Alaknár

If you actually read his github you would know that there is a different version of the responsible component between the recovery environment and an installation. Only the RE has the issue.

I know. It was mentioned in the article. It’s precisely why I said:

Another possibility is that they have two separate builds fro BitLocker, and the one used in WinRE is vulnerable which they missed.

Microsoft is the developer of the vulnerable bitlocker package and the ones who chose to ship it.

… one guy claims.

Another possibility is that they have two separate builds fro BitLocker, and the one used in WinRE is vulnerable which they missed.

We don’t have enough information to clearly state that they did this on purpose.

We can know for FOSS software. You are treating uknownable as being less than the known bugs in Foss software. That’s dishonest, lad.

Again, read up about the XZ Utils vulnerability. We technically can know, but we don’t know, which was a statement by the guy responsible for package. It’s not dishonest, it’s a statement of fact.

I wish you all the luck in regaining a bit of happiness in life, so that you can stop with this insane “us vs them” bullshit. It’s unhealthy, mate.

Microsoft shipping a vulnerable version of the recovery environment. It is the ‘exploit’.

Red Hat and Canonical shipped a vulnerable version of SSH, the thing was caught basically hours before hitting all devices around the world.

Should Red Hat and Canonical be now considered hostile as much as MS is?

You select people who will remain complicit till they have a grievance against you. Even if they don’t and talked for moral reasons do you think they would not been fired for it?

I can only answer by saying this: I wish you luck in the job market and hope you’ll eventually find an employer you don’t assume to be a hostile entity towards you.

Who knows. How many more went through at closed source software a limited amount of people can test in the same way?

This is the equivalent of “prove that God doesn’t exist”. We can’t know because they haven’t been found, mate.

Yeah, that’s kind of the exact opposite of the point I was making, but you do you.

At least one of them only needs a remote session and access to any account on the device.

Of course there are! The only truly secure computer system is one that’s not powered up, after all.

You don’t understand! Someone doing that on some other social media platform is bad and insane! Him doing that on this social media platform is good and based! Jesus Christ, it’s a simple concept!

Don’t worry about it. You can’t see it anymore so it’s surely fine!

You’re saying they’re going “the wrong way”, but from the standpoint of a publicly traded company it’s literally the best way possible.

You promise to give $1million to Nvidia, Nvidia promises to give $1million to you - wam, bam, suddenly your stock market valuation’s up, people are throwing their money at you, and you didn’t even have to call your bank to make any transfers.

They’re literally printing money out of thin air.

That it will all crash and burn at some point? Who cares? If everyone goes down, you can blame the market. If you’re not in on the bandwagon while everyone else is printing money, you get sacked by the board of directors.

That’s all there is to it.

The statement is stupid because it is already well known across the board that Microsoft is, by all intents and purposes, a malware developer

Hahahahahaha, and you call my comments “stupid”? XD

OK, I’m not even reading the rest, mate. I get it! I really do - “Microsoft bad!”, that’s all there is to it for you. There’s no discussion to be had here, unless someone is also a member of the cult, and then everyone can chant “Microsoft bad! Microsoft bad!”.

Weak sauce, mate. Cheers!

Removed by mod

Microsoft develops Windows with the intention of making it vulnerable, so it is effectively commercial malware

The intention is currently suggested by a disgruntled ex-employee. I’d say that warrants caution before making such broad statements.

Dude, enjoy your Windows then.

Well, I’m a Linux user so I can’t.

This is not Twitter (or X or whatever) where you can go do your master’s bidding of creating noise to try and control the normies

Of course you can! Just like on every other social media! What are you even talking about? :D

Here most of us know how to do research and have the ability to differentiate bots (human or otherwise) from actual thinking individuals with a modicum of common sense and more than 2 functioning brain cells.

You’d think that, but if you actually know a bit about tech, this community is hilariously ignorant most of the time - on all the matters you mentioned. :D

Look at your down-votes and take a hint. That bullshit has no effect here.

The hint is that this community is extremely aggressive towards language that goes against the hive-mind. The bullshit has no effect because people can’t differentiate what’s bullshit and what isn’t, so they just automatically assume any statement that isn’t violently anti-MS is bullshit spewed by bots at their master’s bidding.

Take your comment as example…

Right, because it’s impossible to get a person’s credentials in this day and age.

And yet you replied again…

I mean, if you have nothing of value to say, why even make a comment? Just block me and move on, mate.

Or, I don’t know, engage and tell say why you think this comment was stupid?

They will be patched. There is also no indication that they 'be been known and exploited till recently.

Two of the three are being used in the wild, with Copy Fail being retroactively found at least 9 days before the disclosure.

What are the indications that the BitLocker vulnerability is already being utilised?

This was allegedly deliberately non patched to be exploited.

Alleged by a guy who was fired from Microsoft. I’d take that with a pinch of salt.

Getting a system without bugs and security issues is impossible, you can at least avoid intentional compromise.

I agree! But other than one angry dude, not much else is pointing towards this being intentional - so far! Let’s see how things go.

That being said, open source repos are being attacked constantly with attempts at intentional malicious code injection - I’m sure you’ve heard of XZ Utils? How many others went through and are being exploited without anyone noticing?

Those are potential vulnerabilities that can be patched

“Potential”? They are actively being exploited. And they don’t require physical access to the device.

Copy Fail, Dirty Frag and Fragnesia exist. What are you going to switch to now?