In other news today...


  • Notification Spam Recipient

    Reminds me I need to set up a dead man's switch to delete everything when I die. I can just imagine my family going through my stuff when I die from a cardiac incident brought on by a sudden interest in getting healthy.

    👩 There are thousands and thousands of images about weebs. Is it a porn thing?
    narrator It's much worse than that.


  • Notification Spam Recipient

    Nothing good can come of this.


  • Java Dev

    @boomzilla said in In other news today...:

    9.5 hours/frame. So an FPS of about 0,00003. The competitive FPS scene gonna be all over this!



  • @Atazhaia and I thought ZeroMaster’s 100% kills run of Nuts was slow…


  • Java Dev

    @Arantor Yeah, they calculated an average playthrough taking 5 hours would take 600 years to finish with the speed of the "display" in this case.


  • 🚽 Regular

    Of course the Please Sign Up popup appeared right after I started the YT video. :angry:

    I like her earring. I dislike how she said "mediums". I liked the credits on the video.


  • Notification Spam Recipient



  • Considered Harmful

    @DogsB I want to believe, but a smudge of bird shit doesn't come any more convincing.

    (of course, birds aren't real, so there goes that argument)



  • @DogsB said in In other news today...:


    Slightly lower if you order your steak well done, but where's the fun in that?



  • @da-Doctah don't understand the revenge kill factor.


  • BINNED

    Keeping up with traditions ... guy in transport in between prisons jumps out of the car window

    then later posts on the socials while criticizing the news broadcast about his escape only to get captured again later that day.



  • Rusty news. Microsoft is hiring Rust coders - to rewrite apps written in C#.

    Will I still have to learn how to rust before I can retire? 😨

    Edit:
    Oh 💩 - Arantor the :hanzo: was faster...



  • @BernieTheBernie said in In other news today...:

    Will I still have to learn how to rust before I can retire?

    There's a lot of money in old tech. I'm sure somebody out there will need people to maintain their crusty legacy C# punch cards.


  • Notification Spam Recipient

    A study by the European Central Bank last year found that a third of eurozone workers wanted to work from home more than their employers allowed and were willing to quit if they found a better deal.

    Who's offering this better deal? Get back in the office or be fired is the message from everyone at the moment.



  • @Luhmann said in In other news today...:

    posts on the socials ... captured again

    Criminals tend not to be the brightest bulbs on the Christmas tree, and when you consider how dim the average bulb is, ...

    Filed under: @Bulb



  • @HardwareGeek said in In other news today...:

    @Luhmann said in In other news today...:

    posts on the socials ... captured again

    Criminals tend not to be the brightest bulbs on the Christmas tree, and when you consider how dim the average bulb is, ...

    Filed under: @Bulb

    The successful ones you either never hear about or are politicians that have legalised their own criminality…



  • @DogsB said in In other news today...:

    Get back in the office or be fired is the message from everyone at the moment.

    Not my client. I'm "permanently" remote (and I know of at least two others). If they require me to be in the office any number of days per week, I'd definitely quit, because that would require me to move to a different state. I don't mind having to go into an office, but the office needs to be within reasonable commuting distance of where I live now.


  • ♿ (Parody)

    @Applied-Mediocrity said in In other news today...:

    @DogsB I want to believe, but a smudge of bird shit doesn't come any more convincing.

    (of course, birds aren't real, so there goes that argument)




  • @DogsB said in In other news today...:

    Who's offering this better deal? Get back in the office or be fired is the message from everyone at the moment.

    I come to the office about once a month on average. I still haven't made it there this year.


  • Notification Spam Recipient

    :drop_monocle:


  • Java Dev

    @DogsB Here is the correct response: :surprised-pikachu:
    If they are Apple fans, they should be pretty damn aware of Apple's policy on lewd content.



  • @Atazhaia From the viewpoint of the VR headset, what's the difference between immersive adult content and any other immersive content? How can it know it's "adult"?



  • @HardwareGeek If it's played through SexyVids.app, it's adult content. If it's accessed through the Safari web browser, it is always family friendly and needs no restriction


  • Notification Spam Recipient

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    Microsoft does note that these attacks are possible but says it will require sophisticated tools

    We need to start calling out this bullshit. It's kind of how security breaches come with the "Possibly an attack by a sophisticated nation-state actor" crap but usually, Dave in security was just phished again. It was a Raspberry Pi and freely available open-source software that a hobbyist put together.


  • Considered Harmful

    @DogsB said in In other news today...:

    The Raspberry Pi was set to capture the binary 0s and 1s

    The hydroencabulator was calibrated to reabjurate the information 🙀



  • @DogsB said in In other news today...:

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    Given the whole point of BitLocker is to prevent attackers who do have physical access to the device from reading the data (e.g. if they stole your laptop, or you forgot to pick it up from a repair shop), it does not reduce the severity of the attack an iota.

    Microsoft does note that these attacks are possible but says it will require sophisticated tools

    We need to start calling out this bullshit. It's kind of how security breaches come with the "Possibly an attack by a sophisticated nation-state actor" crap but usually, Dave in security was just phished again. It was a Raspberry Pi and freely available open-source software that a hobbyist put together.

    In a sense everything involving computers can be called “sophisticated”—fact is that the attack is within capability of anybody who might have a reason.



  • @DogsB said in In other news today...:

    you need physical access to the device.

    Isn't BitLocker's reason to exist basically in case somebody gets (unsupervised) physical access to a device? Even Microsoft claims that:

    Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.

    It mentions stolen, lost and decommissioned devices. Those are all cases when somebody will have physical access to the device.

    I agree with the youtuber (who AFAIK is a security professional?) - if you have a machine with a separate TPM chip (not in the CPU), BitLocker seems mostly like a minor inconvenience to somebody wanting to get your data. In this case Lenovo even left some nice debug pads to attach a device to. Matter of seconds, no soldering required. In that case, it's easy enough that people might just do it for shits and giggles.

    The video mentions attacks against in-CPU TPM chips being possible. That, on the other hand, sounds much more difficult and awkward to me.

    Edit: :hanzo: @Bulb.



  • @hungrier said in In other news today...:

    @HardwareGeek If it's played through SexyVids.app, it's adult content. If it's accessed through the Safari web browser, it is always family friendly and needs no restriction

    Are there stereoscopic video formats for that could be played in a generic video app or a browser? Or does actual stereoscopic 3D video require making an app to access some API?

    Because who would buy goggles just to watch flat video?


  • Notification Spam Recipient

    BitLocker is supposed to do something? TIL Microsoft appears to be fucking awful at everything these days.

    *edit although technically this is a Lenovo thing. :mlp_shrug:

    @Bulb said in In other news today...:

    In a sense everything involving computers can be called “sophisticated”—fact is that the attack is within capability of anybody who might have a reason.

    No. We have to stop letting them mask their incompetence.


  • Considered Harmful

    @acrow said in In other news today...:

    Because who would buy goggles just to watch flat video?

    Certainly not flat. All round... hills... full... juicy... fruit... eh, what were you talking about? 🍹



  • @DogsB said in In other news today...:

    BitLocker is supposed to do something?

    Microsoft again:

    Typically, there's a small performance overhead, often in single-digit percentages

    It makes your storage slower.

    Our IT believes it's absolutely necessary lest hackers spread all our data across the interwebs.

    If it worked reliably, it probably wouldn't be a terrible idea for portable devices.

    although technically this is a Lenovo thing

    Video briefly mentions that the problem also exists in some of Microsoft's recent Surface products (Surface Pro)...



  • @acrow said in In other news today...:

    Are there stereoscopic video formats for that could be played in a generic video app or a browser?

    There are. I think Google/Youtube worked on this for a while. They used to have a demo on Youtube. I think it needs support from the browser (i.e., some sort of VR integration) to work correctly.

    If you're out to explore some holes in VR, Scott Manley has a VR 360 video on his Youtube channel.


  • Considered Harmful

    @cvi said in In other news today...:

    If you're out to explore some holes


  • Discourse touched me in a no-no place

    @cvi said in In other news today...:

    I agree with the youtuber (who AFAIK is a security professional?) - if you have a machine with a separate TPM chip (not in the CPU), BitLocker seems mostly like a minor inconvenience to somebody wanting to get your data. In this case Lenovo even left some nice debug pads to attach a device to. Matter of seconds, no soldering required. In that case, it's easy enough that people might just do it for shits and giggles.

    The video mentions attacks against in-CPU TPM chips being possible. That, on the other hand, sounds much more difficult and awkward to me.

    Just find the debug pads, duh...



  • @DogsB said in In other news today...:

    *edit although technically this is a Lenovo thing. :mlp_shrug:

    It isn't specifically a Lenovo thing, but it is a hardware thing, so a different encryption-at-rest implementation on the same hardware will have the same problem and Microsoft can't really do anything about it in software.


  • BINNED

    @cvi said in In other news today...:

    @DogsB said in In other news today...:

    you need physical access to the device.

    Isn't BitLocker's reason to exist basically in case somebody gets (unsupervised) physical access to a device? Even Microsoft claims that:

    Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.

    It mentions stolen, lost and decommissioned devices. Those are all cases when somebody will have physical access to the device.

    I agree with the youtuber (who AFAIK is a security professional?) - if you have a machine with a separate TPM chip (not in the CPU), BitLocker seems mostly like a minor inconvenience to somebody wanting to get your data. In this case Lenovo even left some nice debug pads to attach a device to. Matter of seconds, no soldering required. In that case, it's easy enough that people might just do it for shits and giggles.

    The video mentions attacks against in-CPU TPM chips being possible. That, on the other hand, sounds much more difficult and awkward to me.

    Edit: :hanzo: @Bulb.

    I have no idea how the hardware side of these things works, but isn't the whole idea of this "TPM" / "secure enclave" / whatever stuff that you can't just dump the encryption key out of it? Because "encrypted data + access to key" is just as good as no encryption at all, making all of full disk encryption useless.

    I thought it goes something like this: User enters a password, CPU hands password (or a hash after some key strengthening, or whatever) over to TPM, TPM gives back encryption key. And you cannot just physically break into the TPM to get the encryption key without the authentication step. No idea if that's because the key is itself encrypted with the user password, is "physically secured" so you'd need very advanced lab equipment to get at it, or hopefully both.



  • @topspin The video explains it fairly well.

    From what I understood: The way Bitlocker apparently works is that it needs to decrypt the drive to boot. This takes place before any user interaction. So, on boot, an early bootloader gathers some information about the environment, sends it to the TPM, and the TPM responds with the key (assuming the environment was right). This is sufficient to decrypt the drive (and what is being intercepted here).

    All of this happens before any user ever interacts with the machine.

    It seems like just encrypting user data would have been more useful (no key needed at early boot), but I guess the way user data hangs out everywhere in Windows, isolating it in such a way isn't really feasible.


  • Notification Spam Recipient

    @topspin said in In other news today...:

    I thought it goes something like this: User enters a password, CPU hands password (or a hash after some key strengthening, or whatever) over to TPM, TPM gives back encryption key. And you cannot just physically break into the TPM to get the encryption key without the authentication step. No idea if that's because the key is itself encrypted with the user password, is "physically secured" so you'd need very advanced lab equipment to get at it, or hopefully both.

    In this case a Raspberry Pi Pico!

    I think the bones of this is it's just a man-in-the-middle attack. The pico in this case hoovered up the bytes necessary to unlock the device. At some point, the correct input will yield the desired output.

    It's probably like locks. BitLocker will probably keep most people out but you can't really stop a determined thief and guarding your company's long-term strategy analysis is a very different kettle of fish needing different measures than what is offered by off-the-shelf Lenovo laptops.

    The video is pretty cool and I learned what BitLocker actually is. 😊



  • @cvi that’s for unsupervised booting - it is possible to configure BitLocker to decrypt just enough of the drive to get some UI going to ask the user for a password, before unlocking anything else.



  • @topspin said in In other news today...:

    I have no idea how the hardware side of these things works, but isn't the whole idea of this "TPM" / "secure enclave" / whatever stuff that you can't just dump the encryption key out of it? Because "encrypted data + access to key" is just as good as no encryption at all, making all of full disk encryption useless.

    I think it works like this: The TPM has an RSA private key that it never gives out, only offers a function for encrypting or decrypting something with it. But RSA is slow, and in the TPM it's even slower, because the TPM doesn't have much performance to begin with. So instead one encrypts a second key with the RSA and then encrypts the data with a symmetric cypher like AES or ChaCha20. This is also how the recovery disks, or recovery records in the directory, work: they store the same key encrypted with a password or domain certificate or something, so if the TPM, or the motherboard, dies, the legitimate user still can read the disk.

    The attack intercepts this secondary key as it is returned from the TPM to the main CPU where the symmetric cypher will run. It's not possible to perfectly prevent this, only make it harder by tighter integration.

    … which brings me to: for a while I had a customer notebook where the disk was encrypted using the TPM only, which was then likely susceptible to that attack. But my normal work notebook is protected by the TPM and a passphrase, so if someone stole it, they still shouldn't be able to pull off this attack.


  • BINNED

    @cvi said in In other news today...:

    @topspin The video explains it fairly well.

    Yeah, I'll have a look at it later. Meanwhile ...

    So, on boot, an early bootloader gathers some information about the environment, sends it to the TPM, and the TPM responds with the key (assuming the environment was right). This is sufficient to decrypt the drive (and what is being intercepted here).

    All of this happens before any user ever interacts with the machine.

    How is that supposed to be secure? That only prevents putting both the hard drive and TPM but not the rest of the hardware into a different machine. Doesn't sound like the "stolen laptop" attack scenario at all.


  • BINNED

    @Bulb said in In other news today...:

    @topspin said in In other news today...:

    I have no idea how the hardware side of these things works, but isn't the whole idea of this "TPM" / "secure enclave" / whatever stuff that you can't just dump the encryption key out of it? Because "encrypted data + access to key" is just as good as no encryption at all, making all of full disk encryption useless.

    I think it works like this: The TPM has an RSA private key that it never gives out, only offers a function for encrypting or decrypting something with it. But RSA is slow, and in the TPM it's even slower, because the TPM doesn't have much performance to begin with. So instead one encrypts a second key with the RSA and then encrypts the data with a symmetric cypher like AES or ChaCha20. This is also how the recovery disks, or recovery records in the directory, work: they store the same key encrypted with a password or domain certificate or something, so if the TPM, or the motherboard, dies, the legitimate user still can read the disk.

    That sounds basically like I assumed it works.

    But RSA is slow, and in the TPM it's even slower

    Probably a feature.

    The attack intercepts this secondary key as it is returned from the TPM to the main CPU where the symmetric cypher will run. It's not possible to perfectly prevent this, only make it harder by tighter integration.

    And that's where "easy to intercept with hobby hardware" breaks the whole concept.



  • @topspin said in In other news today...:

    How is that supposed to be secure? That only prevents putting both the hard drive and TPM but not the rest of the hardware into a different machine. Doesn't sound like the "stolen laptop" attack scenario at all.

    The thief can boot the laptop, but presumably doesn't know any account to log into the operating system that starts (otherwise they'd have pwned the user long ago already). So they have two options:

    • Pull the disk out and read it in another computer. Which is prevented by not having the TPM there.
    • Boot the notebook from some other disk. But then the bootloader will tell the TPM what it is booting, and not get the key back.

    This leaves the thief with needing to boot the regular system, intercept the key, and then reboot to something else or move the disk somewhere else to read it. This demonstrates how easy that is.



  • @Arantor said in In other news today...:

    @cvi that’s for unsupervised booting - it is possible to configure BitLocker to decrypt just enough of the drive to get some UI going to ask the user for a password, before unlocking anything else.

    OK, that makes more sense.

    This leaves the thief with needing to boot the regular system, intercept the key, and then reboot to something else or move the disk somewhere else to read it. This demonstrates how easy that is.

    But the described attack wouldn't give them access to the whole disk's contents then still? They'd only intercept one of the early keys (unless they also get a user to log on). Or am I missing something with the attack?


  • Java Dev

    @cvi said in In other news today...:

    @Arantor said in In other news today...:

    @cvi that’s for unsupervised booting - it is possible to configure BitLocker to decrypt just enough of the drive to get some UI going to ask the user for a password, before unlocking anything else.

    OK, that makes more sense.

    This leaves the thief with needing to boot the regular system, intercept the key, and then reboot to something else or move the disk somewhere else to read it. This demonstrates how easy that is.

    But the described attack wouldn't give them access to the whole disk's contents then still? They'd only intercept one of the early keys (unless they also get a user to log on). Or am I missing something with the attack?

    That depends on whether the early key is actually only for part of the data.

    All I know is how it works on Linux. In Linux, the bootloader, kernel, and initramfs are stored under the directory /boot, and if your system uses software RAID, full disk encryption, and possibly some other features, that will be a separate partition which is not encrypted.
    This means on boot-up, the encryption key is only required after the kernel and initramfs have already loaded, and the initramfs can easily contain a graphical application which asks the user for their decryption passphrase.



  • @cvi said in In other news today...:

    But the described attack wouldn't give them access to the whole disk's contents then still? They'd only intercept one of the early keys (unless they also get a user to log on). Or am I missing something with the attack?

    It depends on how it is set up. As I mentioned above, I have one notebook where I need to give a password to the bootloader—and then the attack is basically useless—and had another where it only used the TPM—and then it'd give them the whole disk.
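
The release conditions discussed in the posts above (a different boot chain gets no key, a TPM-only setup releases the key with no user secret, a TPM plus passphrase setup does not), as an added example that is not part of the thread. It is a simplified Python model, not BitLocker's or any TPM's real implementation; `ToyTPM`, the boot chain labels and the PIN are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample boot chains: labels stand in for measured boot stages.
NORMAL_CHAIN = [b"firmware-v1", b"windows-bootmgr", b"os-loader"]
OTHER_OS_CHAIN = [b"firmware-v1", b"usb-live-bootloader", b"other-kernel"]


class ToyTPM:
    """Simplified model: one PCR plus sealed secrets with a release policy."""

    def __init__(self):
        self.pcr = bytes(32)
        self._sealed = {}

    def reset(self):
        """Power cycle: the PCR returns to all zeros."""
        self.pcr = bytes(32)

    def extend(self, measurement):
        """PCR extend: new = H(old || H(measurement)); one-way and order-sensitive."""
        digest = hashlib.sha256(measurement).digest()
        self.pcr = hashlib.sha256(self.pcr + digest).digest()

    def seal(self, name, secret, expected_pcr, pin=None):
        """Store a secret that is released only under expected_pcr (and PIN, if set)."""
        salt = os.urandom(16)
        pin_hash = None if pin is None else self._kdf(pin, salt)
        self._sealed[name] = (secret, expected_pcr, salt, pin_hash)

    def unseal(self, name, pin=None):
        secret, expected_pcr, salt, pin_hash = self._sealed[name]
        if not hmac.compare_digest(self.pcr, expected_pcr):
            raise PermissionError("boot measurements do not match")
        if pin_hash is not None:
            if pin is None or not hmac.compare_digest(self._kdf(pin, salt), pin_hash):
                raise PermissionError("PIN missing or wrong")
        # The secret now leaves the TPM for the CPU: the step the thread discusses.
        return secret

    @staticmethod
    def _kdf(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def measured_pcr(chain):
    """PCR value that results from measuring the given boot chain in order."""
    tpm = ToyTPM()
    for stage in chain:
        tpm.extend(stage)
    return tpm.pcr


def boot_and_unseal(tpm, chain, pin=None):
    """Reboot, measure every stage, then request the disk key. True if released."""
    tpm.reset()
    for stage in chain:
        tpm.extend(stage)
    try:
        tpm.unseal("disk-key", pin)
        return True
    except PermissionError:
        return False


def run_scenarios():
    disk_key = os.urandom(32)
    policy = measured_pcr(NORMAL_CHAIN)
    tpm_only, tpm_pin = ToyTPM(), ToyTPM()
    tpm_only.seal("disk-key", disk_key, policy)                 # TPM-only protector
    tpm_pin.seal("disk-key", disk_key, policy, pin="constructed-pin")  # TPM + PIN
    return {
        "tpm_only/normal_boot": boot_and_unseal(tpm_only, NORMAL_CHAIN),
        "tpm_only/other_os": boot_and_unseal(tpm_only, OTHER_OS_CHAIN),
        "tpm_pin/normal_boot_no_pin": boot_and_unseal(tpm_pin, NORMAL_CHAIN),
        "tpm_pin/normal_boot_wrong_pin": boot_and_unseal(tpm_pin, NORMAL_CHAIN, "guess"),
        "tpm_pin/normal_boot_pin": boot_and_unseal(tpm_pin, NORMAL_CHAIN, "constructed-pin"),
    }
```

Only the first and last scenarios release the key; in the TPM-only case that release needs nothing the holder of the powered-off machine lacks, which is why adding a pre-boot secret changes the outcome.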


  • ♿ (Parody)

    @DogsB said in In other news today...:

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    But that's the whole point of encrypting your disk. In case you lose it.


  • Notification Spam Recipient

    @boomzilla said in In other news today...:

    @DogsB said in In other news today...:

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    But that's the whole point of encrypting your disk. In case you lose it.

    Stop trying to make me learn new things. :yell-at-cloud:


  • ♿ (Parody)

    @DogsB said in In other news today...:

    @boomzilla said in In other news today...:

    @DogsB said in In other news today...:

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    But that's the whole point of encrypting your disk. In case you lose it.

    Stop trying to make me learn new things. :yell-at-cloud:

    I don't care if you learn. Only that you feel bad for not already knowing.


  • Notification Spam Recipient

    @boomzilla said in In other news today...:

    @DogsB said in In other news today...:

    @boomzilla said in In other news today...:

    @DogsB said in In other news today...:

    I like to shit on Microsoft but... this is up there with some of the Apple stuff people went crazy about but kept forgetting to mention: you need physical access to the device.

    But that's the whole point of encrypting your disk. In case you lose it.

    Stop trying to make me learn new things. :yell-at-cloud:

    I don't care if you learn. Only that you feel bad for not already knowing.

    Belligerence and ignorance are my strengths. :mlp_smug: I will never feel bad on their paths. :mlp_yay:

