Recent Posts

91
Discussions - Public / Re: Hard drive encryption
« Last post by The Gorn on April 12, 2017, 10:15:45 AM »
I have had a lot of grief in the past with whole drive encryption including being locked out of the system. I have experience with both the Symantec and Winmagic solutions. Both have lots of issues. I remember one time the machine crashed during boot up, so after that the encrypted boot loader would not work no matter what they did. The certificate got damaged and it would not communicate with the encryption end point. What a nightmare, took them about a week to get back into it.

On my personal computers I don't use it. If it goes bad what do you do?

I never heard of a desktop encryption product that used a security certificate that demanded validation from a central server, like an SSL certificate, but it kind of makes sense...

ONLY for data that could in theory be subject to "man in the middle" attacks or a hard drive being replaced with one with spoofed data.

Anyone normal and any normal business user should be OK with encryption keys entered at the point of use.
92
Discussions - Public / Re: Hard drive encryption
« Last post by ilconsiglliere on April 12, 2017, 09:31:32 AM »
They are all paranoid about the hackers and others stealing their data yet at the same time they have outsourced everything. What's to prevent these outsourcing company people from just taking stuff?

With large outsourcing organizations like WIPRO or TATA, they take precautions to prevent their customer code from being compromised or stolen by their employees. They would need to, otherwise they would lose most of their business if a theft of code or data became public. Now the smaller outsourcing organizations may not be so careful.

I laugh at this. Anything can be taken no matter what measures are put in place. From my experience with these big companies nothing is guarded.

An example, I used to work at a well known life insurance company. They jealously guarded their list of policy holders. You were not allowed to take it off your computer via email, file sharing or the stick. You could not use memory sticks on the computer.

Then one day at a meeting I said what's to prevent someone from just printing it out and then walking out with the print out. Then stopping at Staples on the way home and having them scan it into a PDF?

Or someone sits there with their phone taking pictures?

They were not happy with those answers and these are low tech.
93
Discussions - Public / Re: Hard drive encryption
« Last post by pxsant on April 12, 2017, 04:35:51 AM »
They are all paranoid about the hackers and others stealing their data yet at the same time they have outsourced everything. What's to prevent these outsourcing company people from just taking stuff?

With large outsourcing organizations like WIPRO or TATA, they take precautions to prevent their customer code from being compromised or stolen by their employees. They would need to, otherwise they would lose most of their business if a theft of code or data became public. Now the smaller outsourcing organizations may not be so careful.
94
Discussions - Public / Re: Hard drive encryption
« Last post by ilconsiglliere on April 12, 2017, 04:11:12 AM »
I have had a lot of grief in the past with whole drive encryption including being locked out of the system. I have experience with both the Symantec and Winmagic solutions. Both have lots of issues. I remember one time the machine crashed during boot up, so after that the encrypted boot loader would not work no matter what they did. The certificate got damaged and it would not communicate with the encryption end point. What a nightmare, took them about a week to get back into it.

On my personal computers I don't use it. If it goes bad what do you do?

Here is a thought that I think is funny though - think about the following: All these companies have outsourced everything in sight to India/China/Russia/Mexico and who knows where else. At the same time companies are rolling out this whole disk encryption to every single PC in the company.

They are all paranoid about the hackers and others stealing their data yet at the same time they have outsourced everything. What's to prevent these outsourcing company people from just taking stuff?
95
Discussions - Public / Re: Hard drive encryption
« Last post by The Gorn on April 11, 2017, 05:05:39 PM »
It hurts my head to read, but a casual Google of the topic will yield a ton of respectable articles.

Essentially there is a so-called "system diagnostic" coprocessor embedded within the die of later Intel CPUs that Intel doesn't disclose any API or access information about whatsoever. This is what Code Refugee is describing.
96
Discussions - Public / Re: Hard drive encryption
« Last post by benali72 on April 11, 2017, 04:26:30 PM »
You can switch to Linux, or even a custom OS you spent 30 years building from scratch to be the most secure OS in history. But if you are running on Intel chips, there's a fully backdoored coprocessor in there that runs during idle time and has complete access to every keystroke, every packet, and every byte of memory.

Really? Could you please give a link or an explanation. I've never heard this before. Thank you.
97
Discussions - Public / Re: Hard drive encryption
« Last post by Code Refugee on April 09, 2017, 11:19:52 AM »
You can switch to Linux, or even a custom OS you spent 30 years building from scratch to be the most secure OS in history. But if you are running on Intel chips, there's a fully backdoored coprocessor in there that runs during idle time and has complete access to every keystroke, every packet, and every byte of memory.
98
Discussions - Public / Re: Hard drive encryption
« Last post by unix on April 09, 2017, 10:45:09 AM »
I don't trust MS with anything, they are almost like the gov.  Not only that but it's either backdoored or not safe versus a brute force attack.
99
Discussions - Public / Re: the impossibly hopeless task of anonymous polls
« Last post by The Gorn on April 09, 2017, 10:28:45 AM »
... I have an insight to share with you: it's impossible to have a valid anonymous public vote unless you resort to underhanded back door NSA style tracking methods.

Quoted for truth, and thank you for this great insight into a specific problem of our time!

You really hit it out of the park. Most polling is bullshit, basically.
100
Discussions - Public / the impossibly hopeless task of anonymous polls
« Last post by Code Refugee on April 09, 2017, 10:18:38 AM »
A little while back I was asked to implement something to do polling. Among polls of interest are polling employees, polling customers and polling the general public.

The general problem to avoid is people voting more than once and gaming the poll.

We know this is a big problem since the media is constantly having polls with responses that turn out to be bogus, such as who are you going to vote for in the next election, even when they do random phone screening. However, I think random phone screening is pretty solid if you do a big enough sample, the problem was with their "adjustments" to the raw data in order to push their agenda. Let's assume that's not a problem here, we're going with the raw counts and no skewing. Also not concerned with whether the sample is a valid cross section in this case.

When big companies get their polls gamed we laugh at them. The general public says Clinton has a 99% chance of winning. The general public wants the boat to be named Boaty McBoatface. The general public says their new chip flavor should be an ode to Hitler. Well obviously none of these things were the actual opinions of the general public. The polls were either rigged or culture jammed. What idiots the poll workers and tech guys are. Obviously they used dumb tech noobs. Surely if they implemented simple safeguards none of that would have happened. However, whether they are noobs or not, the problem they are up against is a lot more of a challenge than most people suggest with solutions such as "just require user accounts", "just collect a cell phone number", "just use captchas", etc. and so forth.

Now the case of polling employees reliably is not a hard problem. We know who those employees are and they can be assigned a voting token that allows them to vote once, anonymously. If you have an employee email account on the system I can see that and that you're current, and there's not a bunch of fake accounts or such since accounts are handed out, and not grabbed by random anonymous people. Works probably the same as online election engines in some countries I imagine. Sure maybe their spouse or friend voted, but that's OK, the problem is with multiple votes, and non-existent people voting, both of which are the same problem.

Polling customers is similar to polling employees and is handled in a similar way. So no problems there, other than that of trust - some people don't trust that the system is anonymous and their opinions won't be tracked back to them, so they don't vote. Also people who think they don't care about an issue are less likely to vote. Their not caring can be a useful data point but it's OK to just assume that from their non-vote that they accept the results in advance.

The problem of polling the general public is very different from either of these.

Now a phone poll is maybe a bit more reliable. 4chan can't game it. Maybe you call the same person twice on their two cell phones, but that's not them gaming the system and isn't really going to affect results much.

But anything involving user created and selected accounts open to the general public can be gamed and subverted by a motivated opponent. And that opponent doesn't even need financial incentive. 4chan in particular will spend infinite hours gaming a system to make sure the new Doritos flavor is called "Hitler Did Nothing Wrong". These guys are far more motivated to game systems and have the ability to do so than the most motivated state actors pushing an agenda for actual personal gain. 4chan's motivation of getting "lolz" is much stronger than any other force.

Anything involving cookies and ip addresses can be gamed as well.

The only thing that works at all is weaponized tracking. By this I mean methods of dodgy legality such as persistent zombie cookies that take advantage of security defects in Flash and in browsers, browser fingerprinting, and using toolkits of dubious origin that are able to break the veil of Tor secrecy. And these methods work and you get more valid survey results if used, and you'll definitely find that any survey that becomes notable is massively gamed.

To be clear, I am not asking for any advice at all and don't want any. This is just sharing info, like a public lecture. I feel I've been all up and down studying and experimenting with this for some time. The issue isn't I need advice, the issue is that I understand the fundamental problem and I have an insight to share with you: it's impossible to have a valid anonymous public vote unless you resort to underhanded back door NSA style tracking methods.
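
The employee-poll scheme described in the post above (a handed-out token that allows one anonymous vote), as an added example that is not part of the original post or the poster's code. The class and function names, the roster addresses and the SHA-256 digest store are assumptions, and it assumes whoever distributes the tokens keeps no record of who received which one.

```python
import hashlib
import secrets
from collections import Counter


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TokenPoll:
    """One vote per issued token (hypothetical names, not from the post)."""

    def __init__(self, choices):
        self.choices = set(choices)
        self.unspent = set()   # digests of issued tokens not yet used
        self.spent = set()     # digests of tokens that have voted
        self.tally = Counter()

    def issue(self, roster):
        # One random token per known account. Only digests are stored and no
        # account-to-token mapping is kept (assumes distribution keeps none either).
        tokens = [secrets.token_urlsafe(16) for _ in roster]
        self.unspent.update(_digest(t) for t in tokens)
        return tokens

    def vote(self, token, choice):
        d = _digest(token)
        if choice not in self.choices:
            return "bad-choice"      # token is not consumed
        if d in self.spent:
            return "replayed"        # same token used twice
        if d not in self.unspent:
            return "unknown-token"   # never issued: guessed or forged
        self.unspent.remove(d)
        self.spent.add(d)
        self.tally[choice] += 1
        return "ok"


def demo():
    poll = TokenPoll(["yes", "no"])
    roster = ["alice@example.test", "bob@example.test"]  # constructed sample
    t = poll.issue(roster)
    results = [
        poll.vote(t[0], "yes"),
        poll.vote(t[0], "no"),
        poll.vote("guessed-token", "yes"),
        poll.vote(t[1], "maybe"),
        poll.vote(t[1], "no"),
    ]
    return results, dict(poll.tally)
```

The ballot side stores a tally and token digests only, so a vote cannot be tied to an account from the poll's own data; this works because accounts are handed out from a known roster, which is exactly what an open public poll lacks.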