this post was submitted on 27 May 2026
332 points (99.1% liked)

top 29 comments
[–] magnetosphere@fedia.io 16 points 52 minutes ago (1 children)

“Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”

[–] Chais@sh.itjust.works 6 points 19 minutes ago

"Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they'll find another one, right?"

[–] bamboo@lemmy.blahaj.zone 5 points 24 minutes ago

Microsoft has been mum on any details about these matters, so it's hard to tell if the situation is about an uncooperative researcher who doesn't follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse's GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.

Classic Streisand effect. Just two years ago Satya Nadella publicly announced they're prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft's actions speak louder than words and they probably didn't pay for the bounties.

[–] SuiXi3D@fedia.io 24 points 2 hours ago (1 children)

I wonder if the dude happened to find an internally documented backdoor intended for use by government actors? Or most likely they just don’t wanna deal with it and the perceived fastest way to deal with it is to try and bury it. Both could be true, but I’m just speculating.

[–] Chais@sh.itjust.works 2 points 12 minutes ago

I was wondering that myself.
I mean, a mechanism that allows you to get the malware scanner to place whatever software you want on a machine, give it system access and then execute it, feels like a prime suspect for "lawful source interception" bullshit.

[–] atrielienz@lemmy.world 85 points 3 hours ago (1 children)

If the guy exposing the exploits is to be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).

Even if this person is lying, I'm more likely to believe MS is the bad guy here. It seems like bullying to me. That, and an attempt to mask the problems at the company, because they have been getting a lot of bad press and are having trouble with the entirety of Windows 11, which they forced on people and keep breaking. The adoption rate of Windows 11 being so bad also lends credence to what this person is claiming.

[–] 0x0@infosec.pub 6 points 28 minutes ago

Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit

[–] 9point6@lemmy.world 116 points 4 hours ago* (last edited 4 hours ago) (4 children)

Man, Microsoft just keeps footgunning this one.

Every new exploit, they clearly have a meeting and convince themselves "that's gotta be the last of it, right?"

So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)

Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating?

[–] Miller@lemmy.world 24 points 3 hours ago (1 children)

Very little seems to be beyond the incredulity of MS meetings. Remember, they had a meeting where someone suggested the OS take a screenshot every ten seconds of whatever the user was doing and upload it to MS servers, and rather than everyone laughing, they agreed to move it into development.

[–] grue@lemmy.world 8 points 1 hour ago

rather than everyone laughing

You misspelled "firing the authoritarian nutjob for cause," which would've been the bare minimum of reasonable reactions.

[–] BrightCandle@lemmy.world 60 points 4 hours ago

Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset, and the reason why he started doing this. They keep escalating. It's a war they started.

[–] volore@scribe.disroot.org 28 points 4 hours ago* (last edited 2 hours ago) (1 children)

You know, since this little saga began I've had this tiny voice in my head hoping this one vindictive dude is, eventually, directly responsible for Microsoft going out of business/doing severe restructuring or downsizing as a consequence of businesses losing faith in the company's products. Lots of people already raise an eyebrow at Windows 11's issues; things like "all our shit is fundamentally insecure because microslop left a backdoor in [insert critical thing here], and has been for [weeks/months/years/???]" tend to have an adverse effect on sales, especially to risk-averse business customers. It's not impossible to imagine that continued "holy fuck what 0day exploit just dropped?" incidents, on the level of YellowKey, happening every month, could result in businesses deciding to drop their enterprise licensing of MS products; and that's going to hurt. That's where a big chunk, if not the biggest chunk iirc, of their revenue comes from. It's unlikely, it's a longshot, but I'm allowed to have hope.

I'm especially now wondering, if YellowKey was the teaser -- you know, just casually revealing a backdoor in BitLocker, like nbd -- what the actual fuck are they going to drop in July? If that's the appetizer, how juicy's the entree gonna be?

[–] reksas@sopuli.xyz 4 points 1 hour ago

I think as long as nothing actually happens, other companies won't care. No one is capable of thinking about the future anymore; there is only the next quarter and short-term profits.

It might actually be needed for something big to go down first, like those 0day exploits actually getting exploited and some client company or a few losing a lot of money because of it. Considering how insecure Windows is, I'm a bit perplexed that nothing has happened already.

[–] northernlights@lemmy.today 12 points 4 hours ago (3 children)

A colloquial term equivalent to “shooting oneself in the foot”

[–] paraphrand@lemmy.world -4 points 2 hours ago (2 children)

AI loves to use the word. I never heard it regularly until AI started helping popularize it.

[–] skulblaka@sh.itjust.works 1 points 49 minutes ago

Then you did not speak with programmers regularly. I learned this term probably back in 2008ish.

[–] 9point6@lemmy.world 8 points 2 hours ago (1 children)

FWIW I've proudly been using it for years

[–] Anti_Iridium@lemmy.world 1 points 17 minutes ago

Prove you haven't been an AI for years.

[–] homesweethomeMrL@lemmy.world 25 points 3 hours ago

The saga has drawn speculation from other experts, like William Dormann from Tharros, who said that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."

. . . In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and unused exploits are nearing zero, Microsoft and other software players would do well to adjust their policies.

That's such an insane aside. 90-day disclosure-to-patch. Craziness.

On the other hand, this is exactly the way Microsoft has been for, easily, 30 years. Like, 1996 Microsoft could be slotted into today and literally nothing would change. Other than Nadella would probably be on a bunch of coke.

[–] shortwavesurfer@lemmy.zip 64 points 5 hours ago (2 children)

And this is why, if you're going to post something like this, you host your own git. Or use something like Codeberg.

[–] mote@lemmy.ca 31 points 4 hours ago (1 children)

The dichotomy here is you can't be famous hosting exploits on smaller forges. Gotta be on the big platforms where you can be starred and forked for social media cred to make news stories to impress your friends. IIRC I think Heartbleed (maybe Shellshock?) was the tip of this popularity iceberg...

[–] panda_abyss@lemmy.ca 14 points 3 hours ago (1 children)

Does anyone care about stars?

Openclaw is the most starred repo in years (i wonder why) and is incredibly niche.

Stars are kind of a scam.

[–] NotSteve_@lemmy.ca 13 points 3 hours ago (1 children)

I do loosely use stars to gauge how popular a library/framework is before investing a lot of time in it, however, I do also use other metrics like PR count, issues, etc

[–] mote@lemmy.ca 7 points 3 hours ago

Stars are just someone's bookmark (me included) because there's no simple "bookmark this because I'll forget in an hour and want to look at it later when I have time." If one trusts Stars, you're literally trusting a bookmark that I didn't put more than 2 seconds of thought into clicking because I have a bad memory. Many I know do the same.

I go straight to code history, show me what the commits look like. One can derive a lot about the project based on just the way the commit messages are written before looking at the code being changed. How the code is changed over time (process, communication, methods, etc.) adds more layers to the qualitative observation. I move on to Issues when I want to see how the devs interact with the users having problems, which is another story.

[–] devaly@ani.social 30 points 4 hours ago (1 children)

And their GitLab is already blocked as well.

[–] nutbutter@discuss.tchncs.de 2 points 44 minutes ago

Why did GitLab block it?