I am so calling it ‘guthub’ from now on.
😅
git gut(hub)
You can well imagine that this reaction will fall on fruitful ground that some security experts will think twice about sending it to M$ or better selling it on the dark web, especially zero day exploits! Hell, boy, Microsoft does not seem to know with whom they are messing with.
This is what happens when the source code isnt open to review.
Microsoft has been committing class war against computer users since the 90’s and they get all butt hurt as soon as someone holds their code to the flame.
I can’t imagine what nightmarish vulnerabilities Microsoft knows about and is hiding because they would require too much effort to patch. I bet there are some really crazy things that have probably been wide open for decades if you only knew where to look.
Maybe like bitlocker 🤔 It’s almost like keeping windos closed source enables the government to keep exploits to themselves. But that can’t be the truth… can it?
What even is the headline
That was my thought, what a absolute mess of a ‘sentence’.
Eclipse implies that Microsoft ignored or refused their zero-day reports and/or did not pay out bounties as requested, somehow causing financial harm in the process.
“Somehow?”
Were the bounties not earned? Because simply not paying as a promised for services rendered is a very clear financial harm.
Responsible disclosure is a kindness; it is not required–especially if/when the vendor doesn’t act in good faith.
MS shouldn’t be able to silence researchers, but that’s what the industry gets by voluntarily clustering around a single, proprietary service.
I don’t think either party should be compelled to take (or reverse) any action.
Exactly. Thank you Microsoft do more of this so we end up in a federated world.
Didn’t Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such “act” is right, then banning the company should also be right. Ban all of them.
There was a protocol for reporting security vulnerabilities. Of course some companies don’t follow the protocol when vulnerabilities are reported to them, but that’s their problem.
You report the problem and then you wait 1 month, if the company still hasn’t fixed the issue by then, then you publicly announce it.
Unless it is an open source piece of software, any vulnerability I find will be publicly posted while I remove all software using it from all my devices and infrastructure.
That’s the difference between a security researcher who gives, and does not give a shit about peoples security.
The grace period is to protect people by giving the company time to send out patches. At 1 month, they publish the exploit to shame the company and get the cred either way.
The thing is if you want to continue working in the industry you have to give people the benefit of the doubt and give them time to fix the issue. If you don’t do that you’re very quickly find yourself to be out of a job no one wants to lose cannon, is bad for business.
Its not even the benefit of the doubt. They still publish and name and shame at 1 month. Its just to avoid harm to the users who the security researchers are ostensibly working to protect.
This, I can totally be behind this. I take it back, no public shaming, because of the users. Couldn’t care less about the fucking proprietary driven bullshit development companies.
The “vulnerability” in ffmpeg was only for an addon, which required a separate download by the user, which was only for a cinematic which was only in the game Star wars xwing vs tie fighter from the 90s, which would only occur at exactly 17s into the fmv.
HACK THE PLANET’s windows
If she’s going for maximum damage, I am surprised this person doesn’t just announce when she’s found a big exploit, and then just sell it to up to 10 people, and then announce in very vague terms what the exploits are. (Like, “just sold exploit for windows defender” or “just sold way to hack into bitlocker”).
It seems like the vagueness of such things would make corporations more worried about being hacked and Microsoft could only guess as to what specific code was hacked, costing them greater resources.
Yes, it would be illegal, and therefore I hope she doesn’t do that and recommend against it. But I am just surprised, given the level of anger, that she has been approaching things in a way that is so easy to patch.
Is her approach more damaging the way she’s actually doing it?
Would it actually be illegal? Im not a lawyer or anything, but im not sure what crime it would be. Using the exploit to hack someone would be illegal, but I cant see why developing and selling an exploit would be
Its a fine line between getting revenge on Microsoft and screwing over human beings that trusted them. I wouldn’t be surprised if a bitlocker zero day got someone killed, given the number of people using it around the world.
I wouldn’t be surprised if a bitlocker zero day got someone killed
How would it get someone killed?
Because people keep secrets on computers. You cave the combination of a tiny percentage of people who have secrets that are life threatening, and millions of people use bitlocker because its built into Windows. Its a tiny number times a huge number.
