|
an actual dog posted:oh my god this is so good. oh my god what the gently caress were they thinking Even with AES-NI, software encryption overhead with an average SDD like an EVO 840 can pretty much saturate an average CPU when its cranking with enough active threads to hit all cores. I 100% guarantee they were trying to avoid that when possible, but did it in the dumbest way possible.
|
# ? Nov 5, 2018 19:38 |
|
|
# ? May 10, 2024 05:28 |
|
Can I be smug about this if I'm using luks/dm-crypt on Linux? I'm guessing that I can, since dm-crypt layers on top of any hardware encryption?
|
# ? Nov 5, 2018 19:50 |
|
apropos man posted:Can I be smug about this if I'm using luks/dm-crypt on Linux? I'm guessing that I can, since dm-crypt layers on top of any hardware encryption?
|
# ? Nov 5, 2018 20:11 |
|
You can be smug whenever you want.
|
# ? Nov 5, 2018 20:23 |
|
anthonypants posted:Would you be smug about software RAID if a hardware RAID controller had problems? taqueso posted:You can be smug whenever you want. I've changed my mind after anthonypants' post. I'll be confused instead.
|
# ? Nov 5, 2018 20:26 |
|
BangersInMyKnickers posted:Even with AES-NI, software encryption overhead with an average SDD like an EVO 840 can pretty much saturate an average CPU when its cranking with enough active threads to hit all cores. I 100% guarantee they were trying to avoid that when possible, but did it in the dumbest way possible. Yea I totally understand why they're pushing for hardware encryption, it's just baffling that there were no checks to make sure it was encrypting correctly. I'm just now realizing that when people switch back to software encryption their computers are gonna start running so much worse.
|
# ? Nov 5, 2018 20:54 |
|
I run software BitLocker on all my mobile computers and I have never felt any performance degradation. Sure copying 50 GB of files might take a bit longer but that is not even remotely part of my daily workload. With an SSD you're not really waiting behind I/O as much as you are waiting behind poorly designed synchronous software that can only do 1 thing at a time.apropos man posted:Can I be smug about this if I'm using luks/dm-crypt on Linux? I'm guessing that I can, since dm-crypt layers on top of any hardware encryption? Yes but only half way because luks/dm-crypt are not able to use the TPM to store the key or verify bootloader authenticity so you're vulnerable to evil maid attacks. Then again, installing VPN drivers recently made Ubuntu tell me "oh btw switch off secure boot thanks" so what the gently caress maybe that is how you roll on Linux apparently.
|
# ? Nov 5, 2018 21:36 |
|
an actual dog posted:oh my god this is so good. oh my god what the gently caress were they thinking "gently caress it gently caress that gently caress everything, compile you pigfucker!" *Ding, firmware compiled with 74837 warnings and NO errors* "Praise Lord Samsung, time to send it to the factory"
|
# ? Nov 5, 2018 21:41 |
|
EssOEss posted:I run software BitLocker on all my mobile computers and I have never felt any performance degradation. Sure copying 50 GB of files might take a bit longer but that is not even remotely part of my daily workload. With an SSD you're not really waiting behind I/O as much as you are waiting behind poorly designed synchronous software that can only do 1 thing at a time. Haha. What a conclusion!
|
# ? Nov 5, 2018 21:44 |
|
EssOEss posted:I run software BitLocker on all my mobile computers and I have never felt any performance degradation. Sure copying 50 GB of files might take a bit longer but that is not even remotely part of my daily workload. With an SSD you're not really waiting behind I/O as much as you are waiting behind poorly designed synchronous software that can only do 1 thing at a time. Keep in mind that bitlocker debuted with Vista where single and dual-core CPUs were still the norm. This decision was made back on those days and the overhead on those older CPUs could be crippling
|
# ? Nov 5, 2018 21:51 |
|
Methylethylaldehyde posted:"gently caress it gently caress that gently caress everything, compile you pigfucker!" loling while thinking about trusting samsung hardware to be secure
|
# ? Nov 5, 2018 21:59 |
|
an actual dog posted:loling while thinking about trusting samsung hardware to be secure How is Samsung better or worse than pretty much any other vendor. This entire industry is a dumpster fire.
|
# ? Nov 5, 2018 22:04 |
|
an actual dog posted:loling while thinking about trusting samsung hardware to be secure I still chuckle when they hardcoded the master encryption password in to their Knox security software and when that was discovered their solution was to throw the device away and use one that is compatible with Knox 2.0 (no upgrade path available)
|
# ? Nov 5, 2018 22:06 |
|
CLAM DOWN posted:How is Samsung better or worse than pretty much any other vendor. This entire industry is a dumpster fire. You're not wrong, I'm just thinking about all the different high profile screwups they've had over the years. The one immediately in my mind is their android alternative tizen.
