So why doesn't the DoD use bitlocker? ^.^ http://www.gsa.gov/portal/content/102647 On 05/30/2014 04:35 PM, Michael Cramer wrote: > > For the most part I rely on Bitlocker for all of my encryption needs. The > goal isn’t to prevent super secret shadowy organizations from accessing my > data, but to prevent data being obtained from my devices in the event of > theft or being lost. > Because I travel a lot, I would willingly enter crypto passwords into my > devices when crossing the border. > > I ultimately know that if my devices are stolen or lost, that I have as much > time as I want until I need to change any passwords. It is this peace of mind > that I’m looking for. Not to prevent the NSA from accessing my photo library. > > > I used to use TC until Bitlocker became standard. I leveraged it quite often, > and still occasionally used it when cross platform needs were required. > > > > To address your other concerns, you have to understand that the “super secret > uber NSA backdoors in Windows products” has been told time and time again for > decades. I feel ashamed that the “Information Security” community is fretting > over such things, especially given that the US Government is the largest > buyer of Information Security products and services. They use Windows pretty > extensively across all ranges of the DOD and Microsoft isn’t providing them > different binaries than anyone else. They do work together for hardening > procedures, but the Windows that the DOD uses for its systems is the same > Windows that you will find in the stores. > > > To suggest that the NSA would ask Microsoft and other vendors to introduced > intentional backdoors into their products is to severely underestimate the > people that work for those agencies that work on the US’ critical > infrastructure. They’re just not that stupid. Some of the best and brightest > minds in the world have consulted for or worked with the NSA, and I’m > guessing this includes revered > security researchers and open source developers that some would be surprised > that may be approached by the US Government. > > I think the whole “many eyes” thing has now been debunked--repeatedly. “Many > eyes” is another way for people to not assume responsibility for ensuring the > integrity of their products and services. “If other people use it, someone > else must have audited it, or else it would not be in such wide use > everywhere! It must be good!” OpenSSL‘s Heartbleed incident has proven this > to be absolutely far from the truth. In addition, I know it can be a bit more > challenging to find flaws in unmaintainable code, but the Debian OpenSSL bug > (http://www.debian.org/security/2008/dsa-1571) was inexcusable. The issue was > merely commented out code on a commit that sat around for 2 years. It wasn’t > even intended to be an underhanded change. > > The good news is that the OSS community is now starting to enter another age > of maturity. It will be interesting to see where everything falls into place. > The Linux Foundation has announced they will be performing a full code audit > on “critical” applications such as OpenSSL, NTP, and > OpenSSH(http://gigaom.com/2014/05/29/openssl-security-project-gets-some-much-needed-funding/). > This is fantastic news all around and has long been needed considering Linux > is used in a very wide range of products and services. > > > As far as closed source versus open source, this is the type of thing that > will ultimately bring out “religious” arguments. There was a time when closed > source solutions were terrible. And many closed solutions may still be > terrible. But on some of the larger products, for example, Windows--the > people that work on that are highly paid and many are highly skilled in their > craft. Microsoft hired some of the best engineers in the industry to develop > the platforms that Windows still uses today, such as NTFS. > > > Linux has had some massive changes to its underlying infrastructure. Since > I’ve been using Linux we’ve gone from ext2 to ext3 to ext4. We’ve gone from > “dependency hell” to having reliable package managers. They are just now > moving away from SYSVINIT in greater fashion after realizing that > asynchronous daemon startup and other daemon management features are required > for modern computing. > > > Microsoft has had many of these features for coming up on 2 decades, so > they’ve gotten great mileage out of the decisions they made as a closed > source solution because they can simply say “make it so” without much larger > debates and committees. > > > Ultimately, what you choose to use is up to you. I use what serves my