Anyone shutting down all IT equipment down on July 13th 11:59pm?
Posted by Ooops-I-hid-it-again@reddit | sysadmin | 442 comments
Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”
Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.”
My post's title is tongue-in-cheek, but I've added an Outlook calendar entry for the "event" nevertheless and might even buy a box of popcorn. lol
Anyone doing anything special or different in light of the string of zero days being released because Microsoft appears to not want to play nice with someone who (supposedly) wanted to tell them about all the bad sh!t they missed in their product(s) development?
How do you feel about the saga and its fallout?
perthguppy@reddit
Some idiotic middle manager at Microsoft thought they could make their numbers look better by starting to just reject security reports instead of paying out. And now the whole team is learning the hard way why things were the way they were, and all the customers suffer.
Now let’s all stay tuned for next months product announcement: Microsoft 365 E9 - now includes patches for reported CVEs, just another $100/endpoint/month
GreenFox1505@reddit
I'd love to see a class action lawsuit from CORPORATE customers against Microsoft for not following industry standards and practices for security. This negligence and greed has directly lead to customers spending paid man-hours on fixing their mistake. Doing the right thing here would have absolutely, ultimately, cost everyone less.
mrlinkwii@reddit
Industry standards mostly aren't law in most countries; they have no grounds to sue over it in most countries.
Gendalph@reddit
microslop's poor handling of this situation has caused either direct damage due to breaches, or indirect damage due to extra work, which could be grounds for a lawsuit.
GreenFox1505@reddit
Not on its own, no. You can't really sue someone only because they didn't follow industry standards.
There has been real measurable damage to their customers. Their customers will claim this damage was caused by negligence. Microsoft will argue "this was an honest mistake and it could have happened to anyone". But it couldn't have happened to just anyone. If you followed industry standards, it would not have happened.
Not following industry standards is not a crime. Falling below industry standards and practices causing harm to their customers could make them liable for damages.
thecommuteguy@reddit
That's what discovery is for so the plaintiffs can see what Microsoft knows and when they knew it.
Liquidretro@reddit
Don't you basically give away your rights by being forced to agree to the license terms too?
GreenFox1505@reddit
You or I would. But do you think corporations aren't given a different contract?
BrokenByEpicor@reddit
And even if they aren't, contracts are just the start at this level. Fuckups to the degree MS has been making may be actionable regardless of the contract, particularly to other corporations on their level.
ConsistentPicture583@reddit
The original email virus was a commentary on the stupidity of Microsoft in creating the OLE framework. The author was very adamant in describing how bad an idea this was, and the virus itself, after infection, simply popped up a message box that said “that’s enough to prove my point”
dard12@reddit
Microsoft made $83 billion this quarter. These bug bounty programs are rounding errors to them.
I'm highly skeptical this is an effort to save money.
Inevitable-Land-1559@reddit
Departments & teams have their own budgets, metrics, etc split down to a level usually <300 employees, often as small as 10 or 20.
Starbucks #11,359 can't spend 40 billion dollars on something just because Starbucks as a whole has that kind of money, and just because Starbucks as a whole has that kind of money, doesn't mean that single store can spend it like that.
Billy the Junior Assistant Manager of Starbucks #11,359 isn't going to try to save 40 billion dollars at his store to get promoted to Senior Assistant Manager. He's going to try to save dollars per day by tightening up on creamers, cups, overtime, and every small item he can. Then he can write up a fancy document detailing the $10,000 he saved this year ... by pissing off and annoying all the employees and customers alike with micromanagement. No regard given to the future of the store or company as a whole.
unixtreme@reddit
Good old climbers making everything shit for anyone.
unstoppable_zombie@reddit
I once worked at a $50b+ a year company where a newly promoted director cut the drink package for department events at our own cafeteria from water, tea, and fountain soda to just water and tea with full price sodas to cut cost.
He cut about $1,200 a year with that move. Which is to say he pissed everyone off to save 0 dollars.
unixtreme@reddit
Haha I used to work at another 50b+ IT company where we had to pay for coffee in the cafeteria. And we are talking filter coffee, which is the worst kind of garbage coffee and the cheapest you can make... Well, this was part of a change they made at some point to save money. I stayed there for a few years, but I remember when I left for a much better startup with much better conditions, one of the seniors I really looked up to there told me: "If they start charging for coffee, run".
PraetorianOfficial@reddit
The Senior VP I worked under for about 9mo proclaimed "I don't reimburse for lunch when you travel". The company travel guide says very clearly the company does, but this SVP made up his own rule (that you didn't learn about until you sent in your reimbursement request). You see "if you were at work that day, you would have had to buy lunch anyway, so why should I pay for it when you travel?"
There's probably a reason the SVP lasted less than a year. I like to think it's totally because of that idiocy, but somehow I doubt it.
TexasVulvaAficionado@reddit
Yep! I saw a VP get fired for taking away the monthly birthday cakes at a fortune 100 company. It certainly wasn't the only reason but no one liked him a bit after he removed the ~$1000/yr perk that most people enjoyed to some degree. It was just two sheet cakes a month to celebrate whoever had a birthday that month and generally get people in the office and talking.
jshrlzwrld02@reddit
Ever worked for a publicly traded company?
SaltDeception@reddit
The exploit author says a lot of things that should be treated with skepticism tbh, and their entire blog reads as someone in desperate need of professional help. I’m not saying that lightly or to be mean either; they legitimately sound unwell. I fully believe there’s more to this whole saga than what we’re hearing from this guy, and it’s a shame we probably won’t ever get that full story.
Southern-Aardvark616@reddit
Well I wouldn't jump right to "needs help", but safe to say they don't come across neurotypical. I mean, the bitlocker backdoor, who finds shit like that?
SaltDeception@reddit
Maybe so, maybe not. Paranoid delusions was my take, but I’m certainly not qualified to make any kind of diagnosis, especially from a blog. I’m just saying what it sounds like to me.
theballygickmongerer@reddit
A lot of talented people who may be on the spectrum can get really wound up if not appreciated and that can come out in their language or behaviour. This situation comes across as that to me. As others have said, this is not the normal behaviour of MS, so that would only raise the frustration of this bounty hunter as they are not being treated fairly under the scheme.
To state they need professional help is an insult to their talent considering the seriousness of the vulnerabilities.
SaltDeception@reddit
It’s not an insult to their talent. There are plenty of examples of exceptionally brilliant schizophrenics, too.
zmaile@reddit
Not every manager has access to that number as a budget. If a manager has previously spent $1m on bug bounties per year, and is now forecast to spend $3m, then they may try to pull some shenanigans.
NeverLookBothWays@reddit
What's the alternative? Honoring agreements to keep backdoors open for the NSA?
systemfrown@reddit
In the current political climate it could be for anyone.
TheInevitableLuigi@reddit
I mean...yeah.
FBI_Agent_Fred@reddit
Or worse, there is a back door that wasn’t known/sanctioned by anyone at Microsoft that is difficult to patch without a pretty complete refactor and exposing it will yeet all stockholder value.
FrivolousMe@reddit
Every individual program can be isolated to the point where it is relatively small in comparison. But it's a huge company with many moving parts, and it's more than likely that dumb financial optimizations are being made like that all the time across the board by dozens of different decision makers. We see it all the time.
GreenFox1505@reddit
Microsoft makes billions because they have thousands of employees each trying to save the company millions. Rounding errors add up.
cosmos7@reddit
Honestly my bet is these exploits are more likely part of intentional backdoors...
NoteTo@reddit
The way that bitlocker exploit happens to run it's hard not to think anything else.
Gendalph@reddit
Nah, apparently this has been a well known pattern with microslop: they either marked down the severity, or unilaterally reclassified the vulnerabilities to avoid CVEs and corresponding payouts.
ZAlternates@reddit
It would make sense as to why they aren’t talking about fixes but instead just deleting the info.
Gwigg_@reddit
This. Is this not the same guy who has been cancelled by Microsoft for explaining very clearly how the bit lock exploit that suddenly appeared out of nowhere was clearly a back door?
myS_@reddit
do you have any links on this sounds interesting
Mizerka@reddit
yellowkey, a bitlocker bypass hidden in winRE that's been around for years unnoticed. Introduced with TPM bitlocker, and despite TPM+PIN being unaffected, the author of the release already stated there's an exploit to get around the PIN as well.
FireLucid@reddit
I guarantee that the US and other nation states have been using this.
spittlbm@reddit
Created by them. For free.
litescript@reddit
Low Level has a really video on it
axonxorz@reddit
Yeah absolutely, scroll up to the top of this post and open the article.
frymaster@reddit
if he explained very clearly how it was an intentional back door I'd love to see it. Certainly in his original blog what he says is that it's difficult to see this as anything other than a deliberate back door - which is not nearly as definitive as explaining very clearly that it is
Cyhawk@reddit
That is the best backdoor isn't it? An intentional oversight in the security system that can be exploited easily by people who know that wouldn't be noticed by the vast majority of people working on the systems.
Hiding secret keys somewhere (see _NSAKEY) is risky and visible, it WILL be found. But a simple oversight that the company itself is both trying to hide and pretending it doesn't exist?
Never seen Microsoft act like this. They don't actively hide their mistakes, they typically issue a CVE/small warning document and ignore it afterwards if they have no plans to address it.
Something is up. Course, as someone said above it could just be some shit middle management thinking their numbers will go up by covering it up.
GallowWho@reddit
Of course, it's not the first time the US Government has had a vendor implement a back door.
Just search for "Operation Rubicon"
ExampleOtherwise4340@reddit
Who said its for the US Govt? It could be any number of nations.
GallowWho@reddit
Because they're a US company, it's a pretty easy assumption to make.
KernelMayhem@reddit
"Just search for 'Operation Rubicon'"
Wild
Phiddipus_audax@reddit
Didn't they just go through a fresh round of layoffs? That could help explain the incompetence. Maybe I've got that crosswired with some other companies' layoffs, dunno.
G8racingfool@reddit
I wouldn't think MS would tolerate some middle management coverup. Not when they still have as many big name clients still using Windows/Office as they do. There would (eventually) be some big-name that would step up and be like "hey, we pay you to fix shit like this...".
RvstiNiall@reddit
I would argue it's semantics whether or not something is "clearly a backdoor" vs "difficult to see as anything other than". And with the differences in how some people talk, who knows? Also, unless he was in on that meeting at Microsoft where the decision was made, nobody possibly COULD know that.
But I definitely agree it's likely he meant the latter (it's difficult to see it as anything else).
worldofchico@reddit
It isn't semantics, those two phrases have distinctly different meanings.
j9wxmwsujrmtxk8vcyte@reddit
No, they both communicate the speaker being certain about the fact they are asserting.
The difference is merely rhetorical.
If you are talking to people who are susceptible to your authority you can assert your certainty as a fact.
If you are talking to equals or people who will challenge your authority, qualifications, you use the softer version because it creates less resistance in your audience.
RvstiNiall@reddit
Um.... Semantics: the branch of linguistics that deals with the study of meaning, changes in meaning, and the principles that govern the relationship between sentences or words and their meanings
LelouBil@reddit
It only applies to bitlocker encrypted drives that only use the TPM. So basically, encrypted with the encryption key on the hardware.
So the drive is decrypted on boot, automatically. The only security boundary is the windows login (or windows recovery login) and this exploit allows files on a USB drive to bypass the windows recovery login.
The author said they have a version that bypasses TPM+PIN, but I assume this is something similar, but that allows brute forcing the PIN without the TPM locking since it would be done inside a "regular" windows recovery
Dtrain-14@reddit
That bitlocker thing was WILD lol. I was like holy shiiii that is stupid simple lol
cosmos7@reddit
As my wife is fond of saying, more than one thing can be true. This guy could be an ass. At least one of these exploits could be part of a previous issue MS is working on remediating. But the stalling and departure from standard procedure here, along with the significant scorched earth reaction, signals a desire to stall and bury this in my mind.
FastHotEmu@reddit
He could be an ass, but he deserves the benefit of the doubt. Microsoft, on the other hand, was convicted of monopolistic behavior. They deserve the detriment of certainty.
DrPreppy@reddit
That was a shitty trial about an interesting issue. I was involved in the Apple/Quicktime bit: Apple had just fucked up and went to court in that aspect over a simple one line bug in Apple's code. They didn't have any technical review or discussion of it, just agreed with what Apple said. Months after the trial I met with Apple's dev team in person and again explained the issue to them and they finally fixed it.
Just an idiotic trial. There were and are serious issues involved and that trial didn't really cover any of them. Even the boundary of what a user expects from an operating system is fascinating.
RvstiNiall@reddit
As a paranoiac, I've always said this about commercial software. You can't trust it if you can't read the code.
iruleatants@reddit
It's such a terrible stance to take given that most security software isn't open source.
And now that we are seeing AI being more effective at finding vulnerabilities as well as being awful at finding real vulnerabilities, open source software might become a huge liability.
I've read a few recent blogs from maintainers talking about how much more time is stuck dealing with AI agents being told to find and post exploits and them wasting their time to validate and close the issue as not a real issue.
The massive amount of people who don't bother to validate or look at what their AI produced and instead shove it off on someone who does this in the spare time creates so much noise which is a significant issue when it comes to security.
So we get to see a period where maintainers are getting 400% more security reports and attackers who are not lazy get leads on exploits they can refine or play with to turn into a serious exploit.
And generative AI is trash when it comes to countering AI slop, so there is no help to come from using AI to handle the extra noise. It's just bad all around.
RvstiNiall@reddit
If these projects were doing proper code audits as the code was added, then the project might progress slower, but it would be a lot safer... Just sayin'.
Yeah, I agree though, it's quickly piling up and the maintainers can't keep up. Even Microsoft is having this problem, but since their code isn't open source it's easier to hide. It still shows though when their bug patches increase in size every time. Not knocking them, they're doing their best just like everyone else. It's just people like to look at the problems Open Source is having and pretend that their own house isn't falling apart also.
What I'm more interested in, honestly, is how Apple is faring. Haven't heard of very many exploits being found on that side, or too many gigantic patches being pushed either. I'm not a fanboy, and refuse to buy an iPhone, but I do think there's a chance they might have realized continuous code audits are the only safe way to go.
iruleatants@reddit
Code audits are nice, but they definitely don't magically fix vulnerabilities. Even if everyone is trained to find and patch vulnerabilities, you'll only catch the simple attack paths. Things like unsanitized inputs or sql injection (It's depressing that these attacks still account for the largest amount of vulnerabilities decades later). The truly dangerous vulnerabilities like heartbleed or spectre require you to spend time fiddling with code, testing outputs, and chasing down dead ends until you find the correct path to do it.
Honestly, the increase in vulnerability related to Microsoft isn't increasing nearly as fast as it would be expected, likely because the vast majority of vulnerability hunting is already conducted against Microsoft, so there is already a constant stream of things being identified and patched.
The products that don't normally get targeted are the danger spots, especially because a lot of them don't have proper vulnerability reporting paths since it's not been an issue before. Those get compromised and six months later someone discovers it and we get to play catchup in trying to find out what the attackers did.
Apple is just as vulnerable as any company, they just have a small market share especially in the enterprise industry as well as a small amount of products. The vast majority of attackers and security researchers focus on Microsoft for a reason. If you can find a vulnerability there, something like 80% of your targets will be vulnerable. And the list of products you can target is much higher, there are multiple versions of windows that companies refuse to move off of, all of the Office products (which has an even higher market share), exchange, internet explorer and edge, and all of their cloud products, and that's just barely scratching the surface.
Back in February Apple had to release a patch for several buffer overflow vulnerabilities (which should be caught in a code audit), including one with the ability to write to kernel memory. We just don't hear about it because there aren't enough people affected to surface it as a big security issue. They also don't have a good vulnerability reporting flow, and so I would always treat them with extra caution. They haven't been tested enough to have a fast turnaround to problems, and they don't have enough market share to have active third party hunters, and so you should expect them to be vulnerable for a longer window of time.
And still consistently runs into vulnerabilities only discovered by third parties. Code auditing is a step, not a solution.
RvstiNiall@reddit
I didn't mean to imply it was a patch fix solution like those flextape commercials. Simply that Microsoft and Apple have (probably, I've never worked for either company and don't know anyone personally who has) clearly both started auditing their new code because security is a problem everyone has to work on.
Yeah, I agree with your reasoning about Apple.
Yeah, I think Microsoft definitely doesn't have anywhere near as many vulns being discovered, and it's definitely at least partly due to corporate resources allowing them to do proper testing. However, it's also at least partially because the code isn't available for quite literally anyone (including AI) to check for potential vulnerabilities.
And as far as security... Might want to look numbers up because Windows is only between 50-55% of the world market (desktops, laptops, servers, network infrastructure devices, etc COMBINED). Linux is a bigger target than you think, and that number is growing every year. Yeah Linux is incredibly tiny on "desktop", but it accounts for roughly 90% of worldwide servers.
But open source software holds the world together, and whether anyone wants to support it or not, they should. There are tons of tools and libraries that are used by hundreds of millions of systems that need more code reviews, and any (larger) company that uses it without supporting it should be left out in the cold when the day comes that the software they rely on without supporting becomes too vulnerable to survive, and they're just stuck twiddling their thumbs trying to figure out why it wasn't prevented by SOME OTHER COMPANY, etc.
AI has merely highlighted how little security mattered to programmers everywhere and that needs to change. Anyone who can't get on board with that will fail eventually.
And lastly OpenBSD. I mean, I don't actually know of any other operating system that has full continuous HUMAN auditing and peer review on literally every line of code they accept. It's not a perfect system, but it's definitely a start. Every project big or small should do this, along with testing.
worldofchico@reddit
Curious to know what percentage of the software you use have you reviewed the source, and continued to do that, as versions increment?
RvstiNiall@reddit
oh man, come on. I have my ideals but everyone has to draw the line somewhere!
I do review code, which is why I also prefer to use projects that do continuous code audits where possible, and projects that do periodic code reviews where I can. And I can also audit allllll of our internal code, which I do, even though I'm not on that team. And every time I review a new segment of code that someone added, I fear for humanity because its hard to hide how much of it is just being Frankenstein'd together from unrelated projects with different "styles" to the code.
A_Sentient_JDAM@reddit
Apparently they are fixing the bugs silently in security patches, they just don't want to pay people.
That said, it wouldn't surprise me if there's at least one exploit they want to leave open for the three letter agencies.
identicalBadger@reddit
I’d assume they’d patch it all then just leave a new backdoor for their buddies. The three letter agencies don’t want backdoors in everything, they want back doors that only they know exist.
FrivolousMe@reddit
Yeah, but if someone discovers and publicizes your backdoor, you still need to patch it and find or create a different one.
I_like_microwave@reddit
Bingo! And this how the system works….
You are not supposed to know this!!! Thats a crime! /s
rswwalker@reddit
And by keep you safe they mean they aren’t actively sticking you up at gun point!
Ok-Measurement-1575@reddit
I think there's a few vendors doing the same thing.
Due-Communication724@reddit
I'd say its a mix of a few things, intentional, then a moronic reporting system, morons in management and then add in a flavour of disgruntled employees getting the boot to AI, also a lot of knowledge from the lifers that started with them in the 80/90s starting to retire now at MS after 30-40 years service.
hihcadore@reddit
Don’t you mean an addon that has 6 obscure prerequisites that aren’t listed in the admin center
danstermeister@reddit
Is that what happened or thats your guess?
ganjaccount@reddit
Or, just as likely, AI. MS is balls to the wall about AI adoption, and brags about how much of their code is now written by AI, and I would bet money they are working hard to automate all of these decision points.
MS will learn nothing from this.
Boomfrag@reddit
The decision was made by AI, no doubt.
gamebrigada@reddit
Or maybe Project Glasswing is already aware of all of these and they don't want to pay out for something they already internally know about.
Stonewalled9999@reddit
don't give them ideas....
DiabeticNomad@reddit
Ouch that’s a horrible number!
pmandryk@reddit
Microsoft M365 licensing...it goes to E11.
ThemB0ners@reddit
They aren't going to start learning shit until those suffering customers are no longer customers.
VexingRaven@reddit
It's pretty funny thinking that you can apply rational logic to someone like this. Their first blog post accused Microsoft of taking their friends and family away and leaving them homeless, and their most recent one claims Microsoft's security advisory is slander somehow. They are talented, no doubt, but they also clearly see the world in a very different way than most...
Fallingdamage@reddit
Well yeah, someone needs to be on the hook to pay all the developers they need to hire to fix this mess after they fired all their developers.
Bogus1989@reddit
man this is probably it
Ooops-I-hid-it-again@reddit (OP)
A subscription for better/faster protection is not something that seems beyond MS...
KuroNanashi@reddit
I've disclosed vulnerabilities to Microsoft multiple times only to have them thrown away or marked as not severe enough to warrant attention, only for them to release a hotfix or a patch for various Azure services days after. When the vendors don't take disclosure seriously, what other avenue is there other than public disclosure, at least then the broader community can find mitigations or be informed.
steeldraco@reddit
Sell it on the black market?
_theRamenWithin@reddit
https://youtu.be/9kxx5xp5nTQ?si=f0GDBt_-inK2NcvT
Looks like this is a pattern they've decided to adopt.
CeC-P@reddit
Their bug report system is about as bad as their software engineering dept at Microsoft.
Anyway, we already migrated the whole company to paper and pencil.
the1namedwill@reddit
😂 You should try the new rock and chisel option... I'll carrier pigeon you the report.
Hamburgerundcola@reddit
We didnt get your pigeon. The sending nest is not listed on your Sender Pigeon Framework (SPF) entry on your Domain Name Stone.
Phiddipus_audax@reddit
You blocked their pigeon?! The poor guy.
spittlbm@reddit
They won't get the memo
philly_bean_@reddit
Those pigeons must be jacked to carry tablets
techretort@reddit
You should check the throughput on IP over Avian Carrier, much better than you'd expect but latency is a killer
Extreme-Seaweed-5427@reddit
I'm more of an abacus kinda guy
Secret_Account07@reddit
It’s funny you say this because that’s my running joke with our security team. I tell them if they really want security get rid of computers. Instead they try to implement the silliest stuff like complex 20 character passwords that change every 6 hours. And it’s every engineers account. Not a shared/global account. That’s how they handle security
Our SecOps are something else
Outlet4Humanity@reddit
My company requires these insanely long, complex passwords that nobody remembers. Meanwhile they won't invest in a password management solution, so everyone either writes their password on a post it and stickers it to their cubicle, or they keep their password as a text message back to themselves. Genius security.
techretort@reddit
I'm convinced secops teams would act a lot differently if it was on them to implement the fixes they suggest
Nasa_OK@reddit
I see we work at the same company.
Our SecOps had me set up a tool that generates security dashboards. But they never bothered to configure it according to our company's size, so it just had the default values for a 100 employee company, and obviously a lot of things showed up red. (5 global admin accounts for 100 people is way more than for >3k people, etc.) So they panicked because it was red. I then set it to the appropriate size and they were relieved that I fixed the security issues so fast (I just made the cell in the dashboard change color).
Then, due to least privilege and just in time access, Cloud engineers have a multitude of small roles so that you think about what you need and do go high yield every time. But some dashboard set that 6 privileged roles is worse than 5.
I joked that they could kill 2 birds with one stone if the entire company just shared the same global admin account, so we'd only have 1 privileged role in total throughout the entire company. I'm not sure they got the joke...
ontheroadtonull@reddit
I'm going to have to compose a complaint tablet to Microsoft to express my outrage at their treatment of my servant and the quality of their copper.
CrestronwithTechron@reddit
Edgelord making vague threats on X ain’t gonna make me lose sleep. I’m good.
Ooops-I-hid-it-again@reddit (OP)
I mean, Microsoft did actually take time to respond to this situationship in a blog post (A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure) and didn't deny the person's capabilities but instead attacked the disclosure method (i.e. the bug finder didn't play ball how they wanted). Considering multiple zero-days already released by Nightmare still have no patch, it's hard to dismiss an escalation completely. ¯\_(ツ)_/¯
lordmycal@reddit
Maybe they should have just paid the bug bounties for the reported security flaws then.
sluuuudge@reddit
Maybe people should just want to help fix problems that could cause innocent people harm, rather than fixating on getting paid for every little thing they do.
There is literally zero reason why a “security researcher” would ever need to publicly disclose an exploitable issue they’ve found with a piece of software, other than to profit from it - either financially or in terms of credibility in their field.
Identify the exploit, report it, move on with your life.
Legitimate_Sell_8941@reddit
So are you in favor of a Universal Basic Income, so everyone is able to meet their needs, like housing, food, transportation, and healthcare (as well as the equipment necessary to hunt these bugs)? So we can just do things for the good of society, without the expectation of being paid? I am!
Or do you believe people ought to have to work for pay, that they then use to pay for their needs?
Just curious which POV this is coming from.
I'd gladly spend all my time doing things for the good of society and community - I love helping people!
But instead I have to spend the majority of my time on work that I am paid for (that is also mostly for the good of society), because I'm the one responsible for keeping a roof over heads and food on the table.
sluuuudge@reddit
Of course the former would be the ideal world for us all to live in.
Yet, I also still agree that we don’t live in that world and so we have to work to be able to pay for the things we want and need etc.
However, if your work requires you to put millions of people and businesses at risk then what you have is a shitty job and you should perhaps consider doing literally anything else with your time.
I’m not against people having jobs and working hard for their money. I’m just against people choosing to put others at risk as their means to financial gain.
lordmycal@reddit
That’s literally how he gets paid. He is self employed and gets paid for finding these types of bugs and exploits.
Legionof1@reddit
Yep, that’s always been the deal, hacker finds the vuln, company pays for a grace period to fix it, hacker releases after the grace period.
sluuuudge@reddit
But why though. Why are we acting like these hackers are the ones in the right for releasing their findings unless they get paid?
Legionof1@reddit
Because that’s the relationship, especially when you have a big hunting program. If you deny a bug is problematic then you are saying it’s okay to release.
DDOSBreakfast@reddit
Money isn't always part of the process. Many years ago I found one and disclosed it through Carnegie's CERT. 90 days is the standard for coordinated vulnerability disclosure.
As I found the vulnerability through my day job, liability was a concern of my employer. CERT won't disclose before 90 days under normal circumstances and disclosing through them shielded us from liability. The only thing I received was credit and something I can put on my resume.
Legionof1@reddit
You found it while working another job. These people’s job is to find bugs. The corp doesn’t pay, the bug gets released.
mrlinkwii@reddit
It's how it works these days, it is for most researchers.
Dwokimmortalus@reddit
Wasn't the problem basically that there wasn't a realistic vector to actually exploit these problems in real world scenarios?
Looking at the CVEs, most appear to require a level of compromised user/system that would already supersede anything the exploit would add.
Not that I care to defend Microsoft, but this is a very real problem we are dealing with right now on the Linux side of the house as well.
lordmycal@reddit
Not really. The bitlocker bypass can be run by anyone with physical access.
TheCyFi@reddit
You mean the blog post where they failed to address the claim that Microsoft closed the researcher's MSRC and GitHub accounts which would have prevented the researcher from disclosing via their supposed preferred channels and suggested the researcher is a criminal for not using the disclosure channels that they prevented the researcher from using?
VexingRaven@reddit
The researcher also makes some outrageous claims such as Microsoft taking their family and leaving them homeless. I can see Microsoft mishandling a bug bounty, but some of the stuff they are claiming is extraordinary and there's so far been no extraordinary evidence to back it up.
lordmycal@reddit
I dunno that they're outrageous. If you're low on funds but expecting that Microsoft bug bounty any day now and then they pull the rug out from under you, I could see something like that happening. It's not Microsoft evicting him, but more an indirect outcome.
TheCyFi@reddit
I can’t say for certain because I haven’t seen the original source for those claims myself, but I do wonder whether this is hyperbole or indirect outcomes related to the financial impact related to unfair handling of vulnerability reports leading up to this.
Whether that’s the case or not, I know that many very well-respected security researchers and former Microsoft employees and former MSRC leadership have confirmed Nightmare’s claims as valid, systemic issues within the Microsoft vulnerability disclosure process and how they abuse the bug hunters who the security and quality of their tools and services relies upon.
Sasataf12@reddit
Their GH was closed most likely because they published working proof-of-concept exploit code on there.
AcornAnomaly@reddit
This is also ignoring the multiple other credible people in the security research industry coming forward over the last few weeks to report the same issues with MSRC.
There have been many others that have said that they've reported things to Microsoft through the proper process in MSRC, just to have Microsoft reject the report for one reason or another, and then go on to patch the vulnerability right away.
The person who actually found the vulnerability both didn't get paid, AND didn't even get ACKNOWLEDGED. Reputation is important in this industry, and Microsoft isn't even giving the bug reporters public credit for the finds, much less paying them (as they should).
Again, many of these issues were patched very quickly, so apparently they DID consider it an issue, but they still refused to pay out both in cash and in rep.
If Microsoft is going to be screwing over the people that go through the proper reporting channels through MSRC, what incentive does that give people to bother doing so?
japanfrog@reddit
To say there are no patches is a bit disingenuous. There are short-term fixes for at least one of them (disable winre, enable pin as there is zero actual evidence there is a bypass yet despite claims, rename binary in winre involved in the bypass). Partners have also received briefings on patching before the update goes out that fixes the bypass.
Ooops-I-hid-it-again@reddit (OP)
Eh, not really disingenuous when there aren't patches but rather a mitigation on ONE of the three unpatched that requires manual deployment outside of Windows Update. I do agree that the 3 unpatched are unlikely to be exploited - even though YellowKey requires zero permissions on unmitigated machines, it does require physical access - but that doesn't negate the threat of future ZeroDays that may be released in this saga.
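As an added example (not code from this thread, nor Microsoft's own guidance), a PowerShell audit that checks a host for the two interim mitigations the comments above name: WinRE disabled and a TPM+PIN protector on the OS volume. It assumes an elevated prompt and an English Windows build, because the output of reagentc.exe is parsed as text.

```powershell
# Added example: report whether this host carries the interim mitigations discussed
# above (WinRE off, TPM+PIN on the OS drive). Assumes elevation and English output.

function Get-WinReStatus {
    # reagentc.exe /info prints a line like "Windows RE status:   Enabled"
    $text = (& reagentc.exe /info 2>&1) -join "`n"
    if ($text -match 'Windows RE status:\s+(\w+)') { return $Matches[1] }
    return 'Unknown'   # not elevated, or non-English output (assumption noted above)
}

function Get-OsVolumeProtectors {
    # KeyProtectorType values include Tpm, TpmPin, TpmPinStartupKey, RecoveryPassword
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    }
}

$winre  = Get-WinReStatus
$prot   = Get-OsVolumeProtectors
$hasPin = ($prot.ProtectorTypes -contains 'TpmPin') -or
          ($prot.ProtectorTypes -contains 'TpmPinStartupKey')

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    WinReStatus     = $winre                      # "Disabled" is the mitigated state
    BitLockerOn     = ($prot.ProtectionStatus -eq 'On')
    Protectors      = ($prot.ProtectorTypes -join ',')
    PinProtectorSet = $hasPin                     # TPM-only means no pre-boot factor
} | Format-List

# Remediation hints, to be applied through your own change process:
#   reagentc.exe /disable
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector `
#       -Pin (Read-Host -AsSecureString 'Startup PIN')
# The PIN protector needs the "Require additional authentication at startup" policy
# to permit a PIN, and the OP notes a claimed PIN bypass, so treat it as defense in
# depth rather than a complete fix.
```

Run it across a fleet with your usual remoting tooling and collect the objects; hosts reporting WinReStatus "Enabled" and PinProtectorSet False are the ones the thread's mitigation list has not yet reached.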
Valdaraak@reddit
Call him an edgelord, but the guy has the credentials and the history to add some credibility here.
BisonThunderclap@reddit
Yeah, he's been dropping the latest batch of 0 day exploits in record time. I wouldn't be surprised if he's sitting on something real bad.
Valdaraak@reddit
He is. At a minimum, a Bitlocker + PIN bypass. He's already said he has a POC of it.
This does allude to something bigger than that though.
CrestronwithTechron@reddit
I mean that’s not good I agree, but that also can be fixed by the number one rule of information security: Don’t give the bad actor a chance at physical access to your machine. All of these exploits require physical access. You’ve already screwed up big time.
Valdaraak@reddit
Sometimes that's unavoidable, which is the exact reason Bitlocker exists. For laptops that get lost, stolen, not returned when someone leaves, and so on.
CrestronwithTechron@reddit
Bitlocker exists to prevent regular Joe from getting access to your data if they get access to your laptop. It’s never really been all that effective at preventing a motivated person with the knowledge to bypass it.
DDOSBreakfast@reddit
Before this exploit, how exactly would a motivated person have been able to bypass it on a modern business laptop?
TPM sniffing isn't viable on a lot of laptops and the earlier bitlocker bypass during feature updates has been patched a long time ago.
CrestronwithTechron@reddit
Yellowkey was just patched less than 2 weeks ago, so I’m sure there are still some out there in the wild.
0x_gooner@reddit
How ironic.
knd775@reddit
Are you unaware that this is the researcher that found yellowkey?
VellDarksbane@reddit
It has _always_ been true that physical access means they own your device. It is why physical security is one of the few places that corporate environments take seriously. Bitlocker is still useful in that it deters casual theft. Even with a bypass, your average smash & grab thief will just flip the laptop, it’s easier money. Without bitlocker at all, they might do a cursory look through to see if there’s data on it to use/sell, so they can double dip.
It’s like a fence. A 6 foot tall fence isn’t going to really stop someone who wants in, but it’s going to dissuade opportunistic attacks.
Tl;dr: wake me up when he drops an exploit that doesn’t require physical access, otherwise it’s just a whiny bug bounty kid who didn’t get his way.
bfodder@reddit
That is the entire point of drive encryption though. Saying "oh well, physical access is needed." is absurd when the thing we are talking about is specifically for a situation where physical access is obtained.
reallycoolvirgin@reddit
"Number one rule of information security: just don't get hacked lol"
VexingRaven@reddit
So he claims, but there's an enormous amount of skepticism around that claim and it doesn't seem possible.
bdam55@reddit
Well, other people have been funneling him some of their own stuff. For good or ill, he's got a large chunk of the relevant community behind them and they, by and large, are not a fan of how Microsoft, via the MSRC, have conducted themselves over the last several years.
DDOSBreakfast@reddit
Has anyone else found as many serious Windows vulnerabilities in this short of period in modern history? Chaotic Eclipse has yet to be bluffing.
jimicus@reddit
I doubt he found them in a short period of time.
For my money (and this is purely speculation) this guy was doing this for years, and probably had enough in the pipeline for bounty programs to earn a nice little living until Microsoft cut him off.
ITaggie@reddit
Or possibly even a former dev or NSA spook who knew about intentional backdoors.
jimicus@reddit
Why would such a person be reporting them through the bug bounty programme?
ITaggie@reddit
For the money that they're supposed to pay out
Wise-Reputation-7135@reddit
incredible username btw
RikiWardOG@reddit
edgelord? he dropped 6 zero days in less than a months time. dude clearly has some deep knowledge and a vendetta against MS
Hasz@reddit
Not even remotely edgelord.
The vulnerabilities are legitimate and MSFT should stop being a big dumb corporate entity and just give them some recognition, this is all this person really seems to want. Those vulns could have been sold for plenty of $ if msft bug bounty didn’t want to play ball.
safalafal@reddit
i'm feeling that i wish people knew that a 9.8 CVSS doesn't mean that stuff can be hacked at six seconds' notice
AliveInTheFuture@reddit
Wanna bet?
IdidntrunIdidntrun@reddit
joke's on you i've just hacked you 100 times since you posted 10 minutes ago
safalafal@reddit
Patch it while you're there, cheers
Bogus1989@reddit
🤣🤣i dunno why but this shit made me LMFAO.
the thought of hackers tidying the place up. or leaving you a message:
“Hey bro, stop using ubiquiti”
fogman103@reddit
Cory Doctorow had a short story about this in a book Intel was giving out at SXSW a few years back. Haven't read it since then, but I remember enjoying it at the time. Knights of the Rainbow Table
Bogus1989@reddit
thanks ill check it out!
aes_gcm@reddit
There were patching viruses for Windows XP back in the day.
safalafal@reddit
Actually, this is a real thing - there are real documented incidents of hackers compromising an exchange server, then a zero day comes out, so they patch it to stop their compromise from being compromised
metamatic@reddit
Yo dawg, I heard you like compromises.
edmazing@reddit
Full white hat. Patch it. Close the back door on my way out.
Bogus1989@reddit
thats great
Nomaddo@reddit
Welchia worm anyone?
aenae@reddit
That java log bug was so easily exploited you could have been hacked with like 6 seconds' notice.
I checked my logs when i heard of it; hack attempts to exploit it started less than an hour after the bug went public
tankerkiller125real@reddit
There's a reason all the internal shit where I work is truly internal (ZTNA, zero external access, etc.) and the public stuff is actually behind a tunnel from a security vendor (so also not publicly exposed via any port forwarded IPs).
Could we still get hacked? 100% absolutely, nothing is fool proof, and nothing is 100% secure. But I sure do feel a hell of a lot better at night knowing that there are a bunch of walls in place, and those walls are guarded by 24/7 SOCs with security engineers way smarter than me.
cookerz30@reddit
No matter how deep the moat or high the wall... the bad actors will dig deeper and fly over. That's why we take backups.
tankerkiller125real@reddit
Oh yeah, I've got a ton of backups of backups, with multiple replications of said backups.
HotTakes4HotCakes@reddit
You want them on that wall, you need them on that wall.
aenae@reddit
I run a (popular) website. I could block everyone, but that's kinda shooting myself in the foot.
The attacks were not successful btw, but they do show up in logs
safalafal@reddit
absolutely fair - i think my glib response was mainly about the fact these things need proper investigation, it's not just a case that high number = bad
Helpjuice@reddit
People say this, but in reality once something is weaponized and automated it doesn't even take a second to exploit remotely in most cases. Take this to scale and millions of machines could be compromised.
Issues like this should be taken seriously, and vendors not taking things seriously after the problem has been publicly shown to be exploitable need to have a 3rd party audit conducted against them to the seriousness of their security issues at scale, especially if they are a large enterprise.
safalafal@reddit
i fully agree that they should be taken seriously, but take like, the curl 9.7 a few years ago - if you had embedded your own curl in your app, then that actual threat was nothing.
proper nasty in a fully shared system tho - i'll say it again, big number does not equal major threat.
as for npm - i refer you to a blog article i read earlier today: https://xeiaso.net/shitposts/no-way-to-prevent-this/supply-chain/2026-redhat-javascript-clients/ lol -- it's awful, and i'm increasingly npm is bad tbh
Helpjuice@reddit
This is a major problem with many not even understanding their environment. If it is reachable then it's a problem, if not then it's not as big of a problem.
safalafal@reddit
Absolutely like - erm, what was it, mongodb! theoretically fucking terrible, in reality, if it got pwned you kinda asked for it by making db connections open to the world
Helpjuice@reddit
Yeah, that is core foundational poor security and systems hygiene. Anyone doing this in any environment (prod, staging, dev) should not be working for anyone.
smonty@reddit
Do you do seminars by chance? Swear our security team gave us one of these 9.8’s with a 3 day sla that required a “threat actor with root access” the ability to execute code by way of such and such exploit.
Like yeah? If a threat actor has root access they’ll be able to execute code without any exploits too.
twistedbrewmejunk@reddit
Usually also same place that gives a 3 day on it also allows exclusions for full admin or local built in admin enabled with a master p word set. Or my favorite is they create snow tickets with the security finding that also can sometimes include embedded credentials. They create a ticket scolding some app or automation that ran real time in terminal that they caught. The fun is that something would need to be actively recording content on the server to capture this when it ran, but also these types of fixes are usually requested by sec ops in the first place (reset junk server local account word), then they dump the entire finding including the account and pword in snow where almost all users have read access.
AussieHyena@reddit
My favourite is day before delivering a change that has been tested (including pen) and is all signed off and you get a message of "We need you to use this version of component y". That version was only released that day.
They went very quiet when I told them that they can explain to the execs why we were delaying a Government-required piece of work that would need to be re-tested (including pen). I also said that I would be pushing the extra costs imposed on the project (including any Government fines) back to InfoSec to cover.
dkoy@reddit
Just for a bit of an example that it doesn't matter when it gets announced, the last 9.8 Cpanel CVE-2026-41940 was officially published on April 29. I don't see much public chatter before that and plenty after. But here is our observation of the previous 30 days from May 1st of scanning for the vulns. It was already being exploited before the release. You can be hacked in -6 seconds.
Riffz@reddit
ehhh in this day and age it's getting closer and closer. within a day we can easily see something turn into active exploitation campaigns. especially with this level of attention? bet.
f0gax@reddit
Unless ur a l337 h4x0r
PowerfulDiet7155@reddit
Please tell this to the Cyber security department
safalafal@reddit
i mean i should transfer to cyber security, it's an easy life telling sysadmins that what they are doing is risky, taking no responsibility and refusing to give a firm answer on anything, sounds fucking easy
tbf - i'm sure there are good cyber security departments, i just don't have one myself and i'm a bit annoyed at it.
JuggernautUpbeat@reddit
I try to be as secure as I can as a sysadmin (on all the distro mailing lists and CVEs are monitored, external and internal scans are done every night, we have Wazuh, etc.), it's the devs with vibe coding and using Claude to develop whole new apps that are mostly to blame. 0days will get that shit cracked every time.
RvstiNiall@reddit
zOMG yes it does! All teh hakkurs kno about it and r waiting for the release to exploit!! /s
In all seriousness I had to explain what you just said to a coworker on the Windows sysadmin side, and he acted like I was crazy. They'll fix it before it becomes a problem for more than one large corporation. Just hope your company isn't the unlucky one and do your job and you'll be fine!
BisonThunderclap@reddit
They really should stop those with videos on how the exploit works. I'm tired of distilling the latest exploit and why not everything is on fire into something leadership can understand.
lordmycal@reddit
I will hax0r0z j00! B0w be4 m3 newb! /s
SaintEyegor@reddit
Nope, all my stuff is Linux
onefish2@reddit
Right answer!!
Hey_HaveAGreatDay@reddit
A Microsoft representative said “I will make sure your bones are shattered”?
That’s fucking wild, I’ve been at MSFT for 6 years and I can’t think of a single person that would speak that way to a client
themunga@reddit
This was the leaker, not MSFT
ihaxr@reddit
We disable defender and vss, so not too worried about it.
RvstiNiall@reddit
As a *nix sysadmin, I'm buying a case of Kirkland Popcorn and showing up at the office with an extra microwave.
solracarevir@reddit
As a *nix sysadmin you must have had a few pretty busy weeks too.
RvstiNiall@reddit
With all the AI found exploits here lately? THAT'S WHY I'M MAKING POPCORN! lol
It's my turn to watch the show!
RvstiNiall@reddit
/s
If they would just listen to me and switch to completely custom FPGAs running completely custom CPUs, with completely custom OSes and tools... It would be so secure not even WE could use it!!
Dzov@reddit
Hell yeah! Nobody over here hacking my base-3 computer!
newaccountzuerich@reddit
Runs Morse.. One of the few trinary communication protocols, and one that people often don't realise is trinary..
Dot.
Dash.
Silence.
fuzzentropy2@reddit
We have 11 computers so we moved to base-33!!! We can't even get them to boot, so no way anybody getting in!!
Bogus1989@reddit
I want an FPGA. cuz im a nerd
RvstiNiall@reddit
https://liliputing.com/onechipbook-12-a-is-a-215-mini-laptop-with-an-fpga-for-retro-computing/ I mean, I kinda do too.
Bogus1989@reddit
okay i remembered it, it's MISTer FPGA. you can get it for around 500 bucks.
I've ran emulators before too……most of it's fine, but you lose a lot of stuff through not having the original chip or a crt. for 500 bucks that's really good. otherwise you end up buying a dedicated system per…or all kinds of special scalers to replicate the crt etc.
I'm reading the link you posted, this is pretty cool also!
Bogus1989@reddit
there's this one a lot of people use for emulation. it's quite cheap. I kinda got on board the whole train and understand how games need the original chip or some device to replicate, and understand how an FPGA could be very close to the real thing.
thecommuteguy@reddit
Should have a Mr. Robot watch party instead.
Pazuuuzu@reddit
Well until then head over to the rsync dumpster fire, that's wild too.
RvstiNiall@reddit
Man, our shop switched away from rsync like... a week beforehand, and it was my call, and half our peeps act like I was in on the exploit and that's why we switched lol. I just like another tool better for the job, ya know?
Pazuuuzu@reddit
C'mon dude... At least tell us the alternative...
RvstiNiall@reddit
We are literally in a post about critical vulnerabilities. I'm not telling you that!
rclone on one side, a custom tool on another, and a GUI tool for the Windows sysadmins at my company. No I'm not joking. But I won't say which one, for real, because I'm embarrassed at their skill level. (Some of the windows guys use rclone, but most use the GUI tool)
YourTechSupport@reddit
I'm like, sysadmin adjacent and log4j still gives me shivers.
TheNewl0gic@reddit
This
aenae@reddit
~~0 microsoft products here~~ 1 microsoft product here (a keyboard; their best product ever). So i’ll enjoy the popcorn as well
Bogus1989@reddit
I found one of these babies a few years ago. I actually mounted it on our wall like some ancient shrine. 🤣 people always ask why it's there.
ScottieNiven@reddit
I also have that exact keyboard but in UK layout on my old Win 98 machine!
RvstiNiall@reddit
Which keyboard? One of the "Ergonomic" curved half-splits? Those are the only ones I'm aware of that I respect.
PSA: Split keyboards save careers! As do vertical mice if you prefer traditional over trackball, which trackball mice are also great for reducing wrist issues. https://www.contourdesign.com/mouse-for-rsi/mouse-to-prevent-carpal-tunnel
Ooops-I-hid-it-again@reddit (OP)
I love how this post turned to keyboard and mouse recommendations! lol
RvstiNiall@reddit
Gotta stay safe!
UMustBeNooHere@reddit
HE’S HACKED THE GIBSON!
RvstiNiall@reddit
Hack the planet!
SpaceChimps98@reddit
Kindly do the needful
tankerkiller125real@reddit
To be fair, avoiding wrist and hand injuries for IT professionals is a very serious thing. After all how are you supposed to eat popcorn while watching the world go to shit if your wrist hurts with every movement?
RvstiNiall@reddit
I don't like to brag, but I've used one of these (not that actual model though) for about ten years now. Both my parents have wrist issues, and I thought I'd be proactive. I also have a full split keyboard and a trackball mouse.
aenae@reddit
Yep, the 'natural elite 4000' i believe. Need to find someone who sells them new as most shops don't carry them anymore :/
RvstiNiall@reddit
I know there are several alternatives with similar form factors, but of course, they all feel slightly different from each other so if I were you I'd check a few out in person if you can.
I went for a full split, personally. Despite owning it for about 7 years, I've never been super thrilled with mine (Kinesis Freestyle Pro). I don't feel like paying $500+ for building a completely custom keyboard either though.
dabbydaberson@reddit
They use bitwise encryption on their wireless Bluetooth mice and keyboards. 😉
aenae@reddit
It is a 'natural elite 4000'. It is not wireless; for some reason i always have problems with wireless keyboards. I do try them sometimes, but they never work properly..
tankerkiller125real@reddit
The only ones that work properly for me now at work are the Logi Bolt ones (the encrypted communications low latency ones). I think it might be down to having too many other wireless devices in the same spectrum maybe?
RvstiNiall@reddit
I use wired in the office because everything wireless gets glitchy sometimes at the office.
Hebrewhammer8d8@reddit
I'm just quitting IT and going to the farm. LLMs just kill the joy of IT. I don't have the love of the game for IT anymore.
RvstiNiall@reddit
Farm work is hard work. Hope you work out (at the gym).
Yeah, I hate all the AI code slop I see. The Frankenstein'd together code segments I see added to our internal bases is just.... Depressing. It's like "ok john, first off, that section is done in the Python Project's style, but it's Rust code, and this is a C project!" Then they get all defensive, and I end up replacing it. THAT'S NOT EVEN MY JOB!
donith913@reddit
Y'all haven’t exactly had the best month or so when it comes to LPE vulns. Might be more of a misery loves company situation.
RvstiNiall@reddit
Yeah, with all the recent stuff in my world, that's why I'm popping popcorn! My turn to enjoy the show!
donith913@reddit
That’s fair, honestly.
I’ll probably just yawn and let automated patching do its thing.
RvstiNiall@reddit
I mean, that's all we did. Other than mitigating potential problems via coordinating with infosec. Gotta throw on a white hat and help keep the bad people from storming the castle, etc.
Or in my case, watch all the servers from home while scripts run, and play on Reddit.
bjc1960@reddit
The kettle corn in the purple bag is on sale at Costco too, with the $2 instant rebate.
RvstiNiall@reddit
Oooh nice. Thanks for the tip! Might head there today to get that, and to re-up my allergy meds.
MonsterTruckCarpool@reddit
Plot twist the microwave gets exploited.
RvstiNiall@reddit
Doubt it, it runs NetBSD!
Ooops-I-hid-it-again@reddit (OP)
You're really going to enjoy the show - congrats! 😄
RvstiNiall@reddit
This is my time to shine... Maybe I can convince ~~corporation name redacted for security reasons~~ to switch a few of those Binblows boxen over.
ChiefBroady@reddit
I manage our Macs, so no.
1stPeter3-15@reddit
July 12th…

Ooops-I-hid-it-again@reddit (OP)
Yesss, you get it! lol
1stPeter3-15@reddit
July 14th, depending on how that goes…

Fallingdamage@reddit
July 14th. NEW CVE!!! AN AUTHENTICATED ATTACKER.....
Course, well yeah, people who are authenticated can do a lot of things.
newaccountzuerich@reddit
Even those whose authentication matches their authorisation, and even matches the expected identity.
Not every authenticated access is the correct entity's authentication effort. "Stolen creds" are very much a thing still.
roboto404@reddit
This but not coffee.
twistedbrewmejunk@reddit
To be safe let’s go with a 50/50 mix
s_schadenfreude@reddit
There's a distillery in Lancaster, PA called Thistle Finch that makes a black coffee whiskey. It's amazing.
roboto404@reddit
Ooh. Gonna have to write this down.
twistedbrewmejunk@reddit
Going on my if I'm in the area visit where list
Tyr_Kukulkan@reddit
Going into work in the morning...
kevinsyel@reddit
I'll just put this over here with the rest of the fire
Tyr_Kukulkan@reddit
I mean, at the moment, there is a lot of fire to put together in one place.
UsagiMimi@reddit
A whole heckin lot of fire
UncleSoOOom@reddit
Now everybody dance!
occamsrzor@reddit
Wow. I’ve not seen that meme in like, 20 years
linuxknight@reddit
https://x.com/i/status/779409304004820993
Devlin7@reddit
I have an IGA cutover/go-live on 7/13....should I just head off into the wilderness now?
NextSouceIT@reddit
Yeah
dangeldud@reddit
Does he? That is a live video of a rack next to his Domain Controllers...
Smith6612@reddit
Oh man that pot of popcorn looks so tasty.
Operation_Neither@reddit
And forfeit the potential overtime? No thank you!
TheZeR0x@reddit
Uhm
sophware@reddit
I'll just change my desk calendar to be June 14 2025.
ArchonTheta@reddit
That’s how you do it, brotha!!!
Wasteofskin50@reddit
"As requested, it is full of bugs... forcing people to upgrade for years."
Secret_Account07@reddit
It’s funny you post this because I’ve been following this story like it’s a reality TV show. It’s pretty rare one person so publicly and competently shames a (b/t)rillion dollar company.
This person has both skills, motivation, and has no qualms with going scorched earth. At this point I’d say their threats are pretty credible and expect another bad day for MS.
We don’t get much juicy entertainment in our field. It’s nice to sometimes get a little dramatic entertainment 😆
I like to think about what’s going on behind the scenes. I’m certain this one petty individual has created many, many meetings from engineers all the way up to execs. He wanted their attention- he’s certainly got it
I for one am glad he exposed the bitlocker backdoor…..I mean vulnerability. It’s completely changed how I view MS encryption. I always assumed there was some deeply technical or secret way past bitlocker for top level national security scenarios. But after using his exploit I realized it’s fucking amateur hour. Like really? That’s it? That’s the backdoor and the technical door that holds our data safe? Surprised this wasn’t outed long long ago
threwthelookinggrass@reddit
bitlocker has always been trivial. When the TPM is discrete the key is sent from TPM to CPU in plaintext and can just be sniffed. https://blog.compass-security.com/2024/02/microsoft-bitlocker-bypasses-are-practical/
ooglybooglies@reddit
What's a brillion? :P
gerowen@reddit
Nothing I work on depends on Windows so nah.
Itchy_Meaning753@reddit
Bro, I collect zero days and then don't patch them for 12 years, who gives a shit
TargetFree3831@reddit
I mean...how are these being exploited?
I only see an attack vector through Fortigate SSL VPN which is disabled now in modern firmware. SSL VPN has been insecure for aeons now.
Internet-of-cruft@reddit
Whoever this security researcher is, I wouldn't be surprised if Microsoft's legal team is ramping up to take action against him.
This sounds like a straight up threat. Like I get the guy is pissed, but you don't go making threats against a multi billion dollar company without expecting some retaliation.
MS doesn't even need a legally sound reason to go after him - they can just bury him in legal fees and process.
NoPossibility4178@reddit
Sounds like an incentive for people to stop dealing with Microsoft and just sell the exploits primarily to black markets, otherwise Microsoft can just not pay you and then sue you to oblivion if you complain, that risk is not worth it.
EquipLordBritish@reddit
I mean, if they push him like that, then what reason would he have to not burn microsoft to the ground?
thatOneJones@reddit
As a bystander / curious individual into the sysadmin world, can someone explain this in terms even an idiot can understand?
tankerkiller125real@reddit
Big bad Zero Day with easy exploit = world wide exploitation within hours = shit show for IT industry.
Especially because the 14th is Patch Tuesday, and the Eclipse guy dropping the Zero Days always waits until shortly after the standard patches drop. Meaning that the only option available to Microsoft to fix it is either out of band patches (which are always a royal PITA to deal with), and/or publishing scripts/guidance on what services/functionality to kill in order to protect systems until the next patch Tuesday. (In August)
thatOneJones@reddit
That’s like my wife asking me to fill her water after I’ve already sat down after being in the kitchen.
tankerkiller125real@reddit
I'm going to give a more apt description along the same line (hopefully):
It’s like getting home from a once-a-month grocery haul and putting everything away, only for your wife to say, "Oh, I forgot to tell you, we’re out of milk and diapers." And now the car is very low on gas, the stores are closed for the night, and you have to figure out how to keep a toddler happy until tomorrow morning using only what's left in the pantry.
techretort@reddit
Do you turn off the toddler for the night, or commit to hosing them off in the morning?
SeaPollution2750@reddit
So you have buggy water?
tankerkiller125real@reddit
It's worse, it's like your wife asking for a home cooked steak after you sit down and giving you 90 seconds to do it or else she'll withhold any fun time for the next several days if not weeks.
Bearlodge@reddit
TL;DR: this guy found a key to Microsoft's house, tried to return it to Microsoft, Microsoft told him to get lost, so now he's releasing the key onto the internet for everyone to use.
Oftentimes, large software companies (like Microsoft) have bug bounty programs where hackers can report vulnerabilities they find and be compensated by said company in exchange for not releasing the bug to the public and allowing malware to be built with it.
I'm not fully up to speed on this specific individual, but it sounds like Microsoft has been fighting them over bugs they have reported and so now this individual is threatening to release the bugs to the public since Microsoft is refusing to work with them.
Given the CVSS score of 9.8 (out of 10), it means that this particular vulnerability is quite severe and could cause a LOT of damage to IT systems. Assuming all of this is true and the vulnerability does exist and is as bad as claimed, it means that starting July 14, all Windows systems are going to be subject to this vulnerability and whatever damage it may be able to cause (unless other measures are in place, which most IT departments have).
Unless of course he and Microsoft make amends in the next month and a half....
thatOneJones@reddit
Thanks for the breakdown! Glad I’m just a bystander, best of luck to all sysadmins out there 🫡
Gositi@reddit
Microslop has promised to give money if you find security bugs in their software. This guy found and reported security bugs. Microslop claimed the bug report was wrong and didn't pay anything, even though the bugs existed and presented a security issue. Discussion back and forth between Microslop and this guy. Now this guy says he has found a really bad security bug and will release it on June 14th. This post asks (jokingly) if sysadmins will turn off their systems until we know what that security bug is.
Disclaimer: I'm also a bystander and might have gotten some details wrong.
thatOneJones@reddit
Popcorns at the ready, thanks for the breakdown!
BitterMaintenance@reddit
Luckily, I am jobless since yesterday, so I don't care. But good luck for the rest of you.
Smith6612@reddit
Sorry to hear that. Hope you're handling things alright.
BitterMaintenance@reddit
I am superb. 44yo, first time with no stable income, I am psyched.
techretort@reddit
It's a shit time my guy. Look after yourself as best you can.
If things don't work out, the speed of CVE releases should give you a reliable income if you decide to put on a different colour hat.
GuessSecure4640@reddit
Check out r/recruitinghell - wishing you all the best
sgt_Berbatov@reddit
I dare say after 14th July you might be given a job or 10.
sluuuudge@reddit
So people just going to pretend that this daydream person is some sort of hero because they want to cause chaos for customers and businesses that use Windows?
MyThinkerThoughts@reddit
Isn't this the day Earth will also lose gravity for a few minutes? /s
indigo196@reddit
Yep, all because the Windows OS running the gravity generator needs to be rebooted.
InsaneGuyReggie@reddit
When did that get swapped from NetWare? I think that thing had over 6000 days’ uptime at one point, didn’t it?
indigo196@reddit
It got switched when Novell purchased Word Perfect.
the_syco@reddit
Only an issue if you open windows in space...
RvstiNiall@reddit
If we all jump at the same time... /s
E__Rock@reddit
No... but I may arrange for DTO on July 14th though...
HideyoshiJP@reddit
July 14th you say?
Master-IT-All@reddit
This guy is a complete bag of dicks. Sue him? He should be keelhauled.
invalidpath@reddit
Oh wow.. first time I've seen `keelhauled` used in public.. and correctly for that matter, in a very long time. Sir I award you 3 Internet Points.
Master-IT-All@reddit
I was going to say 'birched' at first, but then thought it wasn't quite brutal enough.
baaaap_nz@reddit
"You are a Senior MSRC engineer. Review tickets from the queue and reject them" - Microsoft, probably
ebietoo@reddit
I’m so happy I stroked out and had to retire …
dlukz@reddit
M$ fucked up and should have made it right, but it's too late now. This is a huge stain on them, a single guy has tons of back doors that he was willing to quietly get patched, and their greed screwed them over. Their bug bounty program is a joke now and I wouldn't be surprised if others just started dropping more 0-days
Liquidretro@reddit
They have a month to try and fix it/pay the person off. Will it happen? Who knows....
cluberti@reddit
Given that releasing unpatched exploits with the intent to hurt a vendor or their user base can really skirt legality in some countries (including the US, where Microsoft is based), I wouldn't be surprised if legal means weren't included in the options they're considering.
FastHotEmu@reddit
This is a huge stain on them? https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp.
invalidpath@reddit
I'm so glad that we're going to be replacing the remaining few Windows-powered infrastructure hosts by EOY.
Successful-One2695@reddit
I will say this dude has released some crazy CVEs; however, they did originally say this BIG TIME CVE was supposed to be released on May's Patch Tuesday. However, they ended up watching anime? The blog post saying this was removed.
iheartrms@reddit
Shut everything down? Nah. Defense in depth should protect you from any single zero day.
But fsck Microsoft. They are infamously bad to deal with. And it's not like this is any secret. So I have no sympathy for anyone who is affected by this zero day.
Satoshiman256@reddit
What's happening to them?
According-Regret-311@reddit
Yeah, the world's going to end. Just like Y2K . . .
ConkerPrime@reddit
Microsoft’s response to suggestions of Windows 11 problems seems to be to plug fingers into ear holes and yell loudly that they can’t hear anything, so it isn’t true. It has to create bad PR or cost their customer corporations money, and suddenly they're receptive.
Of course, nowadays, since they use AI to “fix” code and “test” code, the update might be as bad as the problems it's addressing. At five months in a row of significant Win11 update problems?
AlexisHadden@reddit
Azure’s just better at hiding it. It is anecdotal, but my experience is that we’ve hit more slowdowns and partial outages in the last 12 months.
stromm@reddit
July 14 is patch Tuesday.
It’s also when MS is forcing a patch that removes Kerberos RC4 from all Server 2012 and up. Which means anything running on older servers will no longer be accessible.
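Whether or not that patch lands as described, an admin preparing for an RC4-to-AES Kerberos change wants an inventory of which accounts still do not advertise AES. The following is an added example written for this thread, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that the caller has read access to the domain. It decodes the real `msDS-SupportedEncryptionTypes` bit flags and lists every user and computer object whose value lacks both AES bits (an unset value means the domain defaults apply, which historically included RC4):

```powershell
# Added example (not from the thread): list AD accounts whose
# msDS-SupportedEncryptionTypes does not advertise AES.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes.
$DES_CRC  = 0x01
$DES_MD5  = 0x02
$RC4_HMAC = 0x04
$AES128   = 0x08
$AES256   = 0x10

# Turn the bitmask into a readable list of enabled encryption types.
function Get-KerberosEtypeSummary {
    param([int]$Value)
    if ($Value -eq 0) { return 'Unset (domain defaults apply; historically includes RC4)' }
    $names = @()
    if ($Value -band $DES_CRC)  { $names += 'DES-CRC' }
    if ($Value -band $DES_MD5)  { $names += 'DES-MD5' }
    if ($Value -band $RC4_HMAC) { $names += 'RC4' }
    if ($Value -band $AES128)   { $names += 'AES128' }
    if ($Value -band $AES256)   { $names += 'AES256' }
    return ($names -join ',')
}

# Pull users and computers with the attribute and any SPNs (service accounts matter most).
$accounts = Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' `
    -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName

$accounts | ForEach-Object {
    # [int]$null evaluates to 0, so an unset attribute is reported as "Unset".
    $etypes = [int]($_.'msDS-SupportedEncryptionTypes')
    $hasAes = ($etypes -band ($AES128 -bor $AES256)) -ne 0
    if (-not $hasAes) {
        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass
            Etypes = Get-KerberosEtypeSummary $etypes
            HasSPN = [bool]$_.servicePrincipalName
        }
    }
} | Sort-Object Class, Name | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation before the change window; accounts that come back with an SPN and no AES bit are the ones whose services will stop authenticating once RC4 is refused, and the fix is to set AES on the account (and, for service accounts, make sure the password has been changed since AES keys were enabled so the KDC actually holds AES keys for it).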
_kinesthetics@reddit
I'm not on call that week, thankfully.
inhoyukine@reddit
I have a start date of July 13th 🫠
Ooops-I-hid-it-again@reddit (OP)
You're (potentially) getting one hell of a welcome party! lol
MobileArtist1371@reddit
!Remindme July 13 2026
crisis averted?
Jkabaseball@reddit
July 14th is my first day back from vacation.
Ooops-I-hid-it-again@reddit (OP)
Damn... Didn't realize you drew the short straw, did you...
Miserable-Text8249@reddit
Not shutting anything down but definitely making sure our segmentation and detection are tight before that date. The bigger concern imo is the copycats this kind of thing inspires, not the one researcher.
nestersan@reddit
Nope.
Leproide-IT@reddit
"I hope they're not talking bullshit and that they really hurt Microsoft badly. The day that piece of crap finally fails will be a day of celebration."
KeyHalf6609@reddit
I am! I'll be on vacation starting that day, so all my IT stuff is going to be shut down. Don't need management to bother me when they got a dozen other admins just as capable.
Gonna suck for them, but I'm going to enjoy the show lol.
FastFredNL@reddit
We do, but on July 10th. Power is gonna go out for scheduled maintenance work on the power grid in the street.
scytob@reddit
given the number of folks MS works with on vulnerabilities and disclosure, my bet is behind closed doors this guy was acting like an ass
his response seems to be more about publicity and attacking MS - he doesn't seem concerned about protecting folks - seems like a black hat hacker in white hat hacker clothing who tried ransoming MS for cash - I bet he asked for money......
linuxlifer@reddit
Ehh not so sure about that. There were a bunch of other independent security researchers as well as high ranking staff in large tech companies that came out after this and had his back saying that the whole MSRC is a really shitty system to deal with.
ThemesOfMurderBears@reddit
Where can I read about this?
scytob@reddit
no doubt it's a shitty system, no doubt it needs to be improved, I know some ex-MSRC folks
that isn't solved by what this guy is doing and putting people and systems at higher risk (when people do things like that it impacts systems that are actually life/death in some cases)
tankerkiller125real@reddit
When your bug bounty program is so shit that the people who are doing things the right way just walk away and never bother doing any bug testing for your shit again (which there are now many well-established pentesters who have admitted to doing exactly that), then you're doomed to have someone, or even a group of people, say "Fuck it, the best way to protect people at this point is to just make shit public."
Is it a PITA for IT admins like myself? Yes. Have I submitted my own security bugs to MSRC (including for potentially significant issues) that have gone ignored? Also, yes. Do I bother submitting MSRC reports when I find those bugs now? Why bother, I have other shit to do with my time instead of filling out reports that will get ignored.
It also doesn't help that a trillion dollar company (Microsoft) celebrates the fact that they'll never pay out for bug bounties (or at least the exec team does). So simply put, fuck em. They did the whole fuck around part. Now they've entered into the found out stage.
jimicus@reddit
I've seen this sort of behaviour before, and it's often associated with intense stress. You find in such situations that people do get emotional, they do get arsey and they simply don't behave the way you'd expect them to in normal circumstances.
He even hinted it in his early blog posts.
My guess is a big chunk of his income came from bug bounty programmes and Microsoft has basically said "nah, not gonna pay up" for a year or more worth of work.
scytob@reddit
maybe, thing is they tend to only get bounties for things they find that are new
could also be he disagrees with their classification
lots of possibilities here, but given his public posts I am not inclined to give him the benefit of the doubt; for MS to post that post they did means it went off the rails quite some time ago - it takes many layers of review for a post like that to go live.....
jimicus@reddit
I'm not really convinced the details are relevant - they all boil down to the same thing. He's put in a shedload of work and he's not getting paid for it.
scytob@reddit
that's his claim, not sure I believe him, his behavior doesn't make him trustworthy or make me believe him
jwalshjr@reddit
Okay… but Microsoft has already openly proven to not be trustworthy, and he is far from the first to experience issues with their bug bounty program in recent years.
The actual truth is likely somewhere in the middle - but I would much rather trust the random guy who might not be trustworthy but clearly has the skills and has already released several 0-days than trust the company that I know without a doubt will only act in their own best interest.
scytob@reddit
no they have not, they have proven to be difficult to work with, that's it
mrlinkwii@reddit
yes they have; numerous researchers have said publicly (Twitter etc.) this is on form for MS, to not pay and then slightly patch the bugs
jwalshjr@reddit
Your first paragraph is wrong - and your second paragraph has nothing to do with my main point.
I’m just going to end this conversation here… not worth getting frustrated over somebody who clearly hasn’t been following Microsoft closely in recent years, or if he has is choosing to white-knight them when they’ve done the exact opposite of earning it… just not worth my effort.
mrlinkwii@reddit
even if he was, MS didn't do their side of the deal
omegadeity@reddit
And hypothetically speaking, what would be wrong with him asking them for money?
If the general public is expected to function as beta/bug testers for a multi-billion dollar company, it's fair that the people who actually choose to do so should be fairly compensated for their efforts.
The truth is, something like the recently released YellowKey BitLocker exploit could ONLY exist because Microsoft bent the knee to the NSA/the US government behind closed doors and chose to leave a critical vulnerability in their encryption system that could be used to access encrypted systems.
That exploit being present for all this time means that people who believed their BitLocker-encrypted systems were secure actually aren't (unless additional steps are taken). If someone stumbles across such a massive security flaw, I think they should have every right to hold it over Microsoft's head and demand significant payment from them, especially since they could just release the exploit privately on the darker sections of the internet and watch them exploit it to catastrophic effect.
ZAlternates@reddit
Eh holding exploits over a company’s head for money “or else” is called extortion.
ek00992@reddit
I’m sorry, but I can’t take anyone seriously who believes this is what’s happening behind the scenes.
The banality of bureaucratic evil is a force to be reckoned with.
And no, nobody has the “right” to hold exploits over a company's head. That is NOT how the laws for this work. You are playing with fire if you believe otherwise.
japanfrog@reddit
I’d rather subscribe to the theory that it was a mistake someone made since they got rid of their entire testing team in favor of automated testing years ago.
They basically made insiders test the code instead of paying for testing teams to review it. It’s a bit ludicrous that a company with record profits decides to get rid of testing personnel.
scytob@reddit
nothing, and there is nothing wrong with them saying no, 'here is the normal bug bounty'
anyone who starts a sentence with "the truth is" and is not on the inside is amusing, I have some tin foil hats for you
folks like the NSA/GCHQ etc. don't need to ask for code to be put in, they already have a super deep well of zero day exploits
also you realize MS, Google, etc. all likely have undercover spies from most major govts and that MS and those companies are always looking for ways to protect from that... that is actually the bigger issue (after bugs)
you have ZERO clue how this works in reality
INSPECTOR99@reddit
Does it really matter the color of the hat when the "HAT" delivers on a contractually agreed bug disclosure submission??????????????????$$$$$
ek00992@reddit
The federal law will always overwhelm such disclosures.
When it comes to computer-related exploits, the details matter a great deal.
You can’t just break into a privileged machine and demand money for being able to do so.
scytob@reddit
it matters if someone claiming good intent actually has ill intent, as proven by their public actions, yes
ek00992@reddit
😂😂😂😂😂
I can’t take anyone seriously who believes this is what’s happening behind the scenes
CrestronwithTechron@reddit
Yup. That was my feeling as well. Dude is a manchild, and bitching on X about it gave some really shitty vibes.
dabbydaberson@reddit
Yeah but from their pov they were ignored, not paid, and my understanding is that MS "ruined their life".
My guess is that MS saw how damning this could be and somehow got them fired, deleted all the evidence of past contributions, nuked their MS accounts, etc.
Sure feels to me like MS fired the first shots here and tried to play their giant corporation card which has mostly backfired
japanfrog@reddit
Can’t vouch 100% on this, but one of my close channels claimed that the yellow vuln was something that had already been patched over a year ago, but was just pending an update to go out, since WinRE updates are different than the usual quality updates; their cadences are different.
And that their report might just have been treated as a “we know about this one already and we are addressing it,” but that he might not have liked being brushed off and decided to disclose instead of not getting payment or recognition. Enough people work there that eventually we will find out the truth, but I put my money on that being what it was.
It really sucks when you spend, as they said, two months of your life working on this, only for a company to say “yeah, we are aware already and it’s being addressed.”
scytob@reddit
I can believe that, that tracks with my experiences on dumb prioritization decisions product managers make (I am a dumb product manager who once worked for MS a long time ago, still interact with them and see not much has changed)
it's also a case of how risky is the patch - how many people will it break.... MS have a bad testing record at the mo for all patches, my hope is that is starting to change with some of the quality initiatives I see
and great point about the "yup, we know about that one already" - I have been hearing how big a deal Mythos has been......
EntHW2021@reddit
If all your protection is via windows you already have problems
hooblelley@reddit
Microsoft at its finest, a prime example of infinite incompetence.
At least we have this jerk called Copilot that nobody asked for. /s
Professional-Heat690@reddit
Clippy says hi
Stryker1-1@reddit
At least Clippy was helpful and just kinda hung out in the corner.
leadout_kv@reddit
Oh, you mean like when we shut everything down the night before Y2K so stuff didn’t crash? Nope.
Nothing happened on Y2K too.
Sarithis@reddit
Remember remember the 14th of... July. Damn, doesn't rhyme
Yosheeharper@reddit
Listen, my children, and you shall hear of the midnight ride of the Nightmare... On the 14th of July he will strike, with both Windows and macOS in sight...
HongPong@reddit
turn off the Internet till morale improves
ldti@reddit
Why does he sound like Ea-nasir?
UltraChip@reddit
There's a joke here somewhere about the copper in their Ethernet cables...
aes_gcm@reddit
Didn't Ea-nasir just collect all the complaint tablets and leave them around the house? I got the impression that he never actually responded to the complaints.
VintageLunchMeat@reddit
With clay tablets, at some point hate mail is a new extension on the house.
UltraChip@reddit
A bunch of tablets were found around the house, but I don't think archaeologists ever had enough information to say definitively what he did about them.
I remember reading somewhere that they're not even sure if Ea-nasir's copper genuinely sucked or if the complaint just came from Civilization's First Karen.
Deweyoxberg@reddit
I wish this was hyperbole on the part of Nightmare.
However, after reporting several of my own, the process is....
A gelatinous dumpster fire would be an improvement.
mistersd@reddit
Just at patch day
sgt_Berbatov@reddit
Nope.
I'll be on holiday.
4SysAdmin@reddit
I’ll be in the middle of a national parks vacation that day, god speed to the rest of you.
AutomaticGrape9263@reddit
Bring it on
FortheredditLOLz@reddit
I once rebooted a server on July 4 remotely while watching it on the CCTV. I saw something odd and wondered why I couldn't see power draw from the PSU or any packets from the switch, but I could vaguely see a light. Waited 30 minutes while changing, hopped into a cab. Got into the server room and whatchu know… bastard did the magic smoke on me and required a holiday server HW move from one server to another. Then validated everything via iDRAC in a bar… while cursing how I pissed off the IT gods.
Test-NetConnection@reddit
This guy has turned into an asshole with little to no respect. At this point it's all dick swinging and ego with very little substance.
Vacantless@reddit
very little substance? These released exploits are VERY substantial. But I agree on the asshole attitude.
Test-NetConnection@reddit
YellowKey was a big nothingburger that exploited a known attack vector against the BitLocker implementation without a PIN. The researcher claimed to have a PoC that allowed BitLocker to be defeated even with a PIN, but he has yet to release this and I'm inclined to believe it's BS.
Ooops-I-hid-it-again@reddit (OP)
Can we talk about how funny it is that you have to protect encryption with a PIN because simply having to have a BitLocker key to unlock a drive is somehow not enough? I get defense in depth, but to have to have a key to protect your key is pretty wild. Also, BitLocker setup doesn't prompt users to set a key but instead allows users to believe their encrypted device's data is safe if it's lost.
Sysadmins may know about the PIN requirement, but it's pretty f'd up for Microsoft to be okay pushing BitLocker to everyone like it protects data against physical loss when it doesn't without a PIN. This is doubly true if they've refused to implement a simple patch along the lines of their mitigations if "BitLocker without a PIN has always been insecure and vulnerable against side-channel/physical attacks."
Test-NetConnection@reddit
Read up on side channel attacks and how hardware encryption actually works. You'll understand why it's necessary for there to be an external authentication factor before the encryption/decryption operations actually start.
lordmycal@reddit
He's certainly immature, but I blame Microsoft for this. All they had to do was honor their payout for the bug bounty.
mrlinkwii@reddit
I mean, considering the BS MS has done, me or you wouldn't have respect for MS
theEvilQuesadilla@reddit
Admittedly, you don't need to be likable to be good at discovering vulnerabilities, and he seems really damn good at that. Definitely an asshole but I get the distinct feeling that I can trust this asshole's threat.
the_star_lord@reddit
Looks like I've picked a good week to take time off then
dayburner@reddit
Maybe 2026 will finally be the year of linux on the desktop.
rra-netrix@reddit
Yes, just like how 2015 was going to be the year of Linux on the desktop, then 2016, 2017, 2018, 2019, 2020 through 2025….
Any year now!
It’s coming!
UMustBeNooHere@reddit
Lmao…. No. If you weren’t around in 2001, look up the extreme malware outbreaks that were everywhere pre-XP SP2. That didn’t force it then, either.
Gositi@reddit
Linux was... a bit different back then.
dayburner@reddit
I was around.
yankdevil@reddit
I have had a 30+ year career where I have largely avoided Microsoft products. I recommend it. Go learn other things and stop enabling shitty software.
ZAlternates@reddit
Didn’t Linux just have a pretty bad exploit too? Yeah it required access, but so do these issues.
KN4SKY@reddit
Linux had a few high profile exploits recently. CopyFail, DirtyFrag, Fragnesia, and ssh-keysign-pwn (less severe than the others but still lets an unprivileged user read the shadow file that has all the hashed passwords). Most of them have been in the kernel for years.
romu006@reddit
Also they were patched before the CVE release AFAIK. That helps.
TaxHazyShade@reddit
no, no, this is Reddit. If MiCr0$oFt WinBL0ws has an unpatched flaw, your entire business will burn to the ground within minutes.
ThumbComputer@reddit
I mean, I understand the sentiment, but I don't think 90%+ of sysadmins here get the luxury of that choice. You get hired into a Microsoft shop, so you work on Microsoft products. I don't have that much of a say in the company's stack as a sysadmin.
fuzzentropy2@reddit
Yep, to everybody else here except for one person Linux is deep voodoo...
tankerkiller125real@reddit
If I could completely avoid it I would; my home is 100% Linux, but at work we unfortunately deal with making customizations to a legacy ERP system that runs VB6 and thus requires Windows. Combine that with employees who couldn't function if you dropped them into any other OS, and devs that complain at the mere idea of needing to use Linux, and you get a forced Windows/Microsoft environment.
Luckily, I have somewhat turned the dev team around for new deployments, given that all of our Azure-deployed services now run Linux (originally a license savings thing, but now also an ease-of-operations thing). Now if only I could drop Azure for a different vendor (not AWS, holy fuck is AWS a complete and utter mess every time I've looked at the docs).
Mutiny32@reddit
Oh why didn't I think of that, just don't use it!
Everybody! This guy solved the problem!
_haha_oh_wow_@reddit
Hmm, maybe I should take some time off mid-July...
the1namedwill@reddit
Windows OS26 launching on the 13th...
Excellent-Program333@reddit
I'm fucking tired of this guy.
Crismodin@reddit
It might be something, it might be nothing.
It kind of reads like someone with paranoid schizophrenia thinking they see something that others don't. But hey, I could be wrong, been wrong before, will be wrong again.
RikiWardOG@reddit
? they've dropped some crazy zero days back to back, you're not giving them enough credit
SpaceChimps98@reddit
I've been meaning to take a vacation in July. I might do that week.
ChesterM54@reddit
cringey edgelord stuff
whoframed@reddit
That's it. I'm dusting off my iMac and installing Mac OS X Snow Leopard ASAP!
AccomplishedVisit545@reddit
So computers go dark July 13 and Microstuff comes out with a fix: you just need to buy a new computer running Winddows 12 (so maybe this is their plan, and paying him from the profits will not be a problem). See, I ain't as paranoid as they say, heheheheh
Low_Prune_285@reddit
Regardless of the MSRC or their bug bounty payments, or treatment of said researcher, if they do release something that is a valid 0day against something like AD or EID then they (the researcher) are a*s.
ILikeFPS@reddit
I can't say I am, no, but I don't have Windows in my life so maybe that's why.
techtornado@reddit
I’m on a Mac for this very reason. MacroSlop can learn this lesson the hard way.
The_Wkwied@reddit
....none of us should be making business decisions based off what rumors we see online. Unless your C-suite or director tells you to 'turn everything off just because we may get hacked'... don't turn anything off....
andytagonist@reddit
When everything Windows shuts down, I’ll be posting pics all day from my MacBook. 🤣🖕
techtornado@reddit
I’m already using a Mac
Superb_Raccoon@reddit
I dont do Windows...
myg0t_Defiled@reddit
Finally something exciting going on
Ikinoki@reddit
Is it Conficker level or EternalBlue?
yojimboLTD@reddit
Sounds like bug boy is crossing into being an actual criminal because I guess he didn’t get paid. No one has time for this BS, I’m sure he will be handled one way or another.
COskibunnie@reddit
Let it burn 🤪
Cautious_Movie_3447@reddit
Plans vacation for July 11
AwalkertheITguy@reddit
Hmmm, a bunch of peggers from Twitter? S¿D...no fks given.
estcst@reddit
My C=64 will not fail me.
Tall-Bonus-6850@reddit
Full air gap technology right there!
AegorBlake@reddit
So glad I work for an evaluation lab. I do not run any actual infra that needs to be connected to the network outside of the lab.
bytezvex@reddit
Yeah that’s kind of the dream for this week honestly.
Whole thing makes me extra jealous of anyone who can just snapshot, break stuff, learn from it, and move on without some VP asking why payroll is down. For the rest of us, it’s more like “here’s your zero day, please enjoy the overtime and vague executive guidance.”
Tricky-Service-8507@reddit
You use Microsoft wow
Ok-Ingenuity4889@reddit
July 13th is my birthday.
lamalasx@reddit
No. Any true sysadmin switched to Linux long ago, including all workstations.
-mrhyde_@reddit
mrlinkwii@reddit
/r/sysadmin version of no true scotsman ?
IdidntrunIdidntrun@reddit
Now this is the funniest thing I've read in a long time
25toten@reddit
excited
BrainWaveCC@reddit
This saga is going to hurt Microsoft more than they think over the long haul, unless they change course soon.
PrincipleExciting457@reddit
I don’t think anything will happen… but if it does what a good time to have been laid off and not own any windows devices. I’ll sit with my pop corn.
raptorshadow@reddit
oh i have leave booked to extend my weekend. enjoy the apocalypse suckers
rootkode@reddit
But I’m airgapped and barely patch.
ItaJohnson@reddit
I hope this is entertaining. I have zero love for Microslop.
UltraChip@reddit
I'm fortunate enough to work in an all-nix environment so I'm going to put my feet up and enjoy the show.
Main_Ambassador_4985@reddit
No.
Even if it is a CVSS 10 we have to maintain operations.
We reserve the right to block or shutdown services and change firewall rules.
Og-Morrow@reddit
Don’t use MS
natefrogg1@reddit
I feel like Microsoft are acting idiotically in a lot of ways, this was not surprising, let it burn
freethought-60@reddit
No, I don't think so, at least not based on an online newspaper article.
su_A_ve@reddit
Nibiru again?
argama87@reddit
Really?
snebsnek@reddit
oof ouch owie. my bone hurting CVE :(