
Microsoft Criticized for Threatening Legal Action Against Security Researcher (yahoo.com) 36

"A security researcher published a series of unpatched bugs in Microsoft products," reports TechCrunch, "along with code to exploit them."

Microsoft's response to the researcher? "Threatening to take legal action and call the cops on them." On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle "Nightmare Eclipse," for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.

The core of Microsoft's complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been "responsible," as Microsoft's blog put it. The other side of the company's argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA. "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world," Microsoft wrote...

In a series of blog posts published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse's implication was that they had no choice but to release the vulnerabilities publicly... The researchers published the bugs on open source repositories GitHub (owned by Microsoft) and GitLab. The researchers' accounts on those platforms have been banned...

In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft.

Thanks to long-time Slashdot reader Elektroschock for sharing the news.

  • When knocking on your door will suffice.

  • Nonsense (Score:3, Interesting)

    by bjoast ( 1310293 ) on Saturday May 30, 2026 @03:50PM (#66167142)
    Claiming that he had no choice but to release the bugs publicly seems like nonsense to me. His blog posts don't really make him appear rational either.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      So your argument is the liability isn't on the company releasing defective software, it's on the people who point out the defects?

      There's no public duty to sweep bugs under the rug.

      • Re:Nonsense (Score:4, Informative)

        by saloomy ( 2817221 ) on Saturday May 30, 2026 @04:53PM (#66167222)
        This. In fact I think it is downright irresponsible. If this guy found the bugs there is a high likelihood others may have as well. Releasing bugs to the public is the better, safer approach when finding a zero day, because it gives users a chance to self-mitigate risks before software can be patched. If you tell me there is a risk using my car's garage door opener link without my consent, I can remove that link myself, until the manufacturer releases a patch. Likewise, I can move sensitive information in the case of BitLocker to an encrypted archive or some other solution in this case. The manufacturer's 90-day pre-warning is not a good security posture.
    • Re:Nonsense (Score:5, Insightful)

      by Junta ( 36770 ) on Saturday May 30, 2026 @03:57PM (#66167156)

      Yeah, I think the big question is was Eclipse as unhinged as the blog posts suggests throughout, or was this unhinged state brought on by unreasonable treatment by Microsoft...

      From some analysis, I think MS team became less competent and more bureaucratic, and probably struggled to understand whatever the hell Eclipse was getting at, and Eclipse was perhaps on top of confusing was also potentially offended that they failed to respond in what he thought was an appropriate amount of time.

      So Eclipse obviously had real stuff, but maybe MSRC couldn't understand, and Eclipse took it gravely personally and here we are.

      The other option is that MSRC engaged as described and drove Eclipse to be unhinged after trying to engage in a reasonable way.

      My life experience is probably that the former is the scenario, that he was smart, but communicated poorly and took offense easily when faced with a boringly incompetent corp team and mistook their nature for malice initially. Things might have gotten heated on Microsoft's side, but I would guess Eclipse went off the rails first, based on his communication style on display in his blog...

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Yeah, I think the big question is was Eclipse as unhinged as the blog posts suggests throughout, or was this unhinged state brought on by unreasonable treatment by Microsoft... ...
        My life experience is probably that the former is the scenario, that he was smart, but communicated poorly and took offense easily when faced with a boringly incompetent corp team and mistook their nature for malice initially. Things might have gotten heated on Microsoft's side, but I would guess Eclipse went off the rails first, based on his communication style on display in his blog...

        I disagree on this even being a question, let alone the big question.

        Reporting the flaws to MS is nothing more than a favor to them, not doing so isn't "wrong", and absolutely is not illegal.
        The researcher being unhinged, angry with MS (with or without reason), or having communication skills at all let alone above "poor", also doesn't make him wrong.
        Being annoying or difficult to interact with is not an acceptable reason to falsely accuse him of crimes for the illegal abuse of weaponizing the legal system.

        • Reporting the flaws to MS is nothing more than a favor to them

          Hm. Do you actually believe that? Do you actually think the sole purpose of responsible disclosure is to be nice to vendors?

    • who cares (Score:2, Interesting)

      by Anonymous Coward

      For a while the software industry had a way of suing and pressing charges against security researchers (see the arrest of Dmitry Sklyarov in 2001), and then we ended up at a kind of detente of "responsible disclosure" along with bug bounties which were a kind of compensation for the impact on the security researchers. (Imagine if biologists had to postpone publication of their research for the benefit of some private companies, which got to be the ones to write the research paper.)

