Kids roasted me for years about keeping every 2x4, wheel, random screw, and hard drive magnet like some kind of doomsday prepper. Redemption. I always knew this moment was coming.
For more than 20 years, I have supported MSRC, dating back to my time as a security researcher at eEye. I have spoken at conferences, defended their program & methods publicly, & shared examples and results of productive collaboration even when many, many researchers strongly disagreed with me.
That history makes this especially difficult to say.
The current treatment of security researchers is deeply disappointing. Trust between vendors & the research community is hard-earned & easily lost. Researchers are not the enemy. They are often the first line of defense for customers, helping identify and responsibly report issues before malicious actors can exploit them. Alienating these individuals carries real consequences for the security ecosystem as a whole.
I've spent decades advocating for constructive engagement between Microsoft & the security community. What we all are seeing today falls short of the standards that built that relationship in the first place.
I hope this message reaches the people who still remember why that relationship mattered. Not because researchers are asking for special treatment but because mutual respect, transparency & good-faith engagement have always produced better outcomes for everyone involved. Microsoft's relationship with the security community was once viewed as a model for the industry. I truly hope it can be again.
Out of breath while running? Swim laps.
Legs burning during intervals? Supplement with bike workouts.
Constant injuries? Build in a strength training routine.
For most, running is often done best & performance improves when complemented with other training.
Thanks but I hate it.
Let's recap:
1. Threatening legal action in a blog.
2. Walks it back in a tweet.
3. Walks the walk back just a few phrases later.
There's a reason MSFT's MSRC is getting scorn: they're earning it.
Do better. You have in the past.
This is so bad.
Microsoft's handling of Nightmare Eclipse reveals how little they actually value independent security researchers when it becomes inconvenient.
Nightmare Eclipse followed the proper reporting channels, had his MSRC account revoked, received what amounted to legal threats, published PoCs for several unpatched Windows zero-days, and was subsequently banned from GitHub. Now @msftsecresponse issues a statement claiming they have no intention of pursuing researchers, while continuing to insist that coordinated disclosure is the only acceptable approach. Nightmare Eclipse still has no accounts reinstated and has received no meaningful apology.
Several researchers and observers have been clear about this today. @kln_nurv correctly notes that publishing exploits after attempting responsible disclosure is not a crime, yet there has been neither reinstatement nor apology, only damaged trust. @0x0Fuck rightly demands a public apology from Tom Gallagher (@secbughunter) and full reinstatement of Nightmare Eclipse's accounts before MSRC can expect any credibility. @Stric_Nine, @PierreGrivet and others have made the same point: this is damage control, not accountability.
I once criticized @elder_plinius for releasing powerful jailbreaks and obliteration tools so openly. I believed it would introduce unnecessary risk and noise into the ecosystem. Under different circumstances, in other times, that view might still apply.
However, Microsoft and other large vendors have deliberately created an environment in which researchers who go public after official channels fail them are punished and silenced. In this reality, Pliny was correct. When companies treat disclosure as a threat to be managed rather than a necessary part of security, radical public release becomes one of the few remaining mechanisms researchers have to maintain visibility and pressure.
This problem is made worse by the rise of agentic attacks that can automatically discover and chain vulnerabilities at scale. The more vendors punish transparency, the greater the advantage they hand to automated exploitation.
Nightmare Eclipse should never have been forced into this position. Given how he was treated, his actions were entirely justified. I stand with the researchers who refuse to accept rules designed primarily to protect vendors.
If @msftsecresponse genuinely valued the security community, Nightmare Eclipse would have his accounts reinstated and there would be a substantive apology. Anything less is simply an attempt to reassert control while avoiding a real responsibility.
CVE-2020-2033, CVE-2020-2021, CVE-2020-2050, CVE-2026-0257, and now CVE-2026-0265
Authentication bypass, as in direct access to your internal networks over the Internet
This VPN architecture should be dead, get it off the Internet, it's a time bomb waiting to happen
Entra App Proxy continues to be one of the biggest hidden gems of Entra P1
For over a decade, we've been able to stop exposing risky apps to the Internet by routing through agents with outbound connections to Azure
I don't care what vendor you use, just get it off the Internet
This is truly ridiculous: "Retiring legacy authentication to improve security" now apparently includes deprecation of phishing-resistant authentication methods that don't require use of Entra ID.
Which tells you where the real priority is.
https://t.co/g4uogGYPd9
@billybinion The biggest problem with socialists being wrong about the economic cause of everything is the opportunity cost in addressing the wrong problem.
Unfortunately, opportunity cost is also a concept in economics, so this, additionally, is lost on them.