Black Hat Presentation – Bypassing Local Windows Authentication to Defeat Full Disk Encryption

Ian Haken makes a fascinating presentation of his research on bypassing Bitlocker on a Windows machine if you have physical access to the machine you’re trying to crack into. Especially interesting is the point Haken makes at the end that this particular attack worked (Microsoft has since fixed this particular issue)  because of assumptions about the security model that Microsoft made years ago that are no longer true–but those assumptions are instantiated in the way that various parts of Windows authentication works.


Noisecrypt–A Distributed, Encrypted Social Network

Noisecrypt is a github-hosted project aimed at creating “a decentralized social network with end-to-end encryption. You can save your user data on a server of your choice while you can still interact (write messages, visit profiles, etc.) with people on other servers. Furthermore messages, private posts and private profile information are end-to-end encrypted.”

Still in active development, although there are preview versions of the client and the server available at github (both of which, the project maintainers make clear, are for testing purposes only as the encryption and identity protection features are both in active development).


Noisecrypt Screenshot

DiskCryptor – Open Source Whole Disk Encryption for Windows

Bruce Sterling has said he’s been using Symantec’s Endpoint Encryption software for full disk encryption ever since the demise of TrueCrypt. I used Symantec’s product — which is really just a commercialization of PGP — many years ago before TrueCrypt became so popular. It worked well and I’m sure it is still a great solution IF you can afford the $85/workstation license.

So instead, I’ve been using the open source DiskCryptor for all of my whole disk encryption needs for Windows.So far I haven’t had any issues with it and from what I can tell it is a least as secure as TrueCrypt was (i.e., it’s likely to stymie local cops, but state actors have many ways to obtain passphrases if they want to devote sufficient resources — not sure they’re likely to do so for my porn collection, however).




Encryption for the Masses?

With the ongoing security-pocalypse, we’d all like to see effective, easy-to-use encryption tools that even people with little technical knowledge could use. Over at Mashable, Matthew Hughes thinks he’s found a company that might fit the bill.

According to Hughes, takes the otherwise confusing world of encryption products and simplifies them. How does it do this?

Messages can be encrypted through a relatively intuitive Node.js based command-line application, or through the Keybase website.

Wait, what? Nowhere in a story headlined “Encryption for the Masses” should the phrase “relatively intuitive Node.js based command-line application” ever appear.

Okay, but maybe the website will be easier to use. The screenshot that Hughes posts does look fairly nice, but is immediately followed by this explanation:

This first requires that you upload your private key to their servers. This is the key which is unique to you, and allows you to encrypt and decrypt messages. As the name implies, this is something which you need to keep absolutely, 100% secret.

How helpful of them!

In fairness to Keybase.IO, the company seems to be trying to solve a different problem — if I want to securely send a PGP message to Alice, how do I make certain I’ve Alice’s public key.  Keybase appears to use PGP signed messages in Twitter and other social media sites to verify identity and then pairs that with a client that facilitates accessing the correct public key for that user.

We’re not reinventing any cryptography here – the goal is a simple way to look up and trust keys, based on known public identities.

AirVPN’s Responses to TorrentFreak’s VPN Questions

Back in 2011, TorrentFreak did a survey of third party VPN services in response to some high-profile incidents in which companies running VPNs ratted out their customers. Recently, TorrentFreak did a similar survey that had a fairly striking omission–TorrentFreak didn’t include and apparently didn’t bother to even ask its questions of AirVPN, which I and others concluded was the best VPN available based on its 2011 survey. TorrentFreak hasn’t explained why AirVPN was left out, but AirVPN went ahead and answered TorrentFreak’s questions in their user forums, and TorrentFreak finally got around to updating its original story to include AirVPN’s answers.

Anyway, since I don’t like the format in which TorrentFreak offered up the answers, here are their questions with AirVPN’s answers, which  highlight why I continue to be a loyal AirVPN customer.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

No, we don’t keep any log that might be exploited to reveal customers’ personal data during connections, including real IP address. For example OpenVPN logs are sent to /dev/null (Air is based on OpenVPN). Our privacy policy is available here:

On top of that our VPN servers do not maintain any account database.

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

Italy. We do not share any information with any 3rd party.

3. What tools are used to monitor and mitigate abuse of your service?

Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (for example UDP floods) against or from our servers.

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

No help can be given about past connections because we don’t log, monitor or inspect our clients traffic, and we don’t and can’t require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with subsequent investigations and if possible with the help of proper and competent authorities.

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

7. Which payment systems do you use and how are these linked to individual user accounts?

We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account only in order to provide service delivery and to comply to our refund policy.

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

We put into practice the recommendations of security expert and best practices on our setup, based exclusively on OpenVPN with the following features:

Data Channel: AES-256-CBC
Control Channel: HMAC SHA1
RSA keys size: 2048 bit
PFS (Perfect Forward Secrecy): yes. TLS re-keying is performed by default every 60 minutes through DHE as well as at each new connection. As an additional option the re-keying time interval can be lowered by the client unilaterally.

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client private key, the client traffic can’t be decrypted.