• azuth@sh.itjust.works · 1 point · 20 hours ago

    What are the indications that the BitLocker vulnerability is already being utilized?

    Microsoft shipping a vulnerable version of the recovery environment. It is the ‘exploit’.

    Alleged by a guy who was fired from Microsoft. I’d take that with a pinch of salt.

    Such is the nature of closed source software. You select people who will remain complicit till they have a grievance against you. Even if they don’t and talked for moral reasons, do you think they would not have been fired for it?

    That being said, open source repos are being attacked constantly with attempts at intentional malicious code injection - I’m sure you’ve heard of XZ Utils? How many others went through and are being exploited without anyone noticing?

    Who knows. How many more went through at closed source software a limited amount of people can test in the same way?

      • Alaknár@sopuli.xyz · 2 up / 1 down · 4 hours ago

      Microsoft shipping a vulnerable version of the recovery environment. It is the ‘exploit’.

      Red Hat and Canonical shipped a vulnerable version of SSH, the thing was caught basically hours before hitting all devices around the world.

      Should Red Hat and Canonical be now considered hostile as much as MS is?

      You select people who will remain complicit till they have a grievance against you. Even if they don’t and talked for moral reasons, do you think they would not have been fired for it?

      I can only answer by saying this: I wish you luck in the job market and hope you’ll eventually find an employer you don’t assume to be a hostile entity towards you.

      Who knows. How many more went through at closed source software a limited amount of people can test in the same way?

      This is the equivalent of “prove that God doesn’t exist”. We can’t know because they haven’t been found, mate.

        • azuth@sh.itjust.works · 1 point · 2 hours ago

        Were they the developers of the SSH package? Microsoft is the developer of the vulnerable BitLocker package and the ones who chose to ship it.

        I am employed; most employers are obviously not as corrupt as the biggest corporations on the planet, they simply can’t afford to be.

        I agree we can’t know. We can know for FOSS software. You are treating the unknowable as being less than the known bugs in FOSS software. That’s dishonest, lad.

          • Alaknár@sopuli.xyz · 1 point · 2 hours ago

          Microsoft is the developer of the vulnerable BitLocker package and the ones who chose to ship it.

          … one guy claims.

          Another possibility is that they have two separate builds for BitLocker, and the one used in WinRE is vulnerable, which they missed.

          We don’t have enough information to clearly state that they did this on purpose.

          We can know for FOSS software. You are treating the unknowable as being less than the known bugs in FOSS software. That’s dishonest, lad.

          Again, read up about the XZ Utils vulnerability. We technically can know, but we don’t know, which was a statement by the guy responsible for the package. It’s not dishonest, it’s a statement of fact.

            • azuth@sh.itjust.works · 1 point · 57 minutes ago

            If you actually read his GitHub you would know that there is a different version of the responsible component between the recovery environment and an installation. Only the RE has the issue.

            I’ve read the XZ vulnerability. The very same thing can happen in a closed source corporate project. There are many arrests of foreign intelligence agents that worked in big tech and/or government. It would of course be easier to cover up. As would vulnerabilities discovered by AI, since they can limit who can check their code.