Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next patch tuesday will have a big surprise for you Microsoft"
Wednesday, 13 May 2026 - "I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft."
Author's blog: https://deadeclipse666.blogspot.com/
First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine."
I'm not sure what to make of it, is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results.
Someone with a vulnerability worth as much as a two bedroom apartment?
This could be rewritten as “because they aren’t you”, which is true but not a meaningful or educational answer.
Sure. And that’s a meaningful answer to the question.
“people with values different from yours, presumably” is a condescending nonanswer.
Whether this is a backdoor or not boils down to whatever your usual proclivities about "bug or backdoor" are; it's not like "if microsoft = 1 hack bitlocker" like the tech press seem to love to report.
This is a bug in the NTFS transaction log replay functionality in the Windows Recovery Environment WinRE, where it will read NTFS transaction logs from an external volume and apply them to the mounted filesystem. This allows the attacker to perform an authentication bypass against WinRE. With BitLocker without PIN or Password, _any_ authentication bypass becomes a disk encryption bypass, since the disk is unsealed by the bootloader (this architectural "flaw" is true for Linux with the same configuration, as well, like Ubuntu installed with their newish Hardware Disk Encryption checkbox in the installer).
In lieu of additional evidence, whether you think the NTFS transaction log issue is a planted backdoor or a simple enumeration bug depends on your conspiracy theory level, like most things in exploit development. To me, it seems like a plausible bug. The weaknesses in boot-time unseal are well known and obvious and this is just one of many, so I don't see it as an earth-shattering revelation, although it is a fun bug.
Well gee, I wonder why people have been saying negative things about them for so long?
Perhaps if it's been that long there's a kernel of truth to the matter.
Perhaps they're a shitty company who does shitty things selling shitty products.
They had to do the open-source thing for .NET because of external pressure - not because they've changed.
They had to get GitHub because of the eyeballs. It's not some altruistic play.
In both cases some VPs spun it around, juked the stats and got their bonus.
The first E of EEE feels so good makes you forget the inevitable outcome. Like heroin.
Are they going to ship an official cross platform UI library any time the next century? Decades after the Java lawsuit they still ship only a crippled copy of their scrapped Microsoft JVM for other platforms.
> Microsoft is a huge open source contributor now
Aren't almost all of their contributions for integration with their proprietary technology?
> Sorry to say, but believing nothing with MS has changed is deranged.
Yes, they got worse. They maintained Windows XP for ages and you could actually feel the improvements they shipped. Windows 11 meanwhile makes me wait for them to add a robotic arm with a knife as hardware requirement, to improve the backstabbing experience.
I guess if there are always new 20 year olds just discovering something, that must mean there are also always new 15 year olds that haven't discovered it yet, and 80 year olds that have gone Dawkins and lost what they had, and the just plain ignorant or unobservant with no real excuse.
The B&MG foundation sold their remaining 7.7m shares.
The published exploit doesn’t affect Bitlocker with a PIN, without which Bitlocker isn’t secure anyway. The original author claims they have an exploit that also works with a PIN, but hasn’t provided any proof of that.
>In a normal WinRE session, you have a X:\Windows\System32 directory that has a winpeshl.ini file in it
>However, with the YellowKey exploit, it looks like Transactional NTFS bits on a USB Drive are able to delete the winpeshl.ini file on ANOTHER DRIVE
Interesting. I dont know about this environment - some kind of naive file handle contructing/passing? But then, why require a key press during winre reboot?
I wonder how patachable this is. The thousands of winre thumb drives are certainly out of reach; maybe the bitlocker side update the access permissions? Would it require unenc/reenc?
Seems like lots more to follow
The part that isn't mentioned is that the win re is privileged because windows stores a decryption key in the TPM that allows win re to decrypt the disk even without the recovery key. That's why the attack requires win re in the first place, rather than booting into an ubuntu live cd or whatever. This also means you don't have to patch all the winRE thumbdrives out there because their secureboot signatures can simply be revoked, meaning they can't pass TPM validation anymore, therefore they won't be able to decrypt any disks.
The researcher claims a way to bypass PIN too but hasn't revealed it.
If they put a backdoor into FDE it would make more sense to advise people to stop using windows at all and using Linux instead. If they put a backdoor in FDE you can be sure there is not just one backdoor in the operating system itself. You shouldn't trust proprietary software at all. You shouldn't even trust open source if it isn't properly audited.
