Nightmare Scenario - AOS for Lemmy.World - A generic Lemmy server for everyone to use.

7830

Nightmare Scenario

5d 18h ago by infosec.pub/u/redsand in memes@sopuli.xyz from infosec.pub

I haven't not understood a meme so much in a while

I think it's regarding a Microsoft security researcher who is on a hot streak for exploits.

https://www.darkreading.com/vulnerabilities-threats/nightmare-eclipse-microsoft-exploit-rogueplanet

I haven't followed your link yet, but this did remind me that the gossip about this is that Microsoft intentionally made these vulnerabilities for spying on people for governments, and he's dropping all of the exploits on them, forcing them to have to patch them out.

Never attribute to malice what incompetence can explain, or however that goes. Except for YellowKey. That was obviously a backdoor to get into bitlocker encrypted drives for either higher-upper law enforcement or their intelligence agencies. No one has presented another explanation that makes sense.

It's more that it adds to the statement that Microsoft are a marketing company that happens to market software. They're more focused on profit and they benefit from there being less zero days in the media, so they do everything they can to not have cves flying around while also doing the least amount of work possible.

Whatever is dropped in July is going to be interesting though, it's been very hyped up.

Never attribute to malice what incompetence can explain

It's so sad that the Nazis wanted to give Jews a Zionist homeland but had made so many political enemies they couldn't help them emigrate them anymore... And then those disease outbreaks in the holding camps, whew, that was some bad civil engineering. And when they installed the delousing showers they should really have fired the guy that made the delousing gas release valve dump too much into a closed space, but that's the for of war for ya.

Malice exists, and people like making excuses for themselves. That quote, even in its original form, has never been good advice.

It's advice worthy of consideration for interpersonal relationships.

At any level above that, though, you are completely correct.

Well no not homeland, just want to force move outside of Reich... which also supposed be entire world... lol first moonbase for jew?

If you take the Nazis to be incompetent rather than malicious, then you're going to assume their officially published plan to make a Zionist homeland for Jews in Madagascar was made in good faith, and the timing with the British naval blockade because of the invasion of Poland was unfortunate happenstance.

Well i take Rademacher to be incompetent. But not rest, those probably malicious. Also even madagascar very harsh and probably kill an lot of jew, which they say themself.

But i disagree that plan was to make zionist homeland. It was more exile. Homeland imply have a home. This absolutely not a home.

MSFT has a documented way of dealing with the NSA and others; NSA can request bugs go unpatched for a time window (possibly indefinitely) and Microslop just leaves it until it's a problem or the window expires.

Yellow key and XML are surprisingly blatant

XML also looks like a backdoor and from the did not patch description of some of the others likely more

I never understood the Umbrella Academy one until I finally saw one that actually made sense with the image.

Explanaiton: Microsoft (MSFT) has a bug bounty program. Meaning researchers that find security vulnerability in Microsoft products can send them to the Microsoft security team and get a money reward. However they use AI to look through the submissions and also get slammed by submissions from AI meaning many of the legitimate vulnerability researchers are very frustrated. Submissions get rejected because they are "not a vulnerability" but one month later Microsoft publishes a patch against the vulnerability without acknowledging the researcher.

NightmareEclipse is a ... person ... who is frustrated by this. And they have A LOT of really really bad vulnerabilities. Because Microsoft did not want to pay them they just release the previously unknown vulnerabilities to the public. No patches exist. The hackers and Microsoft learn about the vulnerability at the same time.

So far they have released ~10 vulnerabilities in one month and claim they have many more with some big drops apparently coming in July.

Because of this, of course Microsoft is getting a lot of shit from big corporations that are afraid they will get hit with some nasty cyber attacks because of Microsoft's fuckup.

The much-feared July drops aren't happening, or at least aren't happening in July. Apparently whoever Eclipse is hasn't been getting much sleep.

I'm starting to genuinely struggle with sleep and constant fevers. I feel like my muscles are degenerating as time passes by lack of nutrition and severe fevers, not mention that I just can't find a reasonable way to put myself as sleep anymore.

The issue of me not sleeping is i end up writing more and more code and it will keep getting worst.

Lord help me.

(Un)fortunately I will be unable to mass disclose zerodays in July 14th, RoguePlanet took way more time than expected and truly drained me. I might take a break but I can't say for sure what I will be doing for next month, maybe it's nothing, maybe it's smtg. But the big thing is not happening. I did not intend to spread a mass panic with that post and I apologize for doing so.

Quotes taken from https://deadeclipse666.blogspot.com/which as far as I can tell is their actual blog.

I feel like they are also doing some misdirection and spread false information. I am sure they are wanted by the FBI and NSA by now so not being predictable is safer.

That's very interesting. They haven't dropped any RCEs and it very much sounds like they either have something ready or know exactly where to look so I'm still on the edge of my seat. This defiantly doesn't seem over.

How much do you want to bet he found government backdoors

While I don't have much evidence, I suspect they are being pressured into leaving it open

The yellowkey vulnerability might be a backdoor. NightmareEclipse even speculated so in their publication.

This is one of the most insane discoveries I ever found, almost feels like backdoor but what do you know, maybe I'm just insane.

XML looks like one too 😂

I believe there are some dicks missing

I almost placed NIGHTMARE ECLIPSE where that last dong was erased but couldn't get it to fit and be readable

What am I missing? Corporate IT will stop using Windows?

In some places yes. Bitlocker being backdoored is a big problem for insurance purposes alone.

One can only hope that they actually see the light, but my bet is it would be way too expensive (in terms of money and willingness to retrain) to switch to Linux and they'll just shrug and continue. Hopefully I'm wrong.

Schleswig-Holstein (germany) has moved entire gov workforce (ca. 40k people) off of sharepoint, outlook, office, onedrive. And now start to move from windows to linux. Slow, steady, training and helping all the way. Material generated for this gan also used by other state if want.

Ich liebe es.

Depends where and who. Other governments are the biggest single segment MS has to worry about

In many cases Linux was never an option

The goods news is that it only impacts the Windows recovery environment

So, the good news is that your stolen laptop can be decrypted. Nice. That's the main argument for bitlocker, so your stolen laptop can't be decrypted.

If you turn off the recovery environment Bitlocker works as expected.

It is really bad but not hard to mitigate