Having met a few cybersecurity researchers in my time, I know that Microsoft is a somewhat controversial figure.
As the world’s most widely used operating system, Windows is a frequent target of attacks and exploits, as is Microsoft’s Azure cloud. Russian-backed hackers breached Microsoft 365 last year, for example, compromising official US government accounts.
To combat this, Microsoft is known to work with prolific and not-so-prolific security researchers, sometimes called white hat hackers, who test Microsoft’s security layers and then report issues. Microsoft has a bug bounty program to that end, where ethical hackers can report exploits for a major payday. At least, in theory.
I know from my experience working with Xbox and Windows fonts that actually receiving payment is often more difficult than Microsoft’s documentation suggests. I know more than a couple of researchers who haven’t been fairly compensated in the past, and, to speculate, this latest drama revolves around one of those potentially burned users.
Security researcher Nightmare Eclipse went on a bender recently, publicly revealing six main security vulnerabilities in Windows and other Microsoft systems. Typically, bugs of this kind would be reported directly to Microsoft so the company could fix them, but previous blog posts from Eclipse suggest that they may have been disclosed publicly in retaliation.
“Normally, I would go through the process of begging them to fix a bug,” Eclipse wrote (via PCMag), “but long story short, they told me personally that they would ruin my life and they did and I’m not sure if I was the only one who had this horrible experience (sic) or few people did, but I think most would just suck it up and cut their losses, but for me, they took it all. They mopped the floor with me and used every playground they could. It was so bad that at some point I wondered if I was dealing with a massive corporation or someone who just gets a kick out of watching me suffer, but it seems to be a collective decision.”
Nightmare Eclipse’s claims are unverified accusations for now, but for what it’s worth, this isn’t the only story like this I’ve heard.
Microsoft contracts with the US military and takes security very seriously, although perhaps not seriously enough. CEO Satya Nadella has been embarrassed in recent years by some high-profile Azure hacks, and maintaining a good relationship with well-intentioned ethical hackers should be a fundamental pillar of protecting Microsoft customers.
Every week I feel like there’s a new story about how AI-driven hacks could disrupt global cybersecurity on both sides of the fence. It appears that Microsoft is taking a more aggressive stance when it comes to going after hackers, as well as those who publicize vulnerabilities. To that end, Microsoft issued a response to Nightmare Eclipse’s revelations.
“Known vulnerabilities such as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We continue to strongly oppose these actions and any disclosures outside of proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking down threat actors looking for weaknesses like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue to bring cases against these actors and those who enable their criminal activity, coordinating as necessary with law enforcement around the world.”
The point is that the US Constitution would protect Nightmare Eclipse’s revelations as free speech. However, the disclosures could still violate the Computer Fraud and Abuse Act, depending on how the exploits were obtained.
Nonetheless, the language in Microsoft’s blog post has drawn the ire of security researchers, as it seems to suggest that the company will also go after those who simply disclose such vulnerabilities.
Former Microsoft senior security analyst Kevin Beaumont (via The Verge) called out Redmond’s apparent hypocrisy in its treatment of Nightmare Eclipse.
“Wait… the proof of concept of creating and distributing zero-day exploits is now a ‘criminal activity.’ Who at CELA approved that wording? Microsoft is the largest distributor of zero-days, via GitHub. Failure to follow fabricated ‘responsible disclosure’ processes is not illegal.”
Nightmare Eclipse was also banned from GitHub (owned by Microsoft) and GitLab (a Microsoft partner), was trolled on Twitter, and had their MSRC (Microsoft vulnerability reporting portal) account disabled. “It’s pretty difficult to ‘responsibly’ report future vulnerabilities when you’ve been banned.”
In the same post, Beaumont suggested that Microsoft had previously hired security researchers who were publicly known to sell exploits to rogue states such as Russia and Iran. “Microsoft knowingly employed someone who repeatedly talked about selling exploits to Russia and Iran, publicly, while he worked there, for years. They have a long history of hiring people, some with criminal convictions for hacking crimes, and hiring people who have posted zero days publicly.”
An operation as large and far-reaching as Microsoft will inevitably become a target for criminals, both independent and state-backed. Microsoft also has one of the largest market capitalizations in the world and puts pressure on itself to cut corners in order to deliver glowing profitability reports to Wall Street.
Security exploits are inevitable in software, but in the age of AI, the speed at which Microsoft is likely to be attacked will only increase over time. It does not seem especially wise of the company to antagonize researchers, as appears to be happening now. The drama may intensify calls to formalize vulnerability disclosure legislation, which has been debated in the United States but never fully implemented at the federal level.
As Beaumont closes at DoublePulsar.com, “If Microsoft’s tactic is to try to criminalize not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending it in court, because there’s quite a bit of clowning about prior decision-making within Microsoft and the facts that would emerge in that process.”