- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
You must log in or register to comment.
What even is the headline
That was my thought, what a absolute mess of a ‘sentence’.
This is extremely unfair to MicroSlop.
Microsoft closed the case after the reporter refused to submit a video of the exploit
They don’t have any actual fucking security experts there, so they require video proof that ape will understand.
Posting zero day exploits on github is a shit move. But Microsoft should be happy that this guy posted it on github rather than selling it on the black market.
Banning his guthub account won’t make zero day vulnerabilities go away ffs.
I am so calling it ‘guthub’ from now on.
😅
Didn’t Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such “act” is right, then banning the company should also be right. Ban all of them.
The “vulnerability” in ffmpeg was only for an addon, which required a separate download by the user, which was only for a cinematic which was only in the game Star wars xwing vs tie fighter from the 90s, which would only occur at exactly 17s into the fmv.
There was a protocol for reporting security vulnerabilities. Of course some companies don’t follow the protocol when vulnerabilities are reported to them, but that’s their problem.
You report the problem and then you wait 1 month, if the company still hasn’t fixed the issue by then, then you publicly announce it.
Unless it is an open source piece of software, any vulnerability I find will be publicly posted while I remove all software using it from all my devices and infrastructure.
Uniformed other than a few snippets from the blog but the researcher doesn’t seem to be in a good place mentally. Understandable if what they claim is true, making them unreliable if it isn’t.
Not victim blaming, but things aren’t automatically true because they are anti Ms.
From what I’ve heard, the POC worked.
I think it’s less being uncertain about the vulnerability and more about being uncertain about all the other drama surrounding it.
This Dormann fellow paints a believable picture of MSRC as an organization ruined by mismanagement and left incompetent and dysfunctional. A very banal scenario of failure that is familiar to anyone with experience with big businesses. Eclipse seems to see a more malicious intent and assumes that MSRC had it out for Eclipse personally from the onset for… some reason.
Eclipse may have found real stuff, but the communication style is a bit unhinged so it’s hard to evaluate the surrounding drama. This unhinged communication style combined with a bureaucratic MSRC could lead to them not being able to understand Eclipse’s attempt to explain.
The question is whether Eclipse was unhinged from the onset or understandably driven off the deep end by malicious treatment by MSRC. Both scenarios are believable, hence the sensible take away that we have one side of the story and while we should recognize that, we must also consider that an alternate scenario played out.
I’m surprised admins found a window large enough when github wasn’t down to ban the researcher.
I feel that companies like Microsoft have forgotten that bug bounties and ethical reporting are the compromise where they agree to pay a fair amount for the bugs and are given time to fix them and the security researcher forgoes the 10x price they could get on the black market.
Given the rise in mercenary hacking/spyware corporations, the bug researchers could probably get way more money through those alternate, and still legal, channels.
So I hear.
“Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”
"Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they’ll find another one, right?
He’s done more than two. This was his second round of releases. He was also the one that found the vulnerability in Windows Defender.
Is this the bitlocker backdoor? That’s not an exploit / zeroday
Thats making a backdoor be known.
Well the thing is it’s now been zero days since they had to write a new backdoor.
They don’t need to write a new one, they probably already have more than one built and deployed for the same thing.
But it’s a good idea to get started on another one, so I’m really just complaining about the word ‘had’ as if it was a requirement.
This is a cartoonish level of evil by Microsoft blud
I mean, the cartoonish evil was making the backdoor in the first place. This is just inept.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Okay,
So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.
You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.
Now you take the courtesy to flag my github account and wipe it out of the public, just like that ? You are proving to everyone that you actively escalating this conflict but I’m done begging you.
I might sound like crazy idiot who is whinning around but I have proof for every single word I said, I just can’t release it yet. Why ? Microsoft still has chains in my hands, it’s been like this for years and I just can’t stay silent anymore. I hope I can release the documents soon.
Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances).
