266 comments

  • rukshn 2 days ago

    I stopped reporting any security bugs I find in web apps because first time I did it I almost got arrested by the police.

    The second time I did it they contacted my employer directly without even getting back to me saying they were unhappy of me reporting it and wanted to write about it after they fixed the issue.

    Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.

    • Permik 2 days ago

      If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

      Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.

      • taneliv 2 days ago

        I should have known this exists, yet I didn't. Thanks for pointing it out.

        This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

        In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.

        • notarobot123 2 days ago

          Just to play devil's advocate, couldn't sending zero-day exploits to a foreign nation's intelligence service potentially cause the sender significantly more trouble?

          • wongarsu 2 days ago

            Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies.

            The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability.

          • paulryanrogers 2 days ago

            Because... your home country or affected company could consider it espionage? Sounds like a stretch.

          • johnbarron 2 days ago

            It depends on the country apparently:

            "Israel reached out to US hackers for ‘Zero Days’ tools" - https://www.timesofisrael.com/israel-reached-out-to-us-hacke...

          • reaperducer 2 days ago

            > Just to play devil's advocate

            Why?

            • bauldursdev a day ago

              Because information asymmetry benefits those with the information. If the devil understands your argument, and you don't understand the devil's argument, the devil will have information advantage.

              • reaperducer a day ago

                Not everything in life deserves to have both sides aired.

                For example, the Internet giving every crackpot wingnut on Earth an equal voice with scientists is how we end up with measles outbreaks.

            • 0xDEFACED 2 days ago

              it's a good question

      • entropie 2 days ago

        > If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

        The CCC (Chaos Computer Club) in Germany will probably do the same.

      • firefax 2 days ago

        Were you somehow able to intuit that parent is Finnish?

        I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.

        • Aachen 2 days ago

          > the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO

          Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with

          > Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.

          • firefax 2 days ago

            That now that they've joined NATO, it's safe to share with them.

            A "neutral" country might abuse them.

      • rvnx 2 days ago

        You now have the worst of both worlds.

        You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.

        All of that without any benefits.

        • Aachen 2 days ago

          If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia, but it's not "reporting yourself" here.

          • chadgpt3 2 days ago

            I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.

            • Aachen 2 days ago

              > I wouldn't trust anything like that in Germany [...] Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period.

              This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was.

              Clearly this doesn't work as a blanket statement, and coordinated vulnerability disclosure is a thing here. I can agree there are caveats, but the statements as made aren't accurate.

              As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software).

            • ahartmetz 2 days ago

              Apart from a certain general incompetence in IT related topics, common sense is a rather important part of German legal interpretation. Intention, proportionality and such.

              There are some infamous counter-examples, but you can find these in any country and it's these that make the news.

        • Barbing 2 days ago

          Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?

          • Swiffy0 2 days ago

            Well I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch, I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.

            You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...

            This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority.”

        • sunaookami 2 days ago

          Reporting software vulnerabilities in Germany is the dumbest thing you can do, you WILL be arrested. There is a recent case where some company had a hardcoded database password in their EXE file and if you open it with e.g. Notepad you can see it and this already counts as "illegal hacking". https://www.heise.de/en/news/Federal-Constitutional-Court-re...

        • PunchyHamster 2 days ago

          Sir, this is not USA, don't assume stuff fucked up there is fucked up everywhere

          • embedding-shape 2 days ago

            It's starting to be so common on the internet, clueless US residents not really grokking that things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...

            • noir_lord 2 days ago

              > You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...

              You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.

              Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).

              They just seem to blur the border between nationalism and patriotism more than most countries.

            • Nasrudith 2 days ago

              That sounds a lot like the assumption that crime rates are better in less populous areas - just because there is less reporting doesn't mean that it isn't there.

              Have you been to the US? If not how can you be certain that the US is truly worse?

    • hennell 2 days ago

      I once tried to report an incident to a train line who had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office and in front of a wall with an A4 page of usernames and logins for various systems on it.

      I tried three different contacts I could find, only one came back to me and wanted to know what the systems did what the risk was etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated etc.

      I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...

    • harrouet 2 days ago

      Some may criticize regulations, but the EU-mandated Cyber Resilience Act (CRA) actually forced companies to have a clear contact point for vulnerability reporting, and to act upon it.

      • hiAndrewQuinn 2 days ago

        2026-09-11, save the date folks. That's when all companies selling products with digital elements in the EU have to have a reporting pipeline for actively exploited vulnerabilities and severe incidents.

        • u8080 2 days ago

          Easy to remember

          • mjmas 2 days ago

            Silver anniversary for it

          • cromka 2 days ago

            [flagged]

    • subscribed 2 days ago

      Do not bother.

      I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.

    • p0w3n3d 2 days ago

      That's really sad to hear, you must have felt really bad. Just because they do not know about the vulnerability, it won't disappear. And they won't fix it either. Ignorance is bliss, but not in this case...

      • SlightlyLeftPad 2 days ago

        It should be obvious who the real criminals are in this case.

    • lionkor 2 days ago

      You could try reporting them (the exploits) anonymously to a government agency

      • phartenfeller 2 days ago

        The German "Chaos Computer Club" (hacker club) has a disclosure service. They approach the affected party as the club, hiding the person's identity. Not sure if they do it internationally as the page is in German. But nice idea and not a government agency.

        https://www.ccc.de/disclosure

        • Lukas_Skywalker 2 days ago

          They did notify Collins Aerospace in the past, so I assume they do report internationally.

      • ranger_danger 2 days ago

        So they can exploit it in secret for their own benefit?

        • lionkor 2 days ago

          If you have so little trust in your government (maybe you're American?) it might be time for change!

          • ranger_danger a day ago

            Considering Snowden files have shown they intentionally hoard 0days, I don't think it's so much a lack of trust as it is a proven track record of their behavior.

          • voakbasda a day ago

            No shit. Mind telling us how? Because elections sure aren’t going to do it.

            edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.

    • lofaszvanitt 2 days ago

      sell them to a vuln or exploit broker. problem solved.

    • avazhi 2 days ago

      [flagged]

    • Izmaki 2 days ago

      [flagged]

    • snvzz 2 days ago

      [flagged]

  • tptacek 2 days ago

    No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.

    This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.

    This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.

    [†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.

    • somenameforme 2 days ago

      Read the write up on YellowKey. [1] It sounds like, in at least some instances, he's publishing official Microsoft backdoors probably used by US intelligence agencies et al. It turns out that Bitlocker is insecure and backdoored. Something noooobody expected after TrueCrypt just mysteriously and suddenly shut their doors one day, removed all downloads, and recommended everybody move to Microsoft's BitLocker. lol.

      [1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...

      • Dylan16807 2 days ago

        If you were using bitlocker to replace truecrypt, you'd have a boot password and this would not affect you at all.

        I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.

        And where's the claimed version that works when a PIN is set?

        • embedding-shape 2 days ago

          > And where's the claimed version that works when a PIN is set?

          Maybe it was on GitHub/GitLab before the author was banned by both Microsoft and GitLab, not really sure we'd know. The author's last post on their blog is from yesterday (28th of May, https://deadeclipse666.blogspot.com/) so it seems they aren't fully gone. But yeah, been a lot of "promises" but besides the initial 0days, not so much released AFAIK.

        • 2 days ago
          [deleted]
      • ChocolateGod 2 days ago

        It's not a backdoor, Microsoft doesn't need a backdoor to bypass BitLocker because they can sign payloads that'll pass the TPM.

        • kristjank 2 days ago

          Why would it not be? Microslop doesn't need to make such a backdoor, but it's still a lot more convenient to make one generic backdoor than many signed ones.

          • ChocolateGod 2 days ago

            They'd only need to make one payload that keeps the TPM happy, unlocks the disk and provides the files for export some way.

            Far safer than a backdoor and no evidence.

            But the slop in your comment here indicates you're arguing in bad faith.

    • halJordan 2 days ago

      It all started because the bureaucracy refused to even consider Bluehammer when they couldn't cajole the reporter into providing video footage.

      And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.

      • tptacek 2 days ago

        They're not. These programs make decisions I wouldn't make all the time (though for reasons more complicated than message board discussions capture). I'm making a much narrower claim than you think I am.

      • thewebguyd 2 days ago

        They also silently patched RedSun, didn't issue a CVE until much later.

        There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.

        • chadgpt3 2 days ago

          They are probably the NSA backdoors

    • ikidd 2 days ago

      The bug this guy brings up is very obviously a Bitlocker backdoor and raises very serious questions about what Microsoft is doing with the encryption. Pretty certainly they're able to decode the volumes without the user's key, which is extremely concerning.

      Looks like they're trying to make it disappear, but it's in the wild now.

      • bri3d 2 days ago

        It’s a post-boot authentication bypass exploit. Any post-boot authentication bypass exploit against TPM-only sealed BitLocker effectively bypasses it. The user doesn’t have a key to start with in this setup, just the machine.

        This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.

      • thewebguyd 2 days ago

        I wouldn't be surprised if this was intentionally put in, but I think it's important to clarify that the encryption itself wasn't broken, and with this exploit specifically the drive also has to remain inside the original PC/TPM. It's a boot authentication bypass, not an encryption break.

        As far as we know, having TPM+Pin or TPM+Startup Key breaks the exploit. TPM only was always known to be basically ineffective against threats like laptop theft, TPM only would only protect you if the drive was stolen out of the machine, which in that case, this exploit also would not work.

        • cryo32 2 days ago

          I know someone who works for a nefarious gov org and they never put the bitlocker keys in the TPM on their laptops. You have to enter the password yourself on power up.

          Wonder if they knew about this.

          • tgsovlerkhgsel 2 days ago

            You don't need to be thinking of any specific vulnerability to realize that putting the decryption key next to the data you're trying to protect is a dumb idea.

            If for example a laptop like that gets lost or stolen, the attacker has the data and the key, in a box they physically hold, with no attempt limit, and unless they actively mess with the boot process, it will happily load the key into memory for them. If it's a discrete TPM the attacker can likely sniff the key on the wire. If that doesn't work, they just need to find a vuln anywhere in the secure boot process, or in Windows, and again, they have the key. And if that doesn't work, they could sniff the memory bus, or do a cold boot attack (again, with unlimited attempts unless they irreparably damage the mainboard/TPM in the process).
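            A defender-side check for the TPM-only configuration that thewebguyd and tgsovlerkhgsel describe above, added here as an example and not taken from the thread: it lists each BitLocker volume's key protector types and flags volumes that unlock with the TPM alone, so a pre-login bypass of the OS would hand over the data. It assumes the stock BitLocker PowerShell module in an elevated session; the function name is my own, and the Group Policy remark is an assumption about the default configuration.

            ```powershell
            # Added example (not from the thread): audit BitLocker key protector types
            # per volume and flag TPM-only volumes. Requires an elevated prompt and the
            # built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector).

            # Protector types that require a user-held secret before the OS boots.
            $PrebootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

            function Get-BitLockerProtectorAudit {
                # Hypothetical helper name; wraps the real Get-BitLockerVolume cmdlet.
                Get-BitLockerVolume | ForEach-Object {
                    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
                    $hasTpm     = $types -contains 'Tpm'
                    $hasPreboot = [bool]($types | Where-Object { $PrebootTypes -contains $_ })
                    [pscustomobject]@{
                        MountPoint = $_.MountPoint
                        VolumeType = $_.VolumeType
                        Protection = $_.ProtectionStatus
                        Protectors = ($types -join ', ')
                        # TPM-only: the volume unlocks with no user secret, so anything that
                        # gets past the boot chain to the login screen already has the data.
                        TpmOnly    = ($hasTpm -and -not $hasPreboot)
                    }
                }
            }

            $audit = Get-BitLockerProtectorAudit
            $audit | Format-Table -AutoSize

            # Remediation for an OS volume reported as TpmOnly: add a TPM+PIN protector.
            # Assumption: the Group Policy "Require additional authentication at startup"
            # must permit a PIN, otherwise the cmdlet is rejected. Uncomment to apply:
            # $pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
            # Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
            # Re-run Get-BitLockerProtectorAudit afterwards and confirm no bare 'Tpm'
            # protector remains on the OS volume.
            ```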

          • tatersolid a day ago

            The key is still in the TPM in that scenario, it just requires a password to unlock it.

      • LocalH 10 hours ago

        It's a journal replay attack

    • thaumasiotes 2 days ago

      To corroborate, working in bug bounty triage, I never saw any evidence of reluctance to pay out.† The worst company-side behavior I observed was asking researchers to "please stay away from X" in their proof-of-concepts and then making higher payouts to researchers who ignored that instruction (because, after all, the demonstrated risk was higher!).

      On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.

      † Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.

      • arjvik 2 days ago

        ooc, would you claim it's the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? was it publicly discoverable and exploitable or was there some form of protection?

        • thaumasiotes 2 days ago

          I would agree it's the researcher's responsibility. It's not that the company put up a webshell for kicks. The researcher found an exploit (good), and used it to install a webshell, demonstrating the highest possible risk (fine).

          Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.

          Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?

          Was it publicly discoverable?

          Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.

          Was it publicly exploitable?

          Yes; the researcher didn't set up any authentication or anything.

          • BenjiWiebe 2 days ago

            If the URL was unpublished, isn't that the same-ish as password protected?

            All about bits of entropy i.e. difficulty if guessing.

          • lstodd 2 days ago

            I.. just can't wrap my head around that.

            Once the notification is in and the shell demonstrating it is up it should be immediate redeploy to a clean state, fix the hole, redeploy to a patched state.

            The shell disappears on step one.

            Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?

            What is this lunacy?

            • rcxdude 2 days ago

              It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.

              • lstodd 2 days ago

                It didn't become any more vulnerable.

                This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

                If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

                • Dylan16807 a day ago

                  > It didn't become any more vulnerable.

                  That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

                  > If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

                  Well most people wouldn't, and for good reason.

      • bflesch a day ago

        It happened many times to me, especially on H1 but also from senior FAANG engineers on their mailing lists. If your job is to pretend all is fine it is easy to discard valid reports.

    • mancerayder 2 days ago

      If they were smart after the ban, they'd hire him for mucho dinero. These corporations are nervous but if they're not stupid they pay out. It's Microsoft, so it's perhaps not the most progressive when it comes to these things, so who knows if they've realized it.

      • protocolture 2 days ago

        They are supposedly disgruntled ex-Microsoft. I don't know if they would accept a payout.

  • bitbasher 2 days ago

    I can’t help but feel Microsoft will regret this.

    Guy finds zero days and gets no compensation. Instead gets banned.

    Guy sells zero days elsewhere.

    • Aurornis 2 days ago

      But the story is supposedly about him posting the zero-day exploits, not selling them. It’s in the title.

      He also got banned from Gitlab, which isn’t related to Microsoft at all.

      • gchamonlive 2 days ago

        Ever considered these aren't the full set of exploits the researcher discovered? Or that he can find more since he found these? If I found a bunch, I'd certainly withhold a few as insurance.

        • thewebguyd 2 days ago

          He's claimed that he has more as well. He seems to have a personal vendetta against Microsoft going by his blog, said nothing will be released in June but will in July: https://deadeclipse666.blogspot.com/2026/05/july-14th.html

        • Aurornis 2 days ago

          Sure, but GitHub and Gitlab aren’t the only two ways to share code on the Internet. The conspiracy theories about two unrelated companies shutting down his git accounts to prevent him from releasing these supposed exploits are reaching pretty deep into conspiracy theory nonsense. The conspiracy theories can’t even agree if he was banned for posting them or because he hadn’t posted them but might post them.

          • 15 hours ago
            [deleted]
          • nazgulsenpai a day ago

            I can see a situation where Microsoft contacted federal law enforcement to strongarm both GitLab and GitHub. But I believe all megacorps are one giant government conspiracy so consider the source.

            • thfuran a day ago

              At this point, the government is a megacorp conspiracy.

          • gchamonlive 2 days ago

            Is Gitlab also part of this? This is disappointing but unsurprising :(

          • yieldcrv 2 days ago

            time to post on IPFS

            • snvzz 2 days ago

              Sadly, IPFS is compromised[0].

              0. https://specs.ipfs.tech/ipips/ipip-0383/

              • gchamonlive a day ago

                What does this mean and compromised in which sense?

                • yieldcrv a day ago

                  They’re pointing out a proposal that some nodes can block pins, resulting in censorship

                  and that censorship at all would compromise the point of IPFS

                  although I disagree with both of those takes. Nodes always had discretion in IPFS, just pick a different node or pin something yourself which has pretty much always been required. Everyone can route to your pinned files while pinned.

                  • gchamonlive a day ago

                    Ah! Ok, when I read compromised I thought it was a proposal that introduced a security vulnerability to the tech. Thanks!

      • 2 days ago
        [deleted]
      • linkregister 2 days ago

        I'm not sure if this is an unintentional mistake. Gitlab did not perform a ban. Github performed the ban. Github is fully-owned by Microsoft.

      • lobito25 2 days ago

        Are you sure?

      • PunchyHamster 2 days ago

        Well, after they didn't pay him for previous bugs. Not an excuse but certainly a reason.

    • akkartik 2 days ago

      Not to mention all the other people who find 0-days. Reputation matters a lot.

      • mapontosevenths 2 days ago

        Yep, and it's a really small world out there.

        If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.

        • SXX 2 days ago

          Well. It's bad news for society as a whole.

          The security industry is going to be okay - someone will always pay for 0-days. If vendors won't pay, it's just gonna be US agencies, Israeli resellers, China or Russia.

          If you don't feed your army, you will soon feed someone else's.

          • rurban 2 days ago

            It's bad news only for Windows bureaucrats. Good orgs don't use Windows.

            • mapontosevenths 2 days ago

              I have now worked for/with a significant percentage of the fortune 500. All used Windows in some capacity.

              Is this just your way of saying that only tiny, weird, companies are "good"?

              • rurban 2 days ago

                It's saying that those with Windows could be 100x more effective and secure. Wasting billions of money and a lot of time.

              • hparadiz 2 days ago

                These days corporate security treats these workstations like a dummy terminal. No secrets live on the workstation. You have to re-auth with SSO constantly with biometrics and are basically editing data that is in a cloud. So the risk to a corp is minimal, where even in the worst case they are insured.

                Zero-days like this are being disclosed regularly, so the idea of securing a Windows workstation is tantalizing, but you'll never feel satiated trying to drink that water, so don't even try.

                So yeah, there are plenty of Windows users, but we're certainly not hosting anything important on those boxes and would frankly be aghast at the suggestion.

                • thewebguyd a day ago ago

                  > These days corporate security treats these workstations like a dummy terminal

                  Correct, "zero trust" is the buzzword but this is how Microsoft even recommends you set up your endpoint infra. Assume breach, treat every endpoint as if it is currently compromised or could be at any time. Laptops are basically ephemeral, when set up right, and can be wiped and re-imaged within an hour or less.

                  That's not unique to Windows either, that's how all employee/user endpoints should be managed.

      • hedora 2 days ago ago

        Not to mention all the startups being founded right now. Sure, GitHub's still the default, and maybe you can still monetize stars or something, but it's also a clown show from an availability, feature roadmap and company policy perspective.

        Is it really fiscally responsible to tie your company's future to that?

        I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?

    • nullbio 2 days ago ago

      Why would they regret it? According to the person who found them, they put those vulnerabilities there for a reason.

    • themafia 2 days ago ago

      > Guy sells zero days elsewhere.

      No problem. The CIA will give its high-level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.

  • b3lvedere 2 days ago ago

    In recent months I've been dealing with a lot of strange digital responses at various related things. It caused a lot of frustration and I couldn't exactly pinpoint what I was doing wrong. Then I read this sentence in the article:

    "But to save money, Microsoft fired the skilled people, leaving flowchart followers."

    Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.

    • irusensei 2 days ago ago

      Most companies providing corporate security consulting I had to deal with in the past are operating on a checklist.

    • throwburn202605 2 days ago ago

      In a lot of blue-collar trades - mechanic/electrician/builder etc. - following the `flowchart` is the `law` of the land, and process is written in blood and liability.

      Whereas IT/Ops/developers see themselves as artisanal, free-thinking, intellectual beings, where skill is related to shortcuts, hacks, and thinking outside the box compared to following process.

      • 1718627440 2 days ago ago

        These get trained to be able to reason about why the flowchart is the way it is, or outright to construct it. If you can't create a flowchart yourself, you shouldn't direct work following it. Following the flowchart is there so that you don't make mistakes in execution, because there will eventually be mistakes; it's not intended to save you from knowing what you do in the first place. In other words: you follow a flowchart to prevent accidental deviations from the process. Once you question what you actually should do, the flowchart is useless as guidance.

      • pjc50 2 days ago ago

        And in other blue collar union environments, following the book is known as "work to rule" and considered a mild form of sabotage/industrial action.

      • radishingr 2 days ago ago

        It depends, flowcharts are great for defined processes, but troubleshooting (which vulnerability research mirrors) is not a flowchart or checklist or task list.

      • stephen_g a day ago ago

        It depends what your skill set is - professional engineers are qualified to make the flowcharts and sign off on designs. So it’s not about how you see yourself, it’s whether you have the experience and training to be able to follow actual engineering methodology.

      • b3lvedere 2 days ago ago

        I am all in favor of extensive logging, documentation and following the processes, especially regarding safety. But there will always be miscommunication and cases where some thinking or adaptation of those processes is required. Stopping that for cost reduction will eventually lead to enshittification.

  • jrflowers 2 days ago ago

    > forcing them to pack up and move shop to GitLab instead.

    https://gitlab.com/nightmare-eclipse

    Blocked user @nightmare-eclipse

    Looks like they’re banned on GitLab as well?

    • parliament32 2 days ago ago

      I suspect MS threatened them with a SmartScreen blackhole for the domain, I'm not surprised they pulled it.

      • josephg 2 days ago ago

        I don’t like the idea Microsoft can bully other websites into blocking content they don’t like.

        • akerl_ 2 days ago ago

          Do we have any evidence they did that other than the comment you replied to speculating?

          • keepupnow 2 days ago ago

            Yes they definitely did that. Find evidence to the contrary.

            • no-name-here 2 days ago ago

              Is this sarcasm? Or are you saying that the onus of providing proof is not on those making the claim, but instead that the onus of proof is on those who did not make the claim?

              • baobabKoodaa 2 days ago ago

                You don't need to be Sherlock Holmes to draw that conclusion.

              • snvzz 2 days ago ago

                Sure you can provide an alternative explanation?

                Otherwise, that's the best we have.

                • no-name-here 2 days ago ago

                  > Sure you can provide an alternative explanation?

                  In terms of a possible explanation for why GitLab would take an action, was it considered whether the (disturbed?) user violated GitLab's Terms of Service? Is the assumption that GitLab didn't just enforce their ToS, but that they're instead more likely to be secretly acquiescing to backroom bullying between companies over specific users?

                • akerl_ 2 days ago ago

                  It seems clear that the Bitbucket devs paid bribes to Gitlab to ban this user to drum up anti-GitHub sentiment.

            • 2 days ago ago
              [deleted]
    • Aurornis 2 days ago ago

      Are there any copies of what he supposedly posted? I have a hard time believing someone posted groundbreaking exploits to two separate Git websites and not a single person cloned them.

      I also think it’s funny that people are alleging .gov conspiracies that end in a publicly hosted “blocked user” page instead of just 404-ing or something.

      • jwitthuhn 2 days ago ago

        Forks are still alive on github, so it seems unlikely microsoft did this to suppress the code. Unless they are wildly incompetent, which I don't want to outright reject as a possibility.

        https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre

        Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.

  • embedding-shape 2 days ago ago

    Is there any public word from Microsoft about what is going on here? Why would both Microsoft and Gitlab ban the user? I thought both platforms allowed hosting exploits and security research as long as everything is clearly marked up-front, I'm guessing some rules were broken?

    • amusingimpala75 2 days ago ago

      Well if it’s a full disk encryption exploit that still requires hardware access I imagine it would have been made for a 3-letter govt org or something

      • snvzz 2 days ago ago

        FDE is meant to protect data at rest.

        Hardware access is a given.

      • halJordan 2 days ago ago

        The FDE encryption exploit is only for volumes that auto-decrypt anyway. So it's a known (accepted) limitation that the model doesn't really try to avoid.

        You guys need to stop reaching for conspiracy

        • throwaway85825 2 days ago ago

          Which is all of them that don't require a pin (rare).

    • notawhitemale a day ago ago

      [dead]

    • mapontosevenths 2 days ago ago

      [flagged]

      • hedora 2 days ago ago

        Usually, when intentional backdoors like that get found and fixed, the 'someone else' stays silent. Otherwise, they provide proof that they've been planting backdoors, and that's much worse than having a hole plugged.

        To get an idea of how this stuff usually works, start with the Simple Sabotage field manual:

        https://ia601309.us.archive.org/14/items/Simplesabotage/Simp...

      • Aurornis 2 days ago ago

        If a government agency wanted to sweep this under the rug, don’t you think they’d just pay the bounties for the guy instead of giving him more ammunition for his crusade?

        I think it’s more likely that the guy is just being as abusive to these services as the quotes in the article suggest, where he’s talking about crushing their bones.

        • mapontosevenths 2 days ago ago

          >you think they’d just pay the bounties for the guy instead of giving him more ammunition for his crusade?

          It seldom pays to presume competence.

      • bananamogul 2 days ago ago

        I'm not a BitLocker user or expert, but I thought I'd read that if you used a BitLocker PIN, the exploit didn't work. If the gov't asked MSFT to deploy an exploit, wouldn't they make it work PINlessly?

        • stackghost 2 days ago ago

          The hacker claims it can bypass PINs as well, but AFAIK hasn't posted a PoC.

      • ChocolateGod 2 days ago ago

        There's zero proof it's an intentional backdoor; it's just FUD spread by the exploit author, which is probably not helping his case and may be the reason for his ban.

        Microsoft doesn't need to put in a backdoor on disk because they can make payloads that'll pass the TPM and not need a single trace on the disk.

  • __d 2 days ago ago

    Shoot the messenger. That’ll fix it.

    • subscribed 2 days ago ago

      Maybe they want to incentivise selling exploits to nation states, not patching them?

  • sspoisk 2 days ago ago

    This situation highlights the inherent conflict of interest in Microsoft owning GitHub. While GitHub has clear terms of service regarding the hosting of active, weaponized exploits, the optics of banning a researcher who specifically targeted Windows are always going to look vindictive, regardless of the justification.

  • JumpCrisscross 2 days ago ago

    Has Microsoft just created an editorial responsibility for itself to remove zero days from GitHub?

    If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?

    • akerl_ 2 days ago ago

      Why would taking this action have any implication for responsibility to take future actions against other accounts?

      • JumpCrisscross 2 days ago ago

        Legally? I don’t know.

        More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.

        • akerl_ 2 days ago ago

          Outside of legally, I’m not aware of any framework where “creates an editorial responsibility” makes sense.

          Even beyond that… most business relationships wouldn’t involve an expectation that Microsoft does things for other entities that it does for itself.

          • JumpCrisscross 2 days ago ago

            I’m thinking of § 230 of the CDA [1], where the line between publisher/speaker and not can come down to editorial discretion.

            [1] https://en.wikipedia.org/wiki/Section_230

            • akerl_ 2 days ago ago

              It can’t, and it doesn’t.

              Section 230 has no concern with publishers making editorial decisions. GitHub can moderate user content on its site however it wants.

            • no-name-here 2 days ago ago

              Per your source:

              1. Section 230 was largely enacted in 1996 to solve the 1995 ruling that "because Prodigy had taken an editorial role with regard to customer content, it was a publisher and was legally responsible for libel committed by its customers" (i.e. one of the biggest purposes of section 230 was to allow companies to make editorial decisions without causing them to become legally liable as a result).

              2. The law was "designed to override the decision…, so that a service provider could moderate content as necessary and would not have to act as a wholly neutral conduit."

              3. However, Trump has challenged that, including with Executive Orders, although I don't think Trump's rationale is well thought through, including because he explicitly complained that his posts like "Any difficulty and we will assume control but, when the looting starts, the shooting starts" being taken down was a specific example of why 230 should be revoked.

              4. And some think the opposite as well, such as Democratic leaders who "believed that Section 230 led the companies to fail to take any preemptive action against the people who had planned and executed the Capitol riots" for example.

              EFF's take on 230 ( https://www.eff.org/issues/cda230 ) includes:

              > Section 230 allows for web operators, large and small, to moderate user speech and content as they see fit. This reinforces the First Amendment’s protections for publishers to decide what content they will distribute. Different approaches to moderating users’ speech allows users to find the places online that they like, and avoid places they don’t.

  • zuzululu 2 days ago ago

    What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and are thus releasing zero-days that they found with the help of AI?

    Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.

    • hedora 2 days ago ago

      It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:

      > But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.

      If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.

      Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).

      Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.

      If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

      • selcuka 2 days ago ago

        > If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

        How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.

      • thaumasiotes 2 days ago ago

        > and the response was flow chart tech support with a "buy a webcam" cherry on top

        I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

        • xethos 2 days ago ago

          Which, if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera

          Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically

          • tosti a day ago ago

            I've used cheap HDMI to USB adapters for that in the past. Worked fine albeit somewhat low res. (Still much better than a camera pointed at a screen.)

          • no-name-here 2 days ago ago

            >>> flow chart tech support with a "buy a webcam" cherry on top

            >> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

            > if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera

            That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.

          • thaumasiotes 2 days ago ago

            > (USB or other HID, key combination)

            I don't think you'd need an external camera for that. What you're doing would be mentioned in the accompanying report.

            I do agree with you about the boot process, though.

            • mook 2 days ago ago

              I believe Hyper-V supports emulating TPM these days, so doing things to a VM and recording the desktop with the VM window _may_ work. In this case though it'd look very boring because you couldn't tell from the recording that anything happened.

            • xethos a day ago ago

              Personally I'd think Microsoft would be cool with following the report instead of demanding video evidence in the first place, but silly me thinking the trillion dollar multi-national would be reasonable

        • itopaloglu83 2 days ago ago

          It feels like they’re trying to put hurdles in front of you instead of getting info about the repeatability of the vulnerability.

      • sgjohnson 2 days ago ago

        > If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

        Selling to the highest bidder doesn’t generate headlines though.

        • chadgpt3 2 days ago ago

          Oh it does, but they don't say "Researcher sells exploits to the highest bidder", they say "Handala group shuts down nuclear power plant"

    • technion 2 days ago ago

      The researcher's own statements note that the zero days were not found with AI.

      And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.

    • beej71 2 days ago ago

      > They seem to have a personal vendetta against Microsoft

      Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...

      I might be projecting.

      • antonvs 2 days ago ago

        What were the "so many better options" during that period? Have we found the only remaining CP/M fan?

        • beej71 11 hours ago ago

          OS/2 and DR-DOS are a couple examples. But what really gets me is the whole Xenix thing.

          CP/M was great on Z80 systems. But a 386 was capable of so much more.

        • em-bee 2 days ago ago

          a bit later, but not much: OS/2

          • pdonis 2 days ago ago

            The fizzling of OS/2 was as much IBM's fault as anything. If they'd paid more attention to it sooner, MS might never have shipped Windows; they'd just have made their office applications OS/2 GUI programs. But IBM was too fixated on its mainframes to realize that they were giving away the PC market to MS (again--they did it the first time by licensing DOS to MS).

            • stephenhuey 2 days ago ago

              Before Facebook, I used Friendster. Years later, I read how Friendster execs were too busy patting themselves on the back and flying around on private jets to get around to fixing the horrendous site lag of sometimes a minute to even sign into the web app. How could a company's leadership be so foolish? I understood this paled in comparison to the doomed arrogance of IBM's leaders when I read stories about IBM's downfall in the delightful book In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters.

            • beej71 11 hours ago ago

              Wait, did IBM license DOS to Microsoft? I thought IBM was looking for an operating system for the PC and approached Kildall about CP/M. That deal fell through, so they approached Microsoft. Gates didn't have anything, so he licensed QDOS for a song and licensed it to IBM.

      • lstodd 2 days ago ago

        I was forced to use ms basic on my c64. Never forgive, never forget.

        • selcuka 2 days ago ago

          I always found it weird to ship a BASIC interpreter that didn't have specialised commands (unless you count POKE) to access the graphics and sound capabilities of a computer like the C64. Some computers of the same era had vastly superior BASICs (such as Sinclair BASIC).

          • nonfamous 2 days ago ago

            OTOH, I learned a hell of a lot about microprocessor internals by using POKE.

          • chihuahua 2 days ago ago

            I agree, it seems very low-effort on Commodore's part to license this lowest-common-denominator BASIC with no support for graphics and sound other than POKE. Super lame, but they got away with it.

            • voakbasda a day ago ago

              No they didn’t. If they had, I would be typing this on my Commodore phone.

    • soulofmischief 2 days ago ago

      We're witnessing the industrialization of intelligence.

  • LelouBil 2 days ago ago

    Very important info: https://www.theregister.com/security/2026/05/28/microsoft-0-...

    In the linked Microsoft blog post, they say:

    > The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

    So are they lying? Why would Nightmare-Eclipse not report them if they are not?

    It's a very weird situation.

    • thewebguyd 2 days ago ago

      > the disclosures put our customers at unnecessary risk.

      That statement irks me. Responsible disclosure or not, it's Microsoft themselves that put their customers at risk, not the researcher.

      • Cpoll 2 days ago ago

        The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.

        It's not a dichotomy either, they can both have put the customers at risk.

      • ikidd 2 days ago ago

        Especially since the only explanation for why this exists is as a backdoor.

    • subscribed 2 days ago ago

      Yeah, but the customers in this statement are the entities that requested this backdoor. Not the people/companies who paid for the licences.

    • firefax 2 days ago ago

      >Why would Nightmare-Eclipse not report them if they are not ?

      Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

      • firefax a day ago ago

        >Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

        Whoever silently downvoted this, I'd love to hear why you so strongly disagree with my assessment.

    • notawhitemale a day ago ago

      [dead]

  • ptrl600 2 days ago ago

    Lots of copies of the Windows source code still on GitHub, which is problematic if you're interested in NT and want to contribute to Wine or something...hard to avoid running into restricted code

  • jasonvorhe 2 days ago ago

    Amidst abysmal uptime, Ghostty leaving and now this, GitHub is accelerating their own downfall.

  • Szpadel 19 hours ago ago

    Now, that should teach him to sell those on the black market instead.

    I'm mostly joking here, but Microsoft is one of few companies that handle cybersecurity in a way that really incentivizes people to not report to them.

    It's either by downplaying impact and not paying, or paying very little, or doing other researcher-hostile activities.

    Especially since someone here mentioned some time ago that the black market pays about 3x for the same class of vulnerability, so you need fairly high moral standards to go the direct way.

  • cortesoft 2 days ago ago

    Researcher seems a bit unhinged.

    • Rotdhizon 2 days ago ago

      This often seems to be the case for the most expert researchers, all a bit quirky. Anyone remember SandboxEscaper? I think they are deceased now but they were dropping Windows 0 days left and right. That person was quite a character. It's hard to describe it without potentially incurring the wrath of someone here but those who know, know.

      • l23k4 2 days ago ago

        SandboxEscaper and Nightmare Eclipse both explicitly deny this, but I'm pretty sure they're the same person.

        The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story

        SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com

        OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459

        The Twitter account was silent between Aug 17 2023 and Apr 3 2026, so it's not necessarily the same person using it anymore.

      • godelski 2 days ago ago

        > most expert researchers, all a bit quirky.

        Is it a surprise that if you think differently you act differently? You have to think differently to become an expert. If you thought the same (as the "average") you'd, by definition, be "average".

      • lynndotpy 2 days ago ago

        SandboxEscaper is still alive, but yeah, Eclipse's prolific vuln dropping reminds me of her.

      • getpokedagain 2 days ago ago
      • hypercube33 2 days ago ago

        Passed away? What evidence do you have around that statement?

      • karel-3d 2 days ago ago

        Palantir embraces the neurodivergent.

        https://x.com/PalantirTech/status/2057157517969445252

    • Animats 2 days ago ago

      That may go with the task of looking for low-level security holes.

      • xeonmc 2 days ago ago

        Or being forced into homelessness by Microsoft

    • ryukoposting 2 days ago ago

      Takes a certain kind of crazy to pay your bills with bug bounties.

    • stainablesteel 2 days ago ago

      sanity isn't his job

    • _karie_ 2 days ago ago

      ahh, the "what was she wearing" comment.

      • eddythompson80 2 days ago ago

        ahh, the false analogy comment.

        • _karie_ 2 days ago ago

          “False analogy” isn’t a counterpoint, it's a deflection. What part of the mapping breaks for you?

          • eddythompson80 2 days ago ago

            False analogy isn’t a deflection, it’s a logical fallacy.

            • _karie_ 2 days ago ago

              Just because you don't agree doesn't make the legitimate callout (i.e., victim-blaming “what were you wearing” vs. calling someone “unhinged” after they've endured repeated abuse/stress) a logical fallacy. Rather, it positions you in opposition.

              Everything you disagree with isn't incorrect.

              • cortesoft 2 days ago ago

                I don't really see any evidence of abuse in this post, though. It doesn't really say what Microsoft did, other than ban them from GitHub after they said they will "make Microsoft's bones shatter".

                It reads to me like Microsoft didn't pay him what he thought he earned from the exploits (I have no idea who is in the right on that), and then he published a zero-day with no notification and threatened the company. Doesn't seem ridiculous to ban them at that point.

                Again, I don't know the details so I can't say who is in the right, but the researcher comes off as a little bit unhinged and entitled. Not paying a bug bounty is 'ruining my life'?

                • _karie_ 20 hours ago ago

                  > Again, I don't know the details so I cant say who is in the right

                  You are unsure of the details, so you instinctively choose to align with the $3T corporation. Further, you assert the responsible discloser is "unhinged" for having a reaction to sustained abusive behavior by that $3T corporation.

                  Who exactly is unhinged here: the person who had a human reaction to abuse, or the person who thinks they share social in-group status with Microsoft? My vote is on the latter.

  • StatelessAnton 2 days ago ago

    One should just exploit it next time :D

  • rvz 2 days ago ago

    A perfect storm of GitHub's own self-destruction and downfall, all done by themselves.

    Microsoft is playing with fire against a researcher that has a track record of finding 0-days out of thin air. Quite a dumb thing to do.

    This researcher should instead pivot to crypto smart contract bounties. A much larger payout there than from companies like Microsoft.

  • 0cf8612b2e1e 2 days ago ago

    Surely, the public string of exploits means he can find gainful employment from any of the various spooks?

    • ndiddy 2 days ago ago

      I know quite a few extremely skilled people who aren't employed in a technical field. Usually it's some combination of not working well with others, lack of formal credentials and the means to acquire them, or a criminal record. Government work also means you have to be morally okay with what the government does (or willfully ignorant), able to pass a background check, and be willing to go through the security clearance process.

      • throwaway85825 2 days ago ago

        People with skills/means don't want to live in the cheap city/suburb where they have offices. Work from home obviously isn't a thing.

      • lstodd 2 days ago ago

        "People with skills" just don't care for corporate or government bullshit. You may know them as "not being employed in a technical field", but it's just because you got filtered out.

        • 2 days ago ago
          [deleted]
      • stackghost 2 days ago ago

        Government work also usually means relocating. The money wouldn't be good enough for me to uproot my family.

  • MiscIdeaMaker99 2 days ago ago

    The optics don't look good for Microsoft, but we don't know their side of the story.

    • SXX 2 days ago ago

      It doesn't really matter. Banning someone's GitHub account changes literally nothing, and it's another proof Microsoft is not to be trusted as steward of an open source platform.

      • throwaway85825 2 days ago ago

        Worse, can't be trusted to have secure products.

        • thewebguyd 2 days ago ago

          They lost the trust of having secure products a long time ago. Windows is directly responsible for the rash of varying quality EDR & other "security software" for endpoints.

          I mean it took them until Windows 10 to move font rendering out of Ring 0, you could run malicious code in kernel space from a freaking font on a web page at one point.

  • frobisher 2 days ago ago

    We need to move to IPFS or something federated for source code

    • PunchyHamster 2 days ago ago

      Hosting it yourself is trivial and cheap. Git is not a heavy protocol, nor is git over HTTPS.

  • onesingleblast a day ago ago

    Yeah because he didn't responsibly report it. What did he expect?

  • Aurornis 2 days ago ago

    User also got themselves banned from Gitlab, an unrelated company. Their quotes in the article are threatening violence and destruction toward Microsoft.

    I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.

    What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?

    Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.

    • ImPostingOnHN 2 days ago ago

      Before we go down the road of analyzing someone's reaction, we should first analyze what they're reacting to: How much money did microsoft bilk this person out of? What is a reasonable reaction to someone taking that much money out of your paycheck?

      • firefax 2 days ago ago

        Also, as a practical matter, maybe do as someone says if they have this many zero days sitting around?

        While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.

        Maybe don't piss off your betters?

  • SXX 2 days ago ago

    Also recently:

    Satya Nadella says as much as 30% of Microslop code is written by AI:

    https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...

    • aussieguy1234 2 days ago ago

      If they're using the "write lots of mediocre code faster" approach to AI and not the "write better code more slowly" approach, this is a security nightmare.

      • tovej 2 days ago ago

        "Write better code more slowly" is just regular software development, without the LLM.

    • throwatdem12311 2 days ago ago

      “Recently” this was a year ago - it’s probably more like 95% now

    • SpicyLemonZest 2 days ago ago

      I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.

      • simoncion 2 days ago ago

        > I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.

        I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.

        Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.

      • Cpoll 2 days ago ago

        Transforming 'Micro$oft's' name as a form of commentary is a time-honored tradition.

      • lynndotpy 2 days ago ago

        I disagree with policing someone else's language like this in the first place, but it's only one insult and it's just "Microslop".

        • SpicyLemonZest 2 days ago ago

          I don't think you should insert any number of insults into summaries of what other people said. It serves no purpose other than degrading the quality of discussion. If someone posted this comment:

          > Satya Nadella says as much as 30% of Microsoft code is written by AI. More like Microslop, haha!

          we'd all recognize that the last sentence is pointless name-calling (and thus violates the HN guidelines). But by interleaving the insult, it's easy to trick oneself into thinking that it's meaningful commentary. The quality of HN as a discussion forum requires holding ourselves to a higher standard than that.

          • keepupnow 2 days ago ago

            It isn't name calling, it's a fact. Their software was, and now increasingly is, F grade quality. Microslop.

            • 2 days ago ago
              [deleted]
      • SXX 2 days ago ago

        Ooops. Just a copilot-made mistake in the 30% comment that has been AI generated. Kidding.

        Actually I was making a reference to Microsoft banning people on their Discord.

        Because out of the top "evil corps", Microsoft seems to have the worst PR department.

  • sscaryterry 2 days ago ago

    Just create a new account :D

  • bnagh 2 days ago ago

    Looks like Microslop will have a happy Bastille day. Getting popcorn.

  • vasco 2 days ago ago

    The NSA isn't even subtle anymore jeez.

    • mmastrac 2 days ago ago

      _NSAKEY part deux

  • SXX 2 days ago ago

    This is such a bad idea, and what's the point anyway? Once a 0-day is out, it's out.

    Almost like trying to censor a leaked HDCP key.

  • panny 2 days ago ago

    Microsoft owns Github and Windows, makes sense. "Security researchers" love attention however, and I'm going to guess this one knew it would happen and is now making hay on the fact that it did. Now let me roll out the tired authoritarian excuses to wrap up the thread.

    >It's a private company. They can do what they want.

    >Freedom of speech isn't freedom from consequences.

    >Build your own github.

    Did I miss any?

  • ChrisArchitect 2 days ago ago

    Related:

    Microsoft's stance on zero day exploits is a dumpster fire of their own making

    https://news.ycombinator.com/item?id=48313038

  • breppp 2 days ago ago

    The combination of an overly unstable, dramatic researcher, a tech news community which will undermine truth in a desperate plea for some clicks, and people that are readily willing to believe everyone is constantly just casually in contact with the NSA gives us these third rate stories.

  • stevefan1999 2 days ago ago

    I mean he should sell those 0days to the exploit.im market for good money instead of going for "whitehat" if you want maximum damage.

  • karel-3d 2 days ago ago

    why doesn't he sell those to someone like zerodium

    the bugs he is publishing are exactly the class of bugs that they would love to buy

    • robocat 2 days ago ago

      Looks like Zerodium shut down last year

      • karel-3d 2 days ago ago

        There are more similar ones

  • alex1138 2 days ago ago

    Basic conflict of interest stuff

    MS owns GH. It's tonedeaf and criminal

    • yuye 2 days ago ago

      >It's tonedeaf and criminal

      Hasn't that been their MO since the start? Absolutely scummy company.

  • pslab 2 days ago ago

    [flagged]

  • sorry_outta_gas 2 days ago ago

    [dead]

  • mschuster91 2 days ago ago

    Lol, they ban a security researcher from Github for embarrassing them, but massgrave's Microsoft Activation Scripts isn't just still on Github but verified?

    Make it make sense, Microsoft.

    • throwaway85825 2 days ago ago

      Pirating windows keeps you in the ecosystem so they can sell ads/games/365/cloud etc.

    • sgjohnson 2 days ago ago

      Microsoft hasn’t particularly cared about consumers pirating Windows for more than a decade. I’m pretty sure they make close to 0 money off Windows licensing to consumers.

      • thewebguyd 2 days ago ago

        A quote from Billy G comes to mind

        > "Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade."

        Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.

        • debugnik 2 days ago ago

          Is there any other OS that gets pirated these days? Are Hackintosh still a thing?

          • mschuster91 2 days ago ago

            > Are Hackintosh still a thing?

            A dying breed, most Intel machines have already fallen out of support and the few remaining ones (e.g. 2019 16-inch MBP) won't get any new OS updates after end of this year.

    • bananamogul 2 days ago ago

      Github's anti-piracy enforcement is a joke and always has been.

      Example: https://lowendbox.com/blog/will-github-ever-remove-this-null...