If I had to guess, that might include journalists who investigate authoritarian regimes, activists who keep their identity secret, and minorities who live in countries where their identity is a capital crime.
Then there are probably also governments who rely on bitlocker to secure the computers of people with state secrets like the identities of spies. Probably lots of other weird edge cases.
Image a dissidents hard drive and break into it later when an exploit drops. Selling to an exploit broker is even worse sense the individual would never know how or if a government intelligence agency got all their personal data because they expect it do be secured.
Best of luck to him on his crusade. Full support!
friendly reminder there is a github replacement for opensource made by framasoft I think
This is extremely unfair to MicroSlop.
deleted by creator
Man, Microsoft just keeps footgunning this one.
Every new exploit, they clearly have a meeting and convince themselves “that’s gotta be the last of it, right?”
So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)
Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating
Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset and the reason why he started doing this. They keep escalating. Its a war they started.
you know, since this little saga began I’ve had this tiny voice in my head hoping this one vindictive dude is, eventually, directly responsible for Microsoft going out of business/doing severe restructuring or downsizing as a consequence of businesses losing faith in the company’s products. Lots of people already raise an eyebrow at Windows 11’s issues, things like “all our shit is fundamentally insecure because microslop left a backdoor in [insert critical thing here], and has been for [weeks/months/years/???]” tend to have an adverse effect on sales, especially to risk-averse business customers. It’s not impossible to imagine that continued “holy fuck what 0day exploit just dropped?” incidents, on the level of YellowKey, happening every month, could result in businesses deciding to drop their enterprise licensing of MS products; and that’s going to hurt. That’s where a big chunk, if not the biggest chunk iirc, of their revenue comes from. It’s unlikely, it’s a longshot, but I’m allowed to have hope.
I’m especially now wondering, if YellowKey was the teaser – you know, just casually revealing a backdoor in BitLocker, like nbd – what the actual fuck are they going to drop in July? If that’s the appetizer, how juicy’s the entree gonna be?
Microsoft going out of business/doing severe restructuring or downsizing
Although I wonder if they could. Microsoft seems like one of those “too big to fail” companies, where they’d never be allowed to fall on their face, since Azure and Exchange prop up so many things. It’s not like there’s a major second option for an OS if you just buy a computer off the shelf like a lot of people do. You either get a Windows or a Mac.
If that’s the appetizer, how juicy’s the entree gonna be?
At the risk of going on a tangent, isn’t the entrée the appetiser? You don’t have an appetiser, an entrée, and then the main course.
I think as long as nothing actually happens, other companies wont care. No one is capable of thinking about the future anymore, there is only next quartal and short term profits.
It might actually be needed for something big to go down first, like those 0day exploits actually get exploited and some client company or few loses a lot of money because of it. Considering how unsecure windows is, i’m a bit perplexed how nothing hasn’t happened already.
Some of the other 0days this guy released are already being actively exploited in the wild, but no reports of big losses as a result of them yet. Having said that, the entire point of BitLocker was that it was full disk encryption that you didn’t have to think too much about; and now I bet every corporate IT department out there is looking at it with suspicion. If this guy can keep delivering on “things that keep sysadmins awake at night”, like “oh god every hard drive we’ve had stolen in the last few years can be fully decrypted now”, eventually a lot of them will decide it is less harrowing and less work to move their entire stack away from Microsoft than it is to live with them.
They’d better not be overselling this bomb they’re gonna drop in July. I’m already moved over to Linux fully now, to quote photonicinduction: I want flames. I don’t just want to see it all over the tech news, I’m hoping he screws with them hard enough the story makes it to actual TV news channels.
Very little seems to be beyond the incredulity of MS meetings, remember they had a meeting where someone suggested the OS take a screenshot every ten seconds of whatever the user was doing and upload it to MS servers and rather than everyone laughing they agreed to move it into development.
rather than everyone laughing
You misspelled “firing the authoritarian nutjob for cause,” which would’ve been the bare minimum of reasonable reactions.
if that’s bare minimum, what is the upper limit for reasonable reactions? Hang him?
Publicly shame, actively blacklist them from ever working in any of their companies, and making sure everybody in the IT space knows this, would ruin this person’s ability to do any more damage and might be the upper limit? Well that or doing a Boeing… Take your pick.