Also,
CVE-2026-45498 is UnDefend
CVE-2026-41091 is RedSun
New GitLab account,
https://gitlab.com/nightmare-eclipse
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahGg+gAKCRDFFoRCS0/S
bBMIAPsEczivsL71pbJizJHHlNNOf9guPAFFshJhhkwrDrwZ5wD/Vz6Z+d6vSvhQ
uVrEh4lPM84Q8+J56RLa50Zp46QLkAY=
=8wON
-----END PGP SIGNATURE-----
https://deadeclipse666.blogspot.com/
Their account on GitLab is already blocked https://gitlab.com/nightmare-eclipse
What’s the context here?
Can’t wait for the drama to escalate. Maybe he sells these on black market for millions? Who knows. Banning his account is like pouring salt on the wound.
Lmao. Is there anywhere they can go that wouldn’t immediately block them?
Torrent magnet link to social media on several seed boxes. Magnet links with DHT (Distributed Hash Table) are fully decentralized. You can’t stop a 60 character text string.
Maybe they’d try to ban text strings again https://en.wikipedia.org/wiki/Illegal_number
He can use a locally hosted gitea
Of course he can… But then it’s as simple as a DDoS attack to shut it down. He wouldn’t want to host it on his own equipment, because there is a huge possibility for attack. He can pay for a server, but I assume he’d just setup the one. Unless he pays for a distributed server setup, there would be a single point of failure, and a single server to overwhelm. He can use CloudFlare, but then CloudFlare can decide they don’t like his content either, and just block access altogether.
All of those things are much harder with an existing website with a larger infrastructure, and content other than his own posts.
Torrent magnet link to social media on several seed boxes. Magnet links with DHT (Distributed Hash Table) are fully decentralized. You can’t stop a 60 character text string.
Maybe they’d try to ban text strings again https://en.wikipedia.org/wiki/Illegal_number
Well said… It would be difficult to match the load balancers larger sites have. Cost, resources, etc. Side note: fuck cloudflare.
He could host a Tor Hidden Service or an I2P eepsite. Still possible to DDoS, but a bit harder. But then you’re missing out on 99% of spreading possibilities.
Tor is a good idea. There are plenty of people that would happily seed the repository to spite Microslop
Put it on i2p and let the world shuffle it around.
I2P would be fine. They can ddos the service to an extent, but they’d just have to leave it there forever.
Plebbit, they don’t moderate anything AFAIK (with predictable results)
*they
the researcher’s pronouns and such are unknown at this time as they have remained anonymous
assuming male as default for everyone leads to trans people getting misgendered and is just generally a shitty out-of-touch thing to do
I happened to pick up in the article the neutral pronoun and have avoided it, but to accuse a pretty casual use of a prounoun as being a shitty thing to do is… a shitty thing to do.
Incidentally, I hate the plural pronoun as the stand in for unspecified. Especially when talking about a company versus an individual, it is useful to use the plural to refer to company and a singular for the individual. Otherwise it’s a vague mess. It’s so confusing when folks are using plural to refer to singular people.
I happened to pick up in the article the neutral pronoun and have avoided it, but to accuse a pretty casual use of a prounoun as being a shitty thing to do is… a shitty thing to do.
Why should misgendering be treated with more respect than the respect given?
Incidentally, I hate the plural pronoun as the stand in for unspecified. Especially when talking about a company versus an individual, it is useful to use the plural to refer to company and a singular for the individual. Otherwise it’s a vague mess. It’s so confusing when folks are using plural to refer to singular people.
Sorry but they has always been both singular and plural.
‘Can you flag the waiter when they’re not busy?’ Has always been grammatically correct. Its always been the ‘I’m not sure option’. You don’t say he/she when you don’t know how to refer to someone, you use they.
Why should misgendering be treated with more respect than the respect given?
You imply they intended some disrespect. They used a default pronoun and when asked to do otherwise they obliged, despite being immediately accused of doing a shitty thing. Folks are being offended on behalf of a person that hasn’t said anything about how that person feels one way or another.
A “could you use a non-specific pronoun instead of masculine when you don’t know” might have gone a long way, but implying some mundane default use of a pronoun is malicious and shitty is just a really excessive amount of vitriol when absolutely nothing was meant by any of it.