Anything in particular that makes you wary? I'm aware of the 2016 and 2020 audits (https://ostif.org/the-veracrypt-audit-results/ is the 2016 one, I believe), but those seemed to suggest things were getting better over time. Curious what other signals to look for.
This has got to be the most surprising encryption-related comment I've ever read from you. Please tell us what you're thinking about VeraCrypt. What would you say about TrueCrypt v7.1a, the last known good release?
If I trust them to provide my FDE software, I certainly trust them when they say I shouldn’t use it.
Securing Microsoft products is busy work while waiting to have it undercut by the next wave of MS’s insane tech debt and greed. And now backdoors!
You can enable ADP for E2E encrypted backups, but it's probable not going to help you much, because the people you are communicating with likely didn't.
This is not to defend Microsoft, more to say that all these companies were part of PRISM.
That just sounds like a fundamental issue with security in general, not specific to Apple/Microsoft.
I have found that even many tech people have incorrect beliefs about these things, like assuming that iCloud Backups are E2E encrypted by default or that disabling Allow Apps to Request to Track disables trackers inside apps.
But you are defending MS, conflating a bunch of things, mainly full disk encryption and cloud backups.
There's a big difference between Apples cloud backup which has documented behavior and a backdoor. I'm also fairly confidant in Apple's full disk encryption, they've gone to court to defend it. There also a lot more data points we can use to judge Apple vs Microsoft on privacy and security, and MS comes out looking bad.
Another example is WhatsApp on Android, by default when backups are enabled, they are stored unencrypted in Google Drive. A good counter-example is Signal, which opts out of backups on iOS and Android and the only option is to do E2E backups to their own servers.
I'm also fairly confidant in Apple's full disk encryption, they've gone to court to defend it.
FWIW, in the last leaked report, iPhone was not an issue AFU for Cellebrite (macOS is most likely even easier due to looser security):
https://discuss.grapheneos.org/d/14344-cellebrite-premium-ju...
Though I suppose then I have to give a negative % to all the systems that have insecure online backups. This whole area is a train wreck really.
Signal is slowly, very slowly, moving toward providing real backups and cross-device transfers
I understand why you’d believe Signal still can’t deliver that, because they had been ignoring the user demands for years.
But there is real progress now
https://support.signal.org/hc/en-us/articles/9708267671322-S...
Obviously Signal don't owe me anything. I'm not paying for the product and I appreciate what it does offer and makes available for free. But it would be much better if it also supported local backups under the user's control.
"now"?
Shall we have a discussion about the excuse Microsoft gave as to why keys they claimed, back then, were "secondary keys" belonging to Microsoft, were called ..._NSAKEY when a version of Windows NT shipped, by mistake, with debug symbols on?
One time, just freaking one time, a version of Windows shipped with debug symbols on and, by chance, there had to be cryptographic keys named "NSAKEY" in there.
Yeah.
Now that people constantly turning a blind eye on the wrongdoings of the state are of course going to say that it's totally normal and just repeat the, carefully crafted, excuses from Microsoft from back, that it was totally not a backdoor etc.
This won't work because the TPM will only give you the keys if you're booting an "approved" OS, specifically the PCR states that the encryption keys are bound to.
>or if you have to buy a $5 microcontroller and solder it to certain pins on the main board to sniff the TPM keys.
That only works with dTPMs. fTPMs aren't vulnerable to this, and are far more popular than dTPMs.
Also can recover data without my mainboard.
Maybe a hybrid (secureboot-TPM+phrase) slot for day to day to also prevent against evil maid attacks, and another slot with a backup passphrase would be acceptable.
It's not an either-or. You can combine TPM with passwords which makes it far more secure than password alone. A TPM can enforce password guessing limits, otherwise a password needs to be absurdly long to be secure against GPU bruteforcing attacks. It also prevents someone from swapping out the bootloader with a backdoored version that steals your passwords.
>Also can recover data without my mainboard.
You're supposed to keep a backup of the encryption key when using TPM, in case it fails.
https://deadeclipse666.blogspot.com/2026/05/were-doing-silen...
If it's a backdoor, that's a serious fraud against their customers.
