posted by hubie on Saturday March 22, @04:39PM

Arthur T Knackerbracket has processed the following story:

A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.

Senior principal vulnerability analyst Will Dormann said last week he contacted Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video.

MSRC told Dormann: "As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited? We are unable to make any progress without that. It will be highly appreciated."

Frustrated with Microsoft's demand, which Dormann said would only show him typing commands that were already depicted in the screenshots, and hitting Enter in CMD, the analyst created a video laden with malicious compliance.

The video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the "Center for Kids Who Can't Read Good."

It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.

Dormann said via Mastodon: "I get that people doing grunt work have mostly fixed workflows that they go through with common next steps.

"But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?"

To top it all off, when trying to submit the video via Microsoft's portal, the upload failed due to a 403 error.

[...] We also asked Dormann for additional input. He said requests for video can be found on other platforms such as HackerOne and Bugcrowd but in his opinion, requiring one signals to researchers that the reviewer is merely following a process rather than understanding the report itself.

As the post and video suggest, he was unimpressed by MSRC's refusal to proceed with the vulnerability report just because a video wasn't submitted in tandem.

"If a researcher is going out of their way to be nice to vendors and writing up vulnerability reports to share with them, the least the vendor could do is at least pretend to be taking it seriously," said Dormann.

"I reported three related but different vulnerabilities to Microsoft recently. Two of them requested video evidence of exploitation (for things that don't even make sense to have a video of, thus my malicious compliance example that I posted), and the third was rejected as not a vulnerability with clear evidence that the MSRC handler didn't bother actually reading what I submitted. Researchers doing the 'right thing' deserve better."


This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by looorg on Saturday March 22, @04:57PM (4 children)

    by looorg (578) on Saturday March 22, @04:57PM (#1397566)

    I guess they don't want you to submit bug reports then. It's so tedious. After all, if you know about it you have, or at least have to try, to fix them. In that regard this is a great way of claiming your products are bug free. No proper reports of bugs have been filed. Hence we are bug free. Problem solved.

    Still this seems like an excellent source of rick-rollin or having people stare deep into the goatse. Oh you want video evidence ... suure... here you go ... I wouldn't expect to get any bug bounties after that but still, it might be worth it.

    It's either that or perhaps some black screen with the flashing text "READ THE FUCKING REPORT BIATCH!" accompanied by some super annoying, or catchy, techno drum track. Looping for as long as is inappropriate. It seems like he went for a version of this one.

    • (Score: 5, Insightful) by Anonymous Coward on Saturday March 22, @06:13PM (2 children)

      by Anonymous Coward on Saturday March 22, @06:13PM (#1397577)

      Why fight the system on their terms? You will lose every time. The only way you're going to get a proper response is to disclose the bugs in the tabloid media.

      • (Score: 2, Interesting) by Anonymous Coward on Saturday March 22, @06:25PM (1 child)

        by Anonymous Coward on Saturday March 22, @06:25PM (#1397582)

        Exactly. It's as if the person thinks the video will ever be watched lol. It's classic - here, go waste some more time. Now go and waste some more time. Not one yet? OK here go and waste some more time. We can keep going all day.

        • (Score: 4, Interesting) by mcgrew on Sunday March 23, @04:42PM

          by mcgrew (701) <publish@mcgrewbooks.com> on Sunday March 23, @04:42PM (#1397734) Homepage Journal

          Some governments do that. Illinois did under Thompson, Edgar, and Ryan; I worked in its "Bureau of Demonstrations and Evaluations," doing social science. When they first hired me they were trying to get different Deadbeat Dad databases in different states to work together (the attempt was a failure).

          They didn't exactly say they were trying to dissuade people, but it was obvious to me. Make the hoops so small and far off the ground and so many of them that people would give up trying to jump through them.

          Ryan, who later went to prison, disbanded our bureau. We were supposedly trying to get poor people gainfully employed.

