The Infosec Thread: Yes, time to move off Entrust

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Infosec Thread: Yes, time to move off Entrust

«‹›507 »

RFC2324: Jun 7, 2012; http 418

Dadbod Apocalypse posted:

when the feds ask me what my password is, i’ll tell them “i don’t know what my password is” and they’ll get super mad that i owned them but that’s literally my password

I used "I can't remember!" for a while in my WiFi

# ? Jan 22, 2018 06:21

Adbot: ADBOT LOVES YOU

# ? May 10, 2024 08:29

ElCondemn: Aug 7, 2005

Powered Descent posted:

Got into a fun discussion today that this thread might enjoy pondering.

Let's say that, for bullshit legal reasons, you want to encrypt something and NOT keep the password in your memory or anywhere in your possession. So for the password, you use the hash signature of a particular file, and then you don't keep a copy of that file yourself, anywhere. Whenever the time comes to decrypt -- and it will likely be many years in the future -- you'll have your encrypted data, and the software to do the decryption, but not the file whose hash is the key. You'll have to trust in your ability to track down another copy of that same file. Remember, it has to be bit-for-bit identical or it won't work.

Put aside the question of whether the legal trick would work (spoiler: no) and just go with the premise. What file do you choose? What are you confident you'll still be able to find in the future, let's say 25 years from now?

We kicked this around and arrived at what I think is a great answer: The ROM of a reasonably popular old video game cartridge. You aren't depending on a single source (which might go out of business or something), there isn't going to be a new edition of it (at least not one that would displace the original version), and it's not the sort of thing that would be casually altered (like an image or sound file being re-encoded in a new file format). Someone out there will still be preserving these things as a hobby. And hell, if it came right down to it, you could even try to track down original hardware and re-rip the data yourself.

Other ideas?

You're just asking us "if you could use a file as your password what file would it be?"

I would say, don't use a password that is public, it isn't any more secure than using a random string of characters that you write down somewhere public.

# ? Jan 22, 2018 06:58

Powered Descent: Jul 13, 2008; We haven't had that spirit here since 1969.

ElCondemn posted:

You're just asking us "if you could use a file as your password what file would it be?"

I would say, don't use a password that is public, it isn't any more secure than using a random string of characters that you write down somewhere public.

I'd say it boils down more to "what files are you most certain you'll still be able to find an exact copy of in the year 2043?".

You already CAN use a file as a password if you so choose, either by using a hash value, or (in some applications like KeePassX or VeraCrypt) directly as a keyfile. But you typically keep that file around.

I'm not claiming that this method would provide good security or any actual legal protection. But it was a fun little discussion that I thought this thread might enjoy kicking around too.

# ? Jan 22, 2018 07:09

poisonpill: Nov 8, 2009; The only way to get huge fast is to insult a passing witch and hope she curses you with Beast-strength.

Security people never answer the question you asked. They just attack the premise and discuss all the flaws with your setup.

I believe it's what's known as a "side channel attack"

# ? Jan 22, 2018 07:25

Proteus Jones: Feb 28, 2013

poisonpill posted:

Security people never answer the question you asked. They just attack the premise and discuss all the flaws with your setup.

I believe it's what's known as a "side channel attack"

Well, there's literally no upside to his hypothetical. I can't imagine any file staying absolutely pristine to the point the hashes match over a 25 year span. Unless you store the file yourself, it's either going to be format shifted or stuck on a list of "this *used* to be available online". And if you store it yourself, that's only slightly less dumb than using Spaceballs the Password.

# ? Jan 22, 2018 11:16

Cup Runneth Over: Aug 8, 2009; She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate

Absurd Alhazred posted:

"So what is your password?"
"What."
"The password to your computer!"
"What!"
"The password you use to login to your computer!"
"What!!"
"Stop saying "what" or so help me God I will kill you!"
"I'm just trying to help!"

https://www.youtube.com/watch?v=qo5jnBJvGUs&t=28s

# ? Jan 22, 2018 17:25

stoopidmunkey: May 21, 2005; yep

On the password chat, a lawyer friend of mine told me that you can invoke the 5th to not give your password to a computer as it may incriminate you. They can, however, compel biometrics, so I was told the safest thing is long, unique password to decrypt the drive, then either account password or biometric login. I was told this way if they come for your machine, you're pretty safe if you can power it off so they can't get through drive encryption. Did I get misinformed?

