Encryption news and developer summaries

Researcher Nightmare-Eclipse identified YellowKey, a vulnerability enabling full-volume BitLocker bypass via Windows Recovery Environment. The exploit allegedly suggests an intentional backdoor, affecting Windows 11 and Server editions. Security experts recommend diversifying encryption strategies and considering alternatives like VeraCrypt while awaiting official Microsoft patches.

Oura faces scrutiny for its lack of transparency regarding government data requests. Despite health concerns about its privacy practices, including the absence of end-to-end encryption, Oura has failed to provide a promised transparency report. As a major health wearable company, critics argue that publishing data on government demands is essential for maintaining user trust and accountability.

SecurityBaseline.eu monitors the security and privacy of government websites across 32 European-affiliated countries. Recent findings reveal significant issues: 3,000 sites use illegal tracking cookies, over 1,000 database management interfaces are publicly exposed, and 99% of government email lacks proper encryption. The initiative aims to transparently improve digital governance for citizen protection.

Apple has integrated quantum-secure ML-KEM and ML-DSA algorithms into its corecrypto library to combat future quantum threats. To ensure implementation correctness, Apple developed rigorous formal verification methods, using tools like Isabelle, SAW, and Cryptol to mathematically prove that its optimized C and ARM64 assembly code faithfully matches FIPS specifications.

Cloudflare's lava lamps are clever marketing but provide no significant security benefit. True encryption relies on modern cryptographically secure pseudorandom number generators (CSPRNGs) and stream ciphers like ChaCha20. Hard-coded random seeds generated locally on servers are more secure, practical, and minimize attack surfaces compared to complex physical entropy setups.