needs, > and I use what serves the needs of the organizations for which I work. > > > Bitlocker and Truecrypt aren’t the ONLY FDE and removable media platforms > that are out there. While TC offered incredible portability of the data > (since it was all file containers that could be moved between platforms > easily), as far as encryption itself goes, Bitlocker should provide the same > level of security as TC for when your devices fall into the wrong hands. You > an also leverage products from McAfee, Symantec, and CheckPoint. YMMV. > > > To use Bitlocker “properly” in a major organization your best bet is to use > smart cards. The hefty requirements for TPM-enabled devices and smart cards > for optimal security and ease-of-use can be daunting to most. > > > -Mike Cramer > > > Sent from Windows Mail > > > > > > From: Not EcksKaySeeDee > Sent: Friday, May 30, 2014 14:42 > To: Michael Cramer > Cc: Justin Bull, fulldisclosure@xxxxxxxxxxxx > > > > > > May 30, 2014 > > > > Greetings, > > > > > New subscriber to FD here. I've been in systems/networking, and by default > dealt with security and encryption issues/topics, but not at the depth that > most(?) of the folks on FD have. So I have a few questions & thoughts: > > > > > 1. Where do we go from here? What do you, as the experts, suggest for people > like me who are in IT, but not dedicated security pros, and especially for > average users who are now increasing their security awareness in a > post-Snowden world? > > > > > > 2. Does anyone else on this list actively use TC, and if so, what are your > plans now? > > > > > I am wary of the whole "use Bitlocker" suggestion because: A) it's closed > code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I > don't know if/when they will roll over whenever the g-men show up and demand > keys to the backdoors (if any). > > > > > Of-course, open source is not perfect either, but, so the reasoning, goes, > you have the "many eyes" argument in support of it. This begs another > question (apologies), how many eyes are actually actively and consistently > reviewing/auditing open source code? > > > > > As far as I am aware (correct me if I'm wrong), there isn't a single neutral > group or entity staffed by people whose sole purpose is to audit critical > source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a need for > such a group of people? Of-course the counter will be, who is going to > pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't trust the > big corporations again because of their influence and possible ties to the > g-men and/or willingness to roll-over when the legal paperwork starts to fly. > > > And now for some reason, I'm reminded of Descartes First Meditation: > discarding belief in all things that are not certain (apologies to any > philosophy majors or lovers out there). All of the trust/faith we put into > people and companies (open and closed source) to produce this s/ware that we > build our lives on, how can we be sure that they are no cracks in our > foundations? > > > > > Anyhow. > > > > > Cheers, > > not xkcd. > > > > > > > > > On Thu, May 29, 2014 at 6:13 PM, Mike Cramer <mike.cramer@xxxxxxxxxxx> wrote: > > I think it’s more important to have rational discussions. This isn’t the > first time Microsoft has been ‘rumored’ to have backdoors in Windows for the > US Government. These rumors have been perpetuated for years. While I don’t > know how long you’ve been in the industry, it’s something I recall even being > 14 years old and sitting on IRC and having people discuss. > > > > The reality now, just as then, is that these are unsubstantiated. > > > > A more apt description about the cooperation between the US Government and > Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure you > may recall these names from any sort of discussion about PKI. > > > > What people seem to forget in all of these discussions is that Microsoft is > Bob. (Microsoft Bob? :P) > > > > No amount of encryption, protection, secret keying is going to protect you > when one party is going to hand over the information to 3rd parties to review. > > > > Based on my Alice and Bob comment above, it’s reasonable to assume that the > encryption itself is 100% fine, so as long as you believe that Bob will never > divulge the information you’ve disclosed. > > > > Through all of these discussions surrounding Bitlocker across multiple forums > nobody has brought up the fact that Bitlocker in Windows 8 allows you to > store recovery key information in OneDrive/”The Cloud”. Why bother writing in > backdoors to the software when the keys are readily available with a warrant? > > > > There