I know this is a crazy take. But I do feel so downtrodden by many, many tech corps these days that I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.
That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized or, as per usual, the law will enforce a large corp's will against him.
Yes. Definitely a Friday night after a hard week take.
Nothing crazy about it. Crazy is feeling sorry for the trillion dollar corporation. Don't let anyone tell you otherwise.
The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.
This is important to remember, in this situation and all other 0-day disclosures. There's also no guarantee that the uses of said 0-day after disclosure are the only time it's been actively exploited. The exploit already existed, and there are plenty of three-letter agencies and Israeli companies that could very well have already been aware of it.
The only place blame belongs here is on Microsoft, nowhere else.
DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, I'm not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system running on their own machine; there's no unauthorized access there.
They could drag Eclipse through civil lawsuits though.
But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.
Naw totally agree, we need way more robust protections for security researchers and way harsher penalties for corpos doing bullshit, it should be a percentage of revenue.
We have way too much fuck around these days and not nearly enough find out.
Yes, I'd happily buy one if its quality matched the price, and I'm sure in Japan it often does.
I have done some simple leather crafts, and I think the design clearly is suitable for building with rivets and full grain leather, if they do use that today then it'll be a spectacular product.
Texas Chainsaw Massacre was a flash in the pan (although the asymmetric horror genre continues basically dominated by dead by daylight).
Yet, the sheer exhilaration I felt the first time one of the "killers" walked past me as I kneeled in a bush was quite spectacular.
It's not the same as Splinter Cell (it's much more chaotic, you don't get to totally dominate the enemies, and it definitely doesn't have that mindful quiet as you systematically work your way through a level you know well).
But the key, that I can stand in the right spot and a human can't see me, really is its own kind of feeling.
I'm similar, I think perhaps it's a generational thing which slightly modified the title in a pedantic way.
The people who "grew up" with text books still crack new ones and old ones.
The current generation turning 18-21 don't.
It surprises me because I'm often asked why I knew X or Y odd, perhaps esoteric, fact or design pattern. Usually it's because I came across it in a book while interested in something else.
It's that peripheral knowledge that is being lost when people use LLMs, and quick start guides.
Historically you'd have a team where skill, knowledge and experience was very variable but each person often brought another piece of the puzzle to a team.
Increasingly people have narrow knowledge "bases".
Does it matter? Perhaps not but it definitely has taken some of the joy of discussing problems and solutions out of my working life.
> It surprises me because I'm often asked why I knew X or Y odd, perhaps esoteric, fact or design pattern. Usually it's because I came across it in a book while interested in something else.
It was like this in the days when the primary shortcut was StackOverflow as well. People who are allergic to RTFM treat things that are covered in the docs as "esoteric" knowledge because they never read anything except as a shortcut to solving their immediate problem.
I think the stats are clear that reading is in decline in general, though. I'm sure LLMs will add to this much like YouTube has.
I actually require the book that Jon Bodner was talking about in a class I teach every couple of years. The students who do well (the ones you would want to hire) will read it; the others will skim or try to summarize it.
This study tracked study resource usage in 2021 and mentions a study in 2006.
In 2006 medical students spent 10.8 hours per week studying with textbooks; in 2021, 4.2 hours.
So under 40% of the textbook usage of 2006. That's a fairly precipitous decline, and it's pre-LLMs being mainstream. I doubt ChatGPT 4/5 has sent the students back to the library!
It mentions question banks have expanded as have online resources. Also learning style has changed from lecture based to problem based learning.
I can't say this is objectively bad, but I'm sure it contributes to narrowed knowledge bases.
The last three years more or less none of my students have bought the textbook for the subject. That is pretty mind blowing. In turn they expect a complete textbook from my lecture notes, which isn't possible.
I get that textbooks are getting more expensive though.
You can then download the image. The only thing I think they should add is the equation string as a comment to the images so you can upload and continue editing without a proprietary file format.
Though I am convinced this is intentional, i.e. a backdoor and not a bug, it should be noted that for government agencies there was already access anyway:
Access for those who used a Microsoft account and uploaded their encryption keys there. While I'm unhappy that most users end up using this (bad) mode, previously I was under the impression that there was a meaningful choice involved.
Microsoft has ensured the alternative is nearly impossible, constantly working to block any workarounds that users discover to use a local-only account. And it will even go so far as to silently reset the master recovery key if the original key couldn't be uploaded (my coworker discovered this to his horror when he found out that not only had it changed his failsafe recovery key again, but it had also uploaded the wrong key to MDM; all data simply lost).
> Microsoft has ensured the alternative is nearly impossible, constantly working to block any workarounds that users discover to use a local-only account.
Local accounts still work fine for Win 11 Pro, I installed it a few days ago using a clean ISO directly from Microsoft. No special patching or command line stuff needed, making a local account is part of the official install process.
Did they make it better recently? There are plenty of blogs explaining why Microsoft wanted this to be increasingly difficult last year. Just from a quick google:
Yes, it does seem prudent to encrypt those keys some other way in the cloud and not add them to the cloud's accessible keys.
They also seem suitable for using a secret sharing scheme.
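The secret sharing idea above, as an added Python example that is not part of the thread: Shamir's k-of-n scheme over a large prime field, splitting a recovery key so that any two of three holders (say user, cloud, offline backup) can reconstruct it while a single holder, the cloud included, learns nothing. The 32-byte key is a constructed placeholder, not a real recovery key, and the field prime 2**521 - 1 is simply a Mersenne prime large enough for any secret up to 64 bytes.

```python
"""Shamir secret sharing for a disk-encryption recovery key (added example)."""
import secrets

# Field prime: 2**521 - 1 is a Mersenne prime, so any secret of up to 64 bytes
# fits as a field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (Horner, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares; any k of them recover it, fewer reveal nothing.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)) for i = 1..n.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if len(secret) > 64:
        raise ValueError("secret must be at most 64 bytes for this field")
    s = int.from_bytes(secret, "big")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_int(shares) -> int:
    """Lagrange interpolation at x = 0 over the given shares.

    With fewer than k distinct shares this returns a value unrelated to the
    secret rather than an error: the scheme is information-theoretic, and the
    threshold check is the caller's responsibility.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Basis polynomial L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def recover_secret(shares, length: int) -> bytes:
    """Reconstruct the secret as `length` bytes; reject values that cannot fit
    (the usual symptom of too few or mismatched shares)."""
    value = recover_int(shares)
    if value >= 1 << (8 * length):
        raise ValueError("reconstructed value does not fit; too few or wrong shares?")
    return value.to_bytes(length, "big")


def demo():
    """2-of-3 split: two holders recover the key, one holder alone does not."""
    key = bytes(range(32))  # constructed placeholder for a recovery key
    shares = split_secret(key, k=2, n=3)  # e.g. user, cloud, offline paper copy
    recovered = recover_secret([shares[0], shares[2]], len(key)) == key
    one_share_leaks = recover_int(shares[:1]) == int.from_bytes(key, "big")
    return recovered, one_share_leaks


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point for the cloud-escrow case is that the share uploaded to the vendor is useless on its own; the user keeps the threshold under their control by holding the other share offline, and a compromise of the vendor's key store yields nothing without it.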
I get Microsoft Authenticator requests all day, every day. Using aliases has helped, but somehow they continue. It's only a matter of time before I accidentally approve one.
Which has simply led to me not putting anything of high value in my Microsoft account and not using it for my email.
This happened to me too. The only solution I found was to disable authenticator on the account. Their implementation actively makes accounts less secure.
I think people feel this is the beginning of the end.
Meta is part of the reason Signal's E2EE spread and E2EE became ubiquitous in general.
Many governments have also turned against E2EE and I suspect it's gone from a shield where you can say we can't really help you get that data, to a constant pressure.
Yea fine I see that, but their entire business model revolves around exposing people’s otherwise private lives, and they are making a lot of money doing so.
It's like using a web browser distributed by an ad company whose business model is all about tracking folks.