by mwcampbell 2022 days ago
> researchers should be selling them to the highest bidder

But what about all of the innocent people who would be harmed by such a callous approach? I'm glad some researchers have a conscience.


> But what about all of the innocent people who would be harmed by such a callous approach?

They should then think again about their choice of using Teams. Why should Microsoft rake in money from a shabby product while volunteers have to fix their shit?

Assigning a ridiculously low score to significantly lower the bounty as a billion dollar company is disgusting.

> They should then think again about their choice of using teams.

Try saying that to a student who is using Teams on a school-issued laptop, by no choice of their own.

I'm not in any way defending how Microsoft handled this. Frankly, I'm ashamed of my former employer (though I worked in a completely different division). But your outrage toward the company should not extend to its unwitting users.

There wouldn't be very many unwitting users if their software had a serious reputation for being a serious security risk.

Bullshit. Currently there are millions of children who are obligated to use Teams for their publicly funded education.

And thinking these huge metrics get changed by selling black hat exploits to what? Teach Microsoft a lesson? While harming an already vulnerable population (not just children are obligated to use Teams). As if the long term goal of educating "unwitting" users is advanced at all by blackhat behaviour.

Let's dump public education!

Deschooling is done on Discord

Microsoft has had a serious reputation for being a serious security risk for the 30 or so years I've been in IT. It's one of the oldest jokes in the industry. People and the world in general clearly do not work the way you apparently think they do.

Zoom still has a ton of users, and every single thing they make or do is a serious security risk (or has been in the past, evidencing a distinct lack of secure development culture).

Windows XP is still seen in the wild.

Problems need to hit the users, otherwise the market is uninformed and cannot work.

There are lots of vulnerabilities in most door locks. Does that mean we should go around stealing things because Chubb have made money selling insecure locks?

A wormable, widely deployed Chubb lock would be interesting.

Let's see how Ring goes over the next few years... ;)

> They should then think again about their choice of using teams.

What percentage of Teams users do you think have a choice in their use of Teams?

If it's on their work machines then it primarily endangers their employer's data, much less their own.

Funny thing to say when we're in the middle of a global pandemic, and more people are working from home than ever.

I work at a university and I've been forced to install that crap on my home computer because I need to teach from home. And so do all the professors in around half the universities I know in my country.

Interesting, I'm surprised that they don't have to provide you with the tools needed to do your job!

In Australia, the employer is generally responsible for providing any necessary tools or equipment needed to do the job (contractors are another matter though).

In normal circumstances they do provide the tools needed for the job, as they should. But this was a sudden state of emergency triggered by a pandemic, there were no funds, reactions weren't fast enough... so basically, they didn't.

Anyway, those of us who have research projects (as is my case) typically do have computers provided by the university at home, because research has strange schedules and working from home has always been a need (meeting with colleagues in different timezones, waiting for experiments to complete at night, rushing for deadlines, etc.).

But... it's not really practical to make room for two different desktop computers for my own use in an already space-starved flat, or to work on a laptop for many hours when I could do so on a desktop. So in practice, my home computer and my work computer are one and the same. And it's like that here for most, if not all, people I know.

We are a Latin country and also tend to live in small flats; maybe in other places it's different. I can imagine that if I had one of those American McMansions, it would make sense to have a home office with a sober, black work computer, a good camera setup and a green screen, and then a gaming room with a flashy gaming computer and huge speakers (near the billiards and darts room, probably :)). But that's not really how things work around here. Here, separating home and work computers at home is almost exclusively done in jobs with high security restrictions. Most people in normal jobs just don't do it because it's not practical.

And then when the company loses business from the disruption, do you think employees walk away scot-free?

I consider that inherent risk. Not getting a raise because the company made business decisions that turned out suboptimal (such as gaining short-term profits by not investing in IT security) is a risk that any employee faces. If you want a more stable environment you go for a more risk-averse employer, perhaps even public sector jobs.

That's a silly proposition. If my field of expertise is inherently private, I don't have that choice. Also I can't solve for every variable when searching for jobs. I choose among the ones I get an offer for, and obviously their IT decisions aren't top of my list (nor do I know what those are prior to hitting the desk).

Punishing innocent people is not the answer.

They are not innocent. They made very poor life choices, picking Microsoft software. Why should the world reward their poor choices?

To what extent should the blame for any harm fall on Microsoft? They are the ones relying on effectively free labor to protect the innocent. In such a case blaming the free labor instead of blaming the ones relying on free labor seems to create some very bad incentives.

Personally I would prefer just having all new vulnerabilities immediately disclosed once found. No selling, but letting people decide for themselves if they want to continue to use a product after someone has found a vulnerability. I also think the incentives this creates would mean that Microsoft and similar shops would put more effort into testing their own software because they would no longer have the safety net of a grace period when someone finds a problem.