|
Klyith posted:This was my favorite part: Bravo!
|
#
?
Nov 7, 2018 14:16
|
|
|
|
| # ? May 2, 2024 22:39 |
|
|
EssOEss posted:I run software BitLocker on all my mobile computers and I have never felt any performance degradation. Sure copying 50 GB of files might take a bit longer but that is not even remotely part of my daily workload. With an SSD you're not really waiting behind I/O as much as you are waiting behind poorly designed synchronous software that can only do 1 thing at a time. Bitlocker totally off loads all crypto work to hardware acceleration when an SSD with said acceleration is detected. So people using bitlocker with an SSD that has a broken encryption implementation are getting effectively zero security and would never know it. Some of the performance difference comes down the mode of cipher operation. CBC for example cannot be multi threaded when encrypting but can be multi threaded when decrypting. GCM can be done multi threaded when both encrypting and decrypting. Antillie fucked around with this message at 15:29 on Nov 7, 2018 |
|
#
?
Nov 7, 2018 15:26
|
|
|
Klyith posted:snip This is good stuff
|
|
#
?
Nov 7, 2018 18:25
|
|
|
Theris posted:What are you considering an "average CPU" here? Software Bitlocker on my 950 Pro (thanks for never actually enabling eDrive like you said you would, Samsung I was testing on a 6th gen i5 quad core mobile and whatever mid-range rebrand SSD Dell ships these days. A single IO heavy thread (think steam doing an update) was enough to saturate one of the cores and bottleneck IO. Running a db synthetic load (4 thread, random IO, queue depth 8) took all 4 cores to 100% which bottlenecked IO and the disk had plenty more to give e: XTS mode, 128 and 256bit both gave effectively the same results BangersInMyKnickers fucked around with this message at 19:11 on Nov 7, 2018 |
|
#
?
Nov 7, 2018 19:09
|
|
) with a 6700k has zero performance impact in disk benchmarks and CPU usage low enough that it more or less blends into the background noise of how much CPU gets used when hitting a disk hard anyway.
|
Antillie posted:Bitlocker totally off loads all crypto work to hardware acceleration when an SSD with said acceleration is detected. So people using bitlocker with an SSD that has a broken encryption implementation are getting effectively zero security and would never know it.
|
|
#
?
Nov 7, 2018 19:19
|
|
|
How does that work? If a drive has been encrypted with broken hardware, and then you turn on software encryption... isn’t it still broken? Or will bitlocker slowly reencrypt the drive?
|
|
#
?
Nov 7, 2018 19:54
|
|
|
The drive is unlocked, then re-encrypted.
|
|
#
?
Nov 7, 2018 20:05
|
|
|
Yeah, you’re basically unencrypting and then turning it back on and making the OS handle things and re-encrypting the drive.
|
|
#
?
Nov 7, 2018 21:14
|
|
|
Well at least there is a work around. I wonder how many people will just keep on trucking totally oblivious to the issue.
|
|
#
?
Nov 7, 2018 23:45
|
|
|
We encrypt every drive, mobile or not, with bitlocker. I feel bad for my helpdesk.
|
|
#
?
Nov 8, 2018 00:36
|
|
|
Apart from the low level attack the original researchers used, has anyone come up with an easy way to test from Windows to see if any drive's TCG Opal implementation is broken?
|
|
#
?
Nov 8, 2018 00:49
|
|
|
From this tweet: https://twitter.com/MattiasBorg82/status/1060053502267981825code:edit: Mr Chips posted:Apart from the low level attack the original researchers used, has anyone come up with an easy way to test from Windows to see if any drive's TCG Opal implementation is broken? Upon re-reading, I don't think I actually answered your question. The above will tell you if bitlocker is using hardware encryption. At this point in time, I am not aware of an easy way to detect if a given ssd has the vulnerability, so we should assume all ssd hardware encryption is suspect. The Fool fucked around with this message at 00:55 on Nov 8, 2018 |
|
#
?
