> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

The CCC (Chaos Computer Club) in germany will probably do the same.

I should have known this exists, yet I didn't. Thanks for pointing it out.

This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.

Were you somehow able to intuit that parent is Finnish?

I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.

You now have the worst of both worlds.

You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.

All of that without any benefits.

2026-09-11, save the date folks. That's when all companies selling products with digital elements in the EU have to have a reporting pipeline for actively exploited vulnerabilities and severe incidents.

The German "Chaos Computer Club" (hacker club) has a disclosure service. They approach the affected party as the club, hiding the persons identity. Not sure if they do it internationally as the page is in German. But nice idea and not a government agency.

https://www.ccc.de/disclosure

So they can exploit it in secret for their own benefit?

It should be obvious who the real criminals are in this case.

If you were using bitlocker to replace truecrypt, you'd have a boot password and this would not affect you at all.

I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.

And where's the claimed version that works when a PIN is set?

It's not a backdoor, Microsoft doesn't need a backdoor to bypass BitLocker because they can sign payloads that'll pass the TPM.

They're not. These programs make decisions I wouldn't make all the time (though for reasons more complicated than message board discussions capture). I'm making a much narrower claim than you think I am.

They also silently patched RedSun, didn't issue a CVE until much later.

There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.

It’s a post-boot authentication bypass exploit. Any post-boot authentication bypass exploit against TPM-only sealed BitLocker effectively bypasses it. The user doesn’t have a key to start with in this setup, just the machine.

This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.

I wouldn't be surprised if this was intentionally put in, but I think its important to clarify that the encryption itself wasn't broken, and with this exploit specifically the drive also has to remain inside the original PC/TPM. It's a boot authentication bypass, not an encryption break.

As far as we know, having TPM+Pin or TPM+Startup Key breaks the exploit. TPM only was always known to be basically ineffective against threats like laptop theft, TPM only would only protect you if the drive was stolen out of the machine, which in that case, this exploit also would not work.

They are supposedly disgruntled ex microsoft. I dont know if they would accept a payout

ooc, would you claim its the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? was it publically discoverable and exploitable or was there some form of protection?

Ever considered these aren't the full set of exploits the researcher discovered? Or that he can find more since he found these? If I found a bunch, I'd certainly withhold a few as insurance.

I'm not sure if this is an unintentional mistake. Gitlab did not perform a ban. Github performed the ban. Github is fully-owned by Microsoft.

Well, after they didn't pay him for previous bugs. Not an excuse but certainly a reason.

Are you sure?

Yep, and its a really small world out there.

If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.

Not to mention all the startups being founded right now. Sure, github's still the default, and maybe you can still monetize stars or something, but it's also a clown show from an availability, feature roadmap and company policy perspective.

Is it really fiscally responsible to tie your company's future to that?

I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?

These get trained to be able to reason about why the flowchart is the way it is or outright to construct it. If you can't create a flowchart yourself, you shouldn't direct work following it. Following the flowchart is, so that you don't make mistakes on execution, because there will eventually be mistakes, it's not intended that it saves you from knowing what you do in the first place. In other words: you follow a flowchart to prevent accidental deviations from the process. Once you question, what you actually should do, the flowchart is useless as guidance.

And in other blue collar union environments, following the book is known as "work to rule" and considered a mild form of sabotage/industrial action.

It depends, flowcharts are great for defined processes, but troubleshooting (which vulnerability research mirrors) is not a flowchart or checklist or task list.

I am all in favor for extensive logging, documentation and following the processes, especially regarding safety. But there will always be miscommunication and cases where some thinking or adaptation of those processes are required. Stopping that for cost reduction will eventually lead to enshittification.

FDE is meant to protect data at rest.

Hardware access is a given.

The fde encryption exploit is only for volumes that auto decrypt anyway. So it's a know (accepted) that the model doesn't really try to avoid.

You guys need to stop reaching for conspiracy

Legally? I don’t know.

More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

selling to the highest bidder doesn’t generate headlines though.

> and the response was flow chart tech support with a "buy a webcam" cherry on top

I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

What were the "so many better options" during that period? Have we found the only remaining CP/M fan?

I was forced to use ms basic on my c64. Never forgive, never forget.

The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.

It's not a dichotomy either, they can both have put the customers at risk.

Especially since the only explanation for why this exists is as a backdoor.

I don’t like the idea Microsoft can bully other websites into blocking content they don’t like.

Forks are still alive on github, so it seems unlikely microsoft did this to suppress the code. Unless they are wildly incompetent, which I don't want to outright reject as a possibility.

https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre

Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.

SandboxEscaper and Nightmare Eclipse both explicitly deny this, but I'm pretty sure they're the same person.

The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story

SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com

OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccoan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459

The twitter account was silent between aug 17 2023 and apr 3 2026, so it's not necessarily the same person using it anymore.

  > most expert researchers, all a bit quirky.

SandboxEscaper is still alive, but yeah, Eclipse's prolific vuln dropping reminds me of her.

This the same person? https://www.patreon.com/SandboxEscaper

Passed away? What evidence do you have around that statement?

palantir embraces the neurodivergent.

https://x.com/PalantirTech/status/2057157517969445252

Or being forced into homelessness by Microsoft

ahh, the false analogy comment.

Also, as a practical matter, maybe do as someone says if they have this many zero days sitting around?

While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.

Maybe don't piss off your betters?

People with skills/means don't want to live in the cheap city/suburb where they have offices. Work from home obviously isn't a thing.

Government work also usually means relocating. The money wouldn't be good enough for me to uproot my family.

"People with skills" just don't care for corporate or government bullshit. You may know them as "not being employed in a technical field", but it's just because you got filtered out.

Worse, cant be trusted to have secure products.

"Write better code more slowly" is just regular software development, without the LLM.

Transforming 'Micro$oft's' name as a form of commentary is a time-honored tradition.

I disagree with policing someone elses language like this in the first place, but it's only one insult and it's just "Microslop".

Ooops. Just copilot-made mistake of 30% comment that been AI generated. Kidding.

Actually I was a reference of Microsoft banning people on their Discord.

Because out of top "evil corps" Microsoft seem to have worst PR department.

> I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.

I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.

Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.

There are more similar ones

A quote from Billy G comes to mind

> Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.

Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.