are a million and one ways to get access to the information and the > absolutely most difficult, most costly, and most potentially damaging is the > one people are jumping to first. > > > > If it were ever revealed that Microsoft purposefully weakened its encryption > systems to allow the NSA access to any Windows device, then it would be the > end of the organization. They’re just not that dumb. > > > > Mike > > > > From: Justin Bull [mailto:me@xxxxxxxxxxxxx] > Sent: Thursday, May 29, 2014 18:02 > To: Mike Cramer > Cc: fulldisclosure@xxxxxxxxxxxx; secuip > Subject: RE: [FD] TrueCrypt? > > > > Closed source and Microsoft is notoriously known to play ball with LEO and > government. It's an ill-fitting shoe. > > Sent from mobile. > > On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@xxxxxxxxxxx > <mailto:mike.cramer@xxxxxxxxxxx> > wrote: > > What is careless about recommending Bitlocker? > > -----Original Message----- > From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx > <mailto:fulldisclosure-bounces@xxxxxxxxxxxx> ] On Behalf Of Justin Bull > Sent: Thursday, May 29, 2014 17:18 > To: secuip > Cc: fulldisclosure@xxxxxxxxxxxx <mailto:fulldisclosure@xxxxxxxxxxxx> > Subject: Re: [FD] TrueCrypt? > > But why go out in that style? Why not be frank? Why be so careless as to > recommend BitLocker? > > The diff was meticulous but the website and comms were not. It doesn't add up. > > Sent from mobile. > On May 29, 2014 5:13 PM, "secuip" <root@xxxxxxxxx <mailto:root@xxxxxxxxx> > > wrote: > >> http://krebsonsecurity.com/2014/05/true-goodbye-using- >> truecrypt-is-not-secure/comment-page-1/#comment-255908 >> >> >> Le 29/05/2014 22:51, uname -a a écrit : >> >>> There are several strange behaviors. >>> >>> Sitesource is not clean. Just a html that say take now Bitlocker or >>> other built-in tools of your OS !? >>> >>> New Keys got added to SF 3h before release of 7.2 happened. >>> >>> On SF the old versions got removed. For older Versions you've to >>> download them elsewhere (there are several sources available). >>> >>> Encryption, Help and all traces to truecrypt.org <http://truecrypt.org> >>> got removed in the >>> Programsource. >>> >>> No explanation for this anywhere. Just speculations. >>> >>> Truecrypt isn't available on the webarchive! >>> >>> The Wiki got editet massively. >>> >>> >>> >>> Am 29.05.2014 04:21, schrieb Anthony Fontanez: >>> >>>> I'm surprised I haven't seen any discussion about the recent issues >>>> with TrueCrypt. Links to current discussions follow. >>>> >>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/ >>>> truecrypt_is_dead/ >>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/ >>>> truecrypt_development_has_ended_052814/ >>>> >>>> Thank you, >>>> >>>> Anthony Fontanez >>>> PC Systems Administrator >>>> Client Services - College of Liberal Arts Information & Technology >>>> Services, Enterprise Support Rochester Institute of Technology >>>> LBR-A290 >>>> 585-475-2208 <tel:585-475-2208> (office) >>>> ajfrcc@xxxxxxx <mailto:ajfrcc@xxxxxxx> <mailto:ajfrcc@xxxxxxx >>>> <mailto:ajfrcc@xxxxxxx> > >>>> >>>> Submit a request via email: servicedesk@xxxxxxx >>>> <mailto:servicedesk@xxxxxxx> <mailto:ser <mailto:ser> >>>> vicedesk@xxxxxxx <mailto:vicedesk@xxxxxxx> > Check the status of an active >>>> request: >>>> footprints.rit.edu <http://footprints.rit.edu> <https:// >>>> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT >>>> account and computers: start.rit.edu <http://start.rit.edu> <https://start. >>>> rit.edu/ <http://rit.edu/> > >>>> >>>> CONFIDENTIALITY NOTE: The information transmitted, including >>>> attachments, is intended only for the person(s) or entity to which >>>> it is addressed and may contain confidential and/or privileged >>>> material. Any review, retransmission, dissemination or other use of, >>>> or taking of any action in reliance upon this information by persons >>>> or entities other than the intended recipient is prohibited. If you >>>> received this in error, please contact the sender and destroy any copies >>>> of this information. >>>> >>>> >>>> >>>> _______________________________________________ >>>> Sent through the Full Disclosure mailing list >>>> http://nmap.org/mailman/listinfo/fulldisclosure >>>> Web Archives & RSS: http://seclists.org/fulldisclosure/ >>>> >>>> _______________________________________________ >>> Sent through the Full Disclosure mailing list >>> http://nmap.org/mailman/listinfo/fulldisclosure >>> Web Archives & RSS: http://seclists.org/fulldisclosure/ >>> >> >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ >
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/