Subject: General Tech | November 6, 2018 - 01:02 PM | Jeremy Hellstrom
Tagged: Samsung, encryption, crucial, bitlocker
The hardware world is full of badly thought out implementations, from the inconvenient to the utterly incompetent, and today we have one of the latter. BitLocker and other popular encryption tools can use software or hardware to encrypt and store the data encryption key (DEK), with many opting for the accelerated hardware encryption baked into many SSDs. This has turned out to be a bad idea, as tests on a variety of models show you can grab an encrypted disk, plug into the debug ports and convince it to accept any value as an authorized DEK and give you full access to the data on that drive. This is in part due to the hardware not using the owner's password for encryption ... at all. The Register's article offers a suggestion, which is to make use of software encryption methods which do incorporate the user's password and can be set to actually not use the same DEK across the entire drive.
Read on for suggestions on solutions which should mitigate this flaw and which can coexist peacefully with hardware encryption.
"Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner's password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it's that dumb."
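The design difference behind that quote, as an added example (not code from the article, The Register or any drive vendor): a toy model of a drive that stores its DEK independently of the password, next to one that stores only a DEK wrapped under a password-derived key. All function names are hypothetical, and the XOR wrap with a PBKDF2-derived key is a standard-library stand-in for a real key-wrap algorithm such as AES key wrap.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # illustrative PBKDF2 work factor (assumption)


def _kdf(password: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=length)


def provision_flawed(password: str, dek: bytes) -> dict:
    """Design the article describes: the DEK is stored independently of the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_check": _kdf(password, salt, 32), "dek": dek}


def unlock_flawed(state: dict, password: str):
    # The password only decides a comparison; the key material is already on the device.
    ok = hmac.compare_digest(_kdf(password, state["salt"], 32), state["pw_check"])
    return state["dek"] if ok else None


def provision_bound(password: str, dek: bytes) -> dict:
    """Password-bound design: only a wrapped DEK and an integrity tag are stored."""
    if len(dek) != 32:
        raise ValueError("this toy model expects a 32-byte DEK")
    salt = secrets.token_bytes(16)
    k = _kdf(password, salt, 64)  # first 32 bytes wrap the DEK, last 32 key the tag
    wrapped = bytes(a ^ b for a, b in zip(dek, k[:32]))  # stand-in for AES key wrap
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock_bound(state: dict, password: str):
    k = _kdf(password, state["salt"], 64)
    expected = hmac.new(k[32:], state["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, state["tag"]):
        return None  # wrong password: the DEK cannot be computed at all
    return bytes(a ^ b for a, b in zip(state["wrapped"], k[:32]))


def stored_state_exposes_dek(state: dict, dek: bytes) -> bool:
    """Audit helper: is the raw DEK present in what the device persists?"""
    return any(v == dek for v in state.values())
```

In the first design the password check is the only barrier, so whoever controls that check controls the data; in the second, the stored state is useless without the password no matter what the firmware is told to accept.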
Here is some more Tech News from around the web:
- Robots, Wearables, Renewable Energy, Oh My: The Winners of the 2018 Hackaday Prize Announced
- Intel Skylake and Kaby Lake CPUs vulnerable to Portsmash side-channel attack @ The Inquirer
- Strange snafu misroutes domestic US Internet traffic through China Telecom @ Ars Technica
- Apple's T2 chip is blocking Linux from booting on new Mac hardware @ The Inquirer
- What the PUC: SK Hynix next to join big boys in 96-layer 3D NAND land @ The Register
- Beyond the lithium-ion battery @ Physics World
- Microsoft is porting the SysInternals library to Linux @ The Inquirer
- Cougar Fortress Gaming Backpack @ TechPowerUp
Subject: General Tech | November 30, 2016 - 02:10 PM | Jeremy Hellstrom
Tagged: bitlocker, microsoft, windows 10, security, hack
Is BitLocker cramping your voyeuristic cravings and preventing you from snooping on your loved ones or strangers? Assuming you do not instead seek medical help for your problem, all you need to do is wait for Windows to perform a version update and for the user to get bored and walk away. Hop onto their machine and press SHIFT+F10 to get a command prompt which will be running at root privileges and take advantage of the fact that Windows disables BitLocker while installing an updated version of Windows. This will not work for all updates; it needs to be a major OS update such as the move to Anniversary Edition, which changes the version of Windows installed on the machine.
Microsoft is working on a fix. In the meantime, sticking with Windows Long Term Service Branch or slightly modifying how updates are pushed via WSUS or SCCM will ensure this vulnerability cannot be leveraged. You can also take the simple measure of sticking around when major updates occur. Pop over to Slashdot for more information.
"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix."
Here is some more Tech News from around the web:
- Internet Archive preps Canadian safe haven to avoid Donald Trump @ The Register
- Intel, Nvidia ready to unveil new platforms for CES 2017 @ DigiTimes
- Mozilla rushes to patch active Firefox zero-day targeting Tor users @ The Inquirer
- GoPro woes continue as the company cuts 15 percent of workforce @ Ars Technica
- Student clusterers blow off steam with VR space shooter at SUSE booth @ The Register
- More Than 1 Million Android Devices Rooted By Gooligan Malware @ Slashdot
- Remote Logging With Syslog, Part 1: The Basics @ Linux.com
- Guru3D Contest 2016: Win a Limited Edition Corsair RM1000i PSU
Microsoft Allegedly Overhauling SkyDrive With Increased Paid Storage, Applications, and Other Goodies
Subject: General Tech | February 20, 2012 - 11:12 AM | Tim Verry
Tagged: storage, skydrive, paid storage, free, cloud backup, bitlocker, app integration
Update: Some of the rumors have been confirmed by Microsoft in a blog post, though the individual file size increase was a bit off. Microsoft will be allowing files up to 2 GB in size as compared to the rumored 300 MB file sizes.
Every so often, I run across a rumor that sounds almost too good to be true. On the other hand, it sounds so good that I just can't stop myself from being excited about it. Over the weekend, I saw an article that talked about Windows Live Skydrive offering paid storage tiers and I now really want this to come to fruition.
For those curious, SkyDrive is Microsoft's "cloud storage" service that gives users 25 GB of free storage space to hold files. There are some restrictions with the individual file size (that can be worked around if you really want to backup a home movie for example), but otherwise it is a boatload of space for free and saved my butt when the, um, "formatting catastrophe" of 2010 happened by having most of my digital photos backed up!
SkyDrive as it is now, funny old photos and all!
The service is connected to your Microsoft Live or Hotmail account and can be accessed by navigating to skydrive.live.com. There are some usability issues with the service, however, including the fact that it's a pain in the rear to upload more than one or two files. The website doesn't make it easy to batch upload, say, a folder or folders; it only takes a file at a time. Further, it is not nearly as easy to manage those files once they are in the SkyDrive as it should be. Now, if you use IE, the SkyDrive website will allow you to upload multiple files more easily; however, the other browsers are left without a way to do it. There is also the aforementioned individual file size limit of 100 MB per file.
The exciting bit about the rumors and (allegedly) leaked screen shots is that if they stay true the service is about to get a whole lot better by offering cheap storage and fixing many of the issues people have had with the service.
The leaked image
On the storage front, Microsoft is allegedly adding new paid storage tiers and increasing the individual file size limit to 300 MB (from 100 MB). Among the new plans are 20 GB, 50 GB, and 100 GB offerings (which is in addition to the free 25 GB of space) for $10, $25, and $50 a year respectively. Not a bad price at all in my opinion! Assuming the pricing is accurate, they are vastly undercutting the competition. Dropbox, for example, is currently offering 50 GB for $99 a year and 100 GB for $199 per year. Granted, Dropbox has syncing functionality, no individual file size limit, and is a much easier to use service with an established user base, but at these prices the Microsoft offering is likely to win over many people who just want some cheap off site backup space!
| Paid Storage Space | SkyDrive (Price Per Year) | Dropbox (Price Per Year) |
Dropbox pricing just for comparison.
While there are currently mobile applications for Windows Phone and Apple iOS smart phones, users must turn to third party explorer extensions (like SDExplorer) for Windows OS integration on the desktop. More leaked images seem to suggest that Microsoft will be launching applications for Windows and Mac operating systems to better integrate SkyDrive into the OS (and hopefully enable easier cloud file management). SDExplorer is a third party extension that I used to upload all my photos to SkyDrive and it allows mounting the SkyDrive account as a "hard drive" under Windows Explorer. Unfortunately, it costs money to get the full feature set, so hopefully Microsoft can provide similar (or more) features for free with their OS.
In addition, Microsoft will allegedly be adding URL shortening for public and shared SkyDrive file links as well as the ability to share files to Twitter and Facebook from within the SkyDrive website. For the latter, there are already APIs and Microsoft is likely just leveraging them to make sharing files a bit more convenient. On the other hand, Microsoft will be using their own URL shortening service via the sdrv.ms domain instead of integrating with an existing service.
As a user of LibreOffice (the fork off of what was once OpenOffice), I deal a lot with .odt files, which is the open document standard. Users of Microsoft's web application of Office have been forced to save files to the Microsoft standards; however, rumors suggest that the service will soon support creating and saving to the .odt, .odp, and .ods document formats. If you are using Office Web Apps, then you are already likely fairly integrated into the Office universe, and this feature won't mean much. On the other hand, this will help out others who may need to edit one of the LibreOffice created documents backed up to their SkyDrive on the go. Better compatibility is always a step in the right direction for MS after all.
Last up on the rumor pile for SkyDrive is the ability to store BitLocker recovery keys directly to SkyDrive so that you have a backup should you ever forget your encryption password. The flip side of that convenience feature is that it provides another attack vector should someone attempt to get their hands on your encryption keys, and it is a location that you must depend on someone else to keep secure. As weird as it may sound, you might want to encrypt your encryption key before uploading it to any "cloud" service (heh), just in case. Still, it's good to have options.
Needless to say, there was quite the leak this weekend over Microsoft SkyDrive features! It is a lot to take in, but in my opinion it sounds like they are really giving the service the special attention it needs to get it into fighting form. And if the rumors hold true it will be much more competitive with other cloud storage backup options as a result of the overhaul. I'm excited about this, obviously, but what about you? Do you use SkyDrive?