Rendered at 09:22:38 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
JumpCrisscross 3 days ago [-]
> Hang on.. proof of concept exploit creation and distribution for zero days is “criminal activity” now?
Publicly publishing an exploit is so obviously First Amendment-protected activity that it’s almost tempting to want a test case.
avaer 2 days ago [-]
It's also quite the blame gymnastics. The code that enables the bad actors was written, published, and distributed at massive scale by Microsoft. The "crime" they are accusing the researcher of is telling the world about it.
It would be an interesting case if the defendant had good representation.
rurban 17 hours ago [-]
The interesting case seen to be that the researcher apparently got laid off recently by this MS team, and thus has a 6 month NDA. Apparently he still tried to get bug bounties from inside knowledge of these criminal backdoors. That's what is being talked about behind.
A true popcorn case if this would go to court. Would cause lot of governments to think about their backend choices.
bigfatkitten 3 days ago [-]
I’d love to see Microsoft try it on. The defence witnesses in any such trial are going to show up holding all kinds of receipts that Microsoft would prefer didn’t see the light of day.
1970-01-01 2 days ago [-]
Straight to jail for you, citizen. Distribution of 0day for lulz has been criminal since 2022. You're free to try and get away with it under any and all amendments. IANAL!
> Distribution of 0day for lulz has been criminal since 2022
Skimmed the article. Not seeing it support your claim.
1970-01-01 2 days ago [-]
Responsible disclosure is a normalized process in the courts. Skipping it opens you to, at very minimum, a plethora of civil lawsuits, including any and all the damages that resulted from skipping it. The odds are very much not great that you'll be OK.
JumpCrisscross 2 days ago [-]
Civil, sure. The dispute is over criminal jurisdiction.
dghlsakjg 2 days ago [-]
Is there actually a civil duty of care here?
Responsible disclosure is an industry norm, but I don't really see how an independent researcher has a legal obligation to play by industry norms. If I discover that any product has a defect, I am free to blab about it all I want as long as it is truthful. There may be considerations beyond this if you are disclosing something discovered by breaking terms of service or by fucking with a computer that isn't yours, but discovering that your copy of windows on your machine has a flaw and telling people about it is protected.
1970-01-01 2 days ago [-]
Yes. Simply publishing on GitHub makes it's a TOS violation. You're free to blab all you want. Just host it on your own server and maybe even your own ISP. The code will be protected, but the publishing is not!
dghlsakjg 2 days ago [-]
“Our clickwrap terms of service prohibit users from talking about dangerous defects in our products without telling us and keeping it a secret for a month” is a hell of an argument to even attempt in front of a judge, let alone to be accepted.
Again, there isn’t really any case law I can find suggesting that skipping responsible disclosure opens you to any legal liability - which is the argument being made here.
1970-01-01 2 days ago [-]
The dispute is whether or not it is perfectly legal free speech. By simply publishing it on GitHub, it was a violation of a TOS and that right there opens it up to lawsuits from MS. You are free to go down this path and prove me wrong.
bigfatkitten 2 days ago [-]
I’d be interested to read some case law involving judgements against researchers in these circumstances, if you have any references handy.
Not comparable at all. He was convicted one count of identity fraud and one count of conspiracy to access a computer without authorization — AT&T’s computer, not his computer.
gremlinunderway 2 days ago [-]
Re-read the beginning of the First Amendment, because it's such a common mistake that I'm surprised people still make it:
"Congress shall make no laws ... "
The first amendment bars the *government* from infringing on your free speech. It has zero standing or bearing on private citizens or corporations.
Which is why people crowing about it on social media or universities are completely oblivious to the fact that these organizations have absolutely zero responsibility to enable your free speech.
avaer 2 days ago [-]
Microsoft's blog is calling this criminal activity. They are threatening to bring in the government to go after this speech.
This is a first amendment issue.
HDBaseT 2 days ago [-]
I wouldn't call these "Exploits".
