I stopped reporting any security bugs I find in web apps because first time I did it I almost got arrested by the police.
The second time I did it they contacted my employer directly without even getting back to me, saying they were unhappy with me reporting it and wanted to write about it after they fixed the issue.
Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.
If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.
Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.
> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.
The CCC (Chaos Computer Club) in germany will probably do the same.
Just to play devil's advocate, couldn't sending zero-day exploits to a foreign nation's intelligence service potentially cause the sender significantly more trouble.
Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies.
The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability.
Were you somehow able to intuit that parent is Finnish?
I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.
> the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO
Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with
> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.
If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia but it's not "reporting yourself" here
I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.
> I wouldn't trust anything like that in Germany [...] Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period.
This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was.
Clearly this doesn't work as a blanket statement, and coordinated vulnerability disclosure is a thing here. I can agree there are caveats, but the statements as made aren't accurate.
As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software).
Apart from a certain general incompetence in IT related topics, common sense is a rather important part of German legal interpretation. Intention, proportionality and such.
There are some infamous counter-examples, but you can find these in any country and it's these that make the news.
Reporting software vulnerabilities in Germany is the dumbest thing you can do, you WILL be arrested. There is a recent case where some company had a hardcoded database password in their EXE file, and if you open it with e.g. Notepad you can see it, and this already counts as "illegal hacking". https://www.heise.de/en/news/Federal-Constitutional-Court-re...
Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?
Well I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch, I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.
This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."
It's starting to be so common on the internet, clueless US residents not really grokking that things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...
> You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot have been lied to your entire life...
You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.
Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).
They just seem to blur the border between nationalism and patriotism more than most countries.
That sounds a lot like the assumption that crime rates are better in less populous areas - just because there is less reporting doesn't mean that it isn't there.
Have you been to the US? If not how can you be certain that the US is truly worse?
I once tried to report an incident to a train line who had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office, in front of a wall with an A4 page of usernames and logins for various systems on it.
I tried three different contacts I could find; only one came back to me and wanted to know what the systems did, what the risk was, etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated, etc.
I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...
I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.
Some may criticize regulations, but the EU-mandated Cyber Resilience Act (CRA) actually forced companies to have a clear contact point for vulnerability reporting, and to act upon it.
2026-09-11, save the date folks. That's when all companies selling products with digital elements in the EU have to have a reporting pipeline for actively exploited vulnerabilities and severe incidents.
The German "Chaos Computer Club" (hacker club) has a disclosure service. They approach the affected party as the club, hiding the person's identity. Not sure if they do it internationally, as the page is in German. But nice idea, and not a government agency.
No shit. Mind telling us how? Because elections sure aren’t going to do it.
edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.
That's really sad to hear, you must have felt really bad. Just because they do not know about the vulnerability, it won't disappear. And they won't fix it either. Ignorance is bliss, but not in this case...
I'd do my very best to find more of such vulns from the same problematic and aggressive companies, then sell them on the black market for pennies - or just outright leak them.
Why?
To show the stubborn, offended little snowflakes that it's better to reward your heroes than try to turn them into villains.
I bet this post will get downvoted a ton. I'm OK with that. I'm sure that a message supporting any national resistance movement during WWII would have been downvoted, too.
No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.
This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.
This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.
[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.
Read the write up on YellowKey. [1] It sounds like, in at least some instances, he's publishing official Microsoft backdoors probably used by US intelligence agencies et al. It turns out that Bitlocker is insecure and backdoored. Something noooobody expected after TrueCrypt just mysteriously and suddenly shut their doors one day, removed all downloads, and recommended everybody move to Microsoft's BitLocker. lol.
If you were using bitlocker to replace truecrypt, you'd have a boot password and this would not affect you at all.
I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.
And where's the claimed version that works when a PIN is set?
> And where's the claimed version that works when a PIN is set?
Maybe it was on GitHub/GitLab before the author was banned by both Microsoft and GitLab, not really sure we'd know. The author's last post on their blog is from yesterday (28th of May, https://deadeclipse666.blogspot.com/) so it seems they aren't fully gone. But yeah, there have been a lot of "promises", but besides the initial 0days, not so much released AFAIK.
Why would it not be? Microslop doesn't need to make such a backdoor, but it's still a lot more convenient to make one generic backdoor than many signed ones.
It all started because the bureaucracy refused to even consider Bluehammer when they couldn't cajole the reporter into providing video footage.
And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.
They're not. These programs make decisions I wouldn't make all the time (though for reasons more complicated than message board discussions capture). I'm making a much narrower claim than you think I am.
They also silently patched RedSun, didn't issue a CVE until much later.
There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.
The bug this guy brings up is very obviously a Bitlocker backdoor and raises very serious questions about what Microsoft is doing with the encryption. Pretty certainly they're able to decode the volumes without the user's key, which is extremely concerning.
Looks like they're trying to make it disappear, but it's in the wild now.
It’s a post-boot authentication bypass exploit. Any post-boot authentication bypass exploit against TPM-only sealed BitLocker effectively bypasses it. The user doesn’t have a key to start with in this setup, just the machine.
This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.
I wouldn't be surprised if this was intentionally put in, but I think it's important to clarify that the encryption itself wasn't broken, and with this exploit specifically the drive also has to remain inside the original PC/TPM. It's a boot authentication bypass, not an encryption break.
As far as we know, having TPM+Pin or TPM+Startup Key breaks the exploit. TPM only was always known to be basically ineffective against threats like laptop theft, TPM only would only protect you if the drive was stolen out of the machine, which in that case, this exploit also would not work.
I know someone who works for a nefarious gov org and they never put the bitlocker keys in the TPM on their laptops. You have to enter the password yourself on power up.
You don't need to be thinking of any specific vulnerability to realize that putting the decryption key next to the data you're trying to protect is a dumb idea.
If for example a laptop like that gets lost or stolen, the attacker has the data and the key, in a box they physically hold, with no attempt limit, and unless they actively mess with the boot process, it will happily load the key into memory for them. If it's a discrete TPM the attacker can likely sniff the key on the wire. If that doesn't work, they just need to find a vuln anywhere in the secure boot process, or in Windows, and again, they have the key. And if that doesn't work, they could sniff the memory bus, or do a cold boot attack (again, with unlimited attempts unless they irreparably damage the mainboard/TPM in the process).
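The boundary shift the two comments above describe (TPM-only sealing releases the key to whatever genuine boot chain follows, before any user authentication, while a PIN adds a secret the machine does not hold) can be shown with a small simulation. This is an added toy model written for this thread, not BitLocker, TPM or Microsoft code; the boot-chain component names, the HMAC-based sealing and the XOR wrapping are constructed stand-ins for real TPM PCR policies and key hierarchies.

```python
"""Toy model of sealing a volume key to measured boot state.

Hypothetical simulation written for this thread; it is not BitLocker, TPM or
Microsoft code. Component names, the HMAC-based sealing and the XOR wrapping
are constructed stand-ins for real TPM PCR policies and key hierarchies."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple

PCR_INIT = b"\x00" * 32
SealedBlob = Tuple[bytes, bytes]  # (wrapped key, integrity tag)

# Constructed boot chains: the genuine one and one with a swapped bootloader.
GENUINE_CHAIN = [b"firmware 1.0", b"bootmgfw (signed)", b"winload (signed)", b"ntoskrnl"]
TAMPERED_CHAIN = [b"firmware 1.0", b"evil bootloader", b"winload (signed)", b"ntoskrnl"]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). Order matters and the value
    cannot be reset, which is what binds a sealed key to a boot sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: Sequence[bytes]) -> bytes:
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Seals a 32-byte secret to a PCR value plus an optional PIN.
    The storage root key never leaves the object, as in a real TPM."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)

    def _wrap_key(self, pcr: bytes, pin: Optional[bytes]) -> bytes:
        # The PIN is part of the key derivation, so the machine alone cannot
        # reproduce the wrapping key without it.
        return hmac.new(self._srk, pcr + (pin or b""), hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_policy: bytes, pin: Optional[bytes] = None) -> SealedBlob:
        if len(secret) != 32:
            raise ValueError("toy seal handles exactly 32-byte secrets")
        wrap = self._wrap_key(pcr_policy, pin)
        wrapped = bytes(a ^ b for a, b in zip(secret, wrap))
        tag = hmac.new(wrap, wrapped, hashlib.sha256).digest()
        return wrapped, tag

    def unseal(self, blob: SealedBlob, current_pcr: bytes, pin: Optional[bytes] = None) -> Optional[bytes]:
        wrapped, tag = blob
        wrap = self._wrap_key(current_pcr, pin)
        expected = hmac.new(wrap, wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # policy mismatch: different boot chain or wrong/missing PIN
        return bytes(a ^ b for a, b in zip(wrapped, wrap))


def provision(pin: Optional[bytes] = None) -> Tuple[ToyTPM, bytes, SealedBlob]:
    """Enable the protector: seal a fresh volume master key to the genuine chain."""
    tpm = ToyTPM()
    vmk = os.urandom(32)
    return tpm, vmk, tpm.seal(vmk, measure_boot_chain(GENUINE_CHAIN), pin)


def boot_and_unlock(tpm: ToyTPM, blob: SealedBlob, chain: Sequence[bytes],
                    pin: Optional[bytes] = None) -> Optional[bytes]:
    """What the boot manager does: extend PCRs with what actually ran, then ask
    the TPM for the key. Returns the key, or None if the policy is not met."""
    return tpm.unseal(blob, measure_boot_chain(chain), pin)


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}
    tpm, vmk, blob = provision()  # TPM-only protector
    # Genuine chain, no user secret: the key is released before any logon, so
    # everything that runs from here to the Windows logon screen is the boundary.
    results["tpm_only_genuine"] = boot_and_unlock(tpm, blob, GENUINE_CHAIN) == vmk
    # Swapped bootloader: PCRs differ, the TPM refuses.
    results["tpm_only_tampered"] = boot_and_unlock(tpm, blob, TAMPERED_CHAIN) is None
    tpm, vmk, blob = provision(pin=b"1234")  # TPM+PIN protector
    results["tpm_pin_no_pin"] = boot_and_unlock(tpm, blob, GENUINE_CHAIN) is None
    results["tpm_pin_wrong_pin"] = boot_and_unlock(tpm, blob, GENUINE_CHAIN, b"0000") is None
    results["tpm_pin_right_pin"] = boot_and_unlock(tpm, blob, GENUINE_CHAIN, b"1234") == vmk
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'as expected' if ok else 'UNEXPECTED'}")
```

Real TPMs enforce this through PCR policy sessions and dictionary-attack lockout rather than an HMAC tag, and neither is modelled here; what the simulation shows is only where the gate sits. With the TPM-only protector the genuine chain gets the key handed to it with no secret from the user, so any weakness between that point and the logon prompt inherits the unlocked volume, whereas the PIN variant fails even on an untouched machine until the user supplies it.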
If they were smart after the ban, they'd hire him for mucho dinero. These corporations are nervous, but if they're not stupid they pay out. It's Microsoft, so it's perhaps not the most progressive when it comes to these things, so who knows if they've realized it.
To corroborate, working in bug bounty triage, I never saw any evidence of reluctance to pay out.† The worst company-side behavior I observed was asking researchers to "please stay away from X" in their proof-of-concepts and then making higher payouts to researchers who ignored that instruction (because, after all, the demonstrated risk was higher!).
On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.
† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.
ooc, would you claim it's the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? Was it publicly discoverable and exploitable, or was there some form of protection?
I would agree it's the researcher's responsibility. It's not that the company put up a webshell for kicks. The researcher found an exploit (good), and used it to install a webshell, demonstrating the highest possible risk (fine).
Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.
Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?
Was it publicly discoverable?
Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.
Was it publicly exploitable?
Yes; the researcher didn't set up any authentication or anything.
Once the notification is in and the shell demonstrating it is up, it should be an immediate redeploy to a clean state, fix the hole, redeploy to a patched state.
The shell disappears on step one.
Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?
Ever considered these aren't the full set of exploits the researcher discovered? Or that he can find more since he found these? If I found a bunch, I'd certainly withhold a few as insurance.
Sure, but GitHub and Gitlab aren’t the only two ways to share code on the Internet. The conspiracy theories about two unrelated companies shutting down his git accounts to prevent him from releasing these supposed exploits are reaching pretty deep into conspiracy theory nonsense. The conspiracy theories can’t even agree if he was banned for posting them or because he hadn’t posted them but might post them.
Security industry going to be okay - someone will always pay for 0-days. If vendors won't pay, it's just gonna be US agencies, Israeli resellers, China or Russia.
If you don't feed your army, you will soon feed someone else's.
These days corporate security treats these workstations like a dummy terminal. No secrets live on the workstation. You have to re-auth with sso constantly with biometrics and are basically editing data that is in a cloud. So the risk to a corp is minimal where even in the worst case they are insured.
Zero days like this are being disclosed regularly so the idea of securing a windows workstation is tantalizing but you'll never feel satiated trying to drink that water so don't even try.
So yea there's plenty of windows users but we're certainly not hosting anything important on those boxes and would frankly be aghast at the suggestion.
Not to mention all the startups being founded right now. Sure, github's still the default, and maybe you can still monetize stars or something, but it's also a clown show from an availability, feature roadmap and company policy perspective.
Is it really fiscally responsible to tie your company's future to that?
I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?
No problem. The CIA will give its high level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.
In recent months I've been dealing with a lot of strange digital responses at various related things. It caused a lot of frustration and I couldn't exactly pinpoint what I was doing wrong. Then I read this sentence in the article:
"But to save money, Microsoft fired the skilled people, leaving flowchart followers."
Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.
For a lot of blue collar trades (mechanic/electrician/builder, etc.), following the `flowchart` is the `law` of the land, and the process is written in blood and liability.
Whereas IT/Ops/developers see themselves as artisanal, free thinking, intellectual beings, where skill is related to shortcuts, hacks, and thinking outside the box compared to following process.
These get trained to be able to reason about why the flowchart is the way it is, or outright to construct it. If you can't create a flowchart yourself, you shouldn't direct work following it. Following the flowchart is so that you don't make mistakes on execution, because there will eventually be mistakes; it's not intended to save you from knowing what you do in the first place. In other words: you follow a flowchart to prevent accidental deviations from the process. Once you question what you actually should do, the flowchart is useless as guidance.
It depends, flowcharts are great for defined processes, but troubleshooting (which vulnerability research mirrors) is not a flowchart or checklist or task list.
I am all in favor of extensive logging, documentation and following the processes, especially regarding safety. But there will always be miscommunication and cases where some thinking or adaptation of those processes is required. Stopping that for cost reduction will eventually lead to enshittification.
Is there any public word from Microsoft about what is going on here? Why would both Microsoft and Gitlab ban the user? I thought both platforms allowed hosting exploits and security research as long as everything is clearly marked up-front, I'm guessing some rules were broken?
Usually, when intentional backdoors like that get found and fixed, the 'someone else' stays silent. Otherwise, they provide proof that they've been planting backdoors, and that's much worse than having a hole plugged.
To get an idea of how this stuff usually works, start with the Simple Sabotage field manual:
If a government agency wanted to sweep this under the rug, don’t you think they’d just pay the bounties for the guy instead of giving him more ammunition for his crusade?
I think it’s more likely that the guy is just being as abusive to these services as the quotes in the article where he’s talking about crushing their bones
I'm not a BitLocker user or expert, but I thought I'd read that if you used a BitLocker PIN, the exploit didn't work. If the gov't asked MSFT to deploy an exploit, wouldn't they make it work PINlessly?
There's zero proof it's an intentional backdoor, it's just FUD spread by the exploit author which is probably not helping his case and may be reason for his ban.
Microsoft doesn't need to put in a backdoor on disk because they can make payloads that'll pass the TPM and not need a single trace on the disk.
Lots of copies of the Windows source code still on GitHub, which is problematic if you're interested in NT and want to contribute to Wine or something...hard to avoid running into restricted code
More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.
1. Section 230 was largely enacted in 1996 to solve the 1995 ruling that "because Prodigy had taken an editorial role with regard to customer content, it was a publisher and was legally responsible for libel committed by its customers" (i.e. one of the biggest purposes of section 230 was to allow companies to make editorial decisions without causing them to become legally liable as a result).
2. The law was "designed to override the decision…, so that a service provider could moderate content as necessary and would not have to act as a wholly neutral conduit."
3. However, Trump has challenged that, including with Executive Orders, although I don't think Trump's rationale is well thought through, including because he explicitly complained that his posts like "Any difficulty and we will assume control but, when the looting starts, the shooting starts" being taken down was a specific example of why 230 should be revoked.
4. And some think the opposite as well, such as Democratic leaders who "believed that Section 230 led the companies to fail to take any preemptive action against the people who had planned and executed the Capitol riots" for example.
> Section 230 allows for web operators, large and small, to moderate user speech and content as they see fit. This reinforces the First Amendment’s protections for publishers to decide what content they will distribute. Different approaches to moderating users’ speech allows users to find the places online that they like, and avoid places they don’t.
This situation highlights the inherent conflict of interest in Microsoft owning GitHub. While GitHub has clear terms of service regarding the hosting of active, weaponized exploits, the optics of banning a researcher who specifically targeted Windows are always going to look vindictive, regardless of the justification.
What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and thus releasing zero days that he found with the help of AI?
Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.
It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:
> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.
If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.
Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).
Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.
If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.
Which, if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera
Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically
>>> flow chart tech support with a "buy a webcam" cherry on top
>> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
> if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera
That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.
I believe Hyper-V supports emulating TPM these days, so doing things to a VM and recording the desktop with the VM window _may_ work. In this case though it'd look very boring because you couldn't tell from the recording that anything happened.
The researcher's own statements note that the zero days were not found with AI.
And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.
> They seem to have a personal vendetta against Microsoft
Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...
The fizzling of OS/2 was as much IBM's fault as anything. If they'd paid more attention to it sooner, MS might never have shipped Windows; they'd just have made their office applications OS/2 GUI programs. But IBM was too fixated on its mainframes to realize that they were giving away the PC market to MS (again--they did it the first time by licensing DOS to MS).
Before Facebook, I used Friendster. Years later, I read how Friendster execs were too busy patting themselves on the back and flying around on private jets to get around to fixing the horrendous site lag of sometimes a minute to even sign into the web app. How could a company's leadership be so foolish? I understood this paled in comparison to the doomed arrogance of IBM's leaders when I read stories about IBM's downfall in the delightful book In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters.
I always found it weird to ship a BASIC interpreter that didn't have specialised commands (unless you count POKE) to access the graphics and sound capabilities of a computer like the C64. Some computers of the same era had vastly superior BASICs (such as Sinclair BASIC).
I agree, it seems very low-effort on Commodore's part to license this lowest-common-denominator BASIC with no support for graphics and sound other than POKE. Super lame, but they got away with it.
The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.
It's not a dichotomy either, they can both have put the customers at risk.
Is this sarcasm? Or are you saying that the onus of providing proof is not on those making the claim, but instead that the onus of proof is on those who did not make the claim?
> Sure you can provide an alternative explanation?
In terms of a possible explanation for why GitLab would take an action, was it considered whether the (disturbed?) user violated GitLab's Terms of Service? Is the assumption that GitLab didn't just enforce their ToS, but that they're instead more likely to be secretly acquiescing to backroom bullying between companies over specific users?
Are there any copies of what he supposedly posted? I have a hard time believing someone posted groundbreaking exploits to two separate Git websites and not a single person cloned them.
I also think it’s funny that people are alleging .gov conspiracies that end in a publicly hosted “blocked user” page instead of just 404-ing or something.
Forks are still alive on github, so it seems unlikely microsoft did this to suppress the code. Unless they are wildly incompetent, which I don't want to outright reject as a possibility.
Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.
This often seems to be the case for the most expert researchers, all a bit quirky. Anyone remember SandboxEscaper? I think they are deceased now but they were dropping Windows 0 days left and right. That person was quite a character. It's hard to describe it without potentially incurring the wrath of someone here but those who know, know.
SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com
OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459
The twitter account was silent between aug 17 2023 and apr 3 2026, so it's not necessarily the same person using it anymore.
Is it a surprise that if you think differently you act differently? You have to think differently to become an expert. If you thought the same (as the "average") you'd, by definition, be "average".
Just because you don't agree doesn't make the legitimate callout (i.e., victim-blaming "what were you wearing" vs. calling someone "unhinged" after they've endured repeated abuse/stress) a logical fallacy. Rather it positions you in opposition.
I don't really see any evidence of abuse in this post, though. It doesn't really say what Microsoft did, other than ban them from github after they said they will "make Microsoft's bones shatter".
It reads to me like Microsoft didn't pay him what he thought he earned from the exploits (i have no idea who is in the right on that), and then he published a zero day with no notification and threatened the company. Doesn't seem ridiculous to ban them at that point.
Again, I don't know the details so I can't say who is in the right, but the researcher comes off as a little bit unhinged and entitled. Not paying a bug bounty is 'ruining my life'?
Microsoft owns Github and Windows, makes sense. "Security researchers" love attention however, and I'm going to guess this one knew it would happen and is now making hay on the fact that it did. Now let me roll out the tired authoritarian excuses to wrap up the thread.
>It's a private company. They can do what they want.
>Freedom of speech isn't freedom from consequences.
User also got themselves banned from Gitlab, an unrelated company. Their quotes in the article are threatening violence and destruction toward Microsoft.
I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.
What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?
Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.
Before we go down the road of analyzing someone's reaction, we should first analyze what they're reacting to: How much money did microsoft bilk this person out of? What is a reasonable reaction to someone taking that much money out of your paycheck?
Also, as a practical matter, maybe do as someone says if they have this many zero days sitting around?
While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.
I know quite a few extremely skilled people who aren't employed in a technical field. Usually it's some combination of not working well with others, lack of formal credentials and the means to acquire them, or a criminal record. Government work also means you have to be morally okay with what the government does (or willfully ignorant), able to pass a background check, and be willing to go through the security clearance process.
"People with skills" just don't care for corporate or government bullshit. You may know them as "not being employed in a technical field", but it's just because you got filtered out.
It doesn't really matter. Banning someone's GitHub account changes literally nothing, and it's another proof Microsoft is not to be trusted as steward of an open source platform.
They lost the trust of having secure products a long time ago. Windows is directly responsible for the rash of varying quality EDR & other "security software" for endpoints.
I mean it took them until Windows 10 to move font rendering out of Ring 0, you could run malicious code in kernel space from a freaking font on a web page at one point.
If they're using the "write lots of mediocre code faster" approach to AI and not the "write better code more slowly" approach, this is a security nightmare.
I don't think you should insert any number of insults into summaries of what other people said. It serves no purpose other than degrading the quality of discussion. If someone posted this comment:
> Satya Nadella says as much as 30% of Microsoft code is written by AI. More like Microslop, haha!
we'd all recognize that the last sentence is pointless name-calling (and thus violates the HN guidelines). But by interleaving the insult, it's easy to trick oneself into thinking that it's meaningful commentary. The quality of HN as a discussion forum requires holding ourselves to a higher standard than that.
> I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.
I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.
Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.
The combination of an overly unstable, dramatic researcher, a tech news community which will undermine truth in a desperate plea for some clicks, and people that are readily willing to believe everyone is constantly just casually in contact with the NSA, gives us these third-rate stories.
Lol, they ban a security researcher from Github for embarrassing them, but massgrave's Microsoft Activation Scripts isn't just still on Github but verified?
Microsoft hasn't particularly cared about consumers pirating Windows for more than a decade. I'm pretty sure they make close to 0 money off Windows licensing to consumers.
> "Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade."
Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.
A dying breed, most Intel machines have already fallen out of support and the few remaining ones (e.g. 2019 16-inch MBP) won't get any new OS updates after end of this year.
There are some really decent technical videos on it, CCC is really awesome!
Really loved this talk in particular from CCC: https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_mor...
This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...
In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.
"Israel reached out to US hackers for ‘Zero Days’ tools" - https://www.timesofisrael.com/israel-reached-out-to-us-hacke...
Why?
Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with
> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.
A "neutral" country might abuse them.
You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.
All of that without any benefits.
This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was.
Clearly this doesn't work as a blanket statement and coordinated vulnerability disclosure is a thing here. I can agree there are caveats but the statements as made aren't accurate.
As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software).
There are some infamous counter-examples, but you can find these in any country and it's these that make the news.
You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...
This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."
You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.
Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).
They just seem to blur the border between nationalism and patriotism more than most countries.
Have you been to the US? If not how can you be certain that the US is truly worse?
I tried three different contacts I could find, only one came back to me and wanted to know what the systems did what the risk was etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated etc.
I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...
I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.
https://www.ccc.de/disclosure
edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.
Why?
To show the stubborn, offended little snowflakes that it's better to reward your heroes than try to turn them into villains.
I bet this post will get downvoted a ton. I'm OK with that. I'm sure that a message supporting any national resistance movement during WWII would have been downvoted, too.
In the black market, 0day are actually worth something.
This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.
This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.
[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.
[1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...
I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.
And where's the claimed version that works when a PIN is set?
Maybe it was on GitHub/GitLab before the author was banned by both Microsoft and GitLab, not really sure we'd know. The author's last post on their blog is from yesterday (28th of May, https://deadeclipse666.blogspot.com/) so it seems they aren't fully gone. But yeah, there have been a lot of "promises" but besides the initial 0days, not so much released AFAIK.
Far safer than a backdoor and no evidence.
But the slop in your comment here indicates you're arguing in bad faith.
And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.
There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.
Looks like they're trying to make it disappear, but it's in the wild now.
This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.
As far as we know, having TPM+Pin or TPM+Startup Key breaks the exploit. TPM only was always known to be basically ineffective against threats like laptop theft, TPM only would only protect you if the drive was stolen out of the machine, which in that case, this exploit also would not work.
Wonder if they knew about this.
If for example a laptop like that gets lost or stolen, the attacker has the data and the key, in a box they physically hold, with no attempt limit, and unless they actively mess with the boot process, it will happily load the key into memory for them. If it's a discrete TPM the attacker can likely sniff the key on the wire. If that doesn't work, they just need to find a vuln anywhere in the secure boot process, or in Windows, and again, they have the key. And if that doesn't work, they could sniff the memory bus, or do a cold boot attack (again, with unlimited attempts unless they irreparably damage the mainboard/TPM in the process).
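The two comments above argue that a bare TPM protector auto-unlocks the volume at boot, so only TPM+PIN or TPM+startup key configurations resist a stolen-laptop scenario. As an added example (not code from any commenter), the script below audits local BitLocker volumes with the built-in BitLocker module and flags TPM-only volumes; it assumes an elevated Windows 10/11 session and that group policy permits a startup PIN, and the "Weak"/"Strong" labels are this example's own classification, not Microsoft terms.

```powershell
# Added example: audit BitLocker key protectors and flag TPM-only volumes.
# Assumes the built-in BitLocker module (Get-BitLockerVolume et al.) in an
# elevated session. "Weak"/"Strong" are labels chosen for this audit.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # Protector types that bind the volume key to something beyond the TPM alone.
    $strongTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpmOnly   = $types -contains 'Tpm'
        $hasStrongTpm = @($types | Where-Object { $strongTypes -contains $_ }).Count -gt 0
        $hasRecovery  = $types -contains 'RecoveryPassword'

        # Weak:   a bare TPM protector releases the key to any intact boot chain
        # Strong: the TPM alone is not enough; a PIN and/or startup key is required
        $finding = if ($vol.ProtectionStatus -ne 'On') { 'NotEncrypted' }
                   elseif ($hasStrongTpm)              { 'Strong' }
                   elseif ($hasTpmOnly)                { 'Weak' }
                   else                                { 'Other' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasRecoveryKey   = $hasRecovery
            Finding          = $finding
        }
    }
}

# Remediation for a "Weak" volume: add a TPM+PIN protector, then drop the
# TPM-only protector (Add-BitLockerKeyProtector leaves the old one in place).
# A recovery password must already exist and be escrowed, or a failed PIN
# rollout locks the user out of the volume.
function Set-BitLockerTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "Add and escrow a RecoveryPassword protector before changing boot protectors."
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# Report; a "Weak" finding on the system drive is the configuration the comments above warn about.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

Run the audit first and only call Set-BitLockerTpmPin after confirming the recovery password is backed up, since the old TPM-only protector is removed as part of the change.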
On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.
† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.
Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.
Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?
Was it publicly discoverable?
Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.
Was it publicly exploitable?
Yes; the researcher didn't set up any authentication or anything.
All about bits of entropy, i.e. difficulty of guessing.
Once the notification is in and the shell demonstrating it is up, it should be immediate redeploy to a clean state, fix the hole, redeploy to a patched state.
The shell disappears on step one.
Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?
What is this lunacy?
This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.
If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.
Guy finds zero days and gets no compensation. Instead gets banned.
Guy sells zero days elsewhere.
He also got banned from Gitlab, which isn’t related to Microsoft at all.
0. https://specs.ipfs.tech/ipips/ipip-0383/
That git account was posted on their blogspot...
I understand Microsoft's being petty, but why would GitLab do this?
If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.
The security industry is going to be okay - someone will always pay for 0-days. If vendors won't pay, it's just gonna be US agencies, Israeli resellers, China or Russia.
If you don't feed your army, you will soon feed someone else's.
Is this just your way of saying that only tiny, weird, companies are "good"?
Zero days like this are being disclosed regularly so the idea of securing a windows workstation is tantalizing but you'll never feel satiated trying to drink that water so don't even try.
So yea there's plenty of windows users but we're certainly not hosting anything important on those boxes and would frankly be aghast at the suggestion.
Is it really fiscally responsible to tie your company's future to that?
I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?
No problem. The CIA will give its high-level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.
"But to save money, Microsoft fired the skilled people, leaving flowchart followers."
Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.
Whereas IT/Ops/developers see themselves as artisanal, free-thinking, intellectual beings, where skill is related to shortcuts, hacks, and thinking outside the box compared to following process.
Hardware access is a given.
You guys need to stop reaching for conspiracy
To get an idea of how this stuff usually works, start with the Simple Sabotage field manual:
https://ia601309.us.archive.org/14/items/Simplesabotage/Simp...
I think it’s more likely that the guy is just being as abusive to these services as the quotes in the article where he’s talking about crushing their bones
It seldom pays to presume competence.
Microsoft doesn't need to put in a backdoor on disk because they can make payloads that'll pass the TPM and not need a single trace on the disk.
If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?
More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.
Even beyond that… most business relationships wouldn’t involve an expectation that Microsoft does things for other entities that it does for itself.
[1] https://en.wikipedia.org/wiki/Section_230
Section 230 has no concern with publishers making editorial decisions. GitHub can moderate user content on its site however it wants.
1. Section 230 was largely enacted in 1996 to solve the 1995 ruling that "because Prodigy had taken an editorial role with regard to customer content, it was a publisher and was legally responsible for libel committed by its customers" (i.e. one of the biggest purposes of section 230 was to allow companies to make editorial decisions without causing them to become legally liable as a result).
2. The law was "designed to override the decision…, so that a service provider could moderate content as necessary and would not have to act as a wholly neutral conduit."
3. However, Trump has challenged that, including with Executive Orders, although I don't think Trump's rationale is well thought through, including because he explicitly complained that his posts like "Any difficulty and we will assume control but, when the looting starts, the shooting starts" being taken down was a specific example of why 230 should be revoked.
4. And some think the opposite as well, such as Democratic leaders who "believed that Section 230 led the companies to fail to take any preemptive action against the people who had planned and executed the Capitol riots" for example.
EFF's take on 230 ( https://www.eff.org/issues/cda230 ) includes:
> Section 230 allows for web operators, large and small, to moderate user speech and content as they see fit. This reinforces the First Amendment’s protections for publishers to decide what content they will distribute. Different approaches to moderating users’ speech allows users to find the places online that they like, and avoid places they don’t.
Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.
> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.
If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.
Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).
Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.
If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.
selling to the highest bidder doesn’t generate headlines though.
I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically
>> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
> if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera
That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.
I don't think you'd need an external camera for that. What you're doing would be mentioned in the accompanying report.
I do agree with you about the boot process, though.
I might be projecting.
In the linked Microsoft blog post, they say:
> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.
So are they lying? Why would Nightmare-Eclipse not report them if they are not?
It's a very weird situation
That statement irks me. Responsible disclosure or not, It's Microsoft themselves that put their customers at risk, not the researcher.
Maybe they're a foreign intelligence cutout masquerading as a burned researcher.
https://gitlab.com/nightmare-eclipse
Blocked user @nightmare-eclipse
Looks like they're banned on GitLab as well?
Otherwise, that's the best we have.
https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre
The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story
https://x.com/PalantirTech/status/2057157517969445252
Everything you disagree with isn't incorrect.
It reads to me like Microsoft didn't pay him what he thought he earned from the exploits (i have no idea who is in the right on that), and then he published a zero day with no notification and threatened the company. Doesn't seem ridiculous to ban them at that point.
Again, I don't know the details so I can't say who is in the right, but the researcher comes off as a little bit unhinged and entitled. Not paying a bug bounty is 'ruining my life'?
>It's a private company. They can do what they want.
>Freedom of speech isn't freedom from consequences.
>Build your own github.
Did I miss any?
I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.
What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?
Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.
While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.
Maybe don't piss off your betters?
I mean it took them until Windows 10 to move font rendering out of Ring 0, you could run malicious code in kernel space from a freaking font on a web page at one point.
Satya Nadella says as much as 30% of Microslop code is written by AI:
https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...
> Satya Nadella says as much as 30% of Microsoft code is written by AI. More like Microslop, haha!
we'd all recognize that the last sentence is pointless name-calling (and thus violates the HN guidelines). But by interleaving the insult, it's easy to trick oneself into thinking that it's meaningful commentary. The quality of HN as a discussion forum requires holding ourselves to a higher standard than that.
Actually I was making a reference to Microsoft banning people on their Discord.
Because out of the top "evil corps", Microsoft seems to have the worst PR department.
I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.
Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.
Almost like trying to censor the leaked HDCP key.
Microsoft is playing with fire against a researcher that has a track record of finding 0 days out of thin air. Quite a dumb thing to do.
This researcher should instead pivot to crypto smart contract bounties. A much larger payout there than from companies like Microsoft.
The bugs he is publishing are exactly the class of bugs that they would love to buy.
Microsoft's stance on zero day exploits is a dumpster fire of their own making
https://news.ycombinator.com/item?id=48313038
MS owns GH. It's tonedeaf and criminal
Hasn't that been their MO since the start? Absolutely scummy company.
Make it make sense, Microsoft.
> "Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade."
Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.
A dying breed, most Intel machines have already fallen out of support and the few remaining ones (e.g. 2019 16-inch MBP) won't get any new OS updates after end of this year.
Example: https://lowendbox.com/blog/will-github-ever-remove-this-null...