Daily Archives: 2023-08-24

Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop

Source: OSNews

Article note: Securing a machine an attacker has physical access to is _extremely fucking difficult_... but being able to sniff plaintext keys off an exposed SPI bus is some first decade of the 2000s "an attempt was made" shit. At least they (probably) couldn't just plug into the SPI device and ask for the key offline. Someone buy the person who did it a BusPirate and/or a cheap MSO with LA pins, they're going places.

The BitLocker partition is encrypted using the Full Volume Encryption Key (FVEK). The FVEK itself is encrypted using the Volume Master Key (VMK) and stored on the disk, next to the encrypted data. This permits key rotations without re-encrypting the whole disk.

The VMK is stored in the TPM. Thus the disk can only be decrypted when booted from this computer (there is a recovery mechanism in Active Directory though).

In order to decrypt the disk, the CPU will ask that the TPM sends the VMK over the SPI bus.

The vulnerability should be obvious: at some point in the boot process, the VMK transits unencrypted between the TPM and the CPU. This means that it can be captured and used to decrypt the disk.

This seems like such an obvious design flaw, and yet, that’s exactly how it works – and yes, as this article notes, you can indeed capture the VMK in-transit and decrypt the disk.


No app, no entry: How the digital world is failing the non tech-savvy

Source: Hacker News

Article note: The accessibility issue for elderly/illiterate/unbanked/disabled folks is totally a problem. The fragility is also at least as big a problem, both in the "mobile devices and their connectivity aren't all that trustworthy" and "a small technical glitch can wipe out your only available workflow" sense. And the Intrusiveness issue is a problem for everyone. I'm not going to install your fucking app and let it try to suck every bit of personal information out of my phone to buy a sandwich.

Rocky Linux backer CIQ rejects lawsuit’s claims it was founded on stolen IP

Source: The Register

Article note: It sure looks like a situation where Greg (&co.) were doing open-source work to benefit the community and making "enough" off of support and contract dev and such, some folks at Sylabs got greedy, and everyone who was there to do engineering, not rent-seeking, moseyed on out. It seems to happen pretty regularly with open source stuff used by enterprise customers, and it's not even the first time it's happened to him.

Brands allegations as 'meritless' after being sued by HPC software provider Sylabs

A recently unsealed lawsuit filed in the US by HPC software provider Sylabs accuses rival outfit Ctrl IQ (CIQ) and its founder Greg Kurtzer of violating Sylabs' trade secrets in order to start its business, and of filing its own patents based on that technology.…