      Well, that detente only wo

  • Since '90' is some arbitrary number some tech elites pulled out of their arses, this researcher should decide on a 90-minute window for "responsible disclosure" so they’re covered. I mean, Microslop are the ones that released a defective product in the wild, they’re the ones to really blame for it being found/exploited in the first place.

  • by Tom ( 822 ) on Saturday May 30, 2026 @04:09PM (#66167170) Homepage Journal

    The core of Microsoft's complaints is that the researcher did not attempt to report the bugs so that the company could fix them.

    The exact scenario we warned about when the discussions about this "responsible disclosure" nonsense started. Someone needs a reminder that letting you know your software sucks is a courtesy, not something you can demand.

    • Someone needs a reminder that letting you know your software sucks is a courtesy, not something you can demand.

      In Microsoft's case, I always assume it sucks and let them know about the rare occasions it doesn't. :-)

      • by Tom ( 822 )

        In Microsoft's case, I always assume it sucks and let them know about the rare occasions it doesn't. :-)

        BOTH of them? :-)

  • NSA involvement (Score:5, Interesting)

    by DrMrLordX ( 559371 ) on Saturday May 30, 2026 @04:09PM (#66167172)

    If Nightmare Eclipse did disclose these vulnerabilities to MS already (and if MS refused to act on them), one has to wonder if at least one of them was a deliberate backdoor left in their software (notably Bitlocker) for the benefit of the NSA? It's already well-known that the NSA has had backdoors for Bitlocker since its inception years ago.

  • by fuzzyfuzzyfungus ( 1223518 ) on Saturday May 30, 2026 @04:19PM (#66167178) Journal
    The whole 'responsible disclosure' preaching and the not-terribly-subtle threats seem particularly bad given that there's an entire industry of actively more dangerous people who are not only treated as legal but actively courted by state agents and cops (and often even less savory customers, though they tend to be cagey about those); the ones who actively seek to keep vulnerabilities quiet so that they can continue to sell exploit tools and services based on them. Throwing zero days on GitHub isn't ideal vs. getting them fixed; but it gets them fixed faster than if Cellebrite wants to hang on to a BitLocker bypass or Trenchant, and L3Harris Technologies Company, wants to keep selling 'network investigative techniques' that can bypass default Windows Defender configurations or whatever the situation is.

    From the outside it's hard to know whether MS actually mistreated the researcher badly enough to justify their displeasure (the consensus appears to be that MSRC was never the best to deal with and has actively gone downhill; but this person's position seems significantly angrier than average) or whether they are perhaps wound a little tight; but implying that their legal status is the same as people actively running attacks against user systems is blatantly false and totally ignores the class of researchers who do actively run attacks while being treated as respectable.

    It's a particularly bad look when at least Facebook got into a public legal fight with the NSO group over their nerd-merc work against their users; not like that actually solved the problem of attacks on cellphones; but it was an all-too-rare case of industry pushing back against the 'respectable' arms dealers; and not one that MS has an analog to.
    • From the outside it's hard to know whether MS actually mistreated the researcher badly enough to justify their displeasure

      The irony is that a lawsuit would bring that to light during discovery. Microsoft probably has little intention of following through with their threat of a lawsuit, but in the unlikely chance that they did, it could open them up to even more public scrutiny about how they address security issues. And if they did file a lawsuit, other security researchers could protest in solidarity by

  • by MeNeXT ( 200840 ) on Saturday May 30, 2026 @05:24PM (#66167244)

    The company assumes no responsibility when selling software, but the user needs to assume responsibility when they find something wrong with the software.

    Sorry, but the company needs to take better care of its customers if it wants its customers to care about the company.

  • First Amendment (Score:5, Informative)

    by symbolset ( 646467 ) * on Saturday May 30, 2026 @05:25PM (#66167246) Journal

    In the US this is protected speech. There is a flaw in published software such that x and y... This is a statement of observed fact no matter how obscure.

    Poor form, yes. Illegal, no. To threaten or intimidate rather than fix the fault is reliance on the ancient Microsoft trope security through obscurity. Tolerance of that oppressive behavior makes us less secure, not more.

