| ▲ | embedding-shape 4 hours ago |
| Seems this traces back almost a week, from Nightmare-Eclipse who is the researcher who found this: Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next patch tuesday will have a big surprise for you Microsoft" Wednesday, 13 May 2026 - "I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft." Author's blog: https://deadeclipse666.blogspot.com/ First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine." I'm not sure what to make of it, is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results. |
| ▲ | krisbolton 4 hours ago | parent | next [-] |
| I read it as the author is / was going through the vulnerability disclosure process with Microsoft and they're annoyed for unclear reasons and decided to publicly disclose, rather than being an insider. |
| ▲ | mr_mitm 3 hours ago | parent [-] | | How would that leave them homeless? | | |
| ▲ | 866-RON-0-FEZ an hour ago | parent | next [-] | | Many brilliant people have serious mental health issues that preclude their ability to regulate their emotions and act maturely in serious situations e.g. responsible vulnerability disclosure. I've watched genius-level IQ people get fired time and again because they don't know how to work with others at a basic kindergarten level. | | |
| ▲ | gusfoo 31 minutes ago | parent | next [-] | | There is, sadly, no place for non-standard ICs in corpos nowadays. HR will enforce that. | | |
| ▲ | david-gpu 25 minutes ago | parent [-] | | Emotionally immature people tend to be a liability, not an asset. Therapy can help, but they first need a willingness to do better. |
| ▲ | BoorishBears 24 minutes ago | parent | prev [-] | | This is an oddly passive-aggressive comment when a much more likely read is they were relying on the funding and the large tech company did what large tech companies do and started moving slowly. And I can see others already blaming them for relying on the vulnerability for living expenses, but if we can hold the hyper-rationalization for a second, we shouldn't be against the person who expected an organization with more money than God to uphold a deal for relative peanuts, right? Like yes we all get that large orgs make spending $5 very hard, many claps for being the in-group, but their frustration would be understandable. | | |
| ▲ | 866-RON-0-FEZ 17 minutes ago | parent [-] | | I'm supposed to feel bad that Microsoft didn't immediately wire him an advance on the bounty before validating anything? Have you ever tried to get anything corrected with a corporate payroll department? Try three months minimum. It's like suggesting someone was relying on a lottery ticket to payout to survive. | | |
| ▲ | BoorishBears 5 minutes ago | parent [-] | | I tried to be as coddling with my language as possible. Acknowledged how orgs work, separated blaming the org from sympathizing with their reaction, tried to separate the prudence of their actions from the sticky situation they'd still be left in by the orgs' actions... But it was for naught: people are really ingrained in a weird "might-makes-right" model of corporate operations. "Larry Ellison is a lawnmower" was supposed to be a jeremiad but now it's more like a guiding principle that we browbeat anyone for questioning. |
| ▲ | allset_ 3 hours ago | parent | prev | next [-] | | Presumably, not paying out for these bugs which often take weeks of research to find. | | |
| ▲ | mr_mitm 3 hours ago | parent [-] | | Who in their right mind bets on bug bounties to cover their basic needs? They should be highly employable with these kinds of skills. | | |
| ▲ | michaelt 2 hours ago | parent | next [-] | | > Who in their right mind bets on bug bounties to cover their basic needs? Someone with a vulnerability worth as much as a two bedroom apartment? | |
| ▲ | brudgers an hour ago | parent | prev | next [-] | | If you take the statement at face value, that does not appear to be the case. If you don’t take it at face value, the underlying presumptions might be a lot of why they may not be employable. | |
| ▲ | etchalon 2 hours ago | parent | prev | next [-] | | Someone who doesn't have better options? | | |
| ▲ | cortesoft 2 hours ago | parent [-] | | If you have those sorts of skills with a computer, you will have other options | | |
| ▲ | 0x3f 2 hours ago | parent | next [-] | | Really depends on your background doesn't it? You could have convictions, be sanctioned, have visa problems, or all kinds of things that are not easily solvable. | | |
| ▲ | qingcharles an hour ago | parent | next [-] | | Indeed, and this guy's personality seems a little "difficult" which might make the interview process short. I've known people with insane skills who have such weird personalities that they never get hired. Doing remote bug bounty stuff is a blessing for them. | |
| ▲ | squigz 2 hours ago | parent | prev [-] | | To say nothing of mental health issues. | | |
| ▲ | mfro 2 hours ago | parent | prev | next [-] | | Please let me know when finding a job in software engineering in 2026 is feasible for everyone with ‘computer skills’. | | |
| ▲ | echoangle 2 hours ago | parent [-] | | The guy doesn't just have "computer skills" if he found this. | | |
| ▲ | formerly_proven an hour ago | parent [-] | | Good luck convincing an HR automaton not looking at your resume for the job unposting of that. | | |
| ▲ | echoangle 44 minutes ago | parent [-] | | Come on, with these skills you could convince someone to give you a job if you’re on the streets otherwise. You might not be a senior engineer in the exact thing you want but you won’t be on the streets. |
| ▲ | 866-RON-0-FEZ 21 minutes ago | parent | prev | next [-] | | King Terry was living proof this is not true. | |
| ▲ | GolfPopper an hour ago | parent | prev | next [-] | | Good with computers and good with people/job search/finances are not the same thing, and are often inversely correlated. | |
| ▲ | MrDarcy 2 hours ago | parent | prev | next [-] | | Then you pay him since you see the value he’s creating so clearly. | | |
| ▲ | cortesoft 27 minutes ago | parent [-] | | This is a strange argument. I don't have the capital, desire, or skills to employ this guy, or anyone really. Me not hiring someone doesn't mean the skills aren't valuable. |
| ▲ | estimator7292 2 hours ago | parent | prev [-] | | We are, quite notably, in a huge hiring crisis where vast numbers of programmers and researchers can't even get interviews. It really is not that simple |
| ▲ | cowpig 3 hours ago | parent | prev [-] | | people with values different from yours, presumably | | |
| ▲ | dpark 2 hours ago | parent [-] | | This is one of those answers that seems on the surface like it contains insight but on closer inspection it's vacuous. This could be rewritten as "because they aren't you", which is true but not a meaningful or educational answer. | | |
| ▲ | panflute 2 hours ago | parent | next [-] | | Sure sounds like rhetorical questions or attacking the messenger. Someone can think the bounty industry is going to reward them for actually being exceptional and not look soon enough for other options then pivot to a stance that should give them some quick job offers. If I thought I found an intentional back door I would not engage with an embargo system from the same vendor but I am also not them. | | |
| ▲ | dpark 2 hours ago | parent [-] | | > Someone can think the bounty industry is going to reward them for actually being exceptional and not look soon enough for other options then pivot to a stance that should give them some quick job offers Sure. And that’s a meaningful answer to the question. “people with values different from yours, presumably” is a condescending nonanswer. |
| ▲ | breppp an hour ago | parent | prev [-] | | This entire thread is generally weird. If someone has this kind of exploit and can't get a bug bounty for it, and desperately needs the money, he can sell it for 100k+ in a shady black market |
| ▲ | bri3d an hour ago | parent | prev | next [-] |
| Previously discussed numerous times on HN, like: https://news.ycombinator.com/item?id=48130519 Whether this is a backdoor or not boils down to whatever your usual proclivities about "bug or backdoor" are; it's not like "if microsoft = 1 hack bitlocker" like the tech press seem to love to report. This is a bug in the NTFS transaction log replay functionality in the Windows Recovery Environment WinRE, where it will read NTFS transaction logs from an external volume and apply them to the mounted filesystem. This allows the attacker to perform an authentication bypass against WinRE. With BitLocker without PIN or Password, _any_ authentication bypass becomes a disk encryption bypass, since the disk is unsealed by the bootloader (this architectural "flaw" is true for Linux with the same configuration, as well, like Ubuntu installed with their newish Hardware Disk Encryption checkbox in the installer). In lieu of additional evidence, whether you think the NTFS transaction log issue is a planted backdoor or a simple enumeration bug depends on your conspiracy theory level, like most things in exploit development. To me, it seems like a plausible bug. The weaknesses in boot-time unseal are well known and obvious and this is just one of many, so I don't see it as an earth-shattering revelation, although it is a fun bug. |
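The configuration bri3d describes (BitLocker unsealed by the bootloader with no PIN or startup key, so any WinRE authentication bypass yields the decrypted volume) can be audited from the defender's side. The following PowerShell is an added example, not code from the thread, the researcher or Microsoft; it assumes only the built-in BitLocker module's Get-BitLockerVolume and Add-BitLockerKeyProtector cmdlets, and the function name Get-BootUnsealRisk is an assumed name.

```powershell
# Added example (not from the thread): list which BitLocker volumes unseal on
# the TPM alone, i.e. with no PIN, startup key or password required at boot.
# Those are the volumes for which a boot-time / WinRE authentication bypass
# becomes a disk-encryption bypass. Assumes the built-in BitLocker module;
# the function name is an assumption made here.

function Get-BootUnsealRisk {
    [CmdletBinding()]
    param()

    # Protector types that demand a secret beyond the TPM before the OS boots.
    $preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; normalise to strings for the comparisons.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0

        $risk = 'Other'
        if ($vol.ProtectionStatus -ne 'On') {
            $risk = 'NotProtected'          # encryption off or suspended
        } elseif ($hasTpm -and -not $hasPreBoot) {
            $risk = 'TpmOnlyAutoUnseal'     # the case discussed above
        } elseif ($hasPreBoot) {
            $risk = 'PreBootAuth'           # TPM+PIN / startup key / password
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Risk             = $risk
        }
    }
}

# Usage: show only the volumes exposed by a boot-time authentication bypass.
Get-BootUnsealRisk | Where-Object Risk -eq 'TpmOnlyAutoUnseal' | Format-Table -AutoSize

# Remediation sketch: add a TPM+PIN protector so the volume no longer unseals
# without user interaction. Requires the startup-authentication policy to permit
# PINs, and is shown commented out because it prompts interactively.
# $pin = Read-Host -AsSecureString 'New BitLocker PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

A RecoveryPassword protector alongside a bare Tpm protector does not change the classification: recovery keys are for the owner, and the volume still auto-unseals at boot, which is exactly the property that turns a WinRE bypass into plaintext access.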
| ▲ | bastawhiz 43 minutes ago | parent [-] | | It's very strange that the same component exists in Windows without the issue, though. Like the author, I'm finding it difficult to come up with reasons why they'd be different. |
| ▲ | Alifatisk 4 hours ago | parent | prev [-] |
| Can’t wait to read the blogpost of what have truly happened and motivated this person to expose M$ like this |
| ▲ | SV_BubbleTime 3 hours ago | parent [-] | | Dude. It’s been like 30+ years. You can drop M$. Yes, they exist to make money. They’re shitty and they make money. Yes. That’s ok. Microslop if you must, but must you? | | |
| ▲ | supern0va 2 hours ago | parent | next [-] | | I hear you. But, I must also admit that reading "M$" in public discourse sure makes me nostalgic for better days on the internet. | |
| ▲ | enopod_ 3 hours ago | parent | prev | next [-] | | Micro$lop it is from now on :) | |
| ▲ | pluc 3 hours ago | parent | prev | next [-] | | Yeah man we've been saying negative things about them for like 40 years must we constantly dwell on what they do wrong? It's time we find positive angles | | |
| ▲ | treyd 3 hours ago | parent | next [-] | | They keep doing negative things that influence the industry and infringe upon the freedoms of hundreds of millions of people. Yes we should keep dwelling on that. | | |
| ▲ | dijit 2 hours ago | parent [-] | | I read the parent as sarcastic, since they mentioned the continued negative things they do. |
| ▲ | Cthulhu_ 2 hours ago | parent | prev | next [-] | | Positive HN-appropriate angle: they're very financially successful and have been for 40 years. | |
| ▲ | stackghost 3 hours ago | parent | prev [-] | | >Yeah man we've been saying negative things about them for like 40 years Well gee, I wonder why people have been saying negative things about them for so long? Perhaps if it's been that long there's a kernel of truth to the matter. Perhaps they're a shitty company who does shitty things selling shitty products. |
| ▲ | bombcar 2 hours ago | parent | prev | next [-] | | From my basement in Wyoming, I stab at thee! | |
| ▲ | nizbit 3 hours ago | parent | prev | next [-] | | Micro$lop it is! | |
| ▲ | Brian_K_White 3 hours ago | parent | prev | next [-] | | But nothing has changed. It's fair to say it's silly, juvenile, but it's also fair to say MS deserve absolutely no normal respect you would pay a turd. Maybe the poster actually is 12 and we all have a right to be 12 for a while. There's always a new generation discovering today what we discovered 30 years ago. | | |
| ▲ | naasking 2 hours ago | parent [-] | | Nothing has changed? Microsoft is a huge open source contributor now, produced one of the largest open source ecosystems in use (.NET) and provides free access to the biggest open source software repositories (GitHub). Sorry to say, but believing nothing with MS has changed is deranged. | | |
| ▲ | edoceo 2 hours ago | parent | next [-] | | I view it as new paint on same crappy house. They had to do the open-source thing for .NET because of external pressure - not because they've changed. They had to get GitHub because of the eyeballs. It's not some altruistic play. In both cases some VPs spun it around, juked the stats and got their bonus. The first E of EEE feels so good makes you forget the inevitable outcome. Like heroin. | |
| ▲ | josefx an hour ago | parent | prev | next [-] | | > produced one of the largest open source ecosystems in use (.NET) Are they going to ship an official cross platform UI library any time the next century? Decades after the Java lawsuit they still ship only a crippled copy of their scrapped Microsoft JVM for other platforms. > Microsoft is a huge open source contributor now Aren't almost all of their contributions for integration with their proprietary technology? > Sorry to say, but believing nothing with MS has changed is deranged. Yes, they got worse. They maintained Windows XP for ages and you could actually feel the improvements they shipped. Windows 11 meanwhile makes me wait for them to add a robotic arm with a knife as hardware requirement, to improve the backstabbing experience. | |
| ▲ | Brian_K_White 2 hours ago | parent | prev [-] | | Nothing has changed except that it's even worse now than before, and the venue or arena changes every few years (os to developer tools to office to cloud etc). vscode or .net core or whatever you think is so valuable does not make MS your friend any more than giving you free IE did. Come the fuck on. It is beyond ignorant to try to make this argument. (or it's perfectly consistent with having a financial interest) I guess if there are always new 20 year olds just discovering something, that must mean there are also always new 15 year olds that haven't discovered it yet, and 80 year olds that have gone Dawkins and lost what they had, and the just plain ignorant or unobservant with no real excuse. |
| ▲ | itsthecourier 2 hours ago | parent | prev [-] | | even Bill Gates bailed out of M$ https://finbold.com/bill-gates-foundation-fully-dumps-its-mi... | | |
| ▲ | bananamogul an hour ago | parent [-] | | He personally still owns 100m shares (per your article) and has not bailed out. The B&MG foundation sold their remaining 7.7m shares. |