If you really think this will be prosecuted as fraud, then you'll be shocked by how American courts handle these sorts of things.
Prevailing theory is they were pressured to put in a backdoor and couldn't disclose it, so they had to make a seemingly ridiculous statement (because who in their right mind would trust bitlocker) to call attention that "something is very wrong"
Alternately, they don't want people to rely on abandonware for security.
Also, despite the conspiracy theories of backdoors I'm not aware of any bitlocker exploits that work on TPM + pin, which is the intended "secure" configuration[1]. All exploits rely on TPM-only (ie. ez-mode), which is basically the security equivalent of running https/ssh without certificates and blindly accepting whatever keys shows up.
[1] https://learn.microsoft.com/en-us/windows/security/operating...
At the point where you're able to mount the EFI partition and effectively modifying the bootloader, it's game over anyway - just run `manage-bde -unlock`, you already have to be root to mount the EFI partition.
No one should have their data encrypted and kept from them without consent unless they do something. Microsoft does that now. They may not be requring a monetary ransom like others, but it is a ransom nevertheless.
I know this is controversial. Bitlocker helps protect one's property and information when used intentionally. And that being impacted is a shame.
I recently (last week) had to drive over to a parent's house and "fix" their (pre-online accounts) win 11 computer used for sewing because it had become a blue screen saying aka.ms was required. They did not know how it happened and are not very technical users so I imagine they were tricked by some click-through dialog. It is not something they would ever do intentionally. All that computer ever does is run sewing pattern/control software.
https://support.microsoft.com/en-us/windows/find-your-bitloc...
There other 2 options are enterprise or online account (the very thing we're talking about) don't apply in this context.
I do not want someone stealing my laptop on a train ride potentially being able to have all of that data.
With a proper real backup strategy, i have everything save. I do not need easy access to a hard drive from a broken computer.
But hey you do you :)
Everyone's threat model is different, but some are better than others, and maybe we shouldn't equate taking time to explain why with throwing stones.
The Snowden leaks revealed that the NSA is flummoxed on how to tackle variable character lengths. However, they've cracked rot26 using custom ASIC supercomputers, so it should be considered insecure even though it's twice as good as rot13.
Every machine is encrypted, unlocked per login.
Encryption is basically free so.
An advantage of encryption is that it makes it easier to give away or resell devices. With recent encryption schemes (well the ones on Linux, given this article), I feel confident that overwriting the encryption keys gets me close enough to not leaking my data once I get rid of an old hard drive.
* Your preferred memorized passphrase and will never be written down anywhere.
* A random key you can print and store in a box somewhere.
Then if your backup paper gets lost, you can revoke/replace it without having to abandoned your memorized favorite.
Just choose a good quality one....
* Split the recovery key in two, store each half with a different friend. (If you're feeling fancy, XOR the halves and store that with a third friend, then any two out of three will work.)
* Sneak the key into something you know friends/family won't throw away while you're still alive, like stuck to the back of a sentimental photo in a frame.
____
That said, I think I'm wandering from the original "accumulating dusty old drives in a box" scenario, which has a simpler solution: Keep a growing old_drives_keys.txt file on your current (encrypted) main device.
If you keep it in a dark environment that's not super humid the ink should last a really long time. Even in non-optimal conditions (NY summers with high humidity, etc.) I've had regular pen ink last for decades with no signs of fading away.
But I'm sure that some of the millions of things that I've missed as windows has become what it has become makes this simplicity seem like a scifi absurdity. I don't think that they can even log into their own computers without asking Microsoft for permission over the network. I'm sure the idea of encryption must have been overcomplicated to the point of absurdity in order to trap customers too, I just don't know about it.
I suppose you should just count your blessings (of ignorance) and be available to help your friends with cryptsetup if they decide to flee windows.
I suppose this makes some sense for home computers (burglars and police raids are rare) but for a laptop, you really don't want thieves getting all your details.
Ironically -- this probably was paranoid a few years ago, but now -- "ChatGPT, use this prepared prompt to extract all useful info from this hard drive"
What does this even mean? Nobody is using multiple encryption schemes on top of each other, are they?
If you want to encrypt some data that gets stored persistently somewhere on your machine, rather than invent an application-specific encryption scheme for that data alone, instead use a mainstream full-partition encryption mechanism, then store the data as plaintext within said partition.