How much do you want to bet he found government backdoors
While I don’t have much evidence, I suspect they are being pressured into leaving it open
Comment on Nightmare Scenario
groet@feddit.org 3 weeks ago
Explanaiton: Microsoft (MSFT) has a bug bounty program. Meaning researchers that find security vulnerability in Microsoft products can send them to the Microsoft security team and get a money reward. However they use AI to look through the submissions and also get slammed by submissions from AI meaning many of the legitimate vulnerability researchers are very frustrated. Submissions get rejected because they are “not a vulnerability” but one month later Microsoft publishes a patch against the vulnerability without acknowledging the researcher.
NightmareEclipse is a … person … who is frustrated by this. And they have A LOT of really really bad vulnerabilities. Because Microsoft did not want to pay them they just release the previously unknown vulnerabilities to the public. No patches exist. The hackers and Microsoft learn about the vulnerability at the same time.
So far they have released ~10 vulnerabilities in one month and claim they have many more with some big drops apparently coming in July.
Because of this, of course Microsoft is getting a lot of shit from big corporations that are afraid they will get hit with some nasty cyber attacks because of Microsoft’s fuckup.
How much do you want to bet he found government backdoors
While I don’t have much evidence, I suspect they are being pressured into leaving it open
The yellowkey vulnerability might be a backdoor. NightmareEclipse even speculated so in their publication.
This is one of the most insane discoveries I ever found, almost feels like backdoor but what do you know, maybe I’m just insane.
XML looks like one too 😂
Areldyb@lemmy.world 3 weeks ago
The much-feared July drops aren’t happening, or at least aren’t happening in July. Apparently whoever Eclipse is hasn’t been getting much sleep.
Quotes taken from deadeclipse666.blogspot.com which as far as I can tell is their actual blog.
groet@feddit.org 3 weeks ago
I feel like they are also doing some misdirection and spread false information. I am sure they are wanted by the FBI and NSA by now so not being predictable is safer.
redsand@infosec.pub 3 weeks ago
That’s very interesting. They haven’t dropped any RCEs and it very much sounds like they either have something ready or know exactly where to look so I’m still on the edge of my seat. This defiantly doesn’t seem over.