Almost all of these appear to be backdoors inserted by Microsoft (and/or three letter agencies/Israel).
They are just being blown open and Microsoft isn't happy.
xtajv 2 days ago [-]
[dead]
h4kunamata 2 days ago [-]
Since Microsoft took over GitHub, everything went to shit.
GitHub, dead!
Windows, dead!
Xbox, dead!
Now security analysts blacklisted for disclosuring vulnerabilities.
Wait until the big players decide to ditch Microsoft altogether, I mean, why help when you are penalized for it??
With Microsoft doing so many things wrong, and users migrating to Linux because even Windows softwares have become evil, and security analysts jumping ship, let me tell ya, Copilot or even Mythos won't save you. AI is as good as the data it was trained on while humans adapt on the fly.
h4kunamata 2 days ago [-]
EDIT: This security analysts promised to release something big on July 14, 2026
Boy oh boy, Microsoft started a war they cannot afford to loose, and yet they already lost.
Nadella subsequently pushed security to the back seat.
justinclift 1 days ago [-]
The promise I'm talking about was 2024/2025, and we can see how that's gone. ;)
angry_octet 2 days ago [-]
If you can't win the game, don't play by the rules.
1970-01-01 2 days ago [-]
>Hang on.. proof of concept exploit creation and distribution for zero days is “criminal activity” now?
This is what happens when you jump the gun and publish without doing any research. The author needs to lookup how the CFAA works. Now, yesterday, and a decade ago, you couldn't just drop some exploit and walk away rambling about your rights. Dumpster fire takes are everywhere online.
Publicly publishing an exploit is so obviously First Amendment-protected activity that it’s almost tempting to want a test case.
It would be an interesting case if the defendant had good representation.
A true popcorn case if this would go to court. Would cause lot of governments to think about their backend choices.
https://krebsonsecurity.com/2022/06/what-counts-as-good-fait...
Skimmed the article. Not seeing it support your claim.
Responsible disclosure is an industry norm, but I don't really see how an independent researcher has a legal obligation to play by industry norms. If I discover that any product has a defect, I am free to blab about it all I want as long as it is truthful. There may be considerations beyond this if you are disclosing something discovered by breaking terms of service or by fucking with a computer that isn't yours, but discovering that your copy of windows on your machine has a flaw and telling people about it is protected.
Again, there isn’t really any case law I can find suggesting that skipping responsible disclosure opens you to any legal liability - which is the argument being made here.
"Congress shall make no laws ... "
The first amendment bars the *government* from infringing on your free speech. It has zero standing or bearing on private citizens or corporations.
Which is why people crowing about it on social media or universities are completely oblivious to the fact that these organizations have absolutely zero responsibility to enable your free speech.
This is a first amendment issue.
Almost all of these appear to be backdoors inserted by Microsoft (and/or three letter agencies/Israel).
They are just being blown open and Microsoft isn't happy.
GitHub, dead!
Windows, dead!
Xbox, dead!
Now security analysts blacklisted for disclosuring vulnerabilities.
Wait until the big players decide to ditch Microsoft altogether, I mean, why help when you are penalized for it??
With Microsoft doing so many things wrong, and users migrating to Linux because even Windows softwares have become evil, and security analysts jumping ship, let me tell ya, Copilot or even Mythos won't save you. AI is as good as the data it was trained on while humans adapt on the fly.
Boy oh boy, Microsoft started a war they cannot afford to loose, and yet they already lost.
This isn't "fixing the problem" at all. It's the opposite of fixing the problem.
https://www.wired.com/2002/01/bill-gates-trustworthy-computi...
Nadella subsequently pushed security to the back seat.
This is what happens when you jump the gun and publish without doing any research. The author needs to lookup how the CFAA works. Now, yesterday, and a decade ago, you couldn't just drop some exploit and walk away rambling about your rights. Dumpster fire takes are everywhere online.
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#C...
Maybe you should look up who the author is.
The words "'s stance on zero day exploits" are unnecessary in the above sentence.