Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Saturday June 06 2015, @06:34AM   Printer-friendly
from the in-ms-we-trust dept.

The Intercept's Micah Lee wrote a guide explaining how to encrypt a hard drive but was criticized for recommending Microsoft's BitLocker disk encryption utility for Windows users. Microsoft has responded to some of the criticisms by providing more details about how BitLocker works:

The company told me which random number generator BitLocker uses to generate encryption keys, alleviating concerns about a government backdoor in that subsystem; it explained why it removed the Elephant diffuser, citing worries over performance and compatibility that will appease some, but certainly not all, concerned parties; and it said that the government-compromised algorithm it bundles with Windows to generate encryption keys is, by default, not used at all.

Significant questions remain about BitLocker, to be sure, and because the source code for it is not available, those questions will likely remain unanswered. As prominent cryptographer Bruce Schneier has written, "In the cryptography world, we consider open source necessary for good security; we have for decades." Despite all of this, BitLocker still might be the best option for Windows users who want to encrypt their disks.

Microsoft cryptographer Niels Ferguson gave a presentation in 2007 suggesting that Dual_EC_DRBG might have a backdoor. These suspicions were confirmed by the Snowden documents. Microsoft says that the default pseudorandom number generator for Windows is CTR_DRBG, and that BitLocker uses it when it generates a new key.

BitLocker uses an encoding engine, AES-CBC, and originally used the "Elephant diffuser" to protect encrypted files from being modified to become malicious by an attacker with physical access. Microsoft removed the Elephant diffuser because it hurt performance and is not compliant with Federal Information Processing Standards. Linux systems using LUKS disk encryption are vulnerable to the same kind of attack.

Microsoft says that it does not build backdoors into its products, but that it doesn't consider building methods to bypass their security in order to comply with legitimate legal requests "backdoors." It also shares its source code with governments so that they can check for backdoors... or for vulnerabilities which they could use as backdoors. A Microsoft spokesperson would not answer whether Microsoft could comply with a lawful request to unlock a BitLocker-encrypted disk.

TrueCrypt and its VeraCrypt and CipherShed forks do not play well with post-Windows 8 UEFI and GPT partition tables. Bruce Schneier recommends the proprietary BestCrypt full-disk encryption for Windows users. How does he reconcile this recommendation with what he wrote in 1999? "I do recommend BestCrypt because I have met people at the company and I have a good feeling about them. Of course I don't know for sure; this business is all about trust. But right now, given what I know, I trust them."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by anubi on Saturday June 06 2015, @08:16AM

    by anubi (2828) on Saturday June 06 2015, @08:16AM (#192816) Journal

    I wonder if, given their track record, Microsoft could ever release a product people would actually trust, no matter how rigorous the code actually is?

    I believe their image has gone the same way the perceptions of quality of American cars went in the 70's.

    All this talk of NSA backdoors, "working with" selected technology partners for yet more backdoors, disappointments like "plays for sure" and "trustworthy computing", while still having a dozen companies in their wake working to patch up their code isn't helping their image much.

    From what I see, Microsoft is not going to survive by the soundness of their product, but I believe they will survive on their legal ability to enforce monopoly with patent.

    I would not be surprised at all to see Google come up with and release something that works, even if the MAFIAA's have a royal hissyfit over it. You know, payback for all the headaches that group has given Google over YouTube.

    I believe the main thing Linux has going against it is that has become fragmented across too many variants, leading to a lack of knowledgeable people who know Linux well enough to administer it. Its almost like trying to codify law, but each region has a different dialect and slightly different meanings for words.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    Starting Score:    1  point
    Moderation   +3  
       Interesting=3, Total=3
    Extra 'Interesting' Modifier   0  

    Total Score:   4  
  • (Score: -1, Offtopic) by Anonymous Coward on Saturday June 06 2015, @08:54AM

    by Anonymous Coward on Saturday June 06 2015, @08:54AM (#192820)

    Hey! Cool, bro! Could you, like, post a selfie of the Anti-Microsoft Bunker you are standing in front of? That would make your post soo much cooler and believable, in a social media kinda way.

    • (Score: 0) by Anonymous Coward on Saturday June 06 2015, @11:31AM

      by Anonymous Coward on Saturday June 06 2015, @11:31AM (#192848)

      A basement is now a bunker?

  • (Score: 3, Informative) by gidds on Monday June 08 2015, @01:21PM

    by gidds (589) on Monday June 08 2015, @01:21PM (#193628)

    I wonder if, given their track record, Microsoft could ever release a product people would actually trust, no matter how rigorous the code actually is?

    I think the bigger problem is not whether we can trust a Microsoft product; it's that people aren't asking that question — either because they don't know enough to ask it, or because they don't think the answer could ever affect them personally.

    It's true that Microsoft has a bad reputation, but for most people, that's solely based on their annoyances with the Windows interface, with the cost of MS Office, or (slightly more relevantly) hassle and damage caused by Windows viruses.  The possibility of 'authorities' gaining access to their data simply isn't on their radar.  And for many people, there's an implicit assumption that, even if that happens, they'll be OK as they're not a terrorist or hacker.

    That assumption is the next major barrier.

    First, it was "The technology doesn't exist to access my private data/communications."  That's been known to be false for a good while now.

    Then, it was "The Powers That Be don't have that sort of technology."  Recent revelations have shown that to be false.

    Then, it was "If TPTB have that technology, they only spy on eeevil terrrrists/hackers/furriners."  We now know that to be false too.

    We're now at "TPTB may have all this data from spying, but they only use it against eeevil terrrrists/hackers/furrniers."

    We'll need to demonstrate that to be false, too — giving people a personal stake in the matter — for them to care.

    --
    [sig redacted]