# ? Jan 23, 2018 14:44

Sheep: Jul 24, 2003

It's not quite that simple, there's a bunch of things involved (foregone conclusion doctrine, testimonial aspect, etc.) not to mention the fact that they may be able to get a court order compelling you to unlock the device without providing them the password, etc. If you absolutely must get into a sort of situation like this then it's probably best to use a secret sharing method to generate a key with k=n and then make sure that at least one of the parts are held by entities outside of the country that authorities can't get to.

Edit: this article sums up a number of these points pretty well.

Sheep fucked around with this message at 15:07 on Jan 23, 2018

# ? Jan 23, 2018 14:54

Proteus Jones: Feb 28, 2013

Also, learn how to turn off biometric auth for your device in an emergency, so it falls back to requiring a passphrase.

For instance, iOS press the power button quickly 5 times and it deactivates TouchID until you unlock the phone with your passphrase. Just make sure you have Auto-Dial in the EmergencySOS settings turned off so the phone doesn't automatically call 911. You'll still have a slider option on the screen to call 911. (for iPhone 8, 8 plus, and X long press of power and volume does same thing)

# ? Jan 23, 2018 15:06

CLAM DOWN: Feb 13, 2007

Apparently Linus Torvalds is refusing to merge Intel's Spectre fixes into the Linux kernel?? Wtf is this about?

# ? Jan 23, 2018 18:14

BangersInMyKnickers: Nov 3, 2004; I have a thing for courageous dongles

code:

 Have you _looked_ at the patches you are talking about? You should
have - several of them bear your name.

The patches do things like add the garbage MSR writes to the kernel
entry/exit points. That's insane. That says "we're trying to protect
the kernel". We already have retpoline there, with less overhead.

So somebody isn't telling the truth here. Somebody is pushing complete
garbage for unclear reasons. Sorry for having to point that out.

If this was about flushing the BTB at actual context switches between
different users, I'd believe you. But that's not at all what the
patches do.

As it is, the patches are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make
sense. That makes all your arguments questionable and suspicious. The
patches do things that are not sane.

WHAT THE F*CK IS GOING ON?

And that's actually ignoring the much _worse_ issue, namely that the
whole hardware interface is literally mis-designed by morons.

It's mis-designed for two major reasons:

- the "the interface implies Intel will never fix it" reason.

See the difference between IBRS_ALL and RDCL_NO. One implies Intel
will fix something. The other does not.

Do you really think that is acceptable?

- the "there is no performance indicator".

The whole point of having cpuid and flags from the
microarchitecture is that we can use those to make decisions.

But since we already know that the IBRS overhead is <i>huge</i> on
existing hardware, all those hardware capability bits are just
complete and utter garbage. Nobody sane will use them, since the cost
is too drat high. So you end up having to look at "which CPU stepping
is this" anyway.

I think we need something better than this garbage.

http://lkml.iu.edu/hypermail/linux/kernel/1801.2/04628.html

He's basically saying that the patches are nonsense and don't actually do anything to fix the problem besides negatively impacting the kernel.

# ? Jan 23, 2018 18:18

CLAM DOWN: Feb 13, 2007

Sigh

# ? Jan 23, 2018 18:19

Proteus Jones: Feb 28, 2013

It's like Intel didn't learn a thing from the FDIV PR disaster.

Proteus Jones fucked around with this message at 18:31 on Jan 23, 2018

# ? Jan 23, 2018 18:29

spaced ninja: Apr 10, 2009; Toilet Rascal

Yeah a bunch of places had to pull their updates because of the lovely microcode. Redhat even went the extra step to say they won't be releasing ANY microcode updates in the future and you should instead talk directly to the silicon providers.

https://www.theregister.co.uk/2018/01/18/red_hat_spectre_firmware_update_woes/

# ? Jan 23, 2018 18:33

Evis: Feb 28, 2007; Flying Spaghetti Monster

https://lkml.org/lkml/2018/1/22/598

quote:

Then there's Skylake, and that generation of CPU cores. For complicated reasons they actually end up being vulnerable not just on indirect branches, but also on a 'ret' in some circumstances (such as 16+ CALLs in a deep chain).