I know about singular they, but I don’t like it. Perhaps because there was a movement in my childhood education to “correct” the use of singular they, as noted in that wikipedia article there was significant pressure for hundreds of years to make people not use plural pronouns singularly. I for one wish that a singular, human appropriate, non-specific personal pronoun emerged because singular “they” just grates my nerves.
Just because you didn’t intend to disrespect someone, doesnt mean you didn’t. Impact over intent every time. Its a shitty thing to do. So someone should kiss your ass and hold your hand through misgendering someone?
Your personal gripes about they are frankly just your opinion on them, and I’m not givibg it more weight that that.
Like I said in a different reply,
This is people asking for the respect and thought to you know, check a profile before you speak. No one here got offended, it was called out as a dick move, as it should have been.
If you don’t see that as basic respect, thats part of the problem.
I don’t mind being corrected, but calling an honest mistake a shitty thing to do makes me just want to get defensive and not be receptive to what you’re actually saying.
Have you considered the possibility that aggressively interjecting pronoun arguments into unrelated conversations and implying people are shitty and out of touch is eroding public support for trans rights?
Sorry, but if your allyship is so fragile that someone being a dick online can wiaver it, you were never an ally.
Do you want more allies? Chasing away reluctant ones seems counterproductive to me TBH.
No, I don’t want fake ally’s.
Were not a pymarid scheme. Were people asking for basic respect.
And if you see that as a problem, not only were you never an ally, your actively part of the problem.
Microsoft has been mum on any details about these matters, so it’s hard to tell if the situation is about an uncooperative researcher who doesn’t follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse’s GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.
Classic Streisand effect. Just two years ago Satya Nadella publicly announced they’re prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft’s actions speak louder than words and they probably didn’t pay for the bounties.
He also intentionally did it the day after patch Tuesday. July 14th is also Patch Tuesday. This is about retribution for him. How you view that is going to depend on your world view. I doubt any of us feel bad for Microsoft though XD
And I fully believe it’d be some kind of justified retribution. The silence from Microslop’s side is deafening.
They most likely did something illegal or at least something that puts them on very shaky ground if they try to litigate. I am guessing there are multiple other people they fucked over and those people are not as ethical as this person. So they chose the blackhat path. I would treat any Windows device as a comprised device. It is possible that there are 20 other people, who are the best of the best security researchers, that were taking the low effort paycheck because it was a legal route that are now going to fuck Microsoft up. The non technical people who made the decision to stop paying out, did not fundamentally understand what they were doing. Mythos was just marketed as the best model for doing security research and they fell for it.
I don’t feel bad for Microsoft, but responsible disclosure is about more than that.
It’s ethical. It gives the developer time to correct an error before it has the potential to affect anyone using their products. When you don’t follow that process, whether one set out by the developer, or a best effort on your part, you are now contributing to the potential harm caused by that vulnerability.
This isn’t universal, and I have no doubt that Microsoft is also partly to blame, but there’s a significant element of attention seeking in the mix here. They could have reached out to other security researchers, validated the findings in private and found another channel to work through. Maybe he tried, but largely it seems like his actions are retaliatory and broadly harmful to anyone who has to administer these products.
I have a lot of respect for security researchers. My job relies on the work they do and the skill it takes to do it. But part of that relies on doing things in a way that minimizes potential harm.
Microsoft clearly doesn’t care about ethics if they’re putting backdoors in their product…
Man, Microsoft just keeps footgunning this one.
Every new exploit, they clearly have a meeting and convince themselves “that’s gotta be the last of it, right?”
So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)
Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating
Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset and the reason why he started doing this. They keep escalating. Its a war they started.
Very little seems to be beyond the incredulity of MS meetings, remember they had a meeting where someone suggested the OS take a screenshot every ten seconds of whatever the user was doing and upload it to MS servers and rather than everyone laughing they agreed to move it into development.
rather than everyone laughing
You misspelled “firing the authoritarian nutjob for cause,” which would’ve been the bare minimum of reasonable reactions.
if that’s bare minimum, what is the upper limit for reasonable reactions? Hang him?
Publicly shame, actively blacklist them from ever working in any of their companies, and making sure everybody in the IT space knows this, would ruin this person’s ability to do any more damage and might be the upper limit? Well that or doing a Boeing… Take your pick.
