Security researcher says Microsoft built a BitLocker backdoor, releases exploit
techspot.com | 535 points by nolok 8 hours ago
[dupe] 3 days ago (OP): https://news.ycombinator.com/item?id=48129789
Seems this traces back almost a week, from Nightmare-Eclipse who is the researcher who found this:
Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next Patch Tuesday will have a big surprise for you Microsoft"
Wednesday, 13 May 2026 - "I can't wait for when I'll be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft."
Author's blog: https://deadeclipse666.blogspot.com/
First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this would happen and they still stabbed me in the back anyway, this is their decision not mine."
I'm not sure what to make of it. Is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results.
I read it as the author is / was going through the vulnerability disclosure process with Microsoft and they're annoyed for unclear reasons and decided to publicly disclose, rather than being an insider.
How would that leave them homeless?
Many brilliant people have serious mental health issues that preclude their ability to regulate their emotions and act maturely in serious situations e.g. responsible vulnerability disclosure.
I've watched genius-level IQ people get fired time and again because they don't know how to work with others at a basic kindergarten level.
Reporting wrongdoing to the ones doing it doesn't work. Perhaps they relied on Microsoft a bit too much for their livelihood and are just beginning to reevaluate their decisions. It's not so rare for brilliant people to live a life of the mind and not pay enough attention to their material conditions. But defining that as "serious mental health issues" is such a cheap shot.
> Reporting wrongdoing to the ones doing it doesn't work.
Most large companies — including Microsoft [1] — have an internal affairs call center where you can anonymously report issues of malfeasance — assuming that's what happened here.
[1] https://www.microsoft.com/en-us/legal/compliance/sbc/report-...
To be honest, if I got fired in a mean or unfair way I'd definitely hit back at my employer in such a manner if I had the ability to. I'm unlikely to have that though, as I'm not aware of any saucy company secrets. But if this is what happened I think it's pretty justified.
The secret here seems to be that Microsoft caches the key somewhere even when it's supposed to be only in the TPM! That's a pretty big revelation IMO.
> The secret here seems to be that Microsoft caches the key somewhere even when it's supposed to be only in the TPM!
Not what happened here (I reserve my judgment wrt the promised TPM+PIN exploit).
In the default TPM-only mode of BitLocker, the secret is in fact in the TPM, which will (as instructed by Windows upon key creation) release it to the correct OS running on the correct computer. Notably not in the picture is any user-provided data: measured boot is the only protection. It is only the correct programming of the OS that makes it request an account password (completely unrelated to the disk-encryption cryptography) before letting the user poke at the disk, which the OS can at that point already decrypt.
Well, turns out the programming is such that if you ask politely it’ll just pop an Administrator(?) shell.
> Not what happened here (I reserve my judgment wrt the promised TPM+PIN exploit).
Yes this is the one I'm referring to.
I have noticed it myself: it has happened to me that my system rebooted to install updates and did not pass through the blue TPM PIN entry screen at that point. That was a big red flag for me. A normal reboot always does that, even a 'hot' reboot.
> A normal reboot always [forces the TPM PIN entry screen], even a 'hot' reboot.
In TPM-only mode, I only see the screen—which asks for a recovery key that serves as an alternative to the TPM-borne secret, not for whatever you are calling the “TPM PIN” here—whenever I update the firmware or the bootloader (the latter from the other side of the dual-boot setup). Otherwise it boots straight to the login screen, which meshes with the measured-boot-only theory of operation I’ve described above. There’s nothing nefarious in this part, even if I think it exposes an unwisely large attack surface (e.g. the USB stack). I suspect you simply reboot so rarely you’re never hitting the happy path.
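The two comments above distinguish TPM-only BitLocker (measured boot is the only gate; the recovery key is a fallback, not a PIN) from TPM+PIN. As an added example, not from the thread or from Microsoft, this PowerShell audit lists each volume's key protectors and flags TPM-only volumes; the remediation at the bottom and the `C:` mount point are illustrative assumptions.

```powershell
# Added example (not from the thread): audit BitLocker key protectors on every
# encrypted volume and flag volumes that rely on the TPM alone, i.e. on measured
# boot with no user-supplied secret. Requires the BitLocker PowerShell module
# and an elevated session.
function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-only: a bare 'Tpm' protector and no TPM+PIN / TPM+startup-key variant.
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types | Where-Object { $_ -like 'Tpm*' -and $_ -ne 'Tpm' })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # RecoveryPassword is the 48-digit recovery key, the fallback the
            # blue screen asks for; it is not a pre-boot PIN.
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
            TpmOnly          = $tpmOnly
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize

# Remediation for a flagged OS volume (assumed to be C:): replace the bare TPM
# protector with TPM+PIN so the disk key is released only after a pre-boot
# secret. Assumes policy permits startup PINs and that a recovery password
# protector already exists; run the two steps together, without rebooting in between.
# $tpm = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#        Where-Object { $_.KeyProtectorType -eq 'Tpm' }
# Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpm.KeyProtectorId
# $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```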
There is, sadly, no place for non-standard ICs in corpos nowadays. HR will enforce that.
Yeah I'm getting a lot of pressure to be a "team player" lately. I've told them over and over I'm not capable of that and that has never been a problem before. But we have a hipster new VP who is really pushy and wants to generalise everything.
> I've told them over and over I'm not capable of that
I can relate and empathize. And also provide this suggestion based on my own similar experience: if you can't provide evidence (e.g. doctor's diagnosis) that you are "special" or "not capable of that", then they don't have to care and will take steps to force you out. I wish you all the best.
Here in Europe it's different, we have more rights. Unfortunately I don't have an official diagnosis but I'm definitely neurodivergent. I've been meaning to get one but it is difficult.
I was once (12 years ago) told: "they debate, they decide, we deliver" along with other "teamwork" pablum. This evil has been with us for a very long time, unfortunately.
If you worked for me and you said you're not capable of being part of a team I'd immediately start looking to replace you.
You might be a 100x rockstar developer. You might even be the best software engineer in the world.
But the vast majority of good software is built by teams of people. It doesn't matter how good you are if you can't play nice with others.
I'd rather have a team of "merely" good engineers than one "rockstar" creating a toxic work culture. Fuck that noise.
"Not being a team player" doesn't mean the person is a nuisance, but they can be an introvert who has a limited interaction budget and can work silently and efficiently otherwise.
This generally means the person might not leave their cubicle much or give feedback frequent enough, but this doesn't mean they are not motivated to help others or share knowledge. One can approach and ask a question and get tons of help immediately.
How do I know? That's me. I look like a cave dweller from a distance, but I'm not. The only difference I have is that human interaction sometimes drains me a lot, so I just concentrate and work, yet everybody gets their help immediately if they need it.
Also, no, I don't bite or belittle people. On the contrary.
Assuming the worst in others is bad. If I worked with you, I'd be looking for somewhere else the moment I found out how you think about me.
Remember. People don't leave bad jobs, but bad managers.
You require both team players and "rockstar" individuals. It's not one or the other or a competition, because they do different things.
Yes, if you put someone who can't work on a team on a team and expect teamwork, then that will not work. But that's obvious, so then don't do that. Expecting a homogeneous workforce isn't realistic or optimal.
I'm not a software engineer at all. And I tend to take on projects nobody else wants because they are too complicated or esoteric.
And I didn't say I'm not capable of being part of a team. Just that I need to have my own responsibilities within a team. I can't deal with micromanagement or excessive coordination like 'standups' every day.
Yeah, you've completely misread this. The phrase "not being a team player" is a euphemism for someone not willing to do dubious, unethical, or illegal things (or things that go against internal company policy) in support of a low-level supervisor or manager's wishes. Or, more favourably, someone who's unwilling to do things outside of what he's actually paid for, or to do things unpaid (or outside working hours etc.). Also known as wage theft.
The guy saying that he has been accused of "not being a team player" isn't literally quoting his management here. He's summarizing that his immediate supervisors don't like him because he's unwilling to enter into some patronage-like relationship with them.
The fact that you gave the benefit of the doubt to some faceless employer here instead of an actual person recounting his experiences is really sad and maybe ought to be reason for you to rethink your biases to jump to the conclusion that this guy is a toxic loner. Sounds like you're projecting hard here from some other experience.
That is also a thing yeah. It's not really unethical or illegal but our VP has a huge preference for snazzy glitzy projects and never wants to tackle the problems that cause real pain in the organisation because they are not spectacular and don't make him look good. And yes I bring that up whenever it comes into play. I'm definitely not an order-follower.
Emotionally immature people tend to be a liability, not an asset. Therapy can help, but they first need a willingness to do better.
Nonsense. There are way more accommodations for people who wouldn't have had a place 20 years ago... those accommodations have changed what a "standard IC" is. There never was a place for run-of-the-mill geniuses who couldn't be bothered to spend a few hours researching P2P (Person to Person) protocols. They were always pushed off to small companies where the risk was much lower. This hasn't, won't, and shouldn't change. If that makes you salty, I got some things I'd recommend you research.
Adults pay rent in money, not feelings. The answer to “how could Microsoft leave you homeless?” is “by not paying you”, not some bizarre “by making you feel so bad you lose your house, which you pay for with good feelings”.
This is an oddly passive-aggressive comment when a much more likely read is they were relying on the funding and the large tech company did what large tech companies do and started moving slowly.
And I can see others already blaming them for relying on the vulnerability for living expenses, but if we can hold the hyper-rationalization for a second, we shouldn't be against the person who expected an organization with more money than God to uphold a deal for relative peanuts, right?
Like yes we all get that large orgs make spending $5 very hard, many claps for being the in-group, but their frustration would be understandable.
I'm supposed to feel bad that Microsoft didn't immediately wire him an advance on the bounty before validating anything? Have you ever tried to get anything corrected with a corporate payroll department? Try three months minimum.
It's like suggesting someone was relying on a lottery ticket to payout to survive.
Yes and that's bad. Saying it's bad doesn't make it not-bad, it just makes it still bad but now we know it's bad.
I tried to be as coddling with my language as possible.
Acknowledged how orgs work, separated blaming the org from sympathizing with their reaction, tried to separate the prudence of their actions from the sticky situation they'd still be left in by the org's actions...
But it was for naught: people are really ingrained in a weird "might-makes-right" model of corporate operations. "Larry Ellison is a lawnmower" was supposed to be a jeremiad but now it's more like a guiding principle that we browbeat anyone for questioning.
> we shouldn't be against the person who expected an organization with more money than God to uphold a deal for relative peanuts, right?
You're assuming that there was a deal that wasn't upheld. I don't think we have enough information to assess that. This person's blog posts do read as being somewhat unstable. There's even someone in the comments seemingly genuinely trying to be helpful: "Just wondering if you’re BiPolar (like me) and see a different reality than what is real. Been there."
Presumably, not paying out for these bugs which often take weeks of research to find.
Who in their right mind bets on bug bounties to cover their basic needs? They should be highly employable with these kinds of skills.
> Who in their right mind bets on bug bounties to cover their basic needs?
Someone with a vulnerability worth as much as a two bedroom apartment?
If you take the statement at face value, that does not appear to be the case. If you don’t take it at face value, the underlying presumptions might be a lot of why they may not be employable.
Someone who doesn't have better options?
If you have those sorts of skills with a computer, you will have other options.
Really depends on your background, doesn't it? You could have convictions, be sanctioned, have visa problems, or all kinds of things that are not easily solvable.
Indeed, and this guy's personality seems a little "difficult" which might make the interview process short. I've known people with insane skills who have such weird personalities that they never get hired. Doing remote bug bounty stuff is a blessing for them.