• 🌈 vanta rainbow black 🌈@lemmy.blahaj.zoneEnglish
    2 minutes

    seeing a lot of people in this thread refer to this researcher as “he”

    their pronouns and such are unknown at this time as they have remained anonymous

    assuming male as default for everyone leads to trans people getting misgendered and is just generally a shitty out-of-touch thing to do

  • FauxLiving@lemmy.worldEnglish
    2 hours

    I feel that companies like Microsoft have forgotten that bug bounties and ethical reporting are the compromise where they agree to pay a fair amount for the bugs and are given time to fix them and the security researcher forgoes the 10x price they could get on the black market.

    Given the rise in mercenary hacking/spyware corporations, the bug researchers could probably get way more money through those alternate, and still legal, channels.

    So I hear.

  • qaz@lemmy.worldEnglish
    2 hours

    -----BEGIN PGP SIGNED MESSAGE-----

    Hash: SHA512

    Okay,

    So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.

    You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.

    Now you take the courtesy to flag my github account and wipe it out of the public, just like that ? You are proving to everyone that you actively escalating this conflict but I’m done begging you.

    I might sound like crazy idiot who is whinning around but I have proof for every single word I said, I just can’t release it yet. Why ? Microsoft still has chains in my hands, it’s been like this for years and I just can’t stay silent anymore. I hope I can release the documents soon.

    Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances).

    Also,

    CVE-2026-45498 is UnDefend

    CVE-2026-41091 is RedSun

    New GitLab account,

    https://gitlab.com/nightmare-eclipse

    -----BEGIN PGP SIGNATURE-----

    iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahGg+gAKCRDFFoRCS0/S

    bBMIAPsEczivsL71pbJizJHHlNNOf9guPAFFshJhhkwrDrwZ5wD/Vz6Z+d6vSvhQ

    uVrEh4lPM84Q8+J56RLa50Zp46QLkAY=

    =8wON

    -----END PGP SIGNATURE-----

    https://deadeclipse666.blogspot.com/

    Their account on GitLab is already blocked https://gitlab.com/nightmare-eclipse

    • Bazoogle@lemmy.worldEnglish
      2 hours

      Lmao. Is there anywhere he can go that wouldn’t immediately block him?

      • 🌈 vanta rainbow black 🌈@lemmy.blahaj.zoneEnglish
        4 minutes

        *they

        the researcher’s pronouns and such are unknown at this time as they have remained anonymous

        assuming male as default for everyone leads to trans people getting misgendered and is just generally a shitty out-of-touch thing to do

        • Bazoogle@lemmy.worldEnglish
          1 hour

          Of course he can… But then it’s as simple as a DDoS attack to shut it down. He wouldn’t want to host it on his own equipment, because there is a huge possibility for attack. He can pay for a server, but I assume he’d just setup the one. Unless he pays for a distributed server setup, there would be a single point of failure, and a single server to overwhelm. He can use CloudFlare, but then CloudFlare can decide they don’t like his content either, and just block access altogether.

          All of those things are much harder with an existing website with a larger infrastructure, and content other than his own posts.

          • trackball_fetish@lemmy.wtfEnglish
            33 minutes

            Well said… It would be difficult to match the load balancers larger sites have. Cost, resources, etc. Side note: fuck cloudflare.

          • kungen@feddit.nuEnglish
            39 minutes

            He could host a Tor Hidden Service or an I2P eepsite. Still possible to DDoS, but a bit harder. But then you’re missing out on 99% of spreading possibilities.

            • Bazoogle@lemmy.worldEnglish
              29 minutes

              Tor is a good idea. There are plenty of people that would happily seed the repository to spite Microslop

          • rumba@lemmy.zipEnglish
            28 minutes

            Put it on i2p and let the world shuffle it around.

      • qaz@lemmy.worldEnglish
        24 minutes

        Plebbit, they don’t moderate anything AFAIK (with predictable results)

      • rumba@lemmy.zipEnglish
        28 minutes

        I2P would be fine. They can ddos the service to an extent, but they’d just have to leave it there forever.

  • bamboo@lemmy.blahaj.zoneEnglish
    3 hours

    Microsoft has been mum on any details about these matters, so it’s hard to tell if the situation is about an uncooperative researcher who doesn’t follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse’s GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.

    Classic Streisand effect. Just two years ago Satya Nadella publicly announced they’re prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft’s actions speak louder than words and they probably didn’t pay for the bounties.

    • Bazoogle@lemmy.worldEnglish
      2 hours

      He also intentionally did it the day after patch Tuesday. July 14th is also Patch Tuesday. This is about retribution for him. How you view that is going to depend on your world view. I doubt any of us feel bad for Microsoft though XD

      • kungen@feddit.nuEnglish
        37 minutes

        And I fully believe it’d be some kind of justified retribution. The silence from Microslop’s side is deafening.

  • magnetosphere@fedia.io
    4 hours

    “Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”

    • Chais@sh.itjust.worksEnglish
      3 hours

      "Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they’ll find another one, right?

      • Bazoogle@lemmy.worldEnglish
        2 hours

        He’s done more than two. This was his second round of releases. He was also the one that found the vulnerability in Windows Defender.

