by zuzululu 24 days ago
What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and are thus releasing zero-days that they found with the help of AI?

Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.


It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:

> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.

If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.

Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).

Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.

If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.

> and the response was flow chart tech support with a "buy a webcam" cherry on top

I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

Which, if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera.

Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically.

> (USB or other HID, key combination)

I don't think you'd need an external camera for that. What you're doing would be mentioned in the accompanying report.

I do agree with you about the boot process, though.

I believe Hyper-V supports emulating TPM these days, so doing things to a VM and recording the desktop with the VM window _may_ work. In this case though it'd look very boring because you couldn't tell from the recording that anything happened.

Personally I'd think Microsoft would be cool with following the report instead of demanding video evidence in the first place, but silly me thinking the trillion dollar multi-national would be reasonable.

I've used cheap HDMI to USB adapters for that in the past. Worked fine albeit somewhat low res. (Still much better than a camera pointed at a screen.)
>>> flow chart tech support with a "buy a webcam" cherry on top

>> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

> if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera

That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.

It feels like they're trying to put hurdles in front of you instead of getting info about repeatability of the vulnerability.

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

Selling to the highest bidder doesn't generate headlines though.

Oh it does, but they don't say "Researcher sells exploits to the highest bidder", they say "Handala group shuts down nuclear power plant".

The researcher's own statements note that the zero-days were not found with AI.

And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.

> They seem to have a personal vendetta against Microsoft

Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...

I might be projecting.

What were the "so many better options" during that period? Have we found the only remaining CP/M fan?

OS/2 and DR-DOS are a couple of examples. But what really gets me is the whole Xenix thing.

CP/M was great on Z80 systems. But a 386 was capable of so much more.

A bit later, but not much: OS/2.

The fizzling of OS/2 was as much IBM's fault as anything. If they'd paid more attention to it sooner, MS might never have shipped Windows; they'd just have made their office applications OS/2 GUI programs. But IBM was too fixated on its mainframes to realize that they were giving away the PC market to MS (again--they did it the first time by licensing DOS to MS).

Before Facebook, I used Friendster. Years later, I read how Friendster execs were too busy patting themselves on the back and flying around on private jets to get around to fixing the horrendous site lag of sometimes a minute to even sign into the web app. How could a company's leadership be so foolish? I understood this paled in comparison to the doomed arrogance of IBM's leaders when I read stories about IBM's downfall in the delightful book In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters.

Wait, did IBM license DOS to Microsoft? I thought IBM was looking for an operating system for the PC and approached Kildall about CP/M. That deal fell through, so they approached Microsoft. Gates didn't have anything, so he licensed QDOS for a song and licensed it to IBM.

I was being somewhat sloppy. IBM bought DOS from Microsoft for the IBM PC--but neglected to buy exclusive rights to it, so Microsoft could and did sell it on its own as MS-DOS. (And later, other vendors began selling their own versions.) For PC users, this was a great deal, since it effectively made the IBM PC an open standard. But it meant that IBM captured much less value from DOS and PCs than Microsoft did.

I was forced to use MS BASIC on my C64. Never forgive, never forget.

I always found it weird to ship a BASIC interpreter that didn't have specialised commands (unless you count POKE) to access the graphics and sound capabilities of a computer like the C64. Some computers of the same era had vastly superior BASICs (such as Sinclair BASIC).

OTOH, I learned a hell of a lot about microprocessor internals by using POKE.

I agree, it seems very low-effort on Commodore's part to license this lowest-common-denominator BASIC with no support for graphics and sound other than POKE. Super lame, but they got away with it.

No they didn't. If they had, I would be typing this on my Commodore phone.

We're witnessing the industrialization of intelligence.