by embedding-shape 37 days ago
Seems this traces back almost a week, from Nightmare-Eclipse who is the researcher who found this:

Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next patch tuesday will have a big surprise for you Microsoft"

Wednesday, 13 May 2026 - "I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft."

Author's blog: https://deadeclipse666.blogspot.com/

First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine."

I'm not sure what to make of it, is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results.


I read it as the author is / was going through the vulnerability disclosure process with Microsoft and they're annoyed for unclear reasons and decided to publicly disclose, rather than being an insider.
How would that leave them homeless?
Many brilliant people have serious mental health issues that preclude their ability to regulate their emotions and act maturely in serious situations e.g. responsible vulnerability disclosure.

I've watched genius-level IQ people get fired time and again because they don't know how to work with others at a basic kindergarten level.

To be honest if I got fired in a mean or unfair way I'd definitely hit back at my employer in such a manner if I'd have the ability to. I'm unlikely to have that though as I'm not aware of any saucy company secrets. But if this is what happened I think it's pretty justified.

The secret here seems to be that Microsoft caches the key somewhere even when it's supposed to be only in the TPM! That's a pretty big revelation IMO.

> The secret here seems to be that Microsoft caches the key somewhere even when it's supposed to be only in the TPM!

Not what happened here (I reserve my judgment wrt the promised TPM+PIN exploit).

In the default TPM-only mode of BitLocker, the secret is in fact in the TPM, which will (as instructed by Windows upon key creation) release it to the correct OS running on the correct computer. Notably not in the picture is any user-provided data: measured boot is the only protection. It is only the correct programming of the OS that makes it request an account password (completely unrelated to the disk-encryption cryptography) before letting the user poke at the disk, which the OS can at that point already decrypt.

Well, turns out the programming is such that if you ask politely it’ll just pop an Administrator(?) shell.

> Not what happened here (I reserve my judgment wrt the promised TPM+PIN exploit).

Yes this is the one I'm referring to.

I have noticed it myself, it has happened to me that my system rebooted to install updates and it did not pass through the blue TPM pin entry screen at that point. That was a big red flag for me. A normal reboot always does that, even a 'hot' reboot.

> To be honest if I got fired in a mean or unfair way I'd definitely hit back at my employer in such a manner if I'd have the ability to.

I knew a contractor that developed a habit of not paying his workers for a short time. After people started walking off job sites with his tools and showing up at his house demanding to get paid, he magically found the money to pay them.

It’s pretty unsurprising how vindictive regular people rapidly become when they’ve been ripped off.

Reporting wrongdoing to the ones doing it doesn't work. Perhaps they relied on Microsoft a bit too much for their livelihood and are just beginning to reevaluate their decisions. It's not so rare for brilliant people to live a life of the mind and not pay enough attention to their material conditions. But defining that as "serious mental health issues" is such a cheap shot.
> Reporting wrongdoing to the ones doing it doesn't work.

Most large companies — including Microsoft [1] — have an internal affairs call center where you can anonymously report issues of malfeasance — assuming that's what happened here.

[1] https://www.microsoft.com/en-us/legal/compliance/sbc/report-...

There is, sadly, no place for non-standard ICs in corpos nowadays. HR will enforce that.
Emotionally immature people tend to be a liability, not an asset. Therapy can help, but they first need a willingness to do better.
Yeah I'm getting a lot of pressure to be a "team player" lately. I've told them over and over I'm not capable of that and that has never been a problem before. But we have a hipster new VP who is really pushy and wants to generalise everything.
If you worked for me and you said you're not capable of being part of a team I'd immediately start looking to replace you.

You might be a 100x rockstar developer. You might even be the best software engineer in the world.

But the vast majority of good software is built by teams of people. It doesn't matter how good you are if you can't play nice with others.

I'd rather have a team of "merely" good engineers than one "rockstar" creating a toxic work culture. Fuck that noise.

> I've told them over and over I'm not capable of that

I can relate and empathize. And also provide this suggestion based on my own similar experience: if you can't provide evidence (e.g. doctor's diagnosis) that you are "special" or "not capable of that", then they don't have to care and will take steps to force you out. I wish you all the best.

I was once (12 years ago) told: "they debate, they decide, we deliver" along with other "teamwork" pablum. This evil has been with us for a very long time, unfortunately.
IC = Independent contractor (I assume?)
individual contributor. Someone who has no one reporting to them.
Individual contributor i.e., non-management
Nonsense. There are way more accommodations for people who wouldn't have had a place 20 years ago... those accommodations have changed what a "standard IC" is. There never was a place for run-of-the-mill geniuses who couldn't be bothered to spend a few hours researching P2P (Person to Person) protocols. They were always pushed off to small companies where the risk was much lower. This hasn't, won't, and shouldn't change. If that makes you salty, I got some things I'd recommend you research.
Adults pay rent in money, not feelings. The answer to “how could Microsoft leave you homeless?” is “by not paying you”, not some bizarre “by making you feel so bad you lose your house, which you pay for with good feelings”
This is an oddly passive-aggressive comment when a much more likely read is they were relying on the funding and the large tech company did what large tech companies do and started moving slowly.

And I can see others already blaming them for relying on the vulnerability for living expenses, but if we can hold the hyper-rationalization for a second, we shouldn't be against the person who expected an organization with more money than God to uphold a deal for relative peanuts, right?

Like yes we all get that large orgs make spending $5 very hard, many claps for being the in-group, but their frustration would be understandable.

I'm supposed to feel bad that Microsoft didn't immediately wire him an advance on the bounty before validating anything? Have you ever tried to get anything corrected with a corporate payroll department? Try three months minimum.

It's like suggesting someone was relying on a lottery ticket to payout to survive.

I tried to be as coddling with my language as possible.

Acknowledged how orgs work, separated blaming the org from sympathizing with their reaction, tried to separate the prudence of their actions from the sticky situation they'd still be left in by the org's actions...

But it was for naught: people are really ingrained in a weird "might-makes-right" model of corporate operations. "Larry Ellison is a lawnmower" was supposed to be a jeremiad but now it's more like a guiding principle that we browbeat anyone for questioning.

Yes and that's bad. Saying it's bad doesn't make it not-bad, it just makes it still bad but now we know it's bad.
> we shouldn't be against the person who expected an organization with more money than God to uphold a deal for relative peanuts, right?

You're assuming that there was a deal that wasn't upheld. I don't think we have enough information to assess that. This person's blog posts do read as being somewhat unstable. There's even someone in the comments seemingly genuinely trying to be helpful: "Just wondering if you’re BiPolar (like me) and see a different reality than what is real. Been there."

Presumably, not paying out for these bugs which often take weeks of research to find.
Who in their right mind bets on bug bounties to cover their basic needs? They should be highly employable with these kind of skills.
> Who in their right mind bets on bug bounties to cover their basic needs?

Someone with a vulnerability worth as much as a two bedroom apartment?

If you take the statement at face value, that does not appear to be the case. If you don’t take it at face value, the underlying presumptions might be a lot of why they may not be employable.
Someone who doesn't have better options?
If you have those sorts of skills with a computer, you will have other options
People with values different from yours, presumably.
This is one of those answers that seems on the surface like it contains insight but on closer inspection it's vacuous.

This could be rewritten as “because they aren’t you”, which is true but not a meaningful or educational answer.

https://github.com/BigPolarBear1/The_story

I've been pretty convinced this is SandboxEscaper for awhile now.

Previously discussed numerous times on HN, like: https://news.ycombinator.com/item?id=48130519

Whether this is a backdoor or not boils down to whatever your usual proclivities about "bug or backdoor" are; it's not like "if microsoft = 1 hack bitlocker" like the tech press seem to love to report.

This is a bug in the NTFS transaction log replay functionality in the Windows Recovery Environment WinRE, where it will read NTFS transaction logs from an external volume and apply them to the mounted filesystem. This allows the attacker to perform an authentication bypass against WinRE. With BitLocker without PIN or Password, _any_ authentication bypass becomes a disk encryption bypass, since the disk is unsealed by the bootloader (this architectural "flaw" is true for Linux with the same configuration, as well, like Ubuntu installed with their newish Hardware Disk Encryption checkbox in the installer).

In lieu of additional evidence, whether you think the NTFS transaction log issue is a planted backdoor or a simple enumeration bug depends on your conspiracy theory level, like most things in exploit development. To me, it seems like a plausible bug. The weaknesses in boot-time unseal are well known and obvious and this is just one of many, so I don't see it as an earth-shattering revelation, although it is a fun bug.
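A check a practitioner would want after reading this comment: which volumes on a box are in the TPM-only configuration it describes, where no PIN or password stands between a measured-boot unlock and the disk key. This is an added example, not code from the thread or from Microsoft. It parses the text layout of `manage-bde -status`; the embedded sample is constructed to resemble that layout rather than captured from a real machine, so the exact protector strings (`TPM`, `TPM And PIN`, ...) are an assumption to verify against real output before relying on the result.

```python
"""Flag BitLocker volumes whose only boot-time unlock path is the TPM.

Added example (not from the thread or from Microsoft). Parses the text layout
of `manage-bde -status`; SAMPLE_STATUS below is constructed to resemble that
layout and is not a real capture.
"""
import re
import subprocess
import sys

# Constructed sample in the layout of `manage-bde -status` (assumption: the
# real tool prints protector names in this form; check against your output).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.91 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM And PIN
        Numerical Password
"""

# Protectors that add a second factor at boot (user secret or USB key).
SECOND_FACTOR_PROTECTORS = {
    "TPM And PIN", "TPM And PIN And Startup Key", "TPM And Startup Key", "Password",
}
# Recovery protectors are not part of the normal boot-time unlock path.
RECOVERY_PROTECTORS = {"Numerical Password", "External Key"}


def parse_status(text):
    """Return {mount: {"type": ..., "protection": ..., "protectors": [...]}}."""
    volumes = {}
    current = None
    in_protectors = False
    for line in text.splitlines():
        m = re.match(r"^Volume ([A-Z]:)", line)
        if m:
            current = volumes.setdefault(
                m.group(1), {"type": "", "protection": "", "protectors": []}
            )
            in_protectors = False
            continue
        if current is None:
            continue
        s = line.strip()
        if s in ("[OS Volume]", "[Data Volume]"):
            current["type"] = s.strip("[]")
        elif s.startswith("Protection Status:"):
            current["protection"] = s.split(":", 1)[1].strip()
        elif s == "Key Protectors:":
            in_protectors = True          # following indented lines are protector names
        elif in_protectors and s and ":" not in s:
            current["protectors"].append(s)
        elif s:
            in_protectors = False         # any other "Field: value" line ends the list
    return volumes


def tpm_only_volumes(volumes):
    """Mount points where boot-time unlock needs nothing beyond the measured boot state."""
    flagged = []
    for mount, info in volumes.items():
        if info["protection"] != "Protection On":
            continue
        boot_protectors = [p for p in info["protectors"] if p not in RECOVERY_PROTECTORS]
        if boot_protectors and not any(p in SECOND_FACTOR_PROTECTORS for p in boot_protectors):
            flagged.append(mount)
    return flagged


def main():
    if sys.platform == "win32":
        # Needs an elevated prompt; output layout is assumed to match SAMPLE_STATUS.
        text = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_STATUS
    vols = parse_status(text)
    for mount in tpm_only_volumes(vols):
        print(f"{mount} ({vols[mount]['type']}): TPM-only; an auth bypass in any "
              f"trusted boot path (OS logon, WinRE) is a disk-decryption bypass")


if __name__ == "__main__":
    main()
```

On the constructed sample only `C:` is reported, since `D:` carries a `TPM And PIN` protector; the recovery password is deliberately ignored because it is not consulted during a normal measured boot.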

It's very strange that the same component exists in Windows without the issue, though. Like the author, I'm finding it difficult to come up with reasons why they'd be different.
WinRE ending up with a different version of fstx.dll in it seems like a pretty standard Microsoft (or any other big company) thing to have happen? Again, it all comes down to whether you think the drift was a malicious internal fork or a simple mistake. I will say that the functionality being different makes it an inferior backdoor in many ways; especially in Windows land vulnerability researchers are obsessed with binary diffing, and any delta internally would be more likely to be discovered as a backdoor in review too (ie - "hey maybe we should update fstx in WinRE finally, let's review the drift to make sure there's not going to be a regression, wait a second why did xyz employee add this suspicious looking code").

A fun next step would be to look at different fstx versions to see if it’s just something that was patched or refactored out at some point. At that point it could be a patch-door (ie an organic bug where the patch was held back by interference), but again, that would be a crappy setup due to the propensity for Windows vulnerability engineers to use binary diffing - if you had the exploit and the power to hold back the patch, it would be way better to hold it back everywhere.

I'm not necessarily suggesting they intentionally made the dll different for RE. The possibility that RE was maliciously backdoored is certainly possible, but there are three plausible other possibilities I can see:

1. A bug was introduced that affects both, and the fix never made it back into the 11 branch

2. There's conditional logic in RE that triggers the issue

3. 11 introduced new behavior that never made it to RE, causing the bug

The fact that 10 is seemingly unaffected is telling. #2 seems very unlikely, because it suggests new conditional logic was added and not tested. #3 seems unlikely because I can't understand why the binaries would be different anyway. #1 seems unusual because it suggests there's no canonical source of truth for the code, which feels very unlikely for bitlocker of all things (where you want everything speaking the same language).

If there's any benign explanation, I suspect it's likely due to incompetence. This feels like such a strange problem to have. I suspect the follow-ups you suggest are going to happen very soon and we'll know more.

The author says he is able to use a similar vuln to bypass the PIN requirement. Most certainly a backdoor if true.
I discussed this at length in the last thread: https://news.ycombinator.com/item?id=48137059

We know how PIN-locked BitLocker works, and it requires unwrapping using a key sealed behind a TPM PIN policy and stretching it using the PIN itself. So we can deduce that this would require that:

* The attacker was able to bypass the TPM PIN sealing policy _and_ brute-force the stretching applied to the decrypted key. Brute-forcing the stretch is plausible on a "lots of expensive stuff" timeline but not an easy attack. Bypassing TPM PIN policy across multiple platforms would be something quite incredible. Given that TPMs are implemented by multiple vendors across multiple fundamental architectural approaches, and aren't based on a universal reference implementation, it would be rather bizarre to find a mistake in many or all of them.

* There is a secret volume key stored on a volume which can be decrypted by another mechanism. This would be a backdoor, but seems vanishingly unlikely given the amount of research which has been applied against BitLocker historically.

* The attacker is at some point able to inject something which allows them to observe the victim applying the PIN. There could be an attack here but it isn't nearly as interesting.
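The key-release argument made in this comment and in the earlier one on TPM-only mode (the TPM releases the secret to whatever boot chain matches its policy, with no user data in the picture, so any authentication bypass in the admitted code, including WinRE, yields the disk key; TPM+PIN adds a check inside the TPM plus a PIN stretch) as an added toy model. This is not Microsoft's code and not BitLocker's real key schedule: the component names, the single-PCR extend chain, the authValue derivation, the PBKDF2 parameters and the absence of a dictionary-attack lockout in the mock TPM are all assumptions standing in for the real mechanisms.

```python
"""Toy model of measured-boot key release: TPM-only versus TPM+PIN.

Added example, not Microsoft's code and not BitLocker's real key schedule.
Components, PCR policy, authValue derivation and stretch parameters are
constructed stand-ins for the real mechanisms.
"""
import hashlib
import hmac
import os

# Constructed boot components (stand-ins for measured binaries, not real hashes).
FIRMWARE = b"uefi-firmware"
BOOTMGR = b"bootmgfw.efi"     # the stage that asks the TPM for the key
WINLOAD = b"winload.efi"      # normal OS path: logon screen is a software gate
WINRE = b"winre.wim"          # recovery path: its prompts are also only software
OTHER_OS = b"live-usb-kernel" # a loader the sealing policy never admitted


def measure_boot(components):
    """PCR extend chain: pcr = H(pcr || H(component)), in load order."""
    pcr = bytes(32)
    for c in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(c).digest()).digest()
    return pcr


def pin_auth(pin):
    """Assumed authValue derivation for the mock TPM (not BitLocker's)."""
    return hashlib.sha256(b"authValue:" + pin.encode()).digest()


def stretch(released, pin):
    """Stand-in for PIN stretching of the released blob (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), released, 100_000)


class MockTPM:
    """Releases a sealed blob only if the PCR policy and, if set, authValue match."""

    def __init__(self):
        self._objects = {}

    def seal(self, name, blob, policy_pcr, auth_value=None):
        self._objects[name] = (policy_pcr, auth_value, blob)

    def unseal(self, name, current_pcr, auth_value=None):
        policy_pcr, expected_auth, blob = self._objects[name]
        if not hmac.compare_digest(policy_pcr, current_pcr):
            raise PermissionError("PCR mismatch: unexpected boot chain")
        if expected_auth is not None and (
            auth_value is None or not hmac.compare_digest(expected_auth, auth_value)
        ):
            raise PermissionError("authValue mismatch: wrong or missing PIN")
        return blob


def provision(tpm, pin=None):
    """Create a volume key and seal it to the PCR state the boot manager will present."""
    policy = measure_boot([FIRMWARE, BOOTMGR])
    blob = os.urandom(32)
    if pin is None:
        tpm.seal("vmk", blob, policy)                    # TPM-only: the blob is the key
        return blob
    tpm.seal("vmk", blob, policy, auth_value=pin_auth(pin))
    return stretch(blob, pin)                            # TPM+PIN: key = stretch(blob, PIN)


def boot(tpm, loader, next_stage, pin=None):
    """Measure up to the loader, unseal, hand the key to the next stage.

    Nothing the next stage does (logon prompt, WinRE prompt) is measured: by the
    time it runs, the key has already been released to it.
    """
    pcr = measure_boot([FIRMWARE, loader])
    released = tpm.unseal("vmk", pcr, auth_value=None if pin is None else pin_auth(pin))
    key = released if pin is None else stretch(released, pin)
    return next_stage, key


def tpm_only_scenarios():
    """TPM-only: every admitted path, WinRE included, receives the real key."""
    tpm = MockTPM()
    key = provision(tpm)
    out = {
        "winload": boot(tpm, BOOTMGR, WINLOAD)[1] == key,
        "winre": boot(tpm, BOOTMGR, WINRE)[1] == key,
    }
    try:
        boot(tpm, OTHER_OS, WINLOAD)
        out["other_loader"] = True
    except PermissionError:
        out["other_loader"] = False
    return out


def tpm_pin_scenarios():
    """TPM+PIN: the TPM refuses without the PIN, so a WinRE auth bypass alone is not enough."""
    tpm = MockTPM()
    key = provision(tpm, pin="1234")
    out = {}
    for label, pin in (("right_pin", "1234"), ("wrong_pin", "0000"), ("no_pin", None)):
        try:
            out[label] = boot(tpm, BOOTMGR, WINRE, pin=pin)[1] == key
        except PermissionError:
            out[label] = False
    return out


if __name__ == "__main__":
    print("TPM-only:", tpm_only_scenarios())
    print("TPM+PIN: ", tpm_pin_scenarios())
```

The model makes the two claims checkable side by side: under TPM-only sealing, booting into WinRE through the same boot manager yields exactly the key that winload gets, and only the software running after release decides whether to ask for anything; under TPM+PIN, the same WinRE path is refused by the TPM unless the PIN is presented, and even a released blob is useless without the stretch. A real TPM would additionally rate-limit the wrong-PIN attempts, which the mock does not model.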

> Most certainly a backdoor if true

If Microsoft wanted a backdoor they don't need to put it in the WinRE environment. They can sign payloads that will pass the TPM and unlock bitlocker, without needing to store anything on your disk.

Except with TPM+PIN, the TPM itself is verifying the PIN before unsealing any keys... so something else must be going on if they're telling the truth about a PIN exploit.

Maybe their alleged exploit doesn't work on a cold boot or has some other non-standard situation.

This is the most succinct, plain-English explanation I've seen to date. Thank you for posting this.
Can't wait to read the blogpost of what has truly happened and motivated this person to expose M$ like this