Microsoft claims that businesses planning to use Vista together with its BitLocker hard-drive encryption technology will have an easy and safe way to dispose of their hard disks.
The software giant said on Tuesday that Vista will be so secure that businesses will no longer need to worry about data being compromised when hard disks are sent for disposal, in line with upcoming "green" legislation designed to reduce waste.
"With Vista and BitLocker, businesses will be able to throw hard disks away and be sure (they are) secure," Nick McGrath, head of platform strategy for Microsoft UK, said at Infosecurity 2006.
"The technology itself is 100 percent secure--we will not be producing any backdoors," said McGrath. "There are no backdoors in BitLocker technology."
BitLocker encryption uses a Trusted Platform Module (TPM), a chip that sits on the motherboard and contains an encryption key. According to Microsoft Technical Security Advisor Steve Lamb, the key both encrypts and decrypts data on the hard disk using the Advanced Encryption Standard (AES), which is also used by the U.S. government.
Microsoft denied that the encryption technology would enable criminals to store data so securely that it would be out of reach of the police.
"You can always break an encryption algorithm if you throw enough horsepower at it," said Lamb. The security advisor admitted that businesses could be at risk from hackers breaking the encryption but said the amount of power needed to do that was usually only available to governments.
Choosing a disposal method for encrypted hard disks would be a policy-based decision, Lamb said.
"Using BitLocker dramatically reduces the risk to data. I don't want to teach anyone to suck eggs, but you've got to ask 'What's my appetite for risk?' and apply the appropriate constraints. Some enterprises may decide it's a low risk, while in a military environment they may decide to smash the TPM to pieces," Lamb told ZDNet UK.
A security expert at mail services company MessageLabs said that, in theory, criminals can encrypt data and communicate with a fair degree of assurance using Pretty Good Privacy encryption.
"You can do an awful lot with PGP. You can encrypt things in a way that governments would find difficult to decrypt," said Mark Sunner, MessageLabs' chief technical officer.
Criminals were unlikely to use hard disks to store information, but theoretically gangs could use the Internet to host encrypted information.
"It's an interesting argument--because the Internet 'bad-guy rings' can use these techniques to send information around," said Sunner.
"Another use for a botnet is for hosting information, and it's constantly moving, making it difficult to intercept. Abuse of technology takes on a completely different meaning," Sunner added.
The board or power supply go awry and the TPM chip goes away with them. "That's ok, throw the machine away, nobody will be able to read your hard drive..." someone will say "... even the guy that has to recover the data from that machine because someone forgot to make a backup...?!" while hitting the wall. Whoops!
And that's the catch: how many users will implement that basic and simple security feature of perform backups? Not many, but it will be "fun" to see if they will learn it finally.
The board or power supply go awry and the TPM chip goes away with them. "That's ok, throw the machine away, nobody will be able to read your hard drive..." someone will say "... even the guy that has to recover the data from that machine because someone forgot to make a backup...?!" while hitting the wall. Whoops!
And that's the catch: how many users will implement that basic and simple security feature of perform backups? Not many, but it will be "fun" to see if they will learn it finally.
Thats not any different from the hard disk failing or someone stealing the PC. There are already plenty of ways to loose your data if you don't take backups.
Is there still anyone who believes a single word said by anyone working or owning microsoftwarez??? This thing looks more like some ŽuserlockerŽ to me. Once someone uses it, heŽll feel locked. Forever.
That rather unlikely baring either major advances in cryptoanalysis or some very very fast computers.
If you include weak keys a 128 bit key has 2^128 - 1 or 340,282,366,920,938,463,463,374,607,431,768,211,455 possible keys. It's likely the TPM uses cryptographicly strong keys so brute forcing is out of the question.
Quite likely a government would have the resources to simply decap the TPM chip and read the key though. Plenty of commercial companies can do that if you can afford it.
TPM isn't going to ensure that it's safe to dispose of a drive, and it may even complicate things by making it difficult to take more proactive measures to eliminate the information (TPM failure would prohibit erasing the information).
