I'm logged in, but I'm seeing this now and can click on "View repository" or "Explore other repositories". Maybe that's why it's behind a login wall.
> This repository contains malicious content that may cause technical harms. We have decided to preserve this content for security research purposes. Please exercise CAUTION when clicking links, downloading releases, or otherwise interacting with this repository.
I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data. https://github.com/Nightmare-Eclipse/YellowKey/ You load a specific file onto a flash drive, plug it into a Bitlocker encrypted computer, reboot it while holding a key combination, and it pops up a command prompt with full access to the encrypted volume. There's no way this isn't a backdoor.
> I think the Bitlocker "vuln" is a good reminder not to use vendor provided encryption for any sensitive data
I don't think that's true. Some vendors have a better track record than others. Nobody's popped the storage encryption on iOS or MacOS devices yet AFAIK; and the fact that it's tied to a hardware secure element makes it pretty strong.
this exploit works only if you dont use a PIN/password for your Bitlocker and the volume automatically unlocks
so it gives you access to an encrypted volume which automatically unlocks anyway
the only difference is that it immediately gives you root access to the volume instead of having to go through the Windows login procedure - this might be a stolen laptop you dont have an account on
Or laid of NSA, laid off Mossad, or many other possibilities.
Or not laid off at all, but otherwise disgruntled security researcher who prompted AI to concoct some personal details that seem to be in line with someone inexplicably dropping Microsoft zero-days.
I see upvotes, so at least some people agree with this possibility.
One more reason to stick with open source, auditable solutions. Any backdoor in open source software would be quickly noticed by the community (such as recently when NPM packages got compromised).
This year looks very refreshing for software. My guess is because of the AI-assitance in grinding an unlimited amount of code. While I feel sorry for maintainers and developers who have a new CVE everyday, society seems to be sweeping away 20 years of backdoor development by shady companies and spies, making computing actually safe and trusted for the first time in our lifetime.
25 comments
[ 0.27 ms ] story [ 55.3 ms ] threadhttps://github.com/Nightmare-Eclipse/BlueHammer
> This repository contains malicious content that may cause technical harms. We have decided to preserve this content for security research purposes. Please exercise CAUTION when clicking links, downloading releases, or otherwise interacting with this repository.
There doesn't seem to be any other plausible explanation. The reckoning needs to come and people need to stop using their products for good.
Would love a whistleblower to explain which part of the government or company forced it.
the same one who takes care of Cisco ? and Google ? and ...
I don't think that's true. Some vendors have a better track record than others. Nobody's popped the storage encryption on iOS or MacOS devices yet AFAIK; and the fact that it's tied to a hardware secure element makes it pretty strong.
so it gives you access to an encrypted volume which automatically unlocks anyway
the only difference is that it immediately gives you root access to the volume instead of having to go through the Windows login procedure - this might be a stolen laptop you dont have an account on
Or not laid off at all, but otherwise disgruntled security researcher who prompted AI to concoct some personal details that seem to be in line with someone inexplicably dropping Microsoft zero-days.
YellowKey Bitlocker Bypass Vulnerability
https://news.ycombinator.com/item?id=48114997
One more reason to stick with open source, auditable solutions. Any backdoor in open source software would be quickly noticed by the community (such as recently when NPM packages got compromised).
This year looks very refreshing for software. My guess is because of the AI-assitance in grinding an unlimited amount of code. While I feel sorry for maintainers and developers who have a new CVE everyday, society seems to be sweeping away 20 years of backdoor development by shady companies and spies, making computing actually safe and trusted for the first time in our lifetime.