
rustyhancock, yesterday at 9:31 PM (4 replies)

I know this is a crazy take. But I do feel so downtrodden by many, many tech corps these days that I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.

That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized or, as per usual, the law will enforce a large corp's will against him.

Yes. Definitely a Friday night after a hard week take.


Replies

thewebguyd, today at 2:06 AM

> I am certain he will end up criminalized

DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system running on their own machine; there's no unauthorized access there.

They could drag Eclipse through civil lawsuits though.

But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.

matheusmoreira, today at 1:01 AM

Nothing crazy about it. Crazy is feeling sorry for the trillion dollar corporation. Don't let anyone tell you otherwise.

The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.

thot_experiment, today at 12:00 AM

Naw, totally agree. We need way more robust protections for security researchers and way harsher penalties for corpos doing bullshit; it should be a percentage of revenue.

We have way too much fuck around these days and not nearly enough find out.

vorpalhex, yesterday at 11:39 PM

Microsoft chose to run a shoddy bounty program. The researcher tried to do the right thing.

Microsoft could have prevented this. They were warned. It's their own fault.

The exploit exists whether or not the researcher reports it. They didn't make the exploit.
