Hacker News new | comments | show | ask | jobs | submit login

Out of curiosity, wouldn't the open-source TrueCrypt be better than the closed BitLocker? (assuming, of course, that TrueCrypt was not already compromised)



I don't believe BitLocker can be considered secure. Cross-post (mine) from the previous thread:

> Not "backdoors" but it seems Microsoft stores the BitLocker decryption key, based on this leaked slide (just found on twitter): https://twitter.com/TheBlogPirate/status/471759810644283392/... > edit: Confirmed Microsoft stores your recovery key on their servers if you're not connected to a domain: http://windows.microsoft.com/en-AU/windows-8/bitlocker-recov...


> Not "backdoors" but it seems Microsoft stores the BitLocker decryption key, based on this leaked slide (just found on twitter): https://twitter.com/TheBlogPirate/status/471759810644283392/....

That looks dubious to me - if you were creating a slide, would you use 90-degree-rotated text?

> edit: Confirmed Microsoft stores your recovery key on their servers if you're not connected to a domain: http://windows.microsoft.com/en-AU/windows-8/bitlocker-recov....

"There are several locations in which your BitLocker recovery key might have been saved" - emphasis mine - doesn't this mean they'll store the key if you log into "Your Microsoft account"? I have to admit I don't use Windows 8 so I don't know if this is mandatory or not? What about Windows 7?


Previous poster's confirmation is misleading -- it does not appear to be mandatory. I just went through the process on my Windows 8 machine, and you can choose to save to the recovery key to a file or print it out in lieu of storing it with your Microsoft Account (http://imgur.com/J0zk6I5).

Two caveats:

(1) It's possible Microsoft could choose to store the keys online regardless of what the user picks, but it's certainly not their official stance.

(2) Microsoft does automatically store keys online if you're using "Device Encryption" in Windows 8.1 (http://arstechnica.com/information-technology/2013/10/window...). This uses Bitlocker code but is distinct from using Bitlocker itself though -- i.e. if you do a vanilla Bitlocker encryption, your system should not send the keys to MS without a user (or admin) explicitly telling it to.


Using a Microsoft account for login is not mandatory on Windows 8.


It's not mandatory to use a Microsoft account for login, but they've been hiding the option not to in increasingly obscure locations in the installer. At one point, the easiest way to do it was apparently to just unplug your internet connection!


Maybe Microsoft asks or somehow prompts the user to back up their encryption keys? I mean, a user-focused OS certainly wouldn't include such a feature, right?


The question was not whether or not they might do it but whether or not they always did it. If a user is required to submit their encryption key to a third party for storage then the encryption solution is limited by their trust in the third party.


In the Greenwald book (No Place to Hide) he describes how Microsoft made a real effort with Skype and their Dropbox clone to open them up to the NSA.

Now I have read these revelations, I feel that not trusting Microsoft is a sensible default.


Now I have read these revelations, I feel that not trusting Microsoft is a sensible default.

You make it sound as if trusting Microsoft was ever an option to begin with...


There are pros and cons to both closed source and open source. Open source is nice because the community can audit the code and see for themselves, but closed-source is nice because a company generally has the resources to maintain and build software correctly.

Both of these are hypothetical, however. We've seen tons of vulnerabilities from both. IMHO Open Source works a lot better on paper but once projects get very large auditing them is really hard...which definitely cuts down on the amount of eyes looking at them.


>>closed-source is nice because a company generally has the resources to maintain and build software correctly.

These two things are orthogonal, IMHO.


My post is "on paper". In reality, projects are squeezed for nickels and dimes.

My point is that while open-source should be better, right now it seems that everything is equally not good enough.


Surely it would also take very little effort to implement an alternative to truecrypt? What's the big deal


If you are being sarcastic, you should be aware of Poe's law, which means we can't tell.


Security is hard. Encryption is hard. And don't call me Shirley!


Well implement one. While getting the encryption right is possible. There comes the pesky problems with presenting stuff to windows as a volume that works as well.


Well peer reviewed encryption libraries would take care of a huge proportion of that.

http://dokan-dev.net/en/ might work on windows for implementing something you might otherwise do via FUSE. Can't speak for windows as ive not used it for a decade or more.


I do believe that open-source solutions are better when concerned about privacy and security. But why would a user of a mostly closed-source OS bother about the open-source nature of one component of that OS?


That would be my opinion, but then I'd probably bet everything I own on BitLocker containing a backdoor of some sort.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: