Microsoft's GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed code, to the alarm of security researchers. The PoC code, something short of an actual functioning …
I deleted my GitHub account when they bought it.
I've since created a new one, mainly so I can use it to moan about how inaccurate their documentation is.
That said, I suspect they won't be hosting it much longer on GitHub, given the UserVoice shenanigans they're starting on now.
Benevolent and MS aren't words I'd ever associate even remotely. Monopolistic, undirected, incoherent mush; that's perhaps more like it. 90's MS might have been "legal evil", but I have a lot of time for DOS / 3.1. Comprehensible systems on a scale that could realistically be user controlled, that in the main, did exactly what you told them to do.
There are small pockets of MS that do good work, usually where they have gobbled up smaller outfits until the original idea is tarnished beyond belief. Things like VSCode (allegedly everyone's favourite?) or SysInternals.
Pretty much my feelings towards MS as well - I've never had much time for MS either in terms of their technical prowess or their business behaviour, but at least in the old days of Gates/Ballmer there was a level of consistency in their approach - their products were in the main workmanlike if nothing earth shattering, and got on with the job without making too many assumptions about who actually owned the PC they were being used on. And when they did do something particularly well, by god was it good - from the first time I encountered one at the tail end of 1994, an Intellimouse was the only mouse I'd be happy to see connected to any PC I had to use until I discovered the delights of Logitech rodents about a decade later.
These days they're trying, at the corporate level, to put on a veneer of huggy-feely niceness, whilst at the OS level they're making ever more presumptions about who's in charge of the PC with every update, which leads to an ever greater discrepancy between what their left and right hands are doing. When you had more native control over what your desktop environment looked like in Win3.1 than in Win10, and when the OS then didn't place arbitrary roadblocks in the way of third parties trying to provide retheming tools to allow the actual owner of the PC to set up their environment in whichever way THEY preferred it to be, rather than forcing everyone to use the environment that MS thought was best for us all, then something has gone badly wrong in the balance of power between those who merely provide the OS and those who sit in front of it for hours at a time, day in day out.
The thing is, even if Microsoft were a benevolent organization, there's an unavoidable conflict of interest here. Some manager somewhere will decide he (or she, but I'm laying odds on "he" most of the time) doesn't like something on GitHub and will order an underling to get it removed, without having that decision confirmed by anyone higher up.
Corporate cultures aren't monolithic, and don't determine the behavior of every employee at every moment. At its worst, Microsoft still had good people doing good work; at its theoretical best, it still can't be trusted to police GitHub in a fair and proportionate manner. There's simply too much opportunity for a bad actor to intervene unfairly.
I was never a fan of GitHub in the first place (these public central repositories are using git wrong, and I find that irksome), but I certainly wouldn't be interested in using it now for anything I control.
In a book about Freud’s Theory and Method, a chap by the name of F.S. Perls quoted "a great astronomer" as saying:
“Two things are infinite, as far as we know – the universe and human stupidity.”
It is not known if Perls was referring to Einstein or someone else.
Both are long gone so it is quite probable that we will never know for sure.
But with respect to human stupidity, the evidence is at hand.
Also applies to the use of GitHub.
O.
This quote always annoyed me.
We actually have no way of knowing if the universe is infinite or not. Since it is demonstrably expanding (red-shifts can be measured so that's not really at question), things further from us move away from us faster. Since the speed of light is also constant and known, we can't see beyond the point at which stuff is moving away from us, relatively, faster than the light from it can reach us. This imposes a "horizon" we can't see beyond, so we can't say one way or another whether the universe is infinte, from empirical observation.
Big bang theory, on the other hand, which is a perfectly reasonable extrapolation from the observable expansion of the universe, suggests that the universe expanded from a point. Since there's no way to get from a point to infinity without an infinite amount of expansion, it's a fair conclusion that the universe is not, in fact infinite, although we can't observe this to confirm it.
