Microsoft under fire for threatening security researcher with criminal investigation
After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening to take legal action and call the cops on them. Microsoft’s veiled threat reignites a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.
The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been “responsible,” as Microsoft’s blog put it. The other side of the company’s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers.
Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA. “Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit has the mission of protecting the company through different strategies, including “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website.)
In a series of blogs published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse’s implication was that they had no choice but to release the vulnerabilities publicly, which essentially meant that at that point they were zero-days, a specific term for security flaws that are unknown to the affected software maker at the time they are disclosed or exploited.
The researcher published the bugs on the open source code-hosting platforms GitHub (owned by Microsoft) and GitLab. The researcher’s accounts on those platforms have been banned. Nightmare Eclipse and Microsoft did not respond to a request for comment.
Cybersecurity veterans warn of chilling effect
This public spat brings back a long-running and still somewhat controversial debate: Do independent security researchers have a duty to make sure the vulnerabilities they find get fixed? And how far are they supposed to go to make sure the companies whose products are vulnerable actually fix them?
One part of this debate, which has been fully settled and widely recognized, is that researchers deserve to get paid for their work. While it may sound obvious these days, it took years of struggle, captured in part during a campaign launched in 2009 called “No More Free Bugs.” Almost 20 years later, most companies small and large pay “bug bounty” financial rewards, which can today run as high as six figures or more, to researchers who privately disclose bugs and coordinate publishing their details once the bugs are fixed.
In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft. It’s fair to say that much of the cybersecurity community is vocally unhappy about how Microsoft is handling this issue. This includes cybersecurity veterans, such as Luta Security founder Katie Moussouris, who while working at Microsoft in the mid- to late 2000s pioneered bug bounties and convinced the technology giant to move away from the concept of “responsible disclosure” by framing the process as “coordinated disclosure.”
“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch, referring to Microsoft’s blog post. “Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”
Moussouris warned that the consequences of security researchers losing trust in Microsoft could result in a chilling effect of fewer people coming forward to report bugs, “making it less safe for all of us.”
Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company’s position as a “dumpster fire of its own making.” “Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” wrote Beaumont. “Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low.”