Having known quite a few cybersecurity researchers in my time, I know that Microsoft is a controversial figure.
Windows, the world’s most widely used operating system, is a frequent target of hacks and exploits, as is Microsoft’s cloud platform, Azure. Russian-backed hackers breached Microsoft 365 last year, for example, taking over official US government accounts.
To combat this, Microsoft relies on security researchers, sometimes called white hat hackers, who probe Microsoft’s defenses and then report the problems they find. Microsoft runs a bug bounty program to that end, though a flawed one: ethical hackers can report exploits for a big payday. At least in theory.
I know from experience working with Xbox and Windows sources that actually getting paid is often more difficult than the Microsoft documentation suggests. I know more than a few researchers who have not received fair compensation in the past, and I assume this latest drama revolves around one such potentially burned user.
Security researcher Nightmare Eclipse recently disclosed to the public six major security vulnerabilities in Windows and other Microsoft systems. Typically, such bugs would be reported directly to Microsoft so the firm could fix them, but Eclipse’s earlier blog posts suggest the researcher made them public in response to their treatment by the company.
“Normally, I would go through the process of begging them to correct a mistake,” Eclipse wrote (via PCMag). “But to summarize, I was personally told that they were going to ruin my life, and they did, and I’m not sure if I was the only one who had this horrible (sic) experience or if it was a few people, but I think most would have eaten it and cut their losses, but they took everything from me. They wiped the floor with me and played every childish game they could. They’re just having fun seeing me suffer, but it seems like a collective decision.”
Nightmare Eclipse’s claims remain unconfirmed, but for what it’s worth, this isn’t the only such story I’ve heard.
Microsoft has contracts with the US military and takes security very seriously, if perhaps not seriously enough. CEO Satya Nadella has been embarrassed by several high-profile Azure hacks in the last few years, and maintaining a good relationship with well-intentioned ethical hackers should be a key pillar of protecting Microsoft customers.
I feel like every week there’s a new story about how AI-powered hackers are going to change global cyber security from both sides. Microsoft appears to be taking a more aggressive stance in pursuing hackers, as well as those who disclose vulnerabilities. Microsoft has now published a response to Nightmare Eclipse’s statements.
“Vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk these disclosures create, our security teams are working around the clock to understand the impact, protect our customers, and develop security updates.
We strongly oppose these actions and any uncoordinated disclosures that could harm our customers and the digital ecosystem. Unsolicited disclosures that put proof-of-concept code for unpatched vulnerabilities in the hands of bad actors can never be justified and have real-world consequences. Our security teams across the company tirelessly monitor threat actors looking for vulnerabilities like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue to prosecute these actors and those who enable their criminal activities – coordinating with law enforcement agencies around the world as necessary.”
The point is that the United States Constitution protects Nightmare Eclipse’s statements under free speech laws. However, depending on how the exploits were obtained, the research itself may have violated the Computer Fraud and Abuse Act.
The language in Microsoft’s blog post has drawn the ire of security researchers, as it suggests the company will go after those who disclose such exploits.
Former Microsoft senior security analyst Kevin Beaumont (via The Verge) called out Redmond’s apparent hypocrisy over its treatment of Nightmare Eclipse.
“Wait... Proof of concept creation and distribution of zero-day exploits is now ‘criminal activity’? Who signed that statement at CELA? Microsoft is the largest distributor of zero-days: GitHub. Failure to follow fictitious ‘responsible disclosure’ processes is not illegal.”
Nightmare Eclipse was also removed from GitHub (owned by Microsoft) and GitLab (a Microsoft partner), was doxxed on Twitter, and had their MSRC (Microsoft Security Response Center, the company’s vulnerability reporting portal) account disabled. “It’s very difficult to ‘responsibly’ report future vulnerabilities when you’re banned.”
In the same post, Beaumont suggested that Microsoft had previously hired security researchers with a public record of selling exploits to rogue states like Russia and Iran. “Microsoft knowingly hired someone who talked repeatedly about selling exploits to Russia and Iran while working there for years. They have a long history of hiring people who have been prosecuted for hacking crimes.”
When you’re a large and sprawling operation like Microsoft, you’re bound to be a target for both private and state-sponsored criminals. Microsoft also has one of the world’s largest market capitalizations, and pressure from Wall Street pushes it to cut corners to deliver glowing earnings reports.
Security exploits are inevitable in software, but in the age of artificial intelligence, the rate at which Microsoft is attacked will only increase over time. Antagonizing researchers hardly seems wise right now. The drama could fuel calls to formalize vulnerability disclosure legislation, which has been debated back and forth in the US but never fully implemented at the federal level.
As Beaumont concludes on DoublePulsar.com, “If Microsoft’s tactic is to try to criminalize failure to comply with often arbitrary ‘responsible disclosure’ frameworks, I wish you luck defending that in court – because Microsoft has a whole clown machine of pre-judgment and the facts that come up in the process.”