|
goddamnedtwisto posted:that's what tpm is for, surely? Sure if it's a physical box. I'm not sure how full disk encryption would store keys in hardware for VMs though, you'd probably need some kind of HSM.
|
#
?
Feb 26, 2019 21:58
|
|
|
|
| # ? May 20, 2024 09:36 |
|
|
ewiley posted:Sure if it's a physical box. I'm not sure how full disk encryption would store keys in hardware for VMs though, you'd probably need some kind of HSM. But it is a physical box.
|
|
#
?
Feb 26, 2019 22:05
|
|
|
goddamnedtwisto posted:that's what tpm is for, surely? No. If you can power on the device, and the device unlocks itself on boot, the TPM is useless.
|
|
#
?
Feb 26, 2019 22:16
|
|
|
ratbert90 posted:No. If you can power on the device, and the device unlocks itself on boot, the TPM is useless. the specific case of "if you can get the hard drive out of the thing, either directly or just finding it after it's been improperly disposed of" would be fixed even if the TPM just auto-unlocked everything
|
|
#
?
Feb 26, 2019 22:19
|
|
|
useless for a full physical compromise. it would allow partial compromises (e.g. stolen drive) to be mitigated define your threat models
|
|
#
?
Feb 26, 2019 22:19
|
|
|
Wiggly Wayne DDS posted:useless for a full physical compromise. it would allow partial compromises (e.g. stolen drive) to be mitigated The threat model is "Somebody walking away with the box and putting malware on it."
|
|
#
?
Feb 26, 2019 22:25
|
|
|
ozymandOS posted:otoh, if the box can unlock its own encryption on boot, so can an attacker while the computer is running other mechanisms are in place to protect the data.
|
|
#
?
Feb 26, 2019 22:30
|
|
|
Shaggar posted:while the computer is running other mechanisms are in place to protect the data. that depends on how the bootloader and unlock is set up the implication is that they only care about encryption, so they would approve a system where you can boot into an attacker-supplied OS while still being able to unlock the disk
|
|
#
?
Feb 26, 2019 23:10
|
|
|
ozymandOS posted:otoh, if the box can unlock its own encryption on boot, so can an attacker if the TPM is releasing the DEK then its going to validate the enclave before doing so and you'll have to yank the entire system instead of just the drive. with appropriate physical security its probably not worth doing FDE but ifs its platter disk or a low-IO the CPU overhead is barely measurable so why not do it on the off-hand chance that something is mishandled during decommissioning
|
|
#
?
Feb 27, 2019 00:00
|
|
|
ewiley posted:Sure if it's a physical box. I'm not sure how full disk encryption would store keys in hardware for VMs though, you'd probably need some kind of HSM. hyper-v supports a virutal tpm for this purpose. it's p.slick and I wish vmware would get off their rear end and make parity
|
|
#
?
Feb 27, 2019 00:01
|
|
|
ratbert90 posted:No. If you can power on the device, and the device unlocks itself on boot, the TPM is useless. lol no
|
|
#
?
Feb 27, 2019 00:01
|
|
|
x-postingLain Iwakura posted:So in an effort to get back into doing fun coding things again, I'm going to probably demonstrate how I worked with breach data via Twitch streams. Still trying to come up with an angle I like but I feel like it's time to let people know that I am a terrible software developer and have bad ideas on how I approached the entire mess.
|
|
#
?
Feb 27, 2019 00:04
|
|
|
BangersInMyKnickers posted:lol no Ok, let me be more clear: If you can power on the device, and the device unlocks itself on boot, the key stored in the TPM for encryption is useless. The TPM also stores the update binary key, which is still useful.
|
|
#
?
Feb 27, 2019 00:19
|
|
|
full disk encryption is there to improve confidentiality and kinda integrity at the expense of availability for lots of computer poo poo availability is more important than confidentiality or integrity, especially if it's like a cable box or something where it's the buyer of the equipment that'll pay support costs if it loses availability but doesn't actually stand to lose much if confidentiality or integrity fail otherwise i.e. comcast doesn't want you hacking your cable box to get all the porn channels or w/e for free but they definitely don't want you spending an hour on the phone if some part of the encryption stack has a fucky-wucky that would otherwise just be a weird glitch that the end user can deal with
|
|
#
?
Feb 27, 2019 00:27
|
|
|
BangersInMyKnickers posted:hyper-v supports a virutal tpm for this purpose. it's p.slick and I wish vmware would get off their rear end and make parity 6.7 just got TPM's i think, Needs a KMS system but I saw something in the release notes
|
|
#
?
Feb 27, 2019 00:44
|
|
|
Beccara posted:6.7 just got TPM's i think, Needs a KMS system but I saw something in the release notes Well that's cool, maybe in ten years when our virtualization team get their poo poo together I can actually roll it out
|
|
#
?