    Closing their account on your service is fair game though. No obligation to host anyone for any reason.

    Dealing with aggrieved customers is just a part of doing business with the public. No matter how well you behave some people just have issues, and some will have legitimate complaints. Microsoft is a multitrillion dollar multinational corporation. That comes with the turf.

    • Absolutely! Public disclosure was always a courtesy. And bounties were set up to allow researchers a method of profiting on their discoveries without resorting to selling them on the black market, because as you pointed out, doing so is perfectly legal. In fact, researchers would likely make much more money doing that, so Microsoft should stop acting so entitled and make sure that they take good care of security researchers.
    • The first amendment is intended to protect citizens from the actions of the government. I am not sure it applies here where we are discussing the actions of a corporation not owned by the government.
      • This is a threat of referral to criminal prosecution. Criminal prosecution is a government, not personal or corporate activity. What I say here is that such threats are empty.

        People do get that wrong a lot though. Apparently even Microsoft, the FBI and US Attorneys these days.

  • by Todd Knarr ( 15451 ) on Saturday May 30, 2026 @05:28PM (#66167248) Homepage

    This has been typical behavior for large companies when dealing with vulnerability reports for decades. Report one, they treat you as the problem. They'll try to ignore it, consider it "not exploitable", delay and deflect as long as they can get away with it, anything but address the vulnerability. And they'll never tell anyone the vulnerability exists. This only changes when they have no choice but to admit to the problem and fix it, usually when the vulnerability is being publicly exploited. They push "responsible disclosure" because it includes the reporter not making the vulnerability public until the company has a fix, which allows them to stall disclosure as long as they want.

    It used to be enough to just include a reasonable deadline when reporting it, after which the reporter would make it public if the company hadn't taken some action on it. Then companies started threatening and then taking legal action against the reporter as soon as they reported the problem, playing the deadline up as "blackmail".

    So, what do you do when faced with this? The only reasonable response is to skip the company entirely and make the details public immediately. You're going to be facing retaliation from the company either way, this way the public isn't vulnerable for an extended time. And yes you include details on how to exploit the vulnerability, ideally via working code, so researchers other than the company can confirm it's a real vulnerability that's actually exploitable without having to take your word for it. No, that doesn't give the bad guys anything because remember the working assumption for vulnerabilities: if a good guy has found it, the bad guys already know about it and are using it. Remember that when the company whines.

  • [MS' response:] "Threatening to take legal action and call the cops on them."

    So I guess we can now call them MicroSLAPP.

  • by Rujiel ( 1632063 ) on Saturday May 30, 2026 @06:16PM (#66167288)
    by sitting on 0-days for their partners to use at will. That's not to say all of these exploits were such, but I bet many were (especially the bitlocker one).
  • I tried to report a bug to Microsoft back in the day too but they ignored me and released Windows anyway. Assholes.

  • “Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse's implication was that they had no choice but to release the vulnerabilities publicly.”
    • Were their two of their/them(s) /s

      You can't know the eclipse's gender unless you know which bodies are involved...

  • For criminal negligence by foisting their QA and QC upon their users instead of trained QC/QI/QA personnel.

  • Bill Gates should burn in Hell.

  • Fairly recently too even. I'm just your average Windows admin and while doing other work I just happened to notice a machine being logged in sitting at a desktop when it should have been at a login screen. So I played around with it and got to where I could reliably reproduce what I had seen earlier. I wrote up step by step instructions on how I accessed a Windows system from another Windows system potentially without credentials and supplied a video showing the process from between two Windows Ins
  • This amounts to work done for for-profit companies for free. What are people who report such things getting from the companies that will directly benefit from such reports? In this case, could the guy have reasonably charged, say, 100 hours at $100/hr? I understand that some companies give some compensation, but I don't know how much, and according to what criteria. What happens if they don't give what the reporter thinks that is deserved?
  • They banned his account to report bugs, then they banned his account on GitHub. Then they threaten him with a lawsuit for releasing it to the open. I don't get it, why is MS doing things that even 5-year-old kids know are unreasonable? What could he have possibly done to get those bans? And even if he didn't get banned, he wasn't obligated to be "reasonable" like they said. If I were this person, I'd wait for the lawsuit to come and counter-sue.