The IBRS solution, ugly though it is, did address that. Retpoline doesn't.

This is such a mess.

# ? Jan 23, 2018 19:05

gourdcaptain: Nov 16, 2012

Evis posted:

https://lkml.org/lkml/2018/1/22/598

This is such a mess.

https://lkml.org/lkml/2018/1/23/25

And now they're discussing some kind of weird method involving using function tracing on Skylake to turn rets into retpolines automatically while still avoiding the insanely costly Intel mictocode hack instructions. Everything keeps making me so glad I went for a X99 Broadwell-E instead of a Skylake CPU when I built my current desktop entirely because of all the weird Skylake related cruft I keep seeing.

# ? Jan 23, 2018 21:21

doctorfrog: Mar 14, 2007; Great.

Password fantasy chat: What about some biometric password thing where if you feel like you're in trouble, the combination of vitals that forms the password won't line up? Like, "here's my body's state when I'm a free person," and that's your password.

# ? Jan 24, 2018 01:05

poisonpill: Nov 8, 2009; The only way to get huge fast is to insult a passing witch and hope she curses you with Beast-strength.

doctorfrog posted:

Password fantasy chat: What about some biometric password thing where if you feel like you're in trouble, the combination of vitals that forms the password won't line up? Like, "here's my body's state when I'm a free person," and that's your password.

*beats you with a wrench until you pass out, in turn relaxing your vitals*

# ? Jan 24, 2018 01:11

The Fool: Oct 16, 2003

Setup an online service that you do a key exchange with, so that this service has to be online and respond properly in order to unlock your file, ala media drm.

Add some sort of canary function, so that if you're logging under duress you can surreptitiously trigger it, and the service would destroy the master key so that you file can never be unlocked again.

# ? Jan 24, 2018 01:13

Last Chance: Dec 31, 2004

poisonpill posted:

*beats you with a wrench until you pass out, in turn relaxing your vitals*

maybe pair it with something that ensures your paying attention

*gets roofied

# ? Jan 24, 2018 01:27

doctorfrog: Mar 14, 2007; Great.

A sustained, 30-day orgasm is my password.

# ? Jan 24, 2018 01:29

Judge Schnoopy: Nov 2, 2005; dont even TRY it, pal

Hey doctor I'm having trouble logging in, if you know what I mean

# ? Jan 24, 2018 01:34

anthonypants: May 6, 2007; by Nyc_Tattoo; Dinosaur Gum

doctorfrog posted:

Password fantasy chat: What about some biometric password thing where if you feel like you're in trouble, the combination of vitals that forms the password won't line up? Like, "here's my body's state when I'm a free person," and that's your password.

You mean like how FaceID requires that you look at your phone?

# ? Jan 24, 2018 01:41

Cup Runneth Over: Aug 8, 2009; She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate

The Fool posted:

Setup an online service that you do a key exchange with, so that this service has to be online and respond properly in order to unlock your file, ala media drm.

Add some sort of canary function, so that if you're logging under duress you can surreptitiously trigger it, and the service would destroy the master key so that you file can never be unlocked again.

[FBI serves your service a warrant]

# ? Jan 24, 2018 01:43

Mr Chips: Jun 27, 2007; Whose arse do I have to blow smoke up to get rid of this baby?

Proteus Jones posted:

It's like Intel didn't learn a thing from the FDIV PR disaster.

Even if they did, it was a generation ago now, and they've probably unlearned it all.

# ? Jan 24, 2018 01:47

Trabisnikof: Dec 24, 2005

Hi, my name is Werner Brandes. My angst is my passport. Verify Me.

# ? Jan 24, 2018 01:47

incoherent: Apr 24, 2004; 01010100011010000111001
00110100101101100011011
000110010101110010

spaced ninja posted:

Yeah a bunch of places had to pull their updates because of the lovely microcode. Redhat even went the extra step to say they won't be releasing ANY microcode updates in the future and you should instead talk directly to the silicon providers.

https://www.theregister.co.uk/2018/01/18/red_hat_spectre_firmware_update_woes/

Dell just announced you should roll back all your servers bios\UEFI updates with the specter protections. yikes.