Feb 27, 2019 03:28
|
|
|
ratbert90 posted:If you can power on the device, and the device unlocks itself on boot, the key stored in the TPM for encryption is useless. but... not necessarily? like, this is still new enough in security land (like 10 years old lol) that bugs are aplenty, but the whole point of a TPM is that it divulges the DEK if it's booting the exact hardware/firmware/software it should be. Barring a security bug (however common), that's supposed to make it impossible for an attacker to get the DEK short of like spying on DRAM traces after boot or something wild like that
|
|
#
?
Feb 27, 2019 03:29
|
|
|
ratbert90 posted:Ok, let me be more clear: FDE also lets you do instant-erase by deleting the key
|
|
#
?
Feb 27, 2019 04:07
|
|
|
Cocoa Crispies posted:full disk encryption is there to improve confidentiality and kinda integrity at the expense of availability This is true but Comcast is also beholden to a set of criteria that the content providers set, and the specifications of the Conditional Access System supplier.
|
|
#
?
Feb 27, 2019 06:37
|
|
|
crazypenguin posted:but... not necessarily? and you can't even sniff the TPM PCIe/LPC/i2c bus with session secrets, nor sniff the DRAM thatsensitive data is in (with AMD SME or Intel SGX) maybe you can sniff the communication or firmware of the storage device? idk about those
|
|
#
?
Feb 27, 2019 07:24
|
|
|
oh hey Gandi supports DNSSEC finally, when did that happen
|
|
#
?
Feb 27, 2019 18:28
|
|
|
gandi seems more of a WinNuke kinda guy
|
|
#
?
Feb 27, 2019 19:43
|
|
|
Krankenstyle posted:gandi seems more of a WinNuke kinda guy
|
|
#
?
Feb 27, 2019 19:45
|
|
|
Krankenstyle posted:gandi seems more of a WinNuke kinda guy
|
|
#
?
Feb 27, 2019 20:33
|
|
|
Shame Boy posted:oh hey Gandi supports DNSSEC finally, when did that happen At least a year Op
|
|
#
?
Feb 27, 2019 22:36
|
|
|
Shame Boy posted:oh hey Gandi supports DNSSEC finally, when did that happen 2012, they just hosed up including it in the first versions of the recent v5 website design, so you had to manually use v4.gandi.net
|
|
#
?
Feb 27, 2019 22:46
|
|
|
wonder if route 53 will ever support dnssec (not as a registrar, gently caress off)
|
|
#
?
Feb 28, 2019 00:26
|
|
|
Krankenstyle posted:gandi seems more of a WinNuke kinda guy
|
|
#
?
Feb 28, 2019 00:32
|
|
|
Krankenstyle posted:gandi seems more of a WinNuke kinda guy 
|
|
#
?
Feb 28, 2019 04:08
|
|
|
Lain Iwakura posted:x-posting Id watch this
|
|
#
?
Mar 2, 2019 20:19
|
|
|
tangential but I just tested club mate for the first time now and I dont get the appeal, ccc lied to me
|
|
#
?
Mar 3, 2019 00:48
|
|
|
ymgve posted:tangential but I just tested club mate for the first time now and I dont get the appeal, ccc lied to me It's bad
|
|
#
?
Mar 3, 2019 03:30
|
|
|
It's a bit of an acquired taste, but it's much, much better tasting than red bull or monster or whatever, imo.
|
|
#
?
Mar 3, 2019 09:04
|
|
|
the Christmas stuff is okay
|
|
#
?
Mar 3, 2019 16:07
|
|
|
I like it well enough, but I don't think a lot of people actually like it, and drink it just because it's a cultural thing.
|
|
#
?
Mar 3, 2019 16:53
|
|
|
spankmeister posted:I like it well enough, but I don't think a lot of people actually like it, and drink it just because it's a cultural thing. stay out of the coffee thread op
|
|
#
?
Mar 3, 2019 16:56
|
|
|
Nah coffee is actually good.
|
|
#
?
Mar 3, 2019 17:17
|
|
|
https://twitter.com/rqou_/status/1101331385632022528 https://twitter.com/bofh453/status/1101335595916451840 ascii or bust
|
|
#
?
Mar 4, 2019 03:52
|
|
|
Acer Pilot posted:https://twitter.com/rqou_/status/1101331385632022528 Time to update them ripper dictionaries
|
|
#
?
Mar 4, 2019 04:33
|
|
|
|
| # ? May 20, 2024 09:36 |
|
|
Acer Pilot posted:https://twitter.com/rqou_/status/1101331385632022528 哈哈哈
|
|
#
?
Mar 4, 2019 04:52
|
|