Snapshots and the contextual information derived from them are saved and encrypted to your local hard drive. Recall does not share snapshots or associated data with Microsoft or third parties, nor is it shared between different Windows users on the same device. Windows will ask for your permission before saving snapshots. You are always in control of what apps and websites get saved in snapshots, and you can delete snapshots, pause or turn them off at any time. Any future options for the user to share data will require fully informed explicit action by the user.
Considering the thread we’re talking in, it’s up to you if you trust MS to implement this well, but they are not uploading the screenshots to the cloud.
Personally I think the idea of Recall is great if it works to help you and only you. The problem isn’t the idea, it’s the trust. If a reputable open source project or Linux distro made a feature like this I think it would be cool, because I know my privacy is going to be respected and the feature is designed solely to help me and nothing more. However, when MS suggests this I’m immediately cautious, skeptical, and concerned about how it could be used against me.
The statement you quoted is itself a lie. It talks about snapshots, when that’s not at all what Recall is about. It takes snapshots, true. But it does not matter to MS whether the snapshots themselves are saved, or where. “Recall does not share snapshots or associated data” is a reference solely to the snapshot itself, not the data Recall creates from it.
Here’s what really happens. Once a snapshot is taken, it is analyzed with AI as well as converted into text (if text is present) and all that content (including passwords, banking details, medical records, whatever passes the desktop when a snapshot is taken) plus its local AI analysis is kept in a local database. That shrinks its size to almost nothing, making it much easier for MS to collect. This secretive local database itself is inaccessible to you (even as admin), one you have zero rights to control or delete or edit or even view, one over which you are never given any permissions, and at regular intervals that database is scraped and sent back to MS to use in data aggregation and resale and AI training and whatever the fuck else they want to do with it. Sure, you can turn off Recall in the AI settings, but it has now been proven that any Windows update just turns it all back on again.
Knowing this, go back and reread their statement in regard to snapshots. The entire thing is a misdirection and never once addresses the real payload of Recall and why MS, even after they pinky swore they had dropped it, they continued partnering with hardware makers to deliver “Recall-ready” PCs that already have the requisite NPU on the motherboard, which are needed to do all that local data OCR and analysis on the snapshots that don’t even matter to MS once they’ve been scraped for content.
It’s also a big attack surface. Just like how a lot of malware looks for the browser password cache now, it doesn’t take much for a malware developer to just go for the recall store. The malware doesn’t need to pack in software to take screenshots, if the OS serves it up for them on a platter.
The location is known, and I seem to remember it being fairly simple to view the contents in the right system viewer with a bit of work, so yeah. I never considered that but you’re quite right: MS is packaging that shit up all nice and handy for whoever can grab it by whatever means.
you know, since this little saga began I’ve had this tiny voice in my head hoping this one vindictive dude is, eventually, directly responsible for Microsoft going out of business/doing severe restructuring or downsizing as a consequence of businesses losing faith in the company’s products. Lots of people already raise an eyebrow at Windows 11’s issues, things like “all our shit is fundamentally insecure because microslop left a backdoor in [insert critical thing here], and has been for [weeks/months/years/???]” tend to have an adverse effect on sales, especially to risk-averse business customers. It’s not impossible to imagine that continued “holy fuck what 0day exploit just dropped?” incidents, on the level of YellowKey, happening every month, could result in businesses deciding to drop their enterprise licensing of MS products; and that’s going to hurt. That’s where a big chunk, if not the biggest chunk iirc, of their revenue comes from. It’s unlikely, it’s a longshot, but I’m allowed to have hope.
I’m especially now wondering, if YellowKey was the teaser – you know, just casually revealing a backdoor in BitLocker, like nbd – what the actual fuck are they going to drop in July? If that’s the appetizer, how juicy’s the entree gonna be?
Microsoft going out of business/doing severe restructuring or downsizing
Although I wonder if they could. Microsoft seems like one of those “too big to fail” companies, where they’d never be allowed to fall on their face, since Azure and Exchange prop up so many things. It’s not like there’s a major second option for an OS if you just buy a computer off the shelf like a lot of people do. You either get a Windows or a Mac.