          I'm glad I retired right before Rauner was elected governor, he was a worse governor than the two crooks who went to prison. I could tell some stories... maybe I should?

          --
          Impeach Donald Saruman and his sidekick Elon Sauron
    • (Score: 0) by Anonymous Coward on Sunday March 23, @09:27AM

      by Anonymous Coward on Sunday March 23, @09:27AM (#1397656)

      The alternative is to sell the stuff. I hear you can get a fair bit of money for certain zero days.

      More if you can develop it into an actual exploit: https://www.crowdfense.com/exploit-acquisition-program/ [crowdfense.com]

      As for the ethics, if you and all your loved ones don't use MS stuff, you might care as much as a typical Muslim cares about damage to the pork industry.

  • (Score: 5, Insightful) by number11 on Saturday March 22, @06:10PM (8 children)

    by number11 (1170) Subscriber Badge on Saturday March 22, @06:10PM (#1397576)

    Unless there are rational reasons why video is necessary, other than Microsoft workers' poor reading skills, fuggedaboudit. Send the report in, and 30 days later publish the bug for all the world to see. (Or whatever interval is commonly accepted for "I told 'em about it, but they didn't do squat".)

    Personally, I hate wasting my time watching 10 minutes of video when I could have learned the same thing in under a minute by reading about it. But I'm an old fart, from the days when we were taught how to read.

    • (Score: 5, Funny) by Anonymous Coward on Saturday March 22, @06:27PM (1 child)

      by Anonymous Coward on Saturday March 22, @06:27PM (#1397583)

      tldr; please submit a video summarizing what you wrote

      • (Score: 2) by driverless on Sunday March 23, @08:45AM

        by driverless (4770) on Sunday March 23, @08:45AM (#1397650)

        And please make sure the backing soundtrack is either Diamanda Galas or Merzbow. An entirely missed opportunity in the original I think.

        I would have suggested Sunn O))) but since the original video is only 15 minutes long they wouldn't have had time to get to the second note.

    • (Score: 5, Informative) by looorg on Saturday March 22, @06:29PM (4 children)

      by looorg (578) on Saturday March 22, @06:29PM (#1397585)

      Reminds me of the weather service here. It used to be I could go to their homepage and watch a table with a 10 day forecast. Easy. Quick. Usable info at a glance. Now they replaced it with a four minute video with a weather-bimbo reading the same information while also standing there in front of a map showing me where places I already know where they are are. Not sure why or how that was an improvement of service.

      • (Score: 3, Interesting) by Unixnut on Sunday March 23, @12:07AM

        by Unixnut (5779) on Sunday March 23, @12:07AM (#1397613)

        Not sure why or how that was an improvement of service.

        You assume that "improvement of service" was the end goal? Possibly someone higher up felt obliged to provide a job for said weather-bimbo (whose skills were limited to standing and reading a script), so online video weather report it is! New position created and ready to be filled.

        Still I don't see why they could not have kept the table as well (from your post it sounds like they removed it), it isn't like they need to scrimp on electrons.

      • (Score: 0) by Anonymous Coward on Sunday March 23, @06:23AM

        by Anonymous Coward on Sunday March 23, @06:23AM (#1397643)

        Please tell me that's not some version of beta.bom.gov.au because the new design is crap enough as it is compared to the original

      • (Score: 0) by Anonymous Coward on Sunday March 23, @09:11AM

        by Anonymous Coward on Sunday March 23, @09:11AM (#1397653)

        Now they replaced it with a four minute video with a weather-bimbo reading the same information while also standing there in front of a map showing me where places I already know where they are are. Not sure why or how that was an improvement of service.

        Well depending on the bimbo some audiences may consider it an improvement:
        https://www.youtube.com/watch?v=ePG6zUYvUZg [youtube.com]

      • (Score: 2) by mcgrew on Sunday March 23, @04:49PM

        by mcgrew (701) <publish@mcgrewbooks.com> on Sunday March 23, @04:49PM (#1397736) Homepage Journal

        It's the enshittification of America. First Bank of Omaha traded their usable web site to one that made me wonder if they really wanted me to pay my credit card bill. When did the ^ character start meaning "click here to pay your bill?" It's as if English has gone out of style and it's all emojis and videos now.