# ? Jan 24, 2018 01:51

Internet Explorer: Jun 1, 2005

Super glad I listened to my gut on this one and waited on patching. I'm generally all gung-ho to patch, but this seemed like it was going to be a disaster.

# ? Jan 24, 2018 01:52

anthonypants: May 6, 2007; by Nyc_Tattoo; Dinosaur Gum

incoherent posted:

Dell just announced you should roll back all your servers bios\UEFI updates with the specter protections. yikes.

HP removed more firmware updates today, too https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us

# ? Jan 24, 2018 01:57

Thanks Ants: May 21, 2004; #essereFerrari

https://www.youtube.com/watch?v=_B0CyOAO8y0

# ? Jan 24, 2018 02:00

I would blow Dane Cook: Dec 26, 2008; Can't post for 9 hours!

doctorfrog posted:

A sustained, 30-day orgasm is my password.

"Ve have ways of making you cum, HerrDoctor Frog"

# ? Jan 24, 2018 02:12

Powered Descent: Jul 13, 2008; We haven't had that spirit here since 1969.

doctorfrog posted:

A sustained, 30-day orgasm is my password.

My password is taking a huge bong rip, but the government can't make me do that because it's illegal. Checkmate!

# ? Jan 24, 2018 02:50

18 Character Limit: Apr 6, 2007; Screw you, Abed;
I can fix this!; Nap Ghost

doctorfrog posted:

A sustained, 30-day orgasm is my password.

I would blow Dane Cook posted:

"Ve have ways of making you cum, HerrDoctor Frog"

Solved problem, in animal husbandry.

# ? Jan 24, 2018 03:00

Klyith: Aug 3, 2007; GBS Pledge Week

The Fool posted:

Setup an online service that you do a key exchange with, so that this service has to be online and respond properly in order to unlock your file, ala media drm.

Add some sort of canary function, so that if you're logging under duress you can surreptitiously trigger it, and the service would destroy the master key so that you file can never be unlocked again.

judge doesn't believe you can't decrypt your files, jails you for contempt of court. you finally break and plead guilty, end up serving several extra years because they add a destroyed evidence charge and the DA has no reason to make a deal with you. plus the judge is annoyed enough to reject any time served discount for your contempt stay.

you dorks are just inventing more and more elaborate ways to own yourself

if you are a criminal in the US, or a dissident in a nasty dictatorship, your best bet is security through obscurity. the only way They can't force you to decrypt your poo poo is if they can't even find the storage media in the first place. a 128gb microsd card is the size of your fingernail, buy one of those and hide it somewhere clever. i suggest up your rear end.

# ? Jan 24, 2018 04:15

Trabisnikof: Dec 24, 2005

up you rear end is one of the first places they look

# ? Jan 24, 2018 04:17

I would blow Dane Cook: Dec 26, 2008; Can't post for 9 hours!

18 Character Limit posted:

Solved problem, in animal husbandry.

*Laughs Nazi-ly*

# ? Jan 24, 2018 04:20

I would blow Dane Cook: Dec 26, 2008; Can't post for 9 hours!

Trabisnikof posted:

up you rear end is one of the first places they look

Learned this one the hard way.

# ? Jan 24, 2018 04:20

Klyith: Aug 3, 2007; GBS Pledge Week

Trabisnikof posted:

up you rear end is one of the first places they look

oh gently caress really? looks like i need a new spot to hide my collection of secret nsa dox and embarrassing hentai!

# ? Jan 24, 2018 04:23

Klyith: Aug 3, 2007; GBS Pledge Week

it's really all hentai

but it's in a folder named "nsa dox" so i can pretend i'm jason loving bourne like the rest of the thread

# ? Jan 24, 2018 04:25

Adbot: ADBOT LOVES YOU

# ? May 10, 2024 08:29

Bunni-kat: May 25, 2010; Service Desk B-b-bunny...
How can-ca-caaaaan I
help-p-p-p you?

Stick the microSD card in your foreskin. If you don�t have any either by birth or circumcision, borrow someone else�s.

# ? Jan 24, 2018 05:00

The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Infosec Thread: Yes, time to move off Entrust

«‹›507 »