Snapshots and the contextual information derived from them are saved and encrypted to your local hard drive. Recall does not share snapshots or associated data with Microsoft or third parties, nor is it shared between different Windows users on the same device. Windows will ask for your permission before saving snapshots. You are always in control of what apps and websites get saved in snapshots, and you can delete snapshots, pause or turn them off at any time. Any future options for the user to share data will require fully informed explicit action by the user.
Considering the thread we’re talking in, it’s up to you if you trust MS to implement this well, but they are not uploading the screenshots to the cloud.
Personally I think the idea of Recall is great if it works to help you and only you. The problem isn’t the idea, it’s the trust. If a reputable open source project or Linux distro made a feature like this I think it would be cool, because I know my privacy is going to be respected and the feature is designed solely to help me and nothing more. However, when MS suggests this I’m immediately cautious, skeptical, and concerned about how it could be used against me.
The statement you quoted is itself a lie. It talks about snapshots, when that’s not at all what Recall is about. It takes snapshots, true. But it does not matter to MS whether the snapshots themselves are saved, or where. “Recall does not share snapshots or associated data” is a reference solely to the snapshot itself, not the data Recall creates from it.
Here’s what really happens. Once a snapshot is taken, it is analyzed with AI as well as converted into text (if text is present) and all that content (including passwords, banking details, medical records, whatever passes the desktop when a snapshot is taken) plus its local AI analysis is kept in a local database. That shrinks its size to almost nothing, making it much easier for MS to collect. This secretive local database itself is inaccessible to you (even as admin), one you have zero rights to control or delete or edit or even view, one over which you are never given any permissions, and at regular intervals that database is scraped and sent back to MS to use in data aggregation and resale and AI training and whatever the fuck else they want to do with it. Sure, you can turn off Recall in the AI settings, but it has now been proven that any Windows update just turns it all back on again.
Knowing this, go back and reread their statement in regard to snapshots. The entire thing is a misdirection and never once addresses the real payload of Recall and why MS, even after they pinky swore they had dropped it, they continued partnering with hardware makers to deliver “Recall-ready” PCs that already have the requisite NPU on the motherboard, which are needed to do all that local data OCR and analysis on the snapshots that don’t even matter to MS once they’ve been scraped for content.
It’s also a big attack surface. Just like how a lot of malware looks for the browser password cache now, it doesn’t take much for a malware developer to just go for the recall store. The malware doesn’t need to pack in software to take screenshots, if the OS serves it up for them on a platter.
The location is known, and I seem to remember it being fairly simple to view the contents in the right system viewer with a bit of work, so yeah. I never considered that but you’re quite right: MS is packaging that shit up all nice and handy for whoever can grab it by whatever means.
“Footgunning”?
A colloquial term equivalent to “shooting oneself in the foot”
A very clear answer
An explanatory sequence of words
Over-complication of ‘sentence’
AI loves to use the word. I never heard it regularly until AI started helping popularize it.
FWIW I’ve proudly been using it for years
Prove you haven’t been an Ai for years
You’re very right! There’s a lot of reasons to believe I might be an AI, such as:
- overusing bulleted lists and other common basic formatting features to improve readability
- uncommon grammatical symbols primarily used by autistic people in writing appearing overly-frequently
- overly bubbly, wordy and pleasant writing style that continues to respond even to terminating phrases and instructions to my own detriment
The verdict? I may in fact be an AI
Did this one achieve some intense introspection just now?
Shit
Then you did not speak with programmers regularly, I learned this term probably back in 2008ish
I guess so. I’ve learned lots of words from the ones I know, but not this one.
If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).
Even if this person is lying I’m more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.
It sounds like the guy treats these issues in a very standard way by notifying the company beforehand with a note that the findings will be made publicly at a certain date. Microsoft ignores it and it inevitably gets published. That‘s standard procedure. Microsoft throwing a tantrum is the only extra thing here although „shooting the messenger“ seems to become more common these days with these findings.
Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit
“Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”
"Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they’ll find another one, right?
He’s done more than two. This was his second round of releases. He was also the one that found the vulnerability in Windows Defender.
