New by me - Microsoft Vibing. A very strange fake open source project published by Microsoft employees, which gathers screenshots and voice recordings of users with unique machine identifiers attached. Not sure how this one has happened.

https://doublepulsar.com/microsoft-vibing-capturing-screenshots-and-voice-samples-without-governance-6973c48f03a7

Microsoft Vibing — capturing screenshots and voice samples without governance

A look inside Microsoft Vibing, a fake open source project published by Microsoft that captures audio and screenshots of customers.

This Vibing one is a fun blog btw as every page it gets to be a bigger version of this
Since publishing my blog, Yaoyao Chang, who authored Vibing, has removed references to it from Microsoft’s VibeVoice repo - marking the change as “removing outdated links”. https://github.com/microsoft/VibeVoice/commit/e73d1e17c3754f046352014856a922f8208fb5d3

I withheld a load of details from the blog on this so far btw, if you're a researcher and want a laugh pull the binaries and have a look at what the MS Research team were doing and poke the backend.

Something tells me Microsoft are going to end up freezing the Azure backend for Vibing and having a security incident.

Vibing has been suspended and downloads removed pending a compliance review by Microsoft. https://github.com/VibingJustSpeakIt/Vibing

Also worth noting - Yaoyao Chang made the changes to the Vibing-Team repo, which is the first time Microsoft has officially been linked to Vibing.

It’s a very strange situation where MS were covertly operating an AI service, while pretending it was an open source project.

Vibing has been made unavailable for download from Microsoft Store:
Microsoft are now trying to hide the compliance review message, by removing the download links and removing the compliance review messages on Github. https://github.com/VibingJustSpeakIt/Vibing/commit/ab8e6302543754685f85cf02e02d1d0287d2f4f0
Did anybody happen to screenshot or archive the Microsoft Vibing website ( https://vibingjustspeakit.github.io/Vibing/ ) and GitHub ( https://github.com/VibingJustSpeakIt/Vibing/ ) showing the compliance suspension messages before they were deleted? The changes are archived on GitHub, but I'd like to document what they looked like prior to removal.

An attempt to hide the MS link with Microsoft Vibing on GitHub - “This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.” - the commit hiding the compliance review has been redone today without Yaoyao’s name on it.

New commit: https://github.com/VibingJustSpeakIt/Vibing/commit/84c82ccad2092b4bc2dffe5c96ef8c8d4466cc6e

Hidden commit: https://github.com/VibingJustSpeakIt/Vibing/commit/ab8e6302543754685f85cf02e02d1d0287d2f4f0

So @dangoodin asked Microsoft about Vibing - they’ve confirmed it is a Microsoft research project. They say “We have removed the application as we review its functionality and adherence to our policies. We remain committed to responsible AI and are taking appropriate steps as part of this review.”

Here's a question - re the Microsoft Vibing thing.

Microsoft didn't disclose they were behind Vibing, multiple staff pretended on Github it was an open source community project (it wasn't), one specifically said they weren't involved (they were), they collected screenshots and mic recordings, and it had no security, compliance or AI review by Microsoft.

Is that okay?

If anybody is wondering - almost a month later, Microsoft Vibing is still suspended, the infrastructure is offline and the downloads gone.
@GossiTheDog Not every hero wears a cape.
@GossiTheDog it definitely isn't
@GossiTheDog nope! I reported it internally with your report still waiting for an outcome
@GossiTheDog I think it is less malice and more disorganization.
@GossiTheDog It’s just Vibislop doing typical Viboslop things. Of course it’s not okay, and the company gets wristslapped ever so gently every now and then for its transgressions. And then carries on doing what it does.
@GossiTheDog No, but that answer is valid concerning a lot of things Microsoft does...
@GossiTheDog TBH, when I first read your writeup, I didn't believe that it was from Microsoft, the company.

@GossiTheDog absolutely not okay - and the cover up and complete lack of public acknowledgement and attempt at accountability is the worst part of it.

We also don’t know if anything happened internally, a disciplinary process, a review of controls to prevent this from happening again and so on, but that lack of public knowledge is itself part of the problem.

