Black Hat Presentation – Bypassing Local Windows Authentication to Defeat Full Disk Encryption

Ian Haken gives a fascinating presentation of his research on bypassing BitLocker on a Windows machine when you have physical access to the machine you are trying to break into. Especially interesting is the point Haken makes at the end: this particular attack worked (Microsoft has since fixed the issue) because of assumptions about the security model that Microsoft made years ago that are no longer true, but those assumptions are baked into the way various parts of Windows authentication work.


Noisecrypt–A Distributed, Encrypted Social Network

Noisecrypt is a GitHub-hosted project aimed at creating “a decentralized social network with end-to-end encryption. You can save your user data on a server of your choice while you can still interact (write messages, visit profiles, etc.) with people on other servers. Furthermore messages, private posts and private profile information are end-to-end encrypted.”

The project is still in active development, although preview versions of the client and the server are available on GitHub (both of which, the project maintainers make clear, are for testing purposes only, since the encryption and identity-protection features are still being built).


Noisecrypt Screenshot

DiskCryptor – Open Source Whole Disk Encryption for Windows

Bruce Sterling has said he’s been using Symantec’s Endpoint Encryption software for full disk encryption ever since the demise of TrueCrypt. I used Symantec’s product — which is really just a commercialization of PGP — many years ago before TrueCrypt became so popular. It worked well and I’m sure it is still a great solution IF you can afford the $85/workstation license.

So instead, I’ve been using the open source DiskCryptor for all of my whole disk encryption needs for Windows. So far I haven’t had any issues with it and from what I can tell it is at least as secure as TrueCrypt was (i.e., it’s likely to stymie local cops, but state actors have many ways to obtain passphrases if they want to devote sufficient resources — not sure they’re likely to do so for my porn collection, however).


Encryption for the Masses?

With the ongoing security-pocalypse, we’d all like to see effective, easy-to-use encryption tools that even people with little technical knowledge could use. Over at Mashable, Matthew Hughes thinks he’s found a company that might fit the bill.

According to Hughes, Keybase takes the otherwise confusing world of encryption products and simplifies them. How does it do this?

Messages can be encrypted through a relatively intuitive Node.js based command-line application, or through the Keybase website.

Wait, what? Nowhere in a story headlined “Encryption for the Masses” should the phrase “relatively intuitive Node.js based command-line application” ever appear.

Okay, but maybe the website will be easier to use. The screenshot that Hughes posts does look fairly nice, but is immediately followed by this explanation:

This first requires that you upload your private key to their servers. This is the key which is unique to you, and allows you to encrypt and decrypt messages. As the name implies, this is something which you need to keep absolutely, 100% secret.

How helpful of them!

In fairness to Keybase.IO, the company seems to be trying to solve a different problem: if I want to send Alice a PGP-encrypted message, how do I make certain that the public key I have is really Alice’s? Keybase appears to use PGP-signed messages posted to Twitter and other social media accounts to verify identity, and then pairs that with a client that looks up the correct public key for that user.

We’re not reinventing any cryptography here – the goal is a simple way to look up and trust keys, based on known public identities.
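To make the key-lookup idea above concrete, here is an added example (my own toy model, not Keybase’s code or its proof format) of the verifier’s side: a user publishes, under each social-media account she controls, a statement binding that account to her key’s fingerprint, signed with the key; a verifier fetches the candidate key and the posts from each account she is known by, and accepts the key only if every post names that key’s fingerprint and carries a valid signature from it. The post format, the account names and the signature scheme (textbook RSA over a SHA-256 digest, standard library only so it runs offline) are all assumptions made for the example; real proofs would be OpenPGP signatures.

```python
"""Toy model of a Keybase-style key lookup (added example; not Keybase's code).

1. Alice posts, under each social-media account she controls, a statement that
   binds the account to her key's fingerprint, signed with that key.
2. A verifier fetches the candidate key plus the post from each account Alice is
   known by, and accepts the key only if every post names this key's fingerprint
   and is validly signed by it.
Signatures are textbook RSA over SHA-256 (no padding): a stand-library toy, not
a real scheme; real proofs are OpenPGP signatures.
"""
import hashlib
import json
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test, used only for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 1024):
    """Return (public, private) dicts for toy RSA with e = 65537."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def fingerprint(public: dict) -> str:
    """SHA-256 of the canonical public key; stands in for a PGP fingerprint."""
    return hashlib.sha256(json.dumps(public, sort_keys=True).encode()).hexdigest()

def sign(private: dict, message: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")   # 256 bits < n
    return pow(h, private["d"], private["n"])

def verify(public: dict, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, public["e"], public["n"]) == h

def _canonical(statement: dict) -> bytes:
    return json.dumps(statement, sort_keys=True).encode()

def make_proof(private: dict, public: dict, service: str, username: str) -> dict:
    """The post a user publishes under one account (constructed format)."""
    st = {"service": service, "username": username, "key_fingerprint": fingerprint(public)}
    return {"statement": st, "signature": sign(private, _canonical(st))}

def lookup_key(public: dict, identities: dict, service_posts: dict) -> bool:
    """Verifier side. identities: service -> username the user is known by.
    service_posts: (service, username) -> the proof actually fetched from that
    account. Reject the key unless every identity has a matching, valid proof."""
    fp = fingerprint(public)
    for service, username in identities.items():
        proof = service_posts.get((service, username))
        if proof is None:
            return False                                  # nothing posted there
        st = proof["statement"]
        if (st["service"], st["username"]) != (service, username):
            return False                                  # copied from another account
        if st["key_fingerprint"] != fp:
            return False                                  # post binds a different key
        if not verify(public, _canonical(st), proof["signature"]):
            return False                                  # names this key, not signed by it
    return True

def demo() -> dict:
    """Constructed scenario: a genuine lookup and three substitution attempts."""
    alice_pub, alice_priv = generate_keypair()
    mallory_pub, _ = generate_keypair()
    alice_ids = {"twitter": "alice", "github": "alice"}
    posts = {(s, u): make_proof(alice_priv, alice_pub, s, u) for s, u in alice_ids.items()}
    # Attacker serves Mallory's key as "Alice's" and also rewrites the fetched
    # twitter post to carry Mallory's fingerprint; Alice's signature then fails.
    tampered = dict(posts)
    tw = posts[("twitter", "alice")]
    tampered[("twitter", "alice")] = {
        "statement": dict(tw["statement"], key_fingerprint=fingerprint(mallory_pub)),
        "signature": tw["signature"]}
    only_twitter = {k: v for k, v in posts.items() if k[0] == "twitter"}
    return {"genuine": lookup_key(alice_pub, alice_ids, posts),
            "substituted_key": lookup_key(mallory_pub, alice_ids, posts),
            "substituted_key_tampered_post": lookup_key(mallory_pub, alice_ids, tampered),
            "missing_proof": lookup_key(alice_pub, alice_ids, only_twitter)}

if __name__ == "__main__":
    print(demo())
```

The security of the lookup rests on the attacker not controlling the social-media accounts the verifier fetches from: the fingerprint check defeats a swapped key, the signature check defeats an edited post, and requiring every known identity means a single compromised account is not enough. That is also why the private key never needs to leave the user’s machine in this model; only public keys and signed public statements are published.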