Pure absolute bullshit.
Say your roomie gets your HD, puts it in his box. It's not a matter of "clearing the encryption bit". Sure, to encrypt a file it's a simple matter of checking the box to encrypt the file/folder. BUT.... the file must be decrypted before it can be saved in cleartext. And since the recovery key wasn't encrypted with any key on your roomie's box, it's not going to happen until he does some serious haX0ring.
FUD. It doesn't work on me.
when was the last windows EFS release that was not just a vulnerability patch?
by the way, when was the last vulnerability patch?
According to this there aren't any hotfixes for EFS itself. There is a hotfix to upgrade the encryption that houses the container where the keys are kept, but that's it.
Turns out that NTFS cannot be used on removable disks, even though the NTFS semantics are better suited (think what happens when a disk is unmounted unexpectedly).
Actually, NTFS can be used for removable media now. The NTFS driver might not be able to handle a Flash card as an NTFS mountable volume, though. You did set the flash up as a dynamic volume, right? I've seen Zipdisks that work just fine formatted NTFS, but haven't had the chance to play with Flash cards.
Can anyone fill us in on this windows folder/file encryption? How does it work? What does it use as a key, and how is that key accessed?
I read it uses AES
I would assume a key/certificate/whatever is stored in the user account profile....
But what prevents Administrator from changing your password, and signing into your account to read your files? I suppose this leaves a trail... but still.
The certificate is stored on the user's workstation. If they use multiple workstations, the user must carry their certificate with them. EFS works using 128-bit DESX. A symmetrical recovery key is generated and is encrypted using the Recovery Agent(s)' public key, so that those people designated as people who can decrypt others' files can do so.
For those who still can't understand this, and think that a cracked account/BO Trojan and other absurd conditions are going to make a difference, the answer is Very Little. An agent still needs the certificate installed on the workstation that he/she is going to be recovering files from. Microsoft even recommends that a certificate be generated, the public key added as a recovery agent, and the certificate kept on removable media and stored securely until it is needed. They also recommend storing the certificate as a PKCS#12 cert since you can lock the private key with a password.
An Admin can't just change your password and sign in as you, unless he can do it at your workstation or wherever you have your certificate installed. He may be a designated Recovery Agent, though, in which case he can look at your files anyway. But this has always been the case on a Windows network, and even on Unix/Linux nobody can stop root from reading a file, right?
So cracking the password on that one account will make all the encryption useless? Wouldn't surprise me.
Nope. You also need the Recovery Certificate for the cracked account to be installed on your workstation. Merely cracking the account won't give you automatic rights to recover files. EFS security is certificate based.
That sounds.... umm... insecure. *smack* Windows... right
You don't understand how EFS works, do you? ummm... Slashdotter taking time to do something besides railing about windows....right...
I'll break it down for you: EFS Recovery Agents require that 1) a File Recovery certificate be issued, 2) the public key for that certificate be added by an Enterprise Admin as a designated Recovery Agent, and 3) the Agent have possession of the certificate, since you will need the private key in order to decrypt the encryption key for the file.
Any questions, or have I sufficiently blown away your FUD?
"it's encrypted because we say it is, and trust us on that"
Isn't that the case with any encryption scheme? The only way you'll ever be sure is if you write your own.
Recovery Agents. Accounts allowed to decrypt an EFS encrypted file.
I tried to use win2k's efs, and it ruined me.
Tell them that!
Ever heard of a File Recovery Agent? There's one set up by default on every Win2k system. And it gets better... you can add more!
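As an added illustration (not code from the thread), a Go model of the EFS key layout the posts above describe: a per-file symmetric key wrapped separately under the owner's public key and under each recovery agent's public key, so a private key that matches none of the wrapped entries recovers nothing, however the account password was obtained. AES-GCM, RSA-OAEP and all key material are constructed stand-ins for the thread's DESX and certificates.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EFSFile: ciphertext plus the file encryption key (FEK) wrapped once per party allowed to open it.
type EFSFile struct {
	Nonce, Ciphertext []byte
	Wrapped           [][]byte // [0] owner (EFS's DDF), rest recovery agents (DRF)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-GCM over a 16-byte FEK; the constructors only reject bad key sizes.
func aead(fek []byte) cipher.AEAD {
	block, err := aes.NewCipher(fek)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt draws a fresh FEK, encrypts the data with it (AES-GCM here; the EFS
// in the thread used DESX) and wraps the FEK under each public key in turn.
func Encrypt(plain []byte, owner *rsa.PublicKey, agents ...*rsa.PublicKey) (*EFSFile, error) {
	fek := randBytes(16)
	gcm := aead(fek)
	f := &EFSFile{Nonce: randBytes(gcm.NonceSize())}
	f.Ciphertext = gcm.Seal(nil, f.Nonce, plain, nil)
	for _, pub := range append([]*rsa.PublicKey{owner}, agents...) {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		f.Wrapped = append(f.Wrapped, w)
	}
	return f, nil
}

// Decrypt tries priv against every wrapped entry; a key that unwraps none (an admin who merely reset the password) gets only an error.
func Decrypt(f *EFSFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range f.Wrapped {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // not wrapped for this key
		}
		return aead(fek).Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no wrapped FEK entry matches this private key")
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := Encrypt([]byte("constructed sample text"), &owner.PublicKey, &agent.PublicKey)
	p, err := Decrypt(f, agent) // the designated recovery agent recovers the plaintext
	fmt.Println(string(p), err)
}
```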
$900m in software + 200,000 reconditioned computers + $90m in teacher training + $38m in technical support + $250m for the foundation + $160 to teach kids how to work with computers, guys, basic math.
900 + 90 + 38 + 250 + (est $40m for the computers) + 160 = $1478m... this is NOT EQUAL TO $1.1B.
The costs of using an open-source calculator, I guess. At least calc.exe in Windows is capable of adding correctly. BWAH!
Was it me or are jamie's comments just a little biased against Microsoft? I think at this point, MS could donate eleventy billion dollars to the Red Cross, WHO, and several other charities and there would be Slashdotters who would find fault with it. It turns into a kneejerk reaction that lost its charm years ago.
Microsoft NT 4.0 is super secure, because we paid lots, right?
It is if you take a little time to make it that way. You don't install Linux and run it stock do you?
It is not unreasonable to ask Microsoft to consider customer needs and abilities when releasing product.
If that were the case, I would think that Linux would have a very very limited distribution. Business is a Darwinian affair. If the market is saturated, natural selection will kill off all but the most fit to turn a profit. If MS has released too many OSs at one time, I'm certain that the least robust and least workable ones will suffer poor sales. Of course Microsoft is going to look after their bottom line. That's why they're in business. If you want altruism, head on over to the Linux side.
If Micro$oft wants to keep releasing operating systems based on its own profit needs, it will have to expect others will only adopt them based on their own needs and abilities.
Is Microsoft supposed to release software on some other timetable? You make it sound like trying to make some money is an evil thing. What profit-minded company doesn't release products based on its business model?
Your URL is wrong, dude. Don't you read the bit which says "Check URLS" anymore?
The One True URL is:
http://dsc.discovery.com/news/briefs/20010827/marsteeth.html
How's that foot taste?
I didn't realize you could run MacOS on an Intel platform. Wonders never cease. I bet you didn't know that Microsoft provides ports of MSIE for Macintosh and Unix? So once again: Why would someone pay to buy an OS just to get a browser, when the browser is free to begin with?
The other formats will die, slowing down innovation despite what Microsoft may claim and giving Microsoft a monopoly in yet another field, and
It's up to the vendors of alternate streaming formats to make sure that their product is superior in contrast to Media Player's availability. A 5 meg download is nothing today, on DSL and cablemodems. But if Real, Apple or other companies don't provide anything new or better to bring to the table, then yes, Media Player will win out. Now, is this a bad thing, or a good thing?
Personally, I don't like Media Player that much, and I really hate its "content rights management" crap. I don't even use it to listen to MP3s (I prefer WinAmp, which has a lot more features).
What moron (except maybe the deposed dictator of an Eastern European nation) would buy an operating system just to have a browser that is available for free from the vendor's site?
MICROSOFT, what corner would you prefer being forced into today?
I guess it's a good thing you didn't pay a lot of money for MSIE, did you?
BTW, what OS do you run?
WinNT, Win2k, some Linux and Solaris.
Ahh that new one with not a single flaw in it right???
I've never said that.
All OSes are exploitable. It's up to the administrator to make sure they are up to date and as secure as possible.
If you bothered to read what I've been posting, you'd find that's what I've been saying all this time.
If anyone, I blame Microsoft - they wrote buggy software
To be fair, do you blame the Open Source community for writing buggy software?
While I hate MicroShaft (ask anyone at my job) and TheCabal appears to have a slight slant towards BillCo, I must reply to this!
Heaven forfend that I don't toe the /. line and Love Linux, hate Microsoft and have the latest distro of Debian running on my toilet. If that makes me a MS lover, feel free to apply that label. I, on the other hand, prefer to use the right OS for the job. And sometimes that is Microsoft. Maybe some day soon, more people will realize that, and get away from this asinine OS bigotry.
They are pretty good at putting out fixes (if more than a little low key on the announcement thereof)
Strange. I get announcements delivered to my inbox not only from Microsoft's Security Notification service, but their security guys are pretty active on NTBugtraq. And the latest patch announcements are always available on the TechNet homepage. Would you rather that they send a man with a bullhorn out to your house and shout the URLs for the latest bulletins? Have a skywriter spell it out for you in the sky? Burn the URL on the moon, a la Chairface Chippendale? Is it lack of effort on Microsoft's part, or lack of effort on someone else's part?
They certainly deserve a good bashing from time to time. However, please keep the bashing based on real facts, not generic BS. (we like to bash them for their FUD, let's not spread FUD ourselves)
I wish a lot more people would adhere to this rule... I see a LOT of award-winning fiction being written here on Slashdot about the (imagined/exaggerated) wrongs of Microsoft and Windows in general... I urge the authors to leave the IS/IT field and get into writing fulltime.
Does being less than hypercritical of Microsoft make one a MS-lover? I've never said anything bad of *nix, but then, I've also never painted *nix in glowing, flowery prose, either.
I think that there is some confusion between the iishack exploit for IIS 4.0 and the new IIS exploit implemented in Code Red. When iishack was reported and released by Eeye MS had taken their sweet time releasing a fix. This is clearly not the case with Code Red.
I think there is some confusion. The patch for the .ida buffer overflow that Code Red exploits existed weeks before the release of the worm. Clearly, Microsoft responded in a timely fashion with a patch before it was a problem. To blame MS for administrators not applying patches is lunacy. Are we going to lay the same level of bile on say... Paul Vixie, for releasing a version of BIND that gives any skiddy root access with a simple buffer overflow? What was HIS solution to that problem?
You're nothing more than a pompous M$ lover. They deserve to be bashed because of the business practices they stand for and the crappy software they produce. I suggest that if you don't like the comments then don't read em. Damn Jerk!!!
Wow. My Linux based Irony Meter just coredumped from an impossibly large input. Here: let me help you-
I suggest that if you don't like my comments, then don't read them. Anonymous Coward!!!1!!!
...instead of a tap on the shoulder. Some companies need some "convincing" to make the necessary changes in a timely manner. Microsoft is definitely one of those companies.
Unrepentant bullshit. Microsoft is very good at getting fixes out. Some bug-hunters expect a 2 hour turnaround time on their reports before "forcing MS to fix this by going public". Eeye even says that MS was quick in putting out a patch to fix the hole. The vast majority of bug hunters that actually take the time to work WITH Microsoft say that MS is quick in getting patches developed and in the hands of administrators, where they aren't applied (but that's a different story). Where's the sledgehammer? Can you support your claim with any evidence of any kind, or is this merely Yet Another Case of Uninformed Microsoft Bashing?