There are obvious problems with infinities (and indeed with getting something from nothing), and our understanding of the early universe is limited by what we can actually observe, although we can fairly accurately measure its age as 13.77 Bn years. By comparison, the age of the Earth is around a third of that at 4.5 Bn years. It always surprises me that our planet should have existed for an appreciable fraction of the lifetime of the universe, I get the feeling that the universe itself ought to be a lot, lot older.
"There are obvious problems with infinities"
The biggest problem with infinities is our ability to understand them. As with quantum physics, if you think you understand it, you're probably wrong. And as is so often with physics outside the familiar human scale, this tends to lead to our intuitive understanding getting things completely wrong. Without going into details on all your points, I'll just note that the Big Bang is entirely compatible with an infinite universe. That is, after all, why people are still arguing about whether the universe is infinite or not, despite everyone involved being pretty sure the Big Bang did happen.
I will correct you a bit on the horizon thing though. The horizon defined by the point where things start moving away from us faster than light is called the Hubble horizon, and it is not related to the size of the observable universe. The size of the observable universe is defined by the particle or cosmological horizon, which is simply a measure of how far light has been able to travel since the universe began. Obviously the past expansion of the universe affects this, but whether it's currently expanding or not, and whether it's accelerating or not, is completely irrelevant. It's possible for an object to be beyond the Hubble horizon, but still be inside the particle horizon.
Yeah, in my opinion, incompetence is worse than malice. Like, even if what someone does is malicious in nature, at least you can appreciate the beauty of their work in a positive light. If someone is just patently stupid and that results in a bad outcome, then there's nothing to admire besides their astounding mental capacity.
Of course, if someone is incompetent and malicious, then that's what we in the industry call two candles short of a summoning circle—either hilarious to watch and comfortable in your relatively assured safety, or running for your life because they just released the antichrist.
Carlo Cipolla's well reasoned 5th law of Human Stupidity: Incompetence is more damaging to society than malice.
In general also malicious acts are more predictable so we have a hope of countering them or mitigating their effects. Trying to thwart incompetence in all it's bewildering permutations is futile.
there are more than enough people in this country that speak Vietnamese. it would be no trouble at all to get a translation from a native speaker that is also fluent in English. A lot of these native-Vietnamese-speaking people are software gurus and many probably work for Micros~1. One guy I worked with, a PFY at the time, went on to work for Sony, on Playstation development last I heard. i think it was on his Linked-in page. A 'dream job' for a gamer.
more than likely, as stated in the article: they have elected themselves the arbiters of what is 'responsible.'
References to "Cancel Culture" need not be explicitly stated.
Indeed. It was a zero day patch, not a patch based on PoC. The hack was already active and in use.
Any admins that havent patched by now shouldnt be running their own email server. Just have a look at all the 404s in your logs for the exploit pages, thise are probably now being looked for by the script kiddies.
Kicking security researchers off your platform, who are trying to spread awareness of how vulnerabilities can be exploited, and in the process help you to improve your own products as well as everyone else's.
Once you've kicked enough of them off, the researchers will probably feel the need to generalise their discoveries that they've made in your product, and publish them without naming the product, leaving you to work out at huge cost if they're present in all your products, but still helping others to avoid or remedy the new classes of exploits they've found.
If they keep on doing this then it won't be long before those researchers decide NOT to tell MS about the Zero-days etc that they discover on their crappiness... sorry apology for software.
Treat them nicely and they'll play ball with you. Don't and... be prepared to suffer the consequences.
"Other PoC code for the same CVE was still available on GitHub at the time this article was filed."
So if other PoC code is still up then this clearly isn't a blanket policy from MS to take down PoC code affecting their products. And yet the article does its best to state that's exactly what it is.
"Welcome to E-Corp"
Yeah, actually that name crossed my mind when I was writing the original comment. The Mr. Robot's paranoia is actually mine now. How many child companies have Disney, Coca-Cola, Procter & Gamble... etc etc? this list of parent companies is still big, but it's shrinking very quickly. Diversification across several orthogonal markets is really dangerous.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
