Windows Fix? Who knew...

Pretty much describes every erosion of Windows as an OS... a ring zero kernel with crap bolted on in awkward ways.

They finally learned their lesson on the security stuff, or so folks thought, and then it was found there was a massive on-purpose back door in Bitlocker...
 
Just curious where you got that from?

Sent from my SM-G935V using Tapatalk
 

The Bitlocker thing? Articles on it weeks ago. All one has to do is boot into some maintenance thing and completely bypass it. MSFT said they couldn't patch it because it was designed to help manufacturers do something, I forget. Google around, you'll find it.

But beyond that, my airplane co-owner who runs a computer store had a laptop with Bitlocker and then a number of lost passwords that needed to have something retrieved off of it, including the BIOS security password.

The techs had figured out how to access the BIOS via JTAG on the motherboard (may have even had to solder leads to the pads, I don't know) and disable/rewrite that password in an hour, and as he put it, "Bitlocker was the easy part". The third lost password was the OS login password, and that presented no particular problem to the techs either.

He doesn't share his tech's tricks, both because it would hurt business and also because most folks believe the stuff is actually secure, so why worry them? Most don't even know what JTAG is.

I remember the Bitlocker bypass article because I sent it to some co-workers and we had a good chuckle because a couple of our customers think it's secure, and require it on mobile systems like laptops. They probably think it's secure because they tie it to the BIOS trusted computing stuff, but things like accessing the BIOS via JTAG aren't usually protected against.

If you have physical access and unlimited time with the hardware, there's always a way. But the BIOS stuff is, in the grand scheme of things, relatively easy if your techs know some electronics. Every board needs a way for the manufacturer to test it and program it during assembly.

Other attacks that have been really successful on both Windows and Mac take advantage of the I/O interfaces like USB having DMA built into the hardware. If the machine is booted and the desired information is in RAM, it's accessible. Even on machines with the USB ports disabled, there's usually a pin header or pads inside where USB is alive and well... maybe ten seconds of tack soldering required to get at it.
 
I would still call it secure. I agree if you have enough time, resources and knowledge anything can be broken; it's designed by a program and by definition can be broken into. Question is how many people can do it? It's like securing your house, you can put as many security systems and bolts on your door, no one is stopping anyone taking a chainsaw and making a hole in the wall to get in, unless you live in a nuke-proof bunker that is, and from what I have seen, our navy guys still busted something like that and busted someone's behind from there in Iraq.

 

Anyone with Google and another laptop, which is exactly what Bitlocker is supposed to guard against -- someone stealing the device. For what it was created for, it blows chunks. Technicolor chunks.
 
Bitlocker is excellent, especially with the Trusted Platform Module.

Don't blame MS if you can't remember the password.
 
I will have to respectfully disagree; with TPM, and if the boot drive is protected, there is no way a Joe Blow can crack it. Now if I have access to a datacenter, I can crack 2048-bit encryption as well; doesn't mean it's not secure.

 

I'll let the folks know who did it ... that they didn't do it. LOL.
 
I don't think you got the point. A firm got around Apple security on an iPhone in a legal case; doesn't mean you and I can do it. A lot of hackers get around a lot of federal security sites; doesn't mean Bobby, my next-door neighbor, is going to get it done.

Anyway, security is overrated, I will leave it at that. Every security can be broken, be it computer security, a bank vault, a VIP detail, or the door knob. Doesn't mean it's weak, it just means the right person is not aiming for it.
Peace

 

I got the point fine. Most security is crap and it takes very little to get around it if you have physical access to the device. Bitlocker is extremely weak sauce and is breakable by a teenager with a laptop because the morons at MSFT built a back door into it, and the BIOS stuff is often breakable because manufacturers are lazy and trying to mass produce motherboards so the JTAG and other programming pads are completely accessible.

Put it this way... ever worked on any security tech you knew was absolutely "done right"? Not "met the standard" or "passed the audits" but really done exactly right? Very few have.

It's economics. It's too expensive to do it right because there's too many bugs and too many holes.

Most consumer grade stuff just simply isn't secure even with all the "right" things turned on. And Windows desktop OSes are definitely consumer grade. One MIGHT secure Windows server products correctly with a team doing it at high cost, and get "close enough but not truly right" as an individual.

Not too surprisingly, mobile devices are actually a little better -- they got built in an era where integration of security in the hardware was wanted both by carriers and by consumers. But desktop OSes are a disaster.

All one has to do is watch how much code has to be replaced on a weekly or even faster schedule to patch security holes on them to see how slapped together a house of cards they really are. Microsoft gave up on "Patch Tuesday" as a monthly only schedule already quite some time ago. Apple stuck to their hideously slow release schedule for security bugs and is usually about three months behind the bugs being found in the underlying open source projects. So that means there's always a PUBLISHED attack vector someone can use to target the OS.

Web code and frameworks and languages? They're the worst of them all. Holes the size of a Mack truck and one could argue for a daily patch cycle if any business could afford to do it.
 
Bitlocker is extremely weak sauce and is breakable by a teenager with a laptop because the morons at MSFT built a back door into it

Not disagreeing with you on the overall computer security thing, but I do disagree with the statement above. It's not as you describe; to prove it I am more than happy to send you a drive/USB in the mail, BitLocker encrypted, you take your time, open it and let me know the name of the file and the contents in it. And do it by whatever internet article claims it can be cracked by a teenager and has a step-by-step guide for it. If you can, we'll talk.

I will say this again, it's software-based encryption and with the right resources it can be cracked; the operative word being "right resources". There is a reason every enterprise out there destroys their hard drives physically, because if you don't and just wipe it with a secure wipe, even to DOD standards, that data can be recovered with the "right resources".
 

You missed completely how it was bypassed and can still be. The auth step prior to boot can be fooled into unlocking the drive. Nobody is silly enough to attack the encryption directly, that's like walking into a brick wall for anyone without GovBucks. You attack the back and side doors not the brick wall. Bitlocker on a typical laptop is toast. That's how the folks I know got past it.

GovBucks buys a LOT of custom parallel processing hardware on open, grey, and black budgets these days and have for a decade.

As far as encrypting things goes, there's lots of evidence of math being slid into algorithms by folks that isn't audited well. MSFT is one of the worst on that; their code isn't even available to audit, let alone audited by thousands, and holes as broad as a barn door are still being found in wrapper implementations around the encryption, like OpenSSL's debacle a year or so ago.

This hole in Bitlocker auth existed from day one until 2015, as an example:

https://www.google.com/amp/www.comp...rivial-windows-authentication-bypass.amp.html
 

I didn't. BitLocker is a drive encryption tool. It protects against someone gaining access to your data when the laptop is stolen. The recommended steps to set up BitLocker are to set up boot-time TPM + PIN + USB, and that cannot be cracked (just because Jonny doesn't want to go through the hassle of protecting his computer the right way doesn't make the algorithm vulnerable). If the "folks" you are referring to had admin access, there was no boot PIN and they just grabbed the decryption key from memory, that's not cracking BitLocker, that's like grabbing my door lock key from under a stone and opening the door. Most people use hibernation/sleep; that's live as far as RAM is concerned, and that's not the way you want to protect your computer if you are serious about it. The article you shared was from long before boot PIN was introduced via TPM. In Vista days very few computers actually had TPM, and the article is based on a computer that didn't have a pre-boot PIN, which is a recommended step.

So, yeah, any teenager with an internet connection cracking BitLocker... not gonna happen. The sole purpose of BitLocker is encrypting the drive. Take me up on my offer, and send my USB to the "folks" who claimed to crack BitLocker and have them do it in my lifetime.
 

Most consumer laptops still don't have the capability to do TPM. Those that do often have ways to snag the things stored in them out via JTAG. Almost nobody in the consumer space does the dual-factor thing with the USB stick.

It can be done right, but I asked you a solid question you never answered: Ever worked somewhere that did all of it right?

It's one thing to say it's possible to do it right. It's completely another to see it being all done right in practice. If I had to guess, I'd say less than one in ten organizations follows all published best practices and easily 9 out of 10 have something done so wrong their most important data is at risk. Just nobody wants it bad enough to go get it. Yet.

A friend at a very well known national financial firm anyone here would recognize sent a phishing email to the entire staff nationwide as part of a pen-test (authorized by C-level but only three humans knew about it) back some time ago and 70% of the company responded to an email from a Yahoo account with their SSO usernames and passwords, including the CEO.

This was a while back, but it was the real impetus for setting up dual-factor across the entire organization when they'd decided not to spend over $100M doing it. They claimed right up to and through that whole thing to customers that they met all sorts of security standards and did at the time, but all it took was a bulk email from a Yahoo account that looked like an email from their IT department, to topple the entire company's defenses.

Social engineering is still the best and always works. Always. It's why the majority of questions asked of character interviewers for security clearances are about money of everyone who knows the applicant.

All sorts of corroborated stories out there of nearly every major firm not implementing something they should have, after folks leave the organization. Whether it's a business or a TLA, nearly nobody does it right.

Saw a PCI cert (which is a lot of work but misses incredibly obvious things in most environments and auditors are easily fooled) nearly get thrown in the garbage by a business acquisition of the PCI rated firm by one that wasn't who THOUGHT they knew security, started making major changes to architecture without talking to the acquired company's staff. (I may or may not have been part of the acquired and chuckled deeply watching the morons at the new HQ destroying years of work... and may or may not have enjoyed saying things on conference calls like, "No that system may NOT be connected to that VLAN unless you want an instant fail on next quarter's audit.")

Even at that, I still knew where the real holes were and where the skeletons were hiding in the security closet. Stuff like the acquisition just burnt so much time nobody ever had time to plug the obscure holes -- we had co-workers making new ones for us daily, why worry about the hard to find ones? Weren't enough hours in the day to plug the holes in the dam when your own team is busting holes in it with high explosives.
 
I don't even know what we are arguing about anymore. My comment was on the fact that any teenager with a laptop and Google can crack BitLocker; no, they can't. Just because one doesn't pay for a laptop with TPM, or doesn't use the recommended settings, doesn't make it MSFT's fault, or any software vendor's fault. It's software, it will have glitches; a security researcher finding a flaw doesn't make it insecure for the general public. If one doesn't want to follow the steps to do it right, I don't think complaining about it and blaming it on the software helps. But again, that may be just me.

 
And yes, I do work somewhere where we do it right, and a part of my job is to ensure other companies do it right; some pay attention, some don't. Those who don't come back months/years later after learning the hard way and then do it right.

 

And you still missed the point that MSFT markets it as "security". Without digging into their best practices Docs, something a consumer will NEVER do, and reading about this stuff, they'll follow on-screen instructions.

Those instructions also DO NOT include any of this info that you or I know about how to implement Bitlocker and barely even mentions it as you enable it.

The average user will turn it on, set a password only for authentication, and then leave their computer turned on in sleep mode, or let it go into hibernation mode in their laptop bag for the entire lifetime of the laptop and never know that Bitlocker literally isn't doing anything at all for them. Zero. Nothing. Nada.

But the screen instructions and all the public marketing will say it's "security".

And you still didn't answer the question. Is every single system and every single project and company you've ever worked at doing every single best security practice? Ever work at one that did or think you ever will? Ever work at any organization that didn't have at least one gaping security hole caused by an exec who didn't want to be bothered with something inconvenient?

Like I said, Fortune 100 financial company, one email, 70% of the staff sent passwords.

There's so few places that are actually even close to being secure about computing, it's laughable at how much money pours into that sector for so little gain.

We already know via credible sources that various insanely expensive and large IT segments attached to government TLAs have been successfully attacked. Some more than once. DOI had a great "run" there for a couple of years where they were completely shut down for days cleaning up malware and virii nearly every month.

If the average coder codes even two bugs for every bug they fix, and most researchers say that number is way too low, but we'll use it for the discussion, the number of bugs overall and security bugs as a ride-along, is a multiplier. Think compound interest. That's where the industry continues to go with a wall of excuses for it and very little thought going into how to reverse that ratio.
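The two configurations argued over in this thread (TPM-only with the laptop left in sleep, versus TPM + PIN with pre-boot authentication) can be told apart on a machine without anyone's tricks. The script below is an added example, not code from the thread or from Microsoft: a read-only audit of the points raised above, run from an elevated PowerShell session on Windows 10/11. It assumes the built-in BitLocker and TrustedPlatformModule modules (`Get-BitLockerVolume`, `Get-Tpm`), `powercfg`, and the `HibernateEnabled` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Power` are present, as on stock Windows; the function name `Get-BitLockerPostureFindings` is my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit a machine's BitLocker posture.
# Read-only; remediation commands are left as comments at the bottom.

function Get-BitLockerPostureFindings {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. A usable TPM is what ties the volume key to this hardware.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM present: only password/startup-key protectors are possible.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM present but not ready; initialise it before relying on TPM-bound keys.')
    }

    # 2. Protectors on the OS volume. A TPM-only protector releases the volume
    #    key at boot with no user input; TPM+PIN (optionally +startup key) is
    #    the pre-boot authentication the thread calls "done right".
    $vol          = Get-BitLockerVolume -MountPoint $MountPoint
    $types        = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    $hasPreBoot   = [bool]($types | Where-Object { $preBootTypes -contains $_ })

    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("$MountPoint protection is '$($vol.ProtectionStatus)': the volume key is not protected.")
    }
    if (-not $hasPreBoot) {
        $findings.Add("$MountPoint has no pre-boot authentication protector (found: $($types -join ', ')).")
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings.Add("$MountPoint has no recovery password; a TPM or firmware change will lock you out.")
    }

    # 3. Power states. A sleeping machine keeps the volume key in RAM, and a
    #    hibernating TPM-only machine reloads it unattended on resume.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    if ($power.HibernateEnabled -eq 1 -and -not $hasPreBoot) {
        $findings.Add('Hibernation is enabled without a pre-boot PIN: resume unlocks the volume unattended.')
    }
    # powercfg /a lists available sleep states first, then a "not available" section.
    $pcLines   = @(powercfg /a)
    $cutIdx    = ($pcLines | Select-String -SimpleMatch 'not available' | Select-Object -First 1).LineNumber
    $available = if ($cutIdx -gt 1) { $pcLines[0..($cutIdx - 2)] } else { $pcLines }
    if (($available -join "`n") -match 'Standby') {
        $findings.Add('Sleep (Standby) is available: a sleeping laptop keeps the BitLocker key in memory.')
    }

    return $findings
}

$result = Get-BitLockerPostureFindings
if ($result.Count -eq 0) {
    Write-Host 'No findings: TPM ready, pre-boot authentication and recovery password in place.'
} else {
    $result | ForEach-Object { Write-Host "FINDING: $_" }
}

# Remediation (not executed by this script):
#   Enable the policy "Require additional authentication at startup"
#   (Computer Configuration > Administrative Templates > Windows Components >
#   BitLocker Drive Encryption > Operating System Drives), then add a PIN:
#   Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
#   Prefer shutdown or hibernate-with-PIN over sleep for unattended laptops:
#   powercfg /h off      # only if you would rather have no hibernate at all
```

The findings map directly onto the disagreement: a machine that reports a `Tpm` protector only, with Standby available, is the "average user" case where the key is in RAM whenever the lid is closed; one with `TpmPin` and protection `On` is the configuration the other side of the thread is defending.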
 

Can you identify it by name? I'd be curious who it is. Obviously identifying it by name adds no risk whatsoever to the org, since its security is perfect. LOL.

Translation: I do not believe you. I've never met a senior admin who in person wouldn't admit their organization had at least one enormous security hole somewhere -- some would only admit it after they left the company or organization, however, especially the "security" sellers or audit firms. But all did admit it eventually.

I do very much understand what's said in public isn't what's said in private, however. ;)

Also these are always "in the trenches doing the work" folk. Their bosses and PMs never admitted or often even knew of these things. Most didn't want to know. They wanted to know the audit passed, and the business revenue threat was handled, they didn't want to ask if the security was really right.

In fact, in over two decades of senior systems work I can count the number of execs who asked that question on fewer fingers than I have on one hand. All asked if the audits passed. Plausible deniability is a real thing.
 
PS... as you well know to have a really secure system you need some jerks around with an "I can beat this security" mindset.

I make people grumpy when I rake open their cheap padlocks they bought at WalMart and hand them to them. Haha.

I use the same silly padlocks on stuff, though because they're mostly a visual deterrent.

Nobody who really knows padlocks would find any of mine to take more than a few seconds to rake open.

Breaking into your own stuff is just a way of life if you're doing security right. I know a number of ways our stuff can be broken into or our security circumvented. None would be noticed by a "security" auditor.

Padlocks are a great example of security overall. You want a padlock that actually will slow even a good lockpick down? $120 minimum to pay to play in that game. Per lock.

Most businesses don't spend anywhere near the time and money necessary to even slow down the average lock picker. Mostly because at some point, insurance is cheaper, and a good PR person can handle the press. Hahaha.
As mentioned in another thread the median household income is $50,000. Most households have more than one desktop or laptop computer. It's really no economic surprise the world is full of botnets. It always comes back to money and time. MSFT and Apple and the hardware folks give nice lip service to security but that's all it is at the $300 laptop with no tech support price point. There's millions of those on the Internet.

Exponentially worse is all it'll get. That's just the reality of the numbers.
 

About 3 years before I retired from IBM, I wrote a bit of code that will let me hack any Windows 7 password (it also worked on XP and 98). I just dusted it off a week ago and used it to unlock a Windows 10 machine.
Apparently, Microsoft hasn't really improved their security, ever.
Hint: Boot from a Linux CD or USB key, so the WinWhatever is not running at all.
BTW: If you don't have bootable CDs with Bit Defender and AVG (you need to run both), your AntiVirus software (I don't care what version or how much you paid for it) isn't getting everything off your machine.
I check my remaining WinLoser machine once a week, and I run the best AntiVirus protection in the world (I should know, I was one of the original creators).
 
I cannot dual boot if the machine is protected with BitLocker the right way.

 
That's not BitLocker's fault, is it? It's the fault of the user who didn't bother to read instructions.

 
The 2015 Bitlocker vulnerability (long since patched) required that the target machine be logged into a domain when stolen. The attacker then needed to set up a fake duplicate domain controller, configured in such a way that when the stolen computer tried to log in with the cached username, the fake domain controller would offer to reset the user's password (the hacker had figured out a way to alter the client OS code to make that happen).

That wasn't really a Bitlocker bug, it was a Windows authentication bug. And setting up that duplicate domain controller is not 'trivial'.

Computers not under domain control didn't have the problem. Computers with a boot time bitlocker PIN or password didn't have the problem.

In any case, this bug was fixed long ago.

https://technet.microsoft.com/library/security/MS15-122
 

That IS trivial. Setting up a DC is "start up the VM I published and change the domain name" level of easy, these days. (And no, the kids doing it don't care in the slightest that they don't have a legitimate copy of Windows Server inside their VMs they pass around. Five minutes of work, tops.)

I don't think you guys realize how the newbies work on these things. Nobody is walking across the room to the big tower with a stack of floppy disks to install Windows NT 3.5.1 these days.

Spinning up any OS to mess with it on a virtualization platform and network is maybe Jr High level work in this field today. Anybody loading OSs by hand is truly doing dinosaur age work at this point. Entire racks of hardware have been being loaded with automation for over a decade, and doing it on the desktop is kiddie stuff these days.
 
That IS trivial. Setting up a DC is "start up the VM I published and change the domain name" level of easy, these days. (And no, the kids doing it don't care in the slightest that they don't have a legitimate copy of Windows Server inside their VMs they pass around. Five minutes of work, tops.)

I don't think you guys realize how the newbies work on these things. Nobody is walking across the room to the big tower with a stack of floppy disks to install Windows NT 3.5.1 these days.

Spinning up any OS to mess with it on a virtualization platform and network is maybe Jr High level work in this field today. Anybody loading OSs by hand is truly doing dinosaur age work at this point. Entire racks of hardware have been being loaded with automation for over a decade, and doing it on the desktop is kiddie stuff these days.
I don't think you are getting the point. The point is, if you set up Bitlocker right, average Joe and super Joe cannot crack it, and that includes the people you mentioned who claim to crack it. Ask them what the situation was: did they have admin access? Boot PIN? Was the laptop sleeping? Hibernating? If any of the answers to the questions above is yes, then no, sorry to break the bubble, they didn't crack anything, they recovered the decryption key from memory. It's not rocket science. And if they claim to bypass the boot PIN using JTAG, and the PC was not sleeping and they didn't have access to the decryption key in memory, well then they are just bragging about something that's not possible. Because if the drive was cold and the PC was shut down, the only way to bypass Bitlocker is via brute force, and good luck with that.

The fact that people don't bother to read instructions doesn't mean it's the software's fault. If you don't read the autopilot documentation and understand its limitations, it's the fault of the pilot, not the aircraft manufacturer or Garmin. The issue is the people, not the software. Every example you have provided is related to that: people responding to phishing emails, that's not the fault of Google because they own Gmail, nor is it the fault of the engineers who wrote the SSL. It's the person who thinks his great great grandfather left him a billion dollars in South Africa and volunteers his bank information. Nothing to do with SSL, email, encryption or anything else for that matter. When you put in a boot PIN and use TPM, none of those hacks work. None.

Sure someone could bypass TPM, that doesn't make it insecure. Someone posted a video above where someone cracked a commercial bank vault in little over 5 mins, doesn't make that vault insecure.

You may be able to set up a DC in 5 mins; it won't work with a consumer laptop, and if it's an enterprise laptop and has a boot-up PIN, set up all the DCs you want, it doesn't mean much. If an enterprise doesn't bother to enforce security, that doesn't make the software less secure. Passwords inherently are not secure, it has been that way for ages, and that's where MFA comes into play, that's where biometrics come into play.

So the statement that Bitlocker is not secure and any 19 yr old with access to the Internet can crack it is simply incorrect. If you use Bitlocker the way it's intended and follow proper procedures, it's one of the best ways to secure your data. Other software vendors that have hard drive encryption software work in very similar ways.

Sent from my SM-G935V using Tapatalk
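The post above boils down to a checklist (TPM plus a boot PIN, no key left sitting in RAM by sleep, no partial hibernate on "shutdown"). The following PowerShell audit is an added example, not code from anyone in this thread; it assumes the built-in BitLocker module and an elevated prompt, and the `Get-BitLockerPosture` function name and the wording of the findings are mine. The cmdlets and registry values used are real Windows ones.

```powershell
# Added example (not from the thread): audit one volume against the "TPM + boot PIN,
# machine actually cold" configuration described in the post above.
# Requires: Windows 8/Server 2012 or later, BitLocker feature installed, elevated shell.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Protector types that require something to be supplied before the VMK is unsealed.
    $preBoot = @($types | Where-Object { $_ -in @('TpmPin','TpmPinStartupKey','TpmStartupKey','Password','ExternalKey') })
    $tpmOnly = ($types -contains 'Tpm') -and ($preBoot.Count -eq 0)

    # Hibernate availability and Fast Startup ("Shut down" writes a partial hiberfile).
    $powerCtl   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $sessionPwr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $hibernate  = (Get-ItemProperty $powerCtl   -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $fastStart  = (Get-ItemProperty $sessionPwr -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled

    # powercfg /a lists available sleep states first, then a "not available" section;
    # only the first part tells us whether S3 (suspend-to-RAM) is actually usable.
    $pcfg      = (powercfg /a | Out-String)
    $available = ($pcfg -split 'not available')[0]
    $s3        = [bool]($available -match 'Standby \(S3\)')

    $findings = New-Object System.Collections.Generic.List[string]
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add('Protection is Off/suspended: the volume unlocks without any protector.') }
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), not FullyEncrypted.") }
    if ($tpmOnly) {
        $findings.Add('TPM-only unlock: the volume is already open at the logon screen, so logon-stage bugs (MS15-122 was one) and key-in-memory recovery are in scope. Add a TpmPin protector.') }
    if ($types -notcontains 'NumericPassword') {
        $findings.Add('No recovery password protector: escrow one before enforcing a PIN or users will get locked out.') }
    if ($s3) {
        $findings.Add('S3 sleep is available: a sleeping laptop keeps the volume key in RAM.') }
    if ($fastStart -eq 1) {
        $findings.Add('Fast Startup is on: "Shut down" is a partial hibernate, not a cold power-off.') }
    if ($hibernate -eq 1 -and $tpmOnly) {
        $findings.Add('Hibernate resumes without pre-boot authentication under TPM-only unlock.') }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = "$($vol.ProtectionStatus)"
        Protectors       = ($types -join ',')
        PreBootAuth      = ($preBoot.Count -gt 0)
        S3SleepAvailable = $s3
        FastStartup      = ($fastStart -eq 1)
        HibernateEnabled = ($hibernate -eq 1)
        Findings         = $findings.ToArray()
    }
}

Get-BitLockerPosture | Format-List
```

An empty `Findings` list is the configuration the post is defending; each entry names the state (sleep, Fast Startup, TPM-only) that the "recovered the key from memory" cases depend on.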
 
The fact that people don't bother to read instructions doesn't mean it's softwares fault.

You've met a computer user who has read anything that wasn't placed directly on the screen in twenty years? Not a tech, a user. I haven't.

Most click "OK" through all of it even if it is on the screen.

Read the Docs. Pffft. Right. Nobody does. Only us geeks. The above phrase is the biggest cop-out the industry has ever convinced people of.

It's possible to force the user to actually do it correctly by offering no other option. No software maker does it because they only need to say, "You didn't read document five million on our website? Oh, no wonder you didn't do it right. It's all user error."

As far as the sleep/hibernate thing - haven't seen a laptop anyone uses daily get shut all the way down in a decade either ... or anyone force disabling hibernation mode on laptops. Good luck enforcing that. I can't think of a single CxO who wouldn't whine to the high heavens if anyone forced that on them. Power off a computer? LOL. Welcome to 1997. Got a nice Pentium II in that thing?

Love to see your solution for how to force that on a Mac that isn't $10K worth of management software. Maybe it's out there, but I've never seen anyone using it.

You sound like a lot of younger engineers I've worked with over the years. I don't know your age, but they all say the same stuff -- it's part of the brainwashing done inside corporate IT land, not really their fault -- and they all figure it out eventually... that NOTHING they worked on for 70 hour workweeks was ever actually secure, eventually. Oh look at that cool patch that just came out. Wait, WHAT had a huge hole in it?! But that means all that work I did in XXXX was useless... I busted my butt for weeks on that!

THEN... they realize someone was crazy enough to pay them to do it, and they shut up and hang out a few more years until retirement making great money pretending the security stuff they're doing, matters.

You and I agree that systems CAN be secured. The point you and I disagree on is the real world cost of doing so and whether it was really secure in the first place.

I don't need to go call up and grill someone I've known for two decades when they say getting past Bitlocker was "the easy part" from a discussion at a party of breaking into a laptop they were authorized to break into by none less than one of the Undersecretaries of Cybersecurity at DHS (not really relevant but it was why they were sharing the story... it's fun when someone with a title like that needs a little helping hand on a non-work project) and that they didn't need any heavy hitter tools or knowledge to do it. I've worked with them long enough to know they aren't lying about it. They've been legally breaking into things since before anyone even knew what "security" was on computers. They're from my generation who started on systems that booted from ROM and didn't bother with usernames or passwords, even. Which means anything is bypassable, it only matters how hard you want in, not whether you can get in. Brute forcing encryption is expensive but not hard if the data is needed THAT badly and isn't time sensitive. Bribing the cleaning crew to put a USB stick in a machine after hours is way easier though.

The real world screams bloody murder when you turn off their USB ports and don't give them BIOS access to turn it back on. You can show them the documentation all day long and they'll tell you you can do it for "those people over there" in the low level jobs, and to leave theirs alone. They'll never lose their laptop while it's hibernating... They're impervious to such mistakes. They make more money than you so they must be smarter. LOL. BTDT got the t-shirt.

This place you say you work for who does it all correctly, is every USB port disabled on every portable device and all hibernation disabled and people fired if they attempt to turn it on?

I still don't believe you about this nirvana you say exists.

I know for solid fact that I've only ever run into one person in the field who complained their company laptop had this configuration and you know what they did about it? They carried a second one they did all their work on. Haha. Even that "security aware" company didn't fire them for it, either.

Their "security" wasn't worth the loss of revenue created by that staffer in the real world of business, so they pretended he didn't have it. As long as they had plausible deniability, "He was issued a secure laptop and didn't use it Your Honor..."

That's always where computer security fails. When someone who makes or saves the company multiples of dollars over the entire cost of the "security department" decides they want conveniences, they get them. Every single time.

That dude with the two laptops? DOE nuclear contractor. I'm sure his secure laptop passed all the audits just fine. It just never did any real work for the company sitting at his house on his end table.

You really need to meet some white hats who break into stuff all day for a living and all night for fun. They're not slowed down much year after year by stuff that comes out. There's always a mistake to be exploited.

One Yahoo email, 70% of a Fortune 100's passwords. All that was needed was a template that looked like it came from IT. That's the reality of what security staff are up against.

Someone broke the rules at our place and we had our annual "malware tried to do bad things internally" day not too long ago. They were told tsk tsk and we cleaned up the mess like the good little network and systems janitors that we are and nobody cared 48 hours later. The contract that person signed said they could be immediately terminated for what they did. They weren't. Long term employee, makes the company money, keeps customers happy, damned hard to find those on the street. Putting the entire internal infrastructure at risk? Didn't even get a formal reprimand.

Ten years ago it might have bothered me -- I wrote that policy, briefed all sorts of people on it, spent days making sure the systems were "right" for attacks like that, and penned the contract document that the lawyers looked over. Effect in the real world? Zero.

Doesn't bother me at all anymore. They pay real well and if they decide to not do the stuff I worked days on because they need the employee worse than they need security policy followed? Fine by me. The checks cash.

You'll get here eventually. Nothing is really secure and the work pays great but is mostly busywork. Good backups save your ass more than good security does, because security is always bypassed by someone.

I highly recommend if you can, finding a role in security that's paid hourly. You'll never be hungry ever again. It's a never ending cash cow.

I'm too lazy to travel that much, so I just play nice with those poor kids who show up in dress clothes the first day who audit it all, while living out of a hotel, and ask them what hobbies their travel lifestyle affords them when they're home. Most have really expensive ones. Nice folks. They check their little lists off and we have a beer at the end and they go home.

I got over thinking that lifestyle was fun a decade ago. ;) I also know they badly want to get on that airplane and go home and not stay another weekend and week and miss the kid's party, and that knowledge can be leveraged in so many ways... even the single guys and gals don't want to tack on a week because an audit failed. Find a way to check their box, and send them home, you're their hero. Human nature doesn't change.
 
They finally learned their lesson on the security stuff, or so folks thought, and then it was found there was a massive on-purpose back door in Bitlocker...

Do you have a link to the back door in Bitlocker?

I know of a well published back door from last year, but that had to do with UEFI Secure Boot - but that's different from Bitlocker.
 
As far as the sleep/hibernate thing - haven't seen a laptop anyone uses daily get shut all the way down in a decade either ... or anyone force disabling hibernation mode on laptops.

Between Windows 10 Fast Startup mode and Intel's Management Engine Interface, does powering off really make much difference any more?
 
Between Windows 10 Fast Startup mode and Intel's Management Engine Interface, does powering off really make much difference any more?

If you want Bitlocker to work, it does. Hehehe. "Didn't you read the instructions?!" LOL.

Haven't seen any lappies at the price points we are buying at, show up with MEI in them yet, though.

Not that I'm paying much attention -- our Jr Sysadmin unboxes and images them and our vendor is known for changing motherboards -- I think we're up to five times -- when ordering the same model number. Over two years. Makes his images useless about every three to four months which usually means he gets about four laptops worth of loading out of all that work. Heh.

Nothing like IT to burn hours and hours getting nothing done!

Laptops have impressively become pretty much throwaway items after two years in the business world. Maybe three. If they're not handed down to lower level staff. Then five. And that's pushing it. They're nearly useless by then from bloatware.

I suspect this last batch will just be tossed at three. Something new to bother the accountant with, he loves accelerated depreciation. :)
 
Do you have a link to the back door in Bitlocker?

I know of a well published back door from last year, but that had to do with UEFI Secure Boot - but that's different from Bitlocker.

That's probably the one. The argument that it's "not Bitlocker" is technically correct, but when the house of cards needs one to make the other secure... physical access to a number of BIOS implementations in hardware has always been a problem for security. Once you have the thing in your hand (stolen or otherwise) a great many ways to bypass things become possible.

I did some VERY light Googling for it last night but didn't immediately find it in all the trash Google tossed up for the previous insecurities in BL, and then got sucked into reading about FBI and others being quite determined to get a REAL back door in it on Schneier's blog, back in 2005 and how likely that was... that it essentially turned into a "Squirrel!" moment. Haha. Some fun reading there if you apply what's been known to change in the law and the attitudes toward LE access to things in the last 12 years to where that all likely went. Probably not somewhere good.

In this case when I said "back door" I didn't mean a deliberate one, but it was an auth issue that allowed you to blow right past the auth stage and I remembered MSFT defended it as "necessary for our largest customers" which means "government" and "mega corps" in PR doublespeak, but not necessarily in a malicious way, just for lab work and testing.

Essentially if I cared and didn't think there'd be another hole in it "soon" I might have bothered to keep the links back when it happened, but there will be more and one doesn't have to wait very long. Especially since "nobody reads the directions" or makes anyone follow them anyway.
 
Everything you mentioned only points to what I said: it's not the software, it's the people who use it and how they choose to use it. As a pilot you read the POH; you don't expect every word in the POH transcribed on the dash, do ya? The folks you are describing didn't bypass Bitlocker, they got the decryption key from memory. Ask them. And if they are legit, they will tell you, if configured correctly they can't brute force Bitlocker in this lifetime. Oh, by the way, I am guessing they are not 19-year-olds with access to the Internet, which is exactly my point. Given the right resources anything can be broken; if not, there would never be a heist or a presidential assassination.

Just because someone is out there who can magically get into a laptop that wasn't secured the right way doesn't make the technology insecure, which is exactly what you are trying to imply. And by the way, the word backdoor has nothing to do with this discussion and is actually irrelevant. The firm used a backdoor to get into the laptop; they didn't crack anything either.

Sent from my SM-G935V using Tapatalk
 
Haven't seen any lappies at the price points we are buying at, show up with MEI in them yet, though.

I thought ME was a non-optional hardware component in all chipsets Haswell and newer.
 
I thought ME was a non-optional hardware component in all chipsets Haswell and newer.

Hmm. Like I said, I don't pay much attention to them anymore. Just get sucked into debates about what to pay for them. Commodity hardware not worth spending much time on these days. Company picks a price point and we hunt for the best we can get at that price point.

The MacBooks were real contenders for a while there, but they've dropped that ball, hard. We bought one more this year but it was a new old stock older model than the current and it's going to be a fight again with folks who want them when we can get twice the machine for half the Apple price.
 