67 posts in this topic

Thanks everyone, I'll look into the various alternatives you've suggested. :)

 

 

...Windows 8.1, 8, and 7 pro all have Bitlocker. What OS are you using?

Windows 8.1 Home Premium. I would need to buy the 8.1 Pro Pack ($100) to get BitLocker. I'm not necessarily opposed to that, because there are other good features that come with the Pro Pack, but I want to see what my options are before spending that much money.

 

Want to keep those Bieber albums top secret, huh? :laugh:

 

Seriously though, why would you want to encrypt a drive with only music on it? Just asking.

Because I don't want some thieving jackhole enjoying the close to 2TB of music and concert videos I have on my external drive. I live on Long Beach, where property theft is an unfortunate reality.


What does the fork mean with regards to the project? Is it possible that we might see a continuing trusted release?

Their first goal is to make 7.1a available again, which they have done, and then they will wait for the full results of the audit and then fix vulnerabilities and bugs.


And NO I'm not going to use Bitlocker. With everything Snowden has released about wiretapping and backdoors I wouldn't rely on closed-source technology.

heartbleed, cough.


Windows 8.1 Home Premium

Including results for windows 8.1.

Do you want results only for windows 8.1 home premium?

 

Microsoft only has 2 consumer SKUs now, Windows 8.1, and Windows 8.1 Pro.


As of right now you can't claim any of that; we don't know if TC is safe, or if anyone with the right tool can bust open any TC volume in seconds and the devs found out and simply closed shop.

As for BitLocker: again, there's no magic key that can open all volumes; it's pretty much impossible, and any back doors would be detectable with the amount of scrutiny the code of such apps goes through. You don't need the source to find such obvious exploits like back doors.

I'd rather trust a public audit on publicly available source code than rely on the assumption that Microsoft is incorruptible. I don't see for what reason you would think that if a backdoor was present in Bitlocker, it would be obvious to find. And while Bitlocker probably goes through a lot of scrutiny, none of it is independent and none is publicly available, which means you can only rely on assumptions of good will and incorruptibility.

 

See https://www.grc.com/misc/truecrypt/truecrypt.htm


heartbleed, cough.

Your point?

2 people like this


heartbleed, cough.

Again, just because something is open source, doesn't mean it has no vulnerabilities and it doesn't mean it has more vulnerabilities.

Open source software just means:

1. There are more eyes that can review vulnerabilities

2. The software is more transparent, meaning the developers can't hide anything

Additionally, OpenSSL has been known to have many vulnerabilities in the past, I really think that people who use OpenSSL are at fault, there are many more secure open source alternatives. I wouldn't trust OpenSSL in the light of 7 major vulnerabilities in about 10 years, and when Steve Marquess, a former military consultant in Maryland started the OpenSSL Software Foundation for donations and consultancy contracts and garnered sponsorship from the United States Department of Homeland Security and the United States Department of Defense. [Source] (which has a lot more interesting things). OpenSSL is known as an atrocity in the open source community, and is a horrible example in this regard.

And you're just mentioning one vulnerability, which only affected 1.0.1 to 1.0.1f of OpenSSL, which wasn't even the latest version at the time. A fixed version of OpenSSL was released on the same day Heartbleed was publicly disclosed.


So you are setting this up under the premise if someone steals your stuff - you want to make them not have access to your music ??  What ???

If someone steals your external - chances are they will wipe it and move on

If it gets stolen, they already have the thing that's valuable to them. --  your music is only valuable to you.  Unless, of course, this would-be thief just happens to have the same taste in music as you do.

 

I'll tell you the same thing I tell people who ask me if "hackers will attack them" ---   nobody cares about your stuff.



 

2 people like this


So you are setting this up under the premise if someone steals your stuff - you want to make them not have access to your music ??  What ???

If someone steals your external - chances are they will wipe it and move on

If it gets stolen, they already have the thing that's valuable to them. --  your music is only valuable to you.  Unless, of course, this would-be thief just happens to have the same taste in music as you do.

 

I'll tell you the same thing I tell people who ask me if "hackers will attack them" ---   nobody cares about your stuff.

+1 You really only need encryption if you know hackers/the government are specifically looking for you or will look for you in future. Just because Snowden leaked stuff about the NSA doesn't mean you have to encrypt everything you have.


Your point?

 

I just found it ironic that you're wary about closed source software being backdoored by the NSA when recently we've learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.


I just found it ironic that you're wary about closed source software being backdoored by the NSA when recently we've learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.

I just found it ironic that the difference between backdoors in open source software and closed source software is that in OSS, backdoors are eventually found and fixed, while in CSS, backdoors can be hidden from the public, never disclosed.


Microsoft only has 2 consumer SKUs now, Windows 8.1, and Windows 8.1 Pro.

Oops, was looking at my Windows 7 machine :/

 

I'm using Windows 8.1 (not Pro) on the laptop in question.


I just found it ironic that you're wary about closed source software being backdoored by the NSA when recently we've learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.

Are you seriously suggesting that Robin Seggelman was secretly working for the NSA when he introduced the bug and that Dr Stephen Henson who reviewed his change and overlooked the flaw was an accomplice?

1 person likes this


Again, just because something is open source, doesn't mean it has no vulnerabilities and it doesn't mean it has more vulnerabilities.

Open source software just means:

1. There are more eyes that can review vulnerabilities

2. The software is more transparent, meaning the developers can't hide anything

 

You can read closed source software like a book with IDA or windbg. Even heavily obfuscated code like in packers, which run code in their own unknown custom VM, has been unraveled and made back to be read by any junior reverser.

 

 

I just found it ironic that the difference between backdoors in open source software and closed source software is that in OSS, backdoors are eventually found and fixed, while in CSS, backdoors can be hidden from the public, never disclosed.

 

holes in closed source software are disclosed and fixed all the time


You can read closed source software like a book with IDA or windbg. Even heavily obfuscated code like in packers, which run code in their own unknown custom VM, has been unraveled and made back to be read by any junior reverser.

I think that you're widely exaggerating. Such tools only do a very mechanical translation that can be very far from the structure of the original code. They're also incapable of dealing with more advanced C++ features like templates as these are erased during compilation. Optimization passes also lose a lot of information about the original structure which cannot be guessed at. On a codebase the size of an advanced cryptographic tool, you would end up with several millions of lines of meaningless identifiers and you'd still have an absolutely daunting reverse-engineering task to make any sense out of it. This makes independent code review practically infeasible, not to mention usually illegal.

2 people like this


holes in closed source software are disclosed and fixed all the time

Not the ones that are purposely put in.

It's always better to hide backdoors in closed source software.


Are you seriously suggesting that Robin Seggelman was secretly working for the NSA when he introduced the bug and that Dr Stephen Henson who reviewed his change and overlooked the flaw was an accomplice?

No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.


Ok, apparently only 7 ultimate has Bitlocker. Still helpful to know what OS you're running.

Win 7 Enterprise also has Bitlocker. Not that it will help in this situation, I'd say...


No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

No software is ever guaranteed to be safe, open source or not, because it's made by humans.

It's just easier to hide a backdoor in a program where source code is not available, since machine code is not human readable, therefore, backdoors cannot be easily found by the community of users of the software.


No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

The software is not safe because it's open-source; it's safe because there can be independent and public scrutiny that it is indeed safe, that there are no backdoors, etc. The mere fact that it's open-source is no guarantee of safety, but it's a prerequisite for independent and public verification.

1 person likes this


No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

Ok, let's say OpenSSL was closed source and was called ClosedSSL. What would have happened, since the heartbeat implementation passed review?

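The "passed review" question above is easier to weigh with the actual shape of the flaw in front of you. What follows is an added example, not code from OpenSSL or from anyone in this thread: a constructed heartbeat-style record parser in the unchecked form beside the checked form, with all names and the sample bytes invented for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed heartbeat request layout, after RFC 6520:
   type(1) | payload_length(2, big-endian) | payload | padding (at least 16 bytes) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

typedef struct { int ok; size_t payload_len; } hb_result;
/* Unchecked variant: echoes as many bytes as the peer *declared*, not as many as
   it *sent*. The clamp to backing_len only keeps this demo within defined
   behaviour; the real defect had no such fence and read adjacent heap memory. */
size_t hb_copy_unchecked(const uint8_t *rec, size_t backing_len, uint8_t *out, size_t out_cap)
{
    size_t n = ((size_t)rec[1] << 8) | rec[2];      /* trusts the wire value */
    if (n > out_cap) n = out_cap;
    if (HB_HEADER_LEN + n > backing_len) n = backing_len - HB_HEADER_LEN;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Checked variant: the declared payload must fit inside the bytes actually
   received, with room left for the minimum padding; otherwise drop the record. */
hb_result hb_parse_checked(const uint8_t *rec, size_t rec_len)
{
    hb_result r = {0, 0};
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return r;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len) return r;  /* the missing check */
    r.ok = 1; r.payload_len = declared;
    return r;
}

/* Constructed memory: a 23-byte record claiming a 100-byte (0x0064) payload,
   followed in the same buffer by bytes that belong to something else. */
#define REC_LEN 23
static const uint8_t g_backing[] = {
    HB_REQUEST, 0x00, 0x64, 'p', 'i', 'n', 'g',         /* header + real 4-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,     /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T'                        /* adjacent, unrelated data */
};

/* Returns 1 if the unchecked copy handed back bytes from beyond the record. */
int demo_unchecked_leaks(void)
{
    uint8_t out[128];
    size_t n = hb_copy_unchecked(g_backing, sizeof g_backing, out, sizeof out);
    return n == 26 && memcmp(out + 20, "SECRET", 6) == 0;
}
```

The two functions differ by one comparison, which is the point: the fix is trivial to write and easy to miss in review, and a single record of the same 23 bytes either leaks six adjacent bytes or is dropped depending on whether that comparison exists.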

I thought I knew neowin, but then I keep getting surprised.

When I read the initial posts from OP - I thought - "someone is going to tell him to stop believing what he sees in movies - nobody cares about your little collection"  but 3 pages later there is still discussion.

 


I thought I knew neowin, but then I keep getting surprised.

When I read the initial posts from OP - I thought - "someone is going to tell him to stop believing what he sees in movies - nobody cares about your little collection"  but 3 pages later there is still discussion.

 

This thread just isn't about him, it's about other people, who actually need an encryption solution.

1 person likes this


I think that you're widely exaggerating. Such tools only do a very mechanical translation that can be very far from the structure of the original code. They're also incapable of dealing with more advanced C++ features like templates as these are erased during compilation. Optimization passes also lose a lot of information about the original structure which cannot be guessed at. On a codebase the size of an advanced cryptographic tool, you would end up with several millions of lines of meaningless identifiers and you'd still have an absolutely daunting reverse-engineering task to make any sense out of it. This makes independent code review practically infeasible, not to mention usually illegal.

Nobody is suggesting converting the whole codebase back to C++. That would be a total waste of time. There is plenty of info in disassemblies to get a high level view of things, like imports, exports, strings, coupled with some excellent tools like IDA graph view and the Hex-Rays decompiler. How do you figure holes in closed source software are revealed all the time? Because hackers and security researchers are reading this code like a book. Take key generators for example. These involve decoding highly obfuscated routines involving highly obfuscated cryptography, yet these things keep being pumped out by some high schoolers (a more mature and intelligent person would seek to get paid with such skill).

 

No software is ever guaranteed to be safe, open source or not, because it's made by humans.

It's just easier to hide a backdoor in a program where source code is not available, since machine code is not human readable, therefore, backdoors cannot be easily found by the community of users of the software.

Ok, let's say OpenSSL was closed source and was called ClosedSSL. What would have happened, since the heartbeat implementation passed review?

The software is not safe because it's open-source; it's safe because there can be independent and public scrutiny that it is indeed safe, that there are no backdoors, etc. The mere fact that it's open-source is no guarantee of safety, but it's a prerequisite for independent and public verification.

again, take a look at the myriad of vulnerabilities and holes in proprietary closed source software revealed on the daily.


again, take a look at the myriad of vulnerabilities and holes in proprietary closed source software revealed on the daily.

But will we ever know about the vulnerabilities that are never disclosed by the manufacturer?

 

 

Nobody is suggesting converting the whole codebase back to C++. That would be a total waste of time. There is plenty of info in disassemblies to get a high level view of things, like imports, exports, strings, coupled with some excellent tools like IDA graph view and the Hex-Rays decompiler. How do you figure holes in closed source software are revealed all the time? Because hackers and security researchers are reading this code like a book. Take key generators for example. These involve decoding highly obfuscated routines involving highly obfuscated cryptography, yet these things keep being pumped out by some high schoolers (a more mature and intelligent person would seek to get paid with such skill).

"Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system." - http://en.wikipedia.org/wiki/Vulnerability_(computing)#Identifying_and_removing_vulnerabilities
