• Mwa@thelemmy.club · ↑40 · 1 day ago

    AFAIK Microsoft gave the keys for BitLocker to governments before, so classic Microsoft.

    • vandsjov@feddit.dk · ↑9 · 19 hours ago

      That is true. When people have saved them to their Microsoft account, Microsoft has access to them.

    • Mwa@thelemmy.club · ↑17 ↓1 · 1 day ago

      ig “Proprietary software is often malware” is kinda not an exaggeration.

  • Aceticon@lemmy.dbzer0.com · ↑77 ↓4 · 1 day ago

    If you’re running Windows, always assume that if the US authorities or Microsoft itself want to spy on you as an individual or do a little industrial espionage on your company (which US agencies also do), they’ll just use a backdoor already present or at worst push an update to your machine(s) to create said backdoor.

    Treat any and all software made by US companies as a foreign agent.

    All the shit that the US Government and companies say about China is pure projection - the result of a mental process of “what would we do if we were the ones making those devices”. (And, yeah, China probably does that shit too)

    If it ain’t open source, or you got it as a binary or it can self-update, that software is somebody else’s agent and you’re trusting their ethics and goodwill when you have it running on your system outside a sandbox.

    • dread@lemmy.world · ↑14 · 1 day ago

      What’s unfortunate is a significant number of people don’t like hearing this and instead choose to project onto other countries. Most of our governments aren’t our friends, regardless of whether you’re American or not.

    • ShankShill@sh.itjust.works · ↑13 · 1 day ago

      I was pumped to finally get decent Internet in the US, until I saw my ISP’s router appears as a device on the LAN. Luckily I’m savvy enough to put the whole local network behind a firewall on a different subnet, since there’s no other way of fixing this.

      • youmaynotknow@lemmy.zip · ↑14 · 1 day ago

        It’s not just US ISPs, this is worldwide behavior. Good on you to put a firewall between your network and your ISP’s gateway.

        I don’t know if you went further than that, but in my case, once I had my OPNSense deployed, I went ahead and disabled all the radios of the ISP’s ONT gateway, changed its DNS server to Mullvad, and only left 1 LAN IP address to the OPNSense.

        If you are aware of more things that can be done to give the ISP modem even less room to move around inside, I would appreciate you sharing it as well.

        I wish more people would take the time to learn a bit about securing their home networks. What I do is that I offer my knowledge for free to neighbors, friends and family. Some actually want it and act on it, but the sad truth is that the vast majority still has this ‘I have nothing to hide’ mentality, and I’m not explaining how much marketing BS that is to them for the 100th time.

        • Hathaway@lemmy.zip · ↑5 · 1 day ago

          As someone with a basic background in IT, nothing advanced, but enough to be the “family tech guy”, I just bought my router (mesh network). What can I do? Where do I start? I think I may have messed up with my brand choice, being EERO, as they seem to have things locked into their proprietary app. I was sorta desperate for a quick fix at the time, didn’t do the due diligence I should have.

          Edit: preemptive thank you if you take the time to reply. As I am not “friends or family to you”. I do appreciate the expertise!

          • youmaynotknow@lemmy.zip · ↑3 · 1 day ago

            In all honesty, even that is an improvement. You’re effectively segregating the access to your data already. I also started with Eero because I didn’t know better. Since you already invested in Amazon’s devices, I would start by using the main network for your devices and those of your family (computers, phones, game consoles and media devices), and if you have IoT devices, put those on the guest network. That way the insecure IoT devices are segregated from your data. If you don’t have IoT devices at home (smart cameras, robot vacuums, light switches and such), then I would move the media devices to the guest network.

            After that, I would suggest you start, at your own pace, slowly, researching moving to infrastructures that will give you more control. But again, slowly. Don’t make the mistake I made of doing it all at once, which led me to making too many mistakes like buying stuff only to find something better 2 days later. I even made the mistake of getting a full Unifi infrastructure, and while it’s a huge improvement in terms of segregation control, it lacks too many features and is, by all intents and purposes, yet another US tech company, so I can’t trust them.

            Do some research on OPNSense (some people would point you to PFSense, which is also better than closed source stuff) and then start looking into more open access points like Grandstream or similar if you want VLAN tagging.

            The possibilities are endless, but fair warning, this turns into a rabbit hole real fast. Once you’re here you’ll be wanting to add AdGuard Home or Pi-hole, then you’ll be looking at self-hosting everything (still looking into self-hosting our fridge 🤣).

            But don’t fret, you’re at a good start, and there is no rush. You’ll see that, if you start by asking here in Lemmy, maybe also in Mastodon and some forums dedicated to this workflow, you’ll find the path that best adheres to your specific needs. As long as you don’t allow the pressure of getting it done get to you (good luck with that, as I think that’s the toughest battle) you can do this one step at a time. For example, you can start at the root by researching open source router OSs (OpenWRT, OPNSense, PFSense, IPFire, etc.), and once you find the one you’re comfortable with, you can deploy it between your ISP’s modem and your Eeros to start. That’s a huge step up, and probably will take you about 60 - 75% of the way to where you need to be in terms of control of your networks.

            Come and ask in Lemmy. Yes, you will have to face some assholes, but most of the folks here are passionate about these topics and are happy to help bring in more to the community.

            • Hathaway@lemmy.zip · ↑3 · 21 hours ago

              Thank you so much for this write up! I may PM you if I come across questions, if that’s okay. It’ll be likely down the line though, have a few things to sort out before going back into my network.

              • youmaynotknow@lemmy.zip · ↑3 · 19 hours ago

                By all means. I enjoy helping in what I can to make more people take back control. And if I already messed up spectacularly, I see no reason to see others go through that as well if they can learn from my mistakes.

          • oozynozh@sh.itjust.works · ↑2 · 1 day ago

            I’m sure that’s a fine setup for the average home user, but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. Because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to Eero). That and you have no way of verifying what data it’s phoning home (and a lot of devices soft-brick themselves if you cut their connection to the cloud).

            The most useful advice I can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution, and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.

            • youmaynotknow@lemmy.zip · ↑3 · 1 day ago

              Yeah, you’re absolutely correct here. But him having already made the investment and removing some of the control over his network from his ISP is a step in the right direction. It should also be noted that, for someone that does not have the knowledge yet, one step at a time is the sanest path, and I say this from my own experience. I went all in, and that led me to making many mistakes.

              As you say, adding something like OPNSense or OpenWRT between the Eeros and the ISP modem is the next logical step. Then, getting a switch (or some switches depending on his needs) and SSID-VLAN taggable APs to replace the Eeros. After that, it’s time to have 7 or more local networks in the house 🤣. It can get wild, and it’s so much fun. The feeling of empowerment this provides is second to none.
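The topology this sub-thread converges on (a firewall on its own subnet between the ISP gateway and the LAN, the ISP gateway treated as untrusted, IoT on a separate VLAN) is shown below as an added example; it is editorial code, not something posted in the thread or shipped by OPNsense, pfSense or OpenWRT. It assumes a plain Linux box with nftables acting as the router; the interface names, the 192.168.1.0/24 ISP segment, the 10.10.0.0/24 and 10.10.20.0/24 subnets and VLAN 20 are placeholders chosen for the example. By default the script only prints the ruleset; `check` syntax-checks it with nft and `apply` loads it.

```shell
#!/bin/sh
# Added example, not from the thread: an nftables ruleset for a Linux box
# placed between the ISP gateway and the home LAN, so the ISP gateway sits on
# its own (untrusted) segment and can never initiate connections inward.
#
# Assumed topology (placeholders chosen for this example):
#   WAN_IF -> the ISP gateway's segment, ISP_NET (e.g. 192.168.1.0/24)
#   LAN_IF -> trusted LAN, 10.10.0.0/24
#   IOT_IF -> IoT VLAN as an 802.1Q sub-interface, 10.10.20.0/24
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IOT_IF="${IOT_IF:-eth1.20}"
ISP_NET="${ISP_NET:-192.168.1.0/24}"

# Print the ruleset. Input and forward default to drop; only the listed
# directions are allowed, everything else (including the ISP gateway poking
# at the LAN) hits the policy.
gen_ruleset() {
    cat <<EOF
flush ruleset

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Count what the ISP gateway tries against the router, then drop it.
        # Inspect with: nft list chain inet fw input
        iif "$WAN_IF" ip saddr $ISP_NET counter drop
        # Admin (SSH/HTTPS), DNS and DHCP only from the trusted LAN.
        iif "$LAN_IF" tcp dport { 22, 443, 53 } accept
        iif "$LAN_IF" udp dport { 53, 67 } accept
        # IoT VLAN gets DNS and DHCP from the router, nothing else.
        iif "$IOT_IF" tcp dport 53 accept
        iif "$IOT_IF" udp dport { 53, 67 } accept
        iif { "$LAN_IF", "$IOT_IF" } icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Keep IoT away from the ISP gateway's admin interface; this must
        # come before the IoT -> WAN accept below.
        iif "$IOT_IF" ip daddr $ISP_NET drop
        # Trusted LAN and IoT may reach the Internet. Nothing arriving on
        # WAN_IF may start a connection inward: it falls through to drop.
        iif "$LAN_IF" oif "$WAN_IF" accept
        iif "$IOT_IF" oif "$WAN_IF" accept
        # Trusted LAN may open connections to IoT (e.g. a camera); replies
        # return via conntrack. IoT never initiates toward the trusted LAN.
        iif "$LAN_IF" oif "$IOT_IF" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "$WAN_IF" masquerade
    }
}
EOF
}

# Syntax-check without loading (needs nft; skipped where it is missing).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Exit 0 if the generated ruleset contains the exact rule text given.
has_rule() {
    gen_ruleset | grep -Fq -- "$1"
}

case "${1:-show}" in
    show)  gen_ruleset ;;
    check) check_ruleset ;;
    apply) gen_ruleset | nft -f - ;;   # as root, on the router itself
esac
```

Run it as `WAN_IF=eth0 LAN_IF=eth1 IOT_IF=eth1.20 sh fw.sh check` first, then `apply`. This is double NAT (the ISP gateway still NATs on its own WAN), which is fine for outbound-only home use; the gateway only ever sees the router's single WAN address, matching the "one LAN IP left to the firewall" setup described above, and the counter on the WAN drop rule tells you whether the gateway is probing your side at all.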

        • AlfredoJohn@sh.itjust.works · ↑3 · 1 day ago

          Just adding, if you have any resources about how to go about this I would more than appreciate any nuggets you can share. I have some networking background from college but it’s been about a decade since I used any of it, so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!

          • youmaynotknow@lemmy.zip · ↑1 · 1 day ago

            By all means man. Full disclosure, what I suggest is because it worked for me, so it’s always wise to research based on anyone’s suggestions and then choose the path that would work best for your intentions. In my case, I have a VLAN for my kids because their access goes away every night at 8pm on weekdays, for example. My wife has her own VLAN because there is some stuff I have blocked that she wants access to. Then I have a media VLAN for gaming consoles and streaming devices, IoT is separate, CCTV in its own VLAN, etc. If you scroll up a bit, you’ll find another reply I just added. If you can tell us what you’re looking to achieve, and what infrastructure you currently run, I know some of us will love to suggest options to point you in the right direction.

            On a separate note, I still want someone to tell me if there’s anything else I can do on my ONT modem to harden it even more.

      • lightnsfw@reddthat.com · ↑5 · 1 day ago

        Same. My housemates called the ISP for support once when they couldn’t wait literally 15 minutes for me to check out why their Internet was down (router just needed a restart), and the first thing out of the ISP dude’s mouth was “with the way your network is configured I can’t see anything on your side” (which, yeah, that’s the fucking point). He was in the middle of walking them through resetting the ISP router back to defaults when I arrived and put a stop to it. Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

        • the_crotch@sh.itjust.works · ↑3 · 24 hours ago

          Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

          L1 isn’t there to think, they’re there to read from their script.

          • lightnsfw@reddthat.com · ↑2 · 23 hours ago

            I mean yeah, but I was hoping the people I share living space with would have at least been smart enough to work that out.

  • an0nym0us_dr0ne@europe.pub · ↑29 · 1 day ago

    No shit, Sherlock. Not as if it would be required by US law to have a backdoor or anything…

    No no, the Patriot Act, CLOUD Act and stuff like PRISM just do not exist…

    • Alaknár@sopuli.xyz · ↑6 ↓45 · 1 day ago

      Copy Fail, Dirty Frag and Fragnesia exist. What are you going to switch to now?

      • ZILtoid1991@lemmy.world · ↑3 · 9 hours ago

        There were always some known exploits for Linux, some required you to know what hardware the target had.

        • Alaknár@sopuli.xyz · ↑2 · 8 hours ago

          Of course there are! The only truly secure computer system is one that’s not powered up, after all.

      • youmaynotknow@lemmy.zip · ↑25 ↓2 · 1 day ago

        Those are ‘vulnerabilities’ being exploited, and software will always have those, and when found, in Linux, they are patched, rather quickly in some cases. Microsoft develops Windows with the intention of making it vulnerable, so it is effectively commercial malware.

        Those are 2 entirely different things.

        • Alaknár@sopuli.xyz · ↑4 ↓1 · 1 day ago

          Microsoft develops Windows with the intention of making it vulnerable, so it is effectively commercial malware

          The intention is currently suggested by a disgruntled ex-employee. I’d say that warrants caution before making such broad statements.

          • youmaynotknow@lemmy.zip · ↑1 · 1 day ago

            No, Microsoft BAD! Now, does the fact that this is an allegedly disgruntled employee remove all the predatory bullshit and malware Microsoft does all the time? Just think about it, research a bit how Microsoft drives its business and revenue. It’s all there for anyone to see.

      • azuth@sh.itjust.works · ↑41 ↓1 · 1 day ago

        They will be patched. There is also no indication that they’ve been known and exploited till recently.

        This was allegedly deliberately left unpatched to be exploited.

        Getting a system without bugs and security issues is impossible, you can at least avoid intentional compromise.

        • Alaknár@sopuli.xyz · ↑3 ↓15 · 1 day ago

          They will be patched. There is also no indication that they’ve been known and exploited till recently.

          Two of the three are being used in the wild, with Copy Fail being retroactively found at least 9 days before the disclosure.

          What are the indications that the BitLocker vulnerability is already being utilised?

          This was allegedly deliberately left unpatched to be exploited.

          Alleged by a guy who was fired from Microsoft. I’d take that with a pinch of salt.

          Getting a system without bugs and security issues is impossible, you can at least avoid intentional compromise.

          I agree! But other than one angry dude, not much else is pointing towards this being intentional - so far! Let’s see how things go.

          That being said, open source repos are being attacked constantly with attempts at intentional malicious code injection - I’m sure you’ve heard of XZ Utils? How many others went through and are being exploited without anyone noticing?

          • youmaynotknow@lemmy.zip · ↑14 ↓2 · 1 day ago

            Dude, enjoy your Windows then. This is not Twitter (or X or whatever) where you can go do your master’s bidding of creating noise to try and control the normies. Here most of us know how to do research and have the ability to differentiate bots (human or otherwise) from actual thinking individuals with a modicum of common sense and more than 2 functioning brain cells.

            Look at your down-votes and take a hint. That bullshit has no effect here.

            • Alaknár@sopuli.xyz · ↑4 ↓10 · 1 day ago

              Dude, enjoy your Windows then.

              Well, I’m a Linux user so I can’t.

              This is not Twitter (or X or whatever) where you can go do your master’s bidding of creating noise to try and control the normies

              Of course you can! Just like on every other social media! What are you even talking about? :D

              Here most of us know how to do research and have the ability to differentiate bots (human or otherwise) from actual thinking individuals with a modicum of common sense and more than 2 functioning brain cells.

              You’d think that, but if you actually know a bit about tech, this community is hilariously ignorant most of the time - on all the matters you mentioned. :D

              Look at your down-votes and take a hint. That bullshit has no effect here.

              The hint is that this community is extremely aggressive towards language that goes against the hive-mind. The bullshit has no effect because people can’t differentiate what’s bullshit and what isn’t, so they just automatically assume any statement that isn’t violently anti-MS is bullshit spewed by bots at their master’s bidding.

              Take your comment as example…

              • youmaynotknow@lemmy.zip · ↑1 · 1 day ago

                I’ll absolutely agree on that one part of your comment. At this point, any comment that remotely seems like it’s defending anything Microsoft does is, to me, now considered a bullshit attempt by MS to clear their name to some extent. When a company is so consistently voicing lies all over the place, their actions display those lies in clear light, and someone is defending any of it, yeah, no use in even looking into it, so it goes into the ‘planted bot’ bag out of principle alone.

                One more thing I’ll agree on is the hive mind mentality, and we all live through that to some degree, no exceptions. We would all like to think we’re this individual entity with minds of our own influenced by nothing and no-one, but we all know that’s bullshit, unless you live in a cave at the top of Mount Everest and your community is made out of fucking squirrels and frozen rocks (no idea if there are caves or squirrels on Mount Everest, or rocks for that matter, I pulled those out of my ass). We do have the ability to question everything.

                Now, while there are all kinds of people in Lemmy, there are only 2 main groups that then branch out to the other sub-groups. There’s those of us that want less “moderated by what may damage the ‘company’” content and discussions, and then there’s those that are here to disrupt and misinform, regardless of whether it’s of their own volition or if there’s someone above them pushing it, whatever the intention may be. You’re so clearly part of the latter that blocking you, like you suggested to someone else, would be to your advantage alone, not the community’s. For example, why did you only take a snippet of my comment about how this is not Twitter instead of the whole paragraph? I’ll tell you why. This is the same behavior used by some Christian pastors to manipulate people by reading some small parts of the Bible to eliminate the original context and inject their own. You’re too fucking transparent, try harder.

                That’s all I have in terms of responses to your

                • Alaknár@sopuli.xyz · ↑3 ↓1 · 8 hours ago

                  I wish you all the luck in regaining a bit of happiness in life, so that you can stop with this insane “us vs them” bullshit. It’s unhealthy, mate.

          • azuth@sh.itjust.works · ↑2 · 24 hours ago

            What are the indications that the BitLocker vulnerability is already being utilized?

            Microsoft shipping a vulnerable version of the recovery environment. It is the ‘exploit’.

            Alleged by a guy who was fired from Microsoft. I’d take that with a pinch of salt.

            Such is the nature of closed source software. You select people who will remain complicit till they have a grievance against you. Even if they didn’t and talked for moral reasons, do you think they would not have been fired for it?

            That being said, open source repos are being attacked constantly with attempts at intentional malicious code injection - I’m sure you’ve heard of XZ Utils? How many others went through and are being exploited without anyone noticing?

            Who knows. How many more went through at closed source software a limited amount of people can test in the same way?

            • Alaknár@sopuli.xyz · ↑2 ↓2 · 8 hours ago

              Microsoft shipping a vulnerable version of the recovery environment. It is the ‘exploit’.

              Red Hat and Canonical shipped a vulnerable version of SSH, the thing was caught basically hours before hitting all devices around the world.

              Should Red Hat and Canonical be now considered hostile as much as MS is?

              You select people who will remain complicit till they have a grievance against you. Even if they don’t and talked for moral reasons do you think they would not been fired for it?

              I can only answer by saying this: I wish you luck in the job market and hope you’ll eventually find an employer you don’t assume to be a hostile entity towards you.

              Who knows. How many more went through at closed source software a limited amount of people can test in the same way?

              This is the equivalent of “prove that God doesn’t exist”. We can’t know because they haven’t been found, mate.

              • azuth@sh.itjust.works · ↑1 · 6 hours ago

                Were they the developers of the SSH package? Microsoft is the developer of the vulnerable BitLocker package and the ones who chose to ship it.

                I am employed; most employers are obviously not as corrupt as the biggest corporations on the planet, they simply can’t afford to be.

                I agree we can’t know. We can know for FOSS software. You are treating the unknowable as being less than the known bugs in FOSS software. That’s dishonest, lad.

                • Alaknár@sopuli.xyz · ↑1 · 6 hours ago

                  Microsoft is the developer of the vulnerable BitLocker package and the ones who chose to ship it.

                  … one guy claims.

                  Another possibility is that they have two separate builds for BitLocker, and the one used in WinRE is vulnerable, which they missed.

                  We don’t have enough information to clearly state that they did this on purpose.

                  We can know for FOSS software. You are treating the unknowable as being less than the known bugs in FOSS software. That’s dishonest, lad.

                  Again, read up about the XZ Utils vulnerability. We technically can know, but we don’t know, which was a statement by the guy responsible for the package. It’s not dishonest, it’s a statement of fact.

      • demonsword@lemmy.world · ↑3 · 21 hours ago

        What are you going to switch to now?

        You’re right, we should burn all computers and return to use dead tree matter to write things down, and abaci for math operations.

        • Alaknár@sopuli.xyz · ↑1 ↓2 · 8 hours ago

          Yeah, that’s kind of the exact opposite of the point I was making, but you do you.

      • michaelmrose@lemmy.world · ↑11 ↓1 · 1 day ago

        Those are potential vulnerabilities that can be patched. This is an indication that MS intends for BitLocker (which you really need to be secure to bother using Windows on a laptop) to never be secure by design.

        • Alaknár@sopuli.xyz · ↑4 ↓7 · 1 day ago

          Those are potential vulnerabilities that can be patched

          “Potential”? They are actively being exploited. And they don’t require physical access to the device.

          • wendigolibre@lemmy.zip · ↑6 ↓2 · 1 day ago

            They don’t require physical access, but they require access to a non-root account on the machine. How often do you create accounts on your local machine for malicious actors to use?

            When you do a new OS install, do you create a separate user account for guests and then share the login details with random people?

            • Alaknár@sopuli.xyz · ↑3 ↓5 · 1 day ago

              Right, because it’s impossible to get a person’s credentials in this day and age.

      • 87Six@lemmy.zip · ↑10 ↓3 · 1 day ago

        I always wonder whether to block people like you.

        Sometimes I see your comments and get angry at how stupid you are.

        Other times I see your comments and become really aware of how intelligent I am compared to… whatever the hell you are.

        • Alaknár@sopuli.xyz · ↑5 ↓11 · 1 day ago

          I mean, if you have nothing of value to say, why even make a comment? Just block me and move on, mate.

          Or, I don’t know, engage and say why you think this comment was stupid?

          • youmaynotknow@lemmy.zip · ↑6 ↓3 · 1 day ago

            I’ll gladly take over. The statement is stupid because it is already well known across the board that Microsoft is, by all intents and purposes, a malware developer. The Linux kernel on the other hand, and therefore Linux distros (most of them anyway), by being open source, at least give you the ability to look at the code and see if something is broken, assuming you have the knowledge and the will, evidently.

            Now, blocking you when you’re evidently on Lemmy to spread misinformation, be it of your own will or because you were planted (irrelevant), would be a disservice to people that come in here to interact in ways that may help them escape the grasp big tech and governments currently have on them.

            This is not Twitter (or X) where most people just follow the “normy” trends. In here most of us are all too aware of most of the truth out there, and keep digging to help each other have the best life we can in these technologically dark times.

            So, if you don’t want your easily disproven bullshit comments countered and downvoted to the point that people will just scroll past your shit, you’re going to have to block us. Otherwise, keep them coming, any of us will knock down your sheep-like pushes with sound logic and facts each and every time. Of course, if your comments are accurate, they will be upvoted as well. Cause and effect, you know?

            • Alaknár@sopuli.xyz · ↑3 ↓3 · 1 day ago

              The statement is stupid because it is already well known across the board that Microsoft is, by all intents and purposes, a malware developer

              Hahahahahaha, and you call my comments “stupid”? XD

              OK, I’m not even reading the rest, mate. I get it! I really do - “Microsoft bad!”, that’s all there is to it for you. There’s no discussion to be had here, unless someone is also a member of the cult, and then everyone can chant “Microsoft bad! Microsoft bad!”.

              Weak sauce, mate. Cheers!

          • youmaynotknow@lemmy.zip · ↑3 ↓2 · 1 day ago

            How many more people need to tell you exactly why your comments are ‘stupid’? I also think your comments are stupid, but more than that, I think you’re planted here to throw dirt on open source software in an attempt to lead people to big tech (which is a waste of time on your part).

            Like my fellow Lemmy smart users here, your comments also piss me off, just a bit, but there’s going to be some people here that are looking for reasons and ways to get away from MS, Google, Apple and all other bullshit malware and spyware corporations, and I want to be able to counter bullshit like yours by clarifying how wrong those are and why, so blocking you is not the best course of action for me. You are, however, welcome to block me, and I will stop following your ill-intended comments to counter them then.

            • Alaknár@sopuli.xyz
              link
              fedilink
              English
              arrow-up
              3
              arrow-down
              2
              ·
              1 day ago

              I think you’re planted here to throw dirt on open source software

              You have no idea how hilarious this sounds aimed at a Linux user. :D

              But I learned to expect nothing else from this community! :D

              Like my fellow Lemmy smart users here

              XD

  • Deebster@infosec.pub
    link
    fedilink
    English
    arrow-up
    62
    ·
    2 days ago

    This Chaotic Eclipse/Nightmare Eclipse is the same one whose opening post read:

    I never wanted to reopen a blog and a new github account to drop code…

    But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.

    I’m guessing there’s plenty more to come.

    Kinda funny that they’re targeting Microsoft and yet using GitHub to share the PoCs.

  • Miller@lemmy.world
    link
    fedilink
    English
    arrow-up
    196
    arrow-down
    7
    ·
    2 days ago

    You mean that thing everyone knew about since the authorities derailed open-source TrueCrypt and forced them to message their users that they should migrate to BitLocker?

    • WesternInfidels@feddit.online
      link
      fedilink
      English
      arrow-up
      105
      arrow-down
      3
      ·
      edit-2
      2 days ago

      There’s an open-source successor to TrueCrypt called VeraCrypt. For that matter, as far as I know, one can still download the last version of TrueCrypt. It hasn’t been disappeared.

      It’s true that the TrueCrypt developers retired and said that commercial packages like BitLocker were finally good enough and available enough that they didn’t feel compelled to maintain TrueCrypt. I remember that. I think it’s plausible that Microsoft has (or has provided to someone) back-door access to BitLocker, but I don’t remember any hint that the TrueCrypt developers had been coerced; have you got something you can link to?

      • Miller@lemmy.world
        link
        fedilink
        English
        arrow-up
        44
        arrow-down
        3
        ·
        2 days ago

        Certainly at the time there was talk of coercion, there was talk the developers had been asked to put in a backdoor, had refused and then been encouraged to cease and desist their work on TrueCrypt and provide written recommendation of BitLocker, the wording of which did not seem to be their own. But people like conspiracies, maybe the authors did just move on, and if that was encouraged it probably was not as sinister as suggested. Security and privacy will always be duking it out.

        • tomiant@piefed.social
          link
          fedilink
          English
          arrow-up
          26
          arrow-down
          4
          ·
          edit-2
          2 days ago

          But people like conspiracies,

          In spite of the fact that they never happen and that government mass surveillance isn’t a thing and hasn’t been exposed repeatedly for decades and that we all know they have not been aiming to do this exact thing for the better part of a century and that they are genuinely evil and literally never prove themselves to be over and over and over.

          • Miller@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            1 day ago

            There is that, but in a more general sense I think people like conspiracies because they have a deep need to believe that there is an intelligent direction to human affairs, even if it is malign, and that the world is not actually chaotic and uncontrolled at the largest scale. It stems I suppose from infancy when even while we pushed at them we needed to know the unfathomable rules our parents set came from a better understanding of things than was available to us.

            • tomiant@piefed.social
              link
              fedilink
              English
              arrow-up
              1
              ·
              19 hours ago

This take I buy. My grievance is like, with people who lambast “conspiracy theorists” (because apparently that’s a term for a fucking social identity we actually have to use in 2026) fall in the same trap as those who drop Dunning-Kruger effect - as we all know we all think we are smarter than average, and dumb people especially believe this, alas, just because you think you’re smarter than the average doesn’t necessarily mean you’re wrong.

              Just because you believe in a conspiracy doesn’t mean there isn’t one. There are informed opinions. They are rare, and hard to come by, but still. Technically correct = best correct.

      • Creat@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 days ago

        These days, if you’re not on Windows you can use luks or just zfs with encryption enabled. Code is open and can be audited by anyone. But yes, VeraCrypt to my knowledge is also still a viable option.

    • helpImTrappedOnline@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 day ago

Well, there’s a big difference between “knowing” something and knowing something (i.e. proof your intuition is right).

  • DeathsEmbrace@lemmy.world
    link
    fedilink
    English
    arrow-up
    105
    arrow-down
    6
    ·
    2 days ago

    The entire Microsoft, Apple and Google ecosystem is USA backdoors. That’s why I call it American spyware.

    • muusemuuse@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      1
      ·
      2 days ago

      It really isn’t. The encryption itself still hasn’t been defeated. The implementation is the problem. Microsoft just can’t get out of their own way. If they ignored all the business majors, nobody would be able to stop them.

      • 0x0@infosec.pub
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        12
        ·
        2 days ago

        Lol, if they ignored that they would have gone extinct in the 90’s

  • Dalraz@lemmy.ca
    link
    fedilink
    English
    arrow-up
    111
    arrow-down
    1
    ·
    2 days ago

    Seems like every week there is another reason why I’m thankful I switched to Linux a few years ago.

    • tomiant@piefed.social
      link
      fedilink
      English
      arrow-up
      29
      arrow-down
      1
      ·
      edit-2
      2 days ago

      Only thing I find annoying with full volume LUKS encryption is that it makes it difficult to resize partitions, it’s a whole thing, but it’s a minor hassle and not something I’d do every day anyway.

      • Quetzalcutlass@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        17 hours ago

        I have the page with instructions for this prominently bookmarked because it was such a nightmare to figure out the last time I migrated my OS to a differently sized drive.

        • OhVenus_Baby@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 day ago

VeraCrypt solves this issue. I leave my main OS unencrypted then simply store veracrypt partitions to the size I need and put files inside that as needed. I’ve dealt with resizing luks partitions and it’s not worth it. Especially if you build, maintain, or otherwise tinker with your system.

        • statelesz@slrpnk.net
          link
          fedilink
          English
          arrow-up
          10
          ·
          2 days ago

          What? Btrfs subvolumes are basically the same as logical volumes. That’s somewhat redundant.

          • slowbyrne@lemmy.zip
            link
            fedilink
            English
            arrow-up
            2
            ·
            17 hours ago

You’re correct. It is redundant. I think I needed the lvm layer to get an installer to recognize the luks partition. Can’t remember if it’s Pop or Fedora. That installer bug might be fixed now though. One day I’ll check and update my drive so it’s just using btrfs on luks.

  • hperrin@lemmy.ca
    link
    fedilink
    English
    arrow-up
    52
    arrow-down
    1
    ·
    2 days ago

    Of course they did. They have no interest in protecting your privacy and every interest in making you think they do. I would’ve been way more surprised to learn there wasn’t a backdoor.

    • smeenz@lemmy.nz
      link
      fedilink
      English
      arrow-up
      13
      ·
      2 days ago

I’m left puzzled as to how this works… like… the data on the disk should be encrypted sector by sector… it takes forever to encrypt or decrypt a disk, which is consistent with that understanding.

When you boot into PE, I don’t understand how that OS can read anything off the disk, yellowkey or not, without knowing the encryption key… so how does it get that key? Is the vulnerability here that the key is stored in the TPM and win PE can be convinced to retrieve it without the proper credentials being provided?

If that’s the case, and the TPM can just provide the key on request… then… where is the security here?

      • hperrin@lemmy.ca
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 day ago

        My guess is that the key to decrypt the disk is stored on the disk, encrypted by a Microsoft-known key. This seems to unlock that copy of the key rather than the copy encrypted by your own key.

        Though he did say to put the disk back in the original system in part of the instructions, so it might be TPM based. The way to check would be to try this on a system with a disk from another system, or with a wiped TPM.

        TPM is not security, it’s security theatre. If you don’t need to type a password in or insert a device with a key on it during boot, then it’s not secure, period.
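A defender-side check that follows from the point about TPM-only unlock above, added here as an example and not taken from any comment in the thread: it lists, for every BitLocker volume, which key protectors are configured and flags volumes that unlock on TPM measurements alone, with no PIN or startup key required at boot. It assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) that ships with Windows 10/11 and Windows Server, and an elevated prompt; the function name Get-BitLockerProtectorAudit is chosen for this example.

```powershell
# Added audit script (not from the thread). Reports, per BitLocker volume,
# the configured key protectors and whether the volume can be unlocked
# unattended by the TPM alone. Assumes the built-in BitLocker module
# (Get-BitLockerVolume); run from an elevated PowerShell session.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    # TPM-based protector types that also demand a user-supplied factor
    # (PIN and/or USB startup key) before the volume key is released.
    $tpmWithFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; compare on its string form.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasBareTpm  = $types -contains 'Tpm'
        $hasFactor   = @($types | Where-Object { $tpmWithFactor -contains $_ }).Count -gt 0
        $hasRecovery = $types -contains 'RecoveryPassword'

        [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus  = $vol.ProtectionStatus    # On / Off
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = ($types -join ', ')
            # A bare 'Tpm' protector releases the key with no user input,
            # so it is flagged even if other protectors are also present.
            TpmOnlyAutoUnlock = $hasBareTpm -and -not $hasFactor
            HasRecoveryKey    = $hasRecovery
        }
    }
}

# Show the audit; volumes with TpmOnlyAutoUnlock = True boot without a PIN.
Get-BitLockerProtectorAudit |
    Format-Table MountPoint, VolumeType, ProtectionStatus, Protectors,
                 TpmOnlyAutoUnlock, HasRecoveryKey -AutoSize

# Remediation for a flagged OS volume (left commented out on purpose):
# confirm a recovery password exists first, add a TPM+PIN protector, then
# re-run the audit and remove any bare TPM protector that is still listed.
#
# $pin = Read-Host -AsSecureString -Prompt 'BitLocker PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
# $bare = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#             Where-Object { $_.KeyProtectorType -eq 'Tpm' }
# if ($bare) {
#     Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $bare.KeyProtectorId
# }
```

Two caveats when running the remediation: Windows refuses to create a TPM+PIN protector unless the policy “Require additional authentication at startup” permits a startup PIN, so the Add-BitLockerKeyProtector call fails on a default-configured machine until that policy is set; and always verify that a RecoveryPassword protector is escrowed somewhere you control before removing the TPM protector, or the next boot ends at the recovery screen.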

  • Carmakazi@piefed.social
    link
    fedilink
    English
    arrow-up
    86
    ·
    2 days ago

    Tech megacorps are the fifth estate of their home countries, trusting your data to Microsoft or Google is essentially the same as handing it directly to the FBI and CIA.