Comment by zuzululu
1 month ago
What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and thus releasing zero days that he found with the help of AI?
Seems like the gold rush period is over for bounty hunters and its more about who has access to hardware/token capital.
It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:
> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."
If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.
Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).
Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.
If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.
> and the response was flow chart tech support with a "buy a webcam" cherry on top
I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
Which, if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera
Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically
5 replies →
It feels like they’re trying put hurdles in front of you instead of getting info about repeatability of the vulnerability.
> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
selling to the highest bidder doesn’t generate headlines though.
Oh it does, but they don't say "Researcher sells exploits to the highest bidder", they say "Handala group shuts down nuclear power plant"
The researcher's own statements note that the zero days were not found with AI.
And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.
> They seem to have a personal vendetta against Microsoft
Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...
I might be projecting.
What were the "so many better options" during that period? Have we found the only remaining CP/M fan?
OS/2 and DR-DOS are a couple examples. But what really gets me is the whole Xenix thing.
CP/M was great on Z80 systems. But a 386 was capable of so much more.
a bit later, but not much: OS/2
4 replies →
I was forced to use ms basic on my c64. Never forgive, never forget.
I always found it weird to ship a BASIC interpreter that didn't have specialised commands (unless you count POKE) to access the graphics and sound capabilities of a computer like the C64. Some computers of the same era had vastly superior BASICs (such as Sinclair BASIC).
3 replies →
We're witnessing the industrialization of intelligence.