@GossiTheDog that’s an easy “nope” from me. It’s bloody appalling.
@GossiTheDog hard nope on that. The blatant lying when questioned about it, more than the actual security/privacy infringements, tbh. Covering up rather than fessing up is next level Evil.
@GossiTheDog rhetorical question? NOOOOO!
@GossiTheDog I’ve been busy the last week and just caught up on all this. oof it kinnnd of sounds like a rogue employee with a data stealing side hustle
@GossiTheDog This is my first time encountering MS `Vibing' and I just know I'm gonna be saying "This is some bullshit!" as I discover more about it. I fear no more than three minutes.
#ThisIsSomeBullshit
@GossiTheDog Oh god I was wrong, this is *ALL* the bullshit.

@GossiTheDog It seems like a bad look for anyone; and a very, very, bad look for an outfit with substantial cloud offerings that are mostly on a 'trust me bro' basis when it comes to what they supposedly can't or won't do to a customer tenant.

This should be absolutely radioactive for Microsoft; both their response to one or more of their people basically doing malware with company resources and the questions about exactly how well-watched the roles with insider threat potential are or aren't.

@GossiTheDog That was entertaining AF, thanks
@GossiTheDog this is exactly what happens when internal Hackathons run amok. I would bet $5 on it.

@GossiTheDog it’s almost as if they have something to hide…

But how do you hide something that smells this bad?

@Rairii @GossiTheDog - won't survive a force push
@clark @Rairii @GossiTheDog How about if someone forks the repo and leaves this on their fork’s main branch?
@GossiTheDog did someone put it through archive.is pre-bust?
@GossiTheDog as someone familiar with the microsoft store, that's "been made unavailable to download if you didn't already have it". the file is still available on the backend and anyone who already had it can still redownload as usual

"removed" in this case would be "the store listing, dcat page, etc all 404"
@GossiTheDog why do they need this when everyone and their dog uses VSCode!
@GossiTheDog So the company from Redmond should now be called Viboslop?
@GossiTheDog this from a company that shipped Windows Me while pretending it was an OS

@GossiTheDog

Microslop indeed.

@simonzerafa @GossiTheDog Would love to have this design on stickers.
@GossiTheDog I feel like I'm being led into a Cyberpunk questline; with the unplanned discovery of a Redmond deniable op harvesting data out of a front operation.
@GossiTheDog wtaf is going on with slopya nadella's company
@GossiTheDog it looks like they removed the notice just after you posted about it.
@GossiTheDog Following corporate compliance rules isn’t a very “VibeFriendly” thing to do.
@GossiTheDog this reeks of an employee (or small group of them) unilaterally sidestepping process. probably in part because the company culture around rigor has rotted to the point where they thought it was acceptable.
@GossiTheDog maybe keep an eye on this dude's linkedin to see if he's on a job hunt soon lol
@gsuberland @GossiTheDog definitely seems like someone hanging a flag on an internal project while they can to get hired away.
@gsuberland @GossiTheDog It feels like Vibing is a personal project of a Microsoft employee who blurred the lines by referencing it in the VibeVoice Microsoft project. Maybe the reference wasn't even intended given the dev is clearly vibe-coding. Doesn't excuse it if that's what happened just stating my theory.
@GossiTheDog I think I speak for many people when I say WT actual F?

@ColinHaynes

With a complimentary head-desk, just in time for weekend.

@GossiTheDog

@agnew_hawk @GossiTheDog

It's like the old days of downloading any old .EXE off the internet cos it looked interesting, only this time it's from Microsoft.

@GossiTheDog You really expect Microsoft to do anything meaningful at all in response to this? I don't really think they've earned that trust lately
@GossiTheDog I am reporting it internally ... hopefully someone will care 🤷‍♂️
@GossiTheDog Looks like they are under investigation already based on their github repo : https://github.com/VibingJustSpeakIt/Vibing
@GossiTheDog this is all very surreal 🫠
On the other hand, Microsoft could be preparing a new season of their Standards of Business Conduct training "Trust Code" in the wild 😂
@GossiTheDog Microslop at it again