GitHub bans security researcher who posted zero-day Windows exploits(tomshardware.com) |
Microsoft is playing with fire against a researcher that has a track record of finding 0 days out of thin air. Quite a dumb thing to do.
This researcher should instead pivot to crypto smart contract bounties. A much larger payout there than from companies like Microsoft.
the bugs he is publishing are exactly the class of bugs that they would love to buy
Microsoft's stance on zero day exploits is a dumpster fire of their own making
MS owns GH. It's tonedeaf and criminal
Hasn't that been their MO since the start? Absolutely scummy company.
Make it make sense, Microsoft.
> Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.
Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.
Example: https://lowendbox.com/blog/will-github-ever-remove-this-null...
A dying breed, most Intel machines have already fallen out of support and the few remaining ones (e.g. 2019 16-inch MBP) won't get any new OS updates after end of this year.
The second time I did it they contacted my employer directly without even getting back to me, saying they were unhappy about me reporting it and wanting to write about it after they fixed the issue.
Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.
Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.
The CCC (Chaos Computer Club) in Germany will probably do the same.
This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...
In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.
I'm intrigued by your post -- I used to tell people to send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed, and the current administration is so erratic that, paired with Finland's recent rejection of neutrality and accession into NATO, I would frankly agree that your CERT may be a better fit for the majority of people.
You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.
All of that without any benefits.
I tried three different contacts I could find; only one came back to me and wanted to know what the systems did, what the risk was, etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated, etc.
I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...
I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.
Why?
To show the stubborn, offended little snowflakes that it's better to reward your heroes than try to turn them into villains.
I bet this post will get downvoted a ton. I'm OK with that. I'm sure that a message supporting any national resistance movement during WWII would have been downvoted, too.
In the black market, 0days are actually worth something.
This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.
This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.
[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.
Guy finds zero days and gets no compensation. Instead gets banned.
Guy sells zero days elsewhere.
He also got banned from Gitlab, which isn’t related to Microsoft at all.
If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.
Is it really fiscally responsible to tie your company's future to that?
I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?
No problem. The CIA will give its high level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.
"But to save money, Microsoft fired the skilled people, leaving flowchart followers."
Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.
Whereas IT/Ops/developers see themselves as artisanal, free thinking, intellectual beings, where skill is related to shortcuts, hacks, and thinking outside the box compared to following process.
Hardware access is a given.
You guys need to stop reaching for conspiracy
>It's a private company. They can do what they want.
>Freedom of speech isn't freedom from consequences.
>Build your own github.
Did I miss any?
If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?
More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.
Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.
In the linked Microsoft blog post, they say :
> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.
So are they lying? Why would Nightmare-Eclipse not report them if they are not?
It's a very weird situation
That statement irks me. Responsible disclosure or not, it's Microsoft themselves that put their customers at risk, not the researcher.
It's not a dichotomy either, they can both have put the customers at risk.
Maybe they're a foreign intelligence cutout masquerading as a burned researcher.
https://gitlab.com/nightmare-eclipse
Blocked user @nightmare-eclipse
Looks like they’re banned on GitLab as well?
I also think it’s funny that people are alleging .gov conspiracies that end in a publicly hosted “blocked user” page instead of just 404-ing or something.
https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre
Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.
I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.
What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?
Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.
While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.
Maybe don't piss off your betters?
Satya Nadella says as much as 30% of Microslop code is written by AI:
https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...
Actually I was making a reference to Microsoft banning people on their Discord.
Because out of the top "evil corps" Microsoft seems to have the worst PR department.
I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.
Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.
Almost like trying to censor a leaked HDCP key.
[1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...
I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.
And where's the claimed version that works when a PIN is set?
And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.
There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.
Looks like they're trying to make it disappear, but it's in the wild now.
This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.
As far as we know, having TPM+PIN or TPM+Startup Key breaks the exploit. TPM-only was always known to be basically ineffective against threats like laptop theft; TPM-only would only protect you if the drive was stolen out of the machine, in which case this exploit also would not work.
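As an added audit check (not code from any commenter or from Microsoft): the PowerShell below uses the built-in BitLocker module to list every volume's key protectors and flag OS volumes that rely on a bare TPM protector with no PIN or startup key, i.e. the configuration the comment above says the bypass affects. It assumes Windows 10/11 with the BitLocker module present and an elevated prompt; the remediation hint printed at the end is a suggestion, not something the script performs.

```powershell
# Added example: report BitLocker volumes whose pre-boot unlock is TPM-only.
# Assumes the standard BitLocker module (Get-BitLockerVolume) and admin rights.

# Protector types that require a second factor before the TPM releases the VMK.
$PreBootAuth = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerTpmOnlyReport {
    Get-BitLockerVolume | ForEach-Object {
        $types      = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = @($types | Where-Object { $PreBootAuth -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ',')
            # Only the OS volume is unlocked by the TPM at boot; data volumes use
            # auto-unlock, passwords or external keys, so they are never "TPM-only".
            TpmOnly          = ($_.VolumeType -eq 'OperatingSystem' -and $hasTpm -and -not $hasPreBoot)
        }
    }
}

$report = Get-BitLockerTpmOnlyReport
$report | Format-Table -AutoSize

$weak = @($report | Where-Object { $_.TpmOnly })
if ($weak.Count -gt 0) {
    Write-Warning ("TPM-only pre-boot protection on: " + (($weak | ForEach-Object MountPoint) -join ', '))
    Write-Host 'Remediation (manual): enable the policy "Require additional authentication at startup",'
    Write-Host 'then add a PIN protector, e.g.:'
    Write-Host '  $pin = Read-Host -AsSecureString "New BitLocker PIN"'
    Write-Host '  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin $pin'
    Write-Host 'The existing TPM-only protector may need to be removed first with Remove-BitLockerKeyProtector.'
}
```

The script only reads state; it does not change protectors, so it is safe to run across a fleet via your usual remote PowerShell tooling and aggregate the TpmOnly column.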
On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.
† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.
> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.
If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.
Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).
Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.
If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.
selling to the highest bidder doesn’t generate headlines though.
I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.
Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...
I might be projecting.
The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story
SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com
OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459
The twitter account was silent between Aug 17, 2023 and Apr 3, 2026, so it's not necessarily the same person using it anymore.
> most expert researchers, all a bit quirky.
Is it a surprise that if you think differently you act differently? You have to think differently to become an expert. If you thought the same (as the "average") you'd, by definition, be "average".
There are some really decent technical videos on it, CCC is really awesome!
Really loved this talk in particular from CCC: https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_mor...
I mean it took them until Windows 10 to move font rendering out of Ring 0, you could run malicious code in kernel space from a freaking font on a web page at one point.
Maybe it was on GitHub/GitLab before the author was banned by both Microsoft and GitLab, not really sure we'd know. The authors last post on their blog is from yesterday (28th of May, https://deadeclipse666.blogspot.com/) so seems they aren't fully gone. But yeah, been a lot of "promises" but besides the initial 0days, not so much released AFAIK.
Far safer than a backdoor and no evidence.
But the slop in your comment here indicates you're arguing in bad faith.
Wonder if they knew about this.
If for example a laptop like that gets lost or stolen, the attacker has the data and the key, in a box they physically hold, with no attempt limit, and unless they actively mess with the boot process, it will happily load the key into memory for them. If it's a discrete TPM the attacker can likely sniff the key on the wire. If that doesn't work, they just need to find a vuln anywhere in the secure boot process, or in Windows, and again, they have the key. And if that doesn't work, they could sniff the memory bus, or do a cold boot attack (again, with unlimited attempts unless they irreparably damage the mainboard/TPM in the process).
> Satya Nadella says as much as 30% of Microsoft code is written by AI. More like Microslop, haha!
we'd all recognize that the last sentence is pointless name-calling (and thus violates the HN guidelines). But by interleaving the insult, it's easy to trick oneself into thinking that it's meaningful commentary. The quality of HN as a discussion forum requires holding ourselves to a higher standard than that.
Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.
Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?
Was it publicly discoverable?
Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.
Was it publicly exploitable?
Yes; the researcher didn't set up any authentication or anything.
All about bits of entropy, i.e. difficulty of guessing.
Once the notification is in and the shell demonstrating it is up, it should be immediate redeploy to a clean state, fix the hole, redeploy to a patched state.
The shell disappears on step one.
Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?
What is this lunacy?
edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.
Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with
> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.
A "neutral" country might abuse them.
This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.
If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.
That git account was posted on their blogspot...
Even beyond that… most business relationships wouldn’t involve an expectation that Microsoft does things for other entities that it does for itself.
Section 230 has no concern with publishers making editorial decisions. GitHub can moderate user content on its site however it wants.
1. Section 230 was largely enacted in 1996 to solve the 1995 ruling that "because Prodigy had taken an editorial role with regard to customer content, it was a publisher and was legally responsible for libel committed by its customers" (i.e. one of the biggest purposes of section 230 was to allow companies to make editorial decisions without causing them to become legally liable as a result).
2. The law was "designed to override the decision…, so that a service provider could moderate content as necessary and would not have to act as a wholly neutral conduit."
3. However, Trump has challenged that, including with Executive Orders, although I don't think Trump's rationale is well thought through, including because he explicitly complained that his posts like "Any difficulty and we will assume control but, when the looting starts, the shooting starts" being taken down was a specific example of why 230 should be revoked.
4. And some think the opposite as well, such as Democratic leaders who "believed that Section 230 led the companies to fail to take any preemptive action against the people who had planned and executed the Capitol riots" for example.
EFF's take on 230 ( https://www.eff.org/issues/cda230 ) includes:
> Section 230 allows for web operators, large and small, to moderate user speech and content as they see fit. This reinforces the First Amendment’s protections for publishers to decide what content they will distribute. Different approaches to moderating users’ speech allows users to find the places online that they like, and avoid places they don’t.
Security industry is going to be okay - someone will always pay for 0-days. If vendors won't pay, it's just gonna be US agencies, Israeli resellers, China or Russia.
If you don't feed your army, you will soon feed someone else's.
Is this just your way of saying that only tiny, weird, companies are "good"?
The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability
"Israel reached out to US hackers for ‘Zero Days’ tools" - https://www.timesofisrael.com/israel-reached-out-to-us-hacke...
Why?
Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically
>> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
> if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera
That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.
I don't think you'd need an external camera for that. What you're doing would be mentioned in the accompanying report.
I do agree with you about the boot process, though.
Zero days like this are being disclosed regularly so the idea of securing a windows workstation is tantalizing but you'll never feel satiated trying to drink that water so don't even try.
So yea there's plenty of windows users but we're certainly not hosting anything important on those boxes and would frankly be aghast at the suggestion.
Everything you disagree with isn't incorrect.
For example, the Internet giving every crackpot wingnut on Earth an equal voice with scientists is how we end up with measles outbreaks.
and that censorship at all would compromise the point of IPFS
although I disagree with both of those takes. Nodes always had discretion in IPFS, just pick a different node or pin something yourself which has pretty much always been required. Everyone can route to your pinned files while pinned.
It reads to me like Microsoft didn't pay him what he thought he earned from the exploits (i have no idea who is in the right on that), and then he published a zero day with no notification and threatened the company. Doesn't seem ridiculous to ban them at that point.
Again, I don't know the details so I cant say who is in the right, but the researcher comes off as a little bit unhinged and entitled. Not paying a bug bounty is 'ruining my life'?
Otherwise, that's the best we have.
In terms of a possible explanation for why GitLab would take an action, was it considered whether the (disturbed?) user violated GitLab's Terms of Service? Is the assumption that GitLab didn't just enforce their ToS, but that they're instead more likely to be secretly acquiescing to backroom bullying between companies over specific users?
This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was
Clearly this doesn't work as a blanket statement and coordinated vulnerability disclosure is a thing here. I can agree there are caveats but the statements as made aren't accurate
As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software)
There are some infamous counter-examples, but you can find these in any country and it's these that make the news.
You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...
This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."
You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.
Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).
They just seem to blur the border between nationalism and patriotism more than most countries.
Have you been to the US? If not how can you be certain that the US is truly worse?