25 comments

[ 0.27 ms ] story [ 55.3 ms ] thread
So weird that GitHub requires a login to view their BlueHammer repo.

https://github.com/Nightmare-Eclipse/BlueHammer

I'm logged in, but I'm seeing this now and can click on "View repository" or "Explore other repositories". Maybe that's why it's behind a login wall.

> This repository contains malicious content that may cause technical harms. We have decided to preserve this content for security research purposes. Please exercise CAUTION when clicking links, downloading releases, or otherwise interacting with this repository.

It's so obvious that many of the bugs being found are/were most likely M$ backdoors.

There doesn't seem to be any other plausible explanation. The reckoning needs to come and people need to stop using their products for good.

Would love a whistleblower to explain which part of the government or company forced it.

They might be incompetent
> which part of the government

the same one who takes care of Cisco ? and Google ? and ...

Oh cool. My brother's old laptop is locked. Maybe this will help
This won't work if Windows on boot is already asking for BitLocker key because it means it can't retrieve the key from TPM.
I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data. https://github.com/Nightmare-Eclipse/YellowKey/ You load a specific file onto a flash drive, plug it into a Bitlocker encrypted computer, reboot it while holding a key combination, and it pops up a command prompt with full access to the encrypted volume. There's no way this isn't a backdoor.
> I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data

I don't think that's true. Some vendors have a better track record than others. Nobody's popped the storage encryption on iOS or MacOS devices yet AFAIK; and the fact that it's tied to a hardware secure element makes it pretty strong.

this exploit works only if you dont use a PIN/password for your Bitlocker and the volume automatically unlocks

so it gives you access to an encrypted volume which automatically unlocks anyway

the only difference is that it immediately gives you root access to the volume instead of having to go through the Windows login procedure - this might be a stolen laptop you dont have an account on

How does Bill Gates keep getting away with this
Do you know of a backdoor for Apple FileVault?
Laid off Microsoft researcher?
No way to know but the timing is peculiar....conspiracy?
Or laid of NSA, laid off Mossad, or many other possibilities.

Or not laid off at all, but otherwise disgruntled security researcher who prompted AI to concoct some personal details that seem to be in line with someone inexplicably dropping Microsoft zero-days.

Could the Bitlocker vulnerability be a backdoor mandated by some government agency?
I see upvotes, so at least some people agree with this possibility.

One more reason to stick with open source, auditable solutions. Any backdoor in open source software would be quickly noticed by the community (such as recently when NPM packages got compromised).

Anyone remember the Samsung ssd issue with bitlocker from maybe like a decade or so ago where it was an empty encryption key or something
Seems odd that someone is both capable of this and homeless. This stuff has decent value on the grey market
Some anon hero cleans up backdoored garbage.

This year looks very refreshing for software. My guess is because of the AI-assitance in grinding an unlimited amount of code. While I feel sorry for maintainers and developers who have a new CVE everyday, society seems to be sweeping away 20 years of backdoor development by shady companies and spies, making computing actually safe and trusted for the first time in our lifetime.