  • Washedupcynic@lemmy.caEnglish
    3 hours

    I’m no expert. Is this an issue where MS is refusing to pay bounties to the researcher for finding the bugs, and MS follows up by deleting the researcher’s git hub? Am I missing anything? If I understand the basics, this is how you turn a white hat into a black hat. Good job microslop.

    • Trainguyrom@reddthat.comEnglish
      49 minutes

      So the researcher has posted on their blog over the past few months some rants about Microsoft “destroying their life” and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.

      From their rants (there’s a couple of fresh ones including indication that tomorrow will be “one of the hardest days of their life” and that they’ll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they’ve had some back and forth discussions in private that they’re now making more public

      Normally what happens is researchers report vulnerabilities via Microsoft’s purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are

    • Bazoogle@lemmy.worldEnglish
      2 hours

      His blog posts share his side of the story, but Microsoft has not made any comments about what happened.

      From March 26:

      I never wanted to reopen a blog and a new github account to drop code…

      But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.

      Then on April 15:

      Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I’m not sure if I was the only who had this horride experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.

      And one other thing, they do everything but support the research community, I won’t disclose details but they sabotage people a lot. I mean just look at the past, Microsoft is the only major company who had a track of multiple vulnerabilities being publicly disclosed just because the researchers were soo upset by how MSRC treated them.

      Unfortunately, the folks who have the capacity to stop those disclosures, not only don’t care but also seems to push harder for worst exploits to be released, I didn’t want to be evil but they are actively poking me to start releasing RCEs which I will be doing at some point…

      I will personally make sure that it gets funnier every single time Microsoft releases a patch.

      There was a comment on the first post that I feel like is pretty on point, though a bit arm chair psychologist:

      You’re a smart guy. Maybe a savant. Just wondering if you’re BiPolar (like me) and see a different reality than what is real. Been there.

    • KairuByte@lemmy.dbzer0.comEnglish
      3 hours

      I don’t think we know enough information to say what the root cause is, but this is definitely not the way to go about anything on the M$ side.

  • apftwb@lemmy.worldEnglish
    3 hours

    Too bad there aren’t any GitHub alternatives for them to post future exploits on.

    • Jhestyr@lemmy.worldEnglish
      2 hours

      I have to assume being sarcastic. But if not a locally hosted gitea is trivial to set up.

      • DanceMomsSavedMe@lemmy.zipEnglish
        1 hour

        Everyone keeps mentioning this but what about Codeberg or one of the other ones I see mentioned here a lot?

        Are those not viable alternatives that you don’t have to self host?

        • raspberriesareyummy@lemmy.worldEnglish
          47 minutes

          Codeberg would be sympathetic to the cause but does not have the €€ or legal power to deal with being bullied by microSLOP. :( Corporate law in Europe (and everywhere) is written to favour & protect big corps and corruption & bribery.

  • SuiXi3D@fedia.io
    5 hours

    I wonder if the dude happened to find an internally documented backdoor intended for use by government actors? Or most likely they just don’t wanna deal with it and the perceived fastest way to deal with it is to try and bury it. Both could be true, but I’m just speculating.

      • Snot Flickerman@lemmy.blahaj.zoneEnglish
        2 hours

        Whatever the last part of the link is it is getting caught in the content filter and being replaced with “removed”.

        Can anyone actually share the actual end of the link without triggering the content filter?

          • Snot Flickerman@lemmy.blahaj.zoneEnglish
            1 hour

            Interesting, I wonder why the choice to remove blog spot dot com specifically, this is actually the first time I have ever seen a “removed” from this instance, which is why I assumed at first it must be remote (also I had just woken up). Now that I’m more awake I realize, you’re right, it must be my instance. Maybe I’ll ask my admin sometime if there’s a reason why they block that phrase.

    • Chais@sh.itjust.worksEnglish
      3 hours

      I was wondering that myself.
      I mean, a mechanism that allows you to get the malware scanner to place whatever software you want on a machine, give it system access and then execute it, feels like a prime suspect for “lawful source interception” bullshit.

      • Bazoogle@lemmy.worldEnglish
        2 hours

        I do feel like it’s entirely possible it was a bug. I would imagine if they wanted to do a backdoor, they would require some form of key. There would need to be a form of revocation. If an employee, either for the government or Microsoft, went rogue then they could abuse that, or at the very least whistleblow and it would be easily verifiable for other entities.

        • Chais@sh.itjust.worksEnglish
          59 minutes

          I do feel like it’s entirely possible it was a bug. I would imagine if they wanted to do a backdoor, they would require some form of key.

          That would negate plausible deniability.

  • atrielienz@lemmy.worldEnglish
    7 hours

    If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).

    Even if this person is lying I’m more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.

    • 0x0@infosec.pubEnglish
      3 hours

      Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit

  • 9point6@lemmy.worldEnglish
    7 hours

    Man, Microsoft just keeps footgunning this one.

    Every new exploit, they clearly have a meeting and convince themselves “that’s gotta be the last of it, right?”