|
# ? Nov 5, 2018 22:16 |
|
an actual dog posted:You're not wrong, I'm just thinking about all the different high profile screwups they've had over the years. The one immediately in my mind is their android alternative tizen. Oh yeah don't get me wrong, they've had some total messes on their hands. I just don't think they're any worse than anyone else. Everything is terrible and on fire.
|
# ? Nov 5, 2018 22:18 |
|
OSX and iOS are just fine, thank you.
|
# ? Nov 5, 2018 22:21 |
|
BangersInMyKnickers posted:OSX and iOS are just fine, thank you.
|
# ? Nov 5, 2018 22:27 |
|
BangersInMyKnickers posted:OSX and iOS are just fine, thank you. ahahahahahahhahahahahahaha macOS security in enterprise environments is a pathetic joke this is literally the company that let you have sudoers access by entering a blank passcode
|
# ? Nov 5, 2018 22:30 |
|
Thank you for posting this graphic of the dawning and inescapable realization that apple is the only player in the market with their poo poo together
|
# ? Nov 5, 2018 22:30 |
|
The Iron Rose posted:ahahahahahahhahahahahahaha how long did that go from disclosure to patch, exactly?
|
# ? Nov 5, 2018 22:31 |
anthonypants posted:Would you be smug about software RAID if a hardware RAID controller had problems? Although yes, I do feel the tiniest bit smug about both that and using GELI or GBDE depending on circumstances. BangersInMyKnickers posted:Keep in mind that bitlocker debuted with Vista where single and dual-core CPUs were still the norm. This decision was made back on those days and the overhead on those older CPUs could be crippling
|
|
# ? Nov 5, 2018 22:49 |
|
CLAM DOWN posted:How is Samsung better or worse than pretty much any other vendor. This entire industry is a dumpster fire.
|
# ? Nov 5, 2018 22:51 |
|
D. Ebdrup posted:It's not like there weren't good examples of how to do it; GBDE was included in FreeBSD 5 which was released in 2003, and it's design included attempting to not be subject to rubberhost cryptography.
|
# ? Nov 5, 2018 22:57 |
anthonypants posted:Was that the part where they hardcoded it to use only AES-128, or the one where they wrote their own PRNG From memory, I do believe phk tried to address the issues pointed out in the analysis that was made - but I don't think anyone designing crypto-anything in 2003 could've foreseen graphics cards or ASICs which we have today. One thing that I don't know I've seen outside of GBDE is the idea that it shouldn't be possible to find the encrypted data by forensic analysis of the disk. Can anyone tell me if that's been attempted outside of GBDE? BlankSystemDaemon fucked around with this message at 23:24 on Nov 5, 2018 |
|
# ? Nov 5, 2018 23:21 |
BangersInMyKnickers posted:Even with AES-NI, software encryption overhead with an average SDD like an EVO 840 can pretty much saturate an average CPU when its cranking with enough active threads to hit all cores.. What are you considering an "average CPU" here? Software Bitlocker on my 950 Pro (thanks for never actually enabling eDrive like you said you would, Samsung ) with a 6700k has zero performance impact in disk benchmarks and CPU usage low enough that it more or less blends into the background noise of how much CPU gets used when hitting a disk hard anyway. Theris fucked around with this message at 01:19 on Nov 6, 2018 |
|
# ? Nov 6, 2018 01:15 |
|
D. Ebdrup posted:One thing that I don't know I've seen outside of GBDE is the idea that it shouldn't be possible to find the encrypted data by forensic analysis of the disk. Can anyone tell me if that's been attempted outside of GBDE?
|
# ? Nov 6, 2018 01:23 |
|
Theris posted:What are you considering an "average CPU" here? Software Bitlocker on my 950 Pro (thanks for never actually enabling eDrive like you said you would, Samsung ) with a 6700k has zero performance impact in disk benchmarks and CPU usage low enough that it more or less blends into the background noise of how much CPU gets used when hitting a disk hard anyway. is it actually enabled? you do need to disable and then re-enable bitlocker on the drive after toggling it.
|
# ? Nov 6, 2018 08:21 |
Daman posted:is it actually enabled? you do need to disable and then re-enable bitlocker on the drive after toggling it. I have to enter the Bitlocker passphrase (I don't have a TPM) to boot, so I assume so. Maybe not? Edit: Seriously misremembered Veracrypt benchmark results, deleted the part of the post based on that. Theris fucked around with this message at 09:13 on Nov 6, 2018 |
|
# ? Nov 6, 2018 08:59 |
anthonypants posted:Are you seriously trying to claim that GBDE is the only disk encryption method that prevents forensic analysis from recovering encrypted data?
|
|
# ? Nov 6, 2018 12:57 |
|
D. Ebdrup posted:If you're just going to ignore that it's phrased as a question, and contains a questionmark, why even respond to it without providing an answer.
|
# ? Nov 6, 2018 16:37 |
EDIT: No, you know what, nevermind. Life's too loving short.