        I sent them a flaming arrow email about it; sharp, burning, and to the point.

        --
        Impeach Donald Saruman and his sidekick Elon Sauron
    • (Score: 3, Interesting) by turgid on Saturday March 22, @07:15PM

      by turgid (4318) Subscriber Badge on Saturday March 22, @07:15PM (#1397592) Journal

      I once heard that Microsoft outsources a lot of its software development work to various places around the world. Many of the developers probably don't have good English, so that's probably why they do it. Of course, that's putting the burden back onto the customer. You'd think they had internal processes to make sure that things were properly translated for the people doing the work.

  • (Score: -1, Interesting) by Anonymous Coward on Saturday March 22, @07:11PM (2 children)

    by Anonymous Coward on Saturday March 22, @07:11PM (#1397591)

    Anti-M$ neckbeard has problem submitting bug report, resorts to childish troll...

    • (Score: 5, Insightful) by janrinok on Saturday March 22, @07:37PM

      by janrinok (52) Subscriber Badge on Saturday March 22, @07:37PM (#1397594) Journal

      I'm not quite sure of the point you are making. Can you make a video of you typing your next comment please, and send that along with your comment?

      Now do you understand?

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 3, Touché) by mcgrew on Sunday March 23, @04:52PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Sunday March 23, @04:52PM (#1397738) Homepage Journal

      I couldn't decide to mod this Troll or Flamebait, but "neckbeard" gave the uneducated TROLL who submitted it away. Go back to slashdot, asshole. S/N has no need for your noise.

      --
      Impeach Donald Saruman and his sidekick Elon Sauron
  • (Score: 5, Funny) by SomeGuy on Sunday March 23, @12:15AM (1 child)

    by SomeGuy (5632) on Sunday March 23, @12:15AM (#1397616)

    I've had the unfortunate displeasure of seeing a bunch of corporate communication lately, and much of it was terse, incomplete, abbreviated, drivel. A video or phone call would have yielded infinitely better information. (Follow up e-mails just get ignored)

    So, I'm not entirely surprised that a big corp like Microsoft added such a silly requirement to their bureaucracy.

    At least they are not making them get information via a Microsoft Teams chat!

    BTW, I was under the impression all the in-fashion managers were calling bug reports "stories" now, because "bug" sounds too negative. :P

    • (Score: 0) by Anonymous Coward on Monday March 24, @08:29PM

      by Anonymous Coward on Monday March 24, @08:29PM (#1397891)

      "Content".

  • (Score: 2, Insightful) by Anonymous Coward on Sunday March 23, @06:26AM

    by Anonymous Coward on Sunday March 23, @06:26AM (#1397644)

    People actually submit bug reports to MS? Why? For what point? Karma?

    No, really. I have to put up with Microsoft BS for half my waking hours. It's full of crap that should be fixed. They keep doing things that don't make sense, break what is there, and make work frustrating.

    For example, in Powershell they blocked creating a default entry for repositories, and force you to use their command to make it, but then their command has been broken for months. There is no way to get it to work anymore. Literally no way. This kind of thing.

    So, why bother?

  • (Score: 2) by jman on Sunday March 23, @10:02AM

    by jman (6085) Subscriber Badge on Sunday March 23, @10:02AM (#1397664) Homepage
    Perhaps he should have just submitted the Paint Drying film (https://en.wikipedia.org/wiki/Paint_Drying [wikipedia.org]).
  • (Score: 3, Interesting) by mrpg on Monday March 24, @12:54AM

    by mrpg (5708) <{mrpg} {at} {soylentnews.org}> on Monday March 24, @12:54AM (#1397801) Homepage

    A certain service that I use now forces you to use a 6-digit password. I wrote them an email but of course nothing changed.