Nov 8, 2018 00:53
|
|
|
Edit2: The Fool posted:You're too fast, see my edit. New question edit: https://imgur.com/a/19ToXVb If a Samsung Evo 850 can be configured with the ATA Master Password Capability set to Max, it's apparently not vulnerable to the attack methods the researchers use. Is setting that value a BIOS/UEFI config item? RTFMing at the moment but it will take me some time Mr Chips fucked around with this message at 04:04 on Nov 8, 2018 |
|
#
?
Nov 8, 2018 00:56
|
|
|
You're too fast, see my edit.
|
|
#
?
Nov 8, 2018 00:57
|
|
|
I have about four 850 Evo's, ranging back to about 3 years old for the first one I bought. Man, it would be loving cool if we could all return them and get replacement 860's. That's never gonna happen though. It would make a huge dent in Samsung's accounts, considering how many they must've sold.
|
|
#
?
Nov 8, 2018 07:18
|
|
|
Mr Chips posted:Apart from the low level attack the original researchers used, has anyone come up with an easy way to test from Windows to see if any drive's TCG Opal implementation is broken? they're unaudited black boxes so its best to treat them all as broken at this point until some kind of proper standard and validation program is created
|
|
#
?
Nov 8, 2018 16:01
|
|
|
adorai posted:We encrypt every drive, mobile or not, with bitlocker. I feel bad for my helpdesk. Not necessarily too hard to fix, if you have sccm or some other tool that can turn bde off and on after you update your GPO Otherwise, wolololo  Edit: Heck, you can even set up a Desired State Config pull or push server really drat quick following tutorials on YouTube. Or even just an arbitrary script host permitted to access your fleet via winrm that slowly churns though a big powershell background job. You can MacGuyver a halfway decent tool to help you out here if you've got thousands of machines is what I'm saying. Potato Salad fucked around with this message at 19:23 on Nov 8, 2018 |
|
#
?
Nov 8, 2018 19:14
|
|
|
In an unrelated note, The Infosec Thread: The Fault in Our JARs
|
|
#
?
Nov 8, 2018 19:17
|
|
|
Enjoying that we have hundreds of 840s and 850s in production with BitLocker and I've heard jack nor poo poo from our CISO on this.
|
|
#
?
Nov 8, 2018 20:10
|
|
|
Don't you have to go out of your way to enable the hardware encryption on Samsung SSDs, anyway? If you/they didn't take the time to enable it, Bitlocker just uses software encryption. And afaik even if it is enabled on the drive, if you chose a cipher/strength via group policy that the drive doesn't natively support, Bitlocker uses software encryption.
|
|
#
?
Nov 8, 2018 20:41
|
|
|
astral posted:Don't you have to go out of your way to enable the hardware encryption on Samsung SSDs, anyway? If you/they didn't take the time to enable it, Bitlocker just uses software encryption. Yes. We have roughly 300 EVO 850s in the environment and none are vulnerable. The encryption process done during imaging (Lenovo firmware) defaults to software encryption. Pretty sure you have explicitly enable hardware encryption via Samsung Magician and then do a full re-install.
|
|
#
?
Nov 8, 2018 21:44
|
|
|
astral posted:Don't you have to go out of your way to enable the hardware encryption on Samsung SSDs, anyway? If you/they didn't take the time to enable it, Bitlocker just uses software encryption. Bitlocker will automatically use drive HW encryption unless you specify otherwise via GP or during bitlocker setup on the computer.
|
|
#
?
Nov 8, 2018 22:05
|
|
|
Proteus Jones posted:Bitlocker will automatically use drive HW encryption unless you specify otherwise via GP or during bitlocker setup on the computer. Right, and the Samsung drive itself doesn't offer the HW encryption unless you go through a process (described by Diva Cupcake) to enable that.
|
|
#
?
Nov 8, 2018 22:07
|
|
|
astral posted:Right, and the Samsung drive itself doesn't offer the HW encryption unless you go through a process (described by Diva Cupcake) to enable that. Ah, I see. I misunderstood, thanks.
|
|
#
?