BlankSystemDaemon fucked around with this message at 21:14 on Nov 6, 2018 |
|
# ? Nov 6, 2018 21:09 |
|
D. Ebdrup posted:One thing that I don't know I've seen outside of GBDE is the idea that it shouldn't be possible to find the encrypted data by forensic analysis of the disk. Can anyone tell me if that's been attempted outside of GBDE? truecrypt hidden volumes? where there is plausible deniability whether there are 1 or 2 encrypted volumes? or do you want to be able to plausibly claim there are 0 of them?
|
# ? Nov 6, 2018 21:41 |
|
Rufus Ping posted:truecrypt hidden volumes? where there is plausible deniability whether there are 1 or 2 encrypted volumes? or do you want to be able to plausibly claim there are 0 of them?
|
# ? Nov 6, 2018 22:03 |
GBDE has steganography support, as well as positive denial facilities.
|
|
# ? Nov 6, 2018 22:55 |
|
D. Ebdrup posted:GBDE has steganography support, as well as positive denial facilities.
|
# ? Nov 6, 2018 23:08 |
|
anthonypants posted:My favorite part of the manpage is the bolded notice at the top. lmao
|
# ? Nov 6, 2018 23:15 |
|
anthonypants posted:Because if that is the premise of your question, then it is far too stupid to deserve an answer. You're joking, right? There's nothing stupid about that, just ignorant. This is some advanced computer science stuff, dude, chill. You don't need to flex your very smart brain.
|
# ? Nov 7, 2018 06:25 |
|
Cup Runneth Over posted:You're joking, right? There's nothing stupid about that, just ignorant. This is some advanced computer science stuff, dude, chill. You don't need to flex your very smart brain.
|
# ? Nov 7, 2018 06:29 |
|
anthonypants posted:My favorite part of the manpage is the bolded notice at the top. This was my favorite part: Buy a new laptop with cash and remove the hard drive. Install your favorite Linux (encrypted, of course) to an SD card or USB stick, and boot from that. Install a vault with walls of several hundred meters thick solid steel. This vault can only be feasibly accessed using the single key, which has a complexity comparable to a number with 600 digits, inside a new VM that's running something reasonably common like Ubuntu. Leave absolutely everything, right down to the screen resolution, in four copies, each of which is stored in one of four small safes, each of which can be opened with unique key resembling a unique fingerprint. Now set up your laptop's actual OS to use a good VPN -- containing the exact locations of all four key-safes which are located in randomly chosen places on the outside surface of the vault where they are practically impossible to detect when they are closed -- and pay for it by mailing cash in an envelope (using small bills that you got in change somewhere; bills out of an ATM might be logged). Finally, each safe contains four switches which are wired to a bar of dynamite connected to the VPN via Tor. Now take your laptop to a coffeeshop that's not too close to home (if you're driving, park some ways off), get a drink (not your usual!) and open the safe for which he has the key, take out the master-key and access the vault. When done, lock up the master-key in the safe again and pay with cash, then sit down, connect to the wifi (spoofing your MAC address or better still, use a USB wifi adapter that you bought with cash, and still spoof the MAC. If a keyholder-X for some reason distrusts keyholder-Y, she has the option of double-checking to make sure it's going out via the the laptop's Tor/VPN connection and it isn't using anything like a virtual adapter to connect itself directly to the coffeeshop wifi and detonating the bar of dynamite in safe-Y. This will obliterate the master-key in that safe and thereby deny keyholder-Y access to the vault and do your crime. Should the facility come under attack, overwrite the USB stick you booted off of with random data to detonate all four bars of dynamite and thereby make sure that access to the vault is denied to everybody before physically destroying it. If you used a USB wifi adapter, do so in confidence that the contents of his safe will not yield access to the vault to destroy that as well. For maximum security, should the facility fall to the enemy, and a keyholder be forced to apply his personal key, he can do so in confidence that the contents of his safe will not yield access to the vault, and the enemy will hopefully disassemble and destroy the entire laptop.
|
# ? Nov 7, 2018 09:18 |
|
|
# ? May 10, 2024 05:28 |
|
EssOEss posted:Yes but only half way because luks/dm-crypt are not able to use the TPM to store the key or verify bootloader authenticity Technically you're right, but this is a really poorly worded assertion. Does LUKS itself have support for directly reading the TPM or altering the NVRAM? No. Should it? Probably not, as that's the job of tools such as tcsd, tpm_nvread, tpm_nvdefine, tpm_nvwrite, etc. You can verify bootloader authenticity and retrieve keys from the TPM to unlock drives at boot time automatically by using TrustedGRUB and clevis, respectively. Two things that can be said are that there's no real official support for verifying bootloader authenticity (thus the need for TrustedGRUB, mjg59's grub fork, etc), and that as far as I'm aware extending bootloader PCRs with UEFI bootloaders doesn't really exist yet for Linux. Sheep fucked around with this message at 13:39 on Nov 7, 2018 |
# ? Nov 7, 2018 13:07 |