If that’s the appetizer, how juicy’s the entree gonna be?
At the risk of going on a tangent, isn’t the entrée the appetiser? You don’t have an appetiser, an entrée, and then the main course.
I think as long as nothing actually happens, other companies wont care. No one is capable of thinking about the future anymore, there is only next quartal and short term profits.
It might actually be needed for something big to go down first, like those 0day exploits actually get exploited and some client company or few loses a lot of money because of it. Considering how unsecure windows is, i’m a bit perplexed how nothing hasn’t happened already.
Some of the other 0days this guy released are already being actively exploited in the wild, but no reports of big losses as a result of them yet. Having said that, the entire point of BitLocker was that it was full disk encryption that you didn’t have to think too much about; and now I bet every corporate IT department out there is looking at it with suspicion. If this guy can keep delivering on “things that keep sysadmins awake at night”, like “oh god every hard drive we’ve had stolen in the last few years can be fully decrypted now”, eventually a lot of them will decide it is less harrowing and less work to move their entire stack away from Microsoft than it is to live with them.
They’d better not be overselling this bomb they’re gonna drop in July. I’m already moved over to Linux fully now, to quote photonicinduction: I want flames. I don’t just want to see it all over the tech news, I’m hoping he screws with them hard enough the story makes it to actual TV news channels.
“Footgunning”?
A colloquial term equivalent to “shooting oneself in the foot”
A very clear answer
An explanatory sequence of words
Over-complication of ‘sentence’
AI loves to use the word. I never heard it regularly until AI started helping popularize it.
FWIW I’ve proudly been using it for years
Prove you haven’t been an Ai for years
You’re very right! There’s a lot of reasons to believe I might be an AI, such as:
- overusing bulleted lists and other common basic formatting features to improve readability
- uncommon grammatical symbols primarily used by autistic people in writing appearing overly-frequently
- overly bubbly, wordy and pleasant writing style that continues to respond even to terminating phrases and instructions to my own detriment
The verdict? I may in fact be an AI
Did this one achieve some intense introspection just now?
Shit
Then you did not speak with programmers regularly, I learned this term probably back in 2008ish
I guess so. I’ve learned lots of words from the ones I know, but not this one.
If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).
Even if this person is lying I’m more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.
It sounds like the guy treats these issues in a very standard way by notifying the company beforehand with a note that the findings will be made publicly at a certain date. Microsoft ignores it and it inevitably gets published. That‘s standard procedure. Microsoft throwing a tantrum is the only extra thing here although „shooting the messenger“ seems to become more common these days with these findings.
Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit
I wonder if the dude happened to find an internally documented backdoor intended for use by government actors? Or most likely they just don’t wanna deal with it and the perceived fastest way to deal with it is to try and bury it. Both could be true, but I’m just speculating.
Their april 15th blog post explicitly calls it a backdoor and mentions it was very well hidden. I’m interested to see what comes of this
Did you see the last post?
Whatever the last part of the link is it is getting caught in the content filter and being replaced with “removed”.
Can anyone actually share the actual end of the link without triggering the content filter?
Might be your instance. Try
blogandspotand.comwithout spaces. The blog is also linked within OPs articleInteresting, I wonder why the choice to remove blog spot dot com specifically, this is actually the first time I have ever seen a “removed” from this instance, which is why I assumed at first it must be remote (also I had just woken up). Now that I’m more awake I realize, you’re right, it must be my instance. Maybe I’ll ask my admin sometime if there’s a reason why they block that phrase.
I was wondering that myself.
I mean, a mechanism that allows you to get the malware scanner to place whatever software you want on a machine, give it system access and then execute it, feels like a prime suspect for “lawful source interception” bullshit.I do feel like it’s entirely possible it was a bug. I would imagine if they wanted to do a backdoor, they would require some form of key. There would need to be a form of revocation. If an employee, either for the government or Microsoft, went rogue then they could abuse that, or at the very least whistleblow and it would be easily verifiable for other entities.
I do feel like it’s entirely possible it was a bug. I would imagine if they wanted to do a backdoor, they would require some form of key.
That would negate plausible deniability.