The most effective way of making it safe to dispose of a hard disk is still a properly applied 10lb sledgehammer.
If you want to reuse a disk, writing over every sector with random information a hundred times is a pretty effective measure and considerably more secure on relying encryption to protect it. The fact of the matter is that encryption is just enhanced obfuscation -- all the data is still present, just difficult to access. With age, encryption techniques become less effective as attacks against them become more advanced and compute resources for breaking them are cheaper and more powerful. Relying on TPM to make it safe to dispose of a drive is like relying on a post it with "do not enter" on it to keep people out of your house while away on vacation.
Data recovery for redundant HDD's ; for the greater good.
Dunt-dunt dunt-du Du! Remember when we only had five seconds to un-plug or throw the switch into an off position during a lan-minig experience online?
Well, today's SSL/SQL environment could shed the maturity of substantiating such a need as locking data; seperate from the opeating system's EFI or boot registry. depending on the level of security your IT Supervisor has on the table.
Nick McGrath, head of platform strategy for Microsoft UK says, "The technology itself is 100 percent secure--we will not be producing any backdoors. There are no backdoors in Bitlocker technology."
Microsoft Technical Security Advisor Steve Lamb says, "You can always break an encryption algorithm if you throw enough horsepower at it."
Does anyone see something wrong here?
"You can do an awful lot with PGP. You can encrypt things in a way that governments would find difficult to decrypt," said Mark Sunner, MessageLabs' chief technical officer.
PGP has it's source code available for peer review. If big brother or anyone else was able to break it, we would all hear about it.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Game on: European Union grants unconditional approval for $12.5 billion deal, but says it will keep an eye on Google. The company says it aims to "supercharge" Android with the acquisition.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
The Washington State Senate passed a bill that would charge electric car owners $100 per year to compensate for not paying gas taxes. The bill still has to pass the House.
And that's the catch: how many users will implement that basic and simple security feature of perform backups? Not many, but it will be "fun" to see if they will learn it finally.
And that's the catch: how many users will implement that basic and simple security feature of perform backups? Not many, but it will be "fun" to see if they will learn it finally.
Safe disposal is just a Red Herring.
This thing looks more like some ŽuserlockerŽ to me. Once someone uses it, heŽll feel locked.
Forever.
If you include weak keys a 128 bit key has 2^128 - 1 or 340,282,366,920,938,463,463,374,607,431,768,211,455 possible keys. It's likely the TPM uses cryptographicly strong keys so brute forcing is out of the question.
The most effective way of making it safe to dispose of a hard disk is still a properly applied 10lb sledgehammer.
If you want to reuse a disk, writing over every sector with random information a hundred times is a pretty effective measure and considerably more secure on relying encryption to protect it. The fact of the matter is that encryption is just enhanced obfuscation -- all the data is still present, just difficult to access. With age, encryption techniques become less effective as attacks against them become more advanced and compute resources for breaking them are cheaper and more powerful. Relying on TPM to make it safe to dispose of a drive is like relying on a post it with "do not enter" on it to keep people out of your house while away on vacation.
Well, today's SSL/SQL environment could shed the maturity of substantiating such a need as locking data; seperate from the opeating system's EFI or boot registry. depending on the level of security your IT Supervisor has on the table.
Please confirm: do you wish to delete all dataa?
reformating the disk will lose all information currently stored. this is not reversable.
and
Are you sure?
Microsoft Technical Security Advisor Steve Lamb says, "You can always break an encryption algorithm if you throw enough horsepower at it."
Does anyone see something wrong here?
"You can do an awful lot with PGP. You can encrypt things in a way that governments would find difficult to decrypt," said Mark Sunner, MessageLabs' chief technical officer.
PGP has it's source code available for peer review. If big brother or anyone else was able to break it, we would all hear about it.
Kristopher Steadman
PGP Corporation
ksteadman@pgp.com
Walt
What was considered to take 27,000 years to decrypt back in the early 1990's is now breakable within 15 seconds.
That said... I think Bill Gates needs to take a leap from a tall building like superman... and I'll provide him with a cape for free... (* LOL *)
FWIW