    So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)

    Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating

    • Miller@lemmy.worldEnglish
      6 hours

      Very little seems to be beyond the incredulity of MS meetings, remember they had a meeting where someone suggested the OS take a screenshot every ten seconds of whatever the user was doing and upload it to MS servers and rather than everyone laughing they agreed to move it into development.

      • grue@lemmy.worldEnglish
        5 hours

        rather than everyone laughing

        You misspelled “firing the authoritarian nutjob for cause,” which would’ve been the bare minimum of reasonable reactions.

        • Bazoogle@lemmy.worldEnglish
          2 hours

          if that’s bare minimum, what is the upper limit for reasonable reactions? Hang him?

    • BrightCandle@lemmy.worldEnglish
      7 hours

      Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset and the reason why he started doing this. They keep escalating. Its a war they started.

    • volore@scribe.disroot.orgEnglish
      6 hours

      you know, since this little saga began I’ve had this tiny voice in my head hoping this one vindictive dude is, eventually, directly responsible for Microsoft going out of business/doing severe restructuring or downsizing as a consequence of businesses losing faith in the company’s products. Lots of people already raise an eyebrow at Windows 11’s issues, things like “all our shit is fundamentally insecure because microslop left a backdoor in [insert critical thing here], and has been for [weeks/months/years/???]” tend to have an adverse effect on sales, especially to risk-averse business customers. It’s not impossible to imagine that continued “holy fuck what 0day exploit just dropped?” incidents, on the level of YellowKey, happening every month, could result in businesses deciding to drop their enterprise licensing of MS products; and that’s going to hurt. That’s where a big chunk, if not the biggest chunk iirc, of their revenue comes from. It’s unlikely, it’s a longshot, but I’m allowed to have hope.

      I’m especially now wondering, if YellowKey was the teaser – you know, just casually revealing a backdoor in BitLocker, like nbd – what the actual fuck are they going to drop in July? If that’s the appetizer, how juicy’s the entree gonna be?

      • reksas@sopuli.xyzEnglish
        4 hours

        I think as long as nothing actually happens, other companies wont care. No one is capable of thinking about the future anymore, there is only next quartal and short term profits.

        It might actually be needed for something big to go down first, like those 0day exploits actually get exploited and some client company or few loses a lot of money because of it. Considering how unsecure windows is, i’m a bit perplexed how nothing hasn’t happened already.

        • volore@scribe.disroot.orgEnglish
          2 hours

          Some of the other 0days this guy released are already being actively exploited in the wild, but no reports of big losses as a result of them yet. Having said that, the entire point of BitLocker was that it was full disk encryption that you didn’t have to think too much about; and now I bet every corporate IT department out there is looking at it with suspicion. If this guy can keep delivering on “things that keep sysadmins awake at night”, like “oh god every hard drive we’ve had stolen in the last few years can be fully decrypted now”, eventually a lot of them will decide it is less harrowing and less work to move their entire stack away from Microsoft than it is to live with them.

          They’d better not be overselling this bomb they’re gonna drop in July. I’m already moved over to Linux fully now, to quote photonicinduction: I want flames. I don’t just want to see it all over the tech news, I’m hoping he screws with them hard enough the story makes it to actual TV news channels.

  • Optional@lemmy.worldEnglish
    7 hours

    The saga has drawn speculation from other experts, like William Dormann from Tharros, who said that “MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.”

    . . . In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and unused exploits are both nearing zero, Microsoft and other software players would do well to adjust their policies.

    That’s such an insane aside. 90-day disclosure-to-patch. Craziness.

    On the other hand, this is exactly the way microsoft has been for - easily - 30 years. Like, 1996 microsoft could be slotted into today and literally nothing would change. Other than Nadella would probably be on a bunch of coke.

  • shortwavesurfer@lemmy.zipEnglish
    8 hours

    And this is why if you’re going to post something like this, you host your own git. Or use something like codeberg.

    • mote@lemmy.caEnglish
      8 hours

      The dichotomy here is you can’t be famous hosting exploits on smaller forges. Gotta be on the big platforms where you can be starred and forked for social media cred to make news stories to impress your friends. IIRC I think HeartBleed (maybe ShellShock?) was the tip of this popularity iceberg…

      • [object Object]@lemmy.caEnglish
        7 hours

        Does anyone care about stars?

        Openclaw is the most starred repo in years (i wonder why) and is incredibly niche.

        Stars are kind of a scam.

        • NotSteve_@lemmy.caEnglish
          7 hours

          I do loosely use stars to gauge how popular a library/framework is before investing a lot of time in it, however, I do also use other metrics like PR count, issues, etc

          • mote@lemmy.caEnglish
            6 hours

            Stars are just someone’s bookmark (me included) because there’s no simple “bookmark this because I’ll forget in an hour and want to look at it later when I have time.” If one trusts Stars, you’re literally trusting a bookmark that I didn’t put more than 2 seconds of thought into clicking because I have a bad memory. Many I know do the same.

            I go straight to code history, show me what the commits look like. One can derive a lot about the project based on just the way the commit messages are written before looking at the code being changed. How the code is changed over time (process, communication, methods, etc.) adds more layers to the qualitative observation. I move on to Issues when I want to see how the devs interact with the users having problems, which is another story.