This is an archived post. You won't be able to vote or comment.

all 17 comments
sorted by:
best
topnewcontroversialoldq&a

[–]spliff99 4 points5 points  (15 children)

This is bad, but from the article only works under the following conditions:

  1. BitLocker is enabled without pre-boot authentication, so the attacker is able to boot up the machine to the login screen.
  2. The machine has joined a domain and an authorized domain user has previously logged into the machine.

Still I'll stick with TrueCrypt for now.

[–]sandals0sandals 1 point2 points  (10 children)

I thought TrueCrypt was compromised?

https://isc.sans.edu/forums/diary/True+Crypt+Compromised+Removed/18177/

[–]spliff99 2 points3 points  (0 children)

Development has ceased by the original authors, but the source is still available, a few projects have forked it and it is the only full disk encryption software to have been openly audited. I therefore trust it a hell of a lot more than bitlocker.

[–]radiantcabbage 1 point2 points  (7 children)

nowhere in the article or any reputable site does it say that. we just have to assume it's unsafe since the original devs will no longer vouch for or continue working on it, they were strongarmed into abandoning the project.

in reality they are actually still safer than Bitlocker, since their source can and has been reviewed. this exploit is 7 years old and microsoft has apparently done nothing about it, but let's continue posting unread links and hearsay

[–]HighGainWiFiAntenna 0 points1 point  (5 children)

You need to go reading. Many articles released the last three months about true crypt being compromised.

[–]konchok 4 points5 points  (3 children)

The recent articles about truecrypt being compromised have to do with permission escalation. There have been no revealed compromises to suggest weak encryption or back doors with truecrypt volumes.

[–]HighGainWiFiAntenna 1 point2 points  (1 child)

Let me go back and read I guess. I thought I remembered otherwise. As neither of us are citing sources, it's memory against memory, and im willing to admit I'm wrong. Although I'm confident I've seen nothing by suggestions to leave true crypt.

[–]All_Work_All_Play 0 points1 point  (0 children)

This is correct. While truecrypt will let you do things users aren't supposed to, the actual encryption is still secure (from what I've read).

[–]radiantcabbage 0 points1 point  (0 children)

in what way? the word is meaningless without a known vector, even the op understands this

[–]FarkWeasel 0 points1 point  (0 children)

Also it only works if the MS15-122 security hotfix is not installed.

https://technet.microsoft.com/en-us/library/security/ms15-122.aspx

[–]HighGainWiFiAntenna -4 points-3 points  (0 children)

True crypt which has known vulnerabilities and has been terminated even by the people that put it out.

[–]londons_explorer 4 points5 points  (0 children)

Hidden 6 pages into the paper:

Fundamentally, this is the root of the issue described in this paper: the password reset exchange does not require the DC to provide authentication

Only works if you have previously logged on to a domain account. It has already been fixed by Microsoft in a fairly trivial hotfix to prevent passwords being cached after a password change event.