oh lovely, so there's a new evil maid attack vector in 'yellowkey'?
well. that's decidedly unpleasant for y'all windows folks.
1
Post
Replies:
6
@munin to my understanding, the backdoor cannot work if you have a password on bitlocker itself (most people don’t, but if evil maids are a nonhypothetical concern for you, you really should)
3
@0xabad1dea @munin I've seen this debated back and forth and it's unclear if the boot PIN actually blocks this attack.
What I do know is, it's virtually unworkable in a large enough business. The idea of helpdesk talking users through resetting bitlocker boot time PINs which are different to the user passwords they already can't remember just isn't tenable.
@0xabad1dea @munin yeah and it really doesn't look like a backdoor. it's just a bad design.
@Rairii found a second one too, but for leaking files into memory.
1
@gsuberland @munin @Rairii the fundamental problem here with judging if it's malicious is that if you *wanted* to design a highly deniable backdoor that would nonetheless work on 98% of installations, this would be a really good way to do it 😩
1
@[email protected] @[email protected] @[email protected] @[email protected] "They tried to bribe me to add a backdoor, but jokes on them - it's already rushed and full of bugs."
1
@0xabad1dea @munin REALLY glad I'm not in charge of vuln management for fleets of endpoints right now.
But, really sad that I'm not in charge of fleets of endpoints right now.