Nov 8, 2018 22:21
|
|
|
Here is that process: https://www.itsupportguides.com/knowledge-base/tech-tips-tricks/how-to-enable-disk-encryption-on-samsung-evo-ssd-hard-drive/ What Astral said. It's a big pain in the rear end that I can't imagine too many enterprises have gone through just for a mild performance increase.
|
|
#
?
Nov 8, 2018 22:22
|
|
|
astral posted:Right, and the Samsung drive itself doesn't offer the HW encryption unless you go through a process (described by Diva Cupcake) to enable that. That's a pretty big fuckin' relief.
|
|
#
?
Nov 8, 2018 22:39
|
|
|
Potato Salad posted:Not necessarily too hard to fix, if you have sccm or some other tool that can turn bde off and on after you update your GPO
|
|
#
?
Nov 10, 2018 16:05
|
|
|
You need to: -totally turn bitlocker OFF, not just disabled -wait for decryption to complete -re-ecnrypt
|
|
#
?
Nov 11, 2018 19:24
|
|
|
Who wants good new for your favorite Math based security tool?
|
|
#
?
Nov 11, 2018 20:22
|
|
|
Potato Salad posted:You need to: During which time, Windows restarts to apply an update to fix the Bitlocker problem, and you're left with half-disk encryption!
|
|
#
?
Nov 11, 2018 20:25
|
|
|
Hey maybe they'll make their cloud offering not poo poo now  Good software but managing that thing was awful and the client was hilariously bad on macs.
|
|
#
?
Nov 11, 2018 20:28
|
|
Cat Army
|
Wow, Crackberry is still going
|
|
#
?
Nov 11, 2018 20:32
|
|
|
The samsung attack is clear, but getting the drive into the vulnerable state is not so much. * Enable encryption with the MPC bit set to HIGH. * Drive creates a configuration table with a password validation hash and an unrelated randomly-generated DEK. * Set the MPC bit to MAXIMUM * Drive writes a new configuration table with the previous DEK encrypted by a key derived from the password, and stores it to disk. * The old configuration is still sitting in the system reserved space, able to be read via forensics, and you can recover the data via a vendor internal command re-instituting the previous configuration then bypassing the password via jtag. Obviously the fault is on samsung for not supporting writing zeros to partially-used sectors to completely wipe them prior to erase, but why would the OS setup the drive encryption this way? If you're going to be using maximum master password capability, do it from the outset. In that setup, the DEK is always encrypted with a password.
|
|
#
?
Nov 12, 2018 03:26
|
|
|
bitlocker doesn't even default to hw encryption for any ssds I've seen, including my 850 evo running in transparent mode.
|
|
#
?
Nov 12, 2018 04:04
|
|
|
One of my co-workers recommended the bandit series from over the wire, so I just wanted to pass it along here if anyone is looking for a good refresher or introduction to *nix command line and whatnot. That is all... 
|
|
#
?
Nov 13, 2018 04:34
|
|
|
I guess this question is semi-related to InfoSec... Anyone have a go-to tool for data recovery? Like, is there anything that'll recover from a formatted SSD, or am I pretty boned? ETA I do not know what kind of formatting was performed. my cat is norris fucked around with this message at 20:32 on Nov 13, 2018 |
|
#
?
Nov 13, 2018 20:28
|
|
|
my cat is norris posted:I guess this question is semi-related to InfoSec... Never done it on an SSD, but GetDataBack has saved me a few times. Free trial will at least show you what it can get. If the drive was just quick formatted, then the blocks were marked empty, but the data is still there.
|
|
#
?
Nov 14, 2018 20:45
|
|
|
apropos man posted:During which time, Windows restarts to apply an update to fix the Bitlocker problem, and you're left with half-disk encryption! If the bde vbs that ships with mdt is used it can be pretty resilient
|
|
#
?
Nov 15, 2018 04:09
|
|
|
I was flippantly joking.
|
|
#
?
Nov 15, 2018 13:03
|
|
|
|
| # ? May 2, 2024 22:39 |
|
|
i claim immunity under Poe's Law, forgive me my sins
|
|
#
?
Nov 15, 2018 13:17
|
|