On Monday, August 24, 2015, Brian Vraamark <brian.vraam...@plandent.dk> wrote:

> > Are you really going to trust a company that staked their future on
> > Windows RT tablets and Windows phones?
>
> Arguments like that pretty much leave no room for ideas based on Microsoft
> solutions....

The point is that if there is sufficient state on the disk to boot Windows,
start a background process, and decrypt a DPAPI blob, then an attacker with
knowledge of the DPAPI architecture could do the same. So, if this is
possible, then the security is reduced to the obscurity of the DPAPI
architecture.

The RT tablet and Windows phone have nothing to do with security, but are
merely examples of Microsoft's recent failures to accomplish the impossible.

> One question in regards to your idea. Can gbak run without using the
> encryption key? If not, how can I make unattended scheduled backups?

No problem other than this requires that database account credentials be on
the client disk and therefore theoretically available to an attacker. There
is no way to make any of this easy.

> Brian Vraamark
>
> ---------------------------------------------------------------------
>
> From: James Starkey [mailto:j...@jimstarkey.net]
> Sent: 23 August 2015 02:20
> To: For discussion among Firebird Developers
> Subject: Re: [Firebird-devel] Brainstorming Secure Unattended Start w/
> Encrypted Files
>
> One of the tenets of modern cryptology is that algorithms and mechanisms
> have to be published for analysis and review. The basic idea is that
> security is based on a mathematical impossibility that a cryptosystem can
> be broken within the time remaining in the universe. The once dominant
> idea was that a system sufficiently obscure was good enough. I dare say
> that the experience of the Third Reich demonstrated the weakness of the
> latter argument.
>
> Microsoft is assuming a position that is theoretically impossible and
> refuses to publish their system's algorithms for legitimate analysis. It
> is hard to argue that their system is anything but garbage top to bottom,
> waiting only for a disgruntled employee to blow the whole thing sky high.
>
> It is well understood that security by obscurity is no security at all.
> If Microsoft actually believed they had a robust system, they wouldn't
> hesitate to publish -- and patent -- their system.
>
> Possibly it is fairly secure. More likely, it's bullshit. If they
> published the details, we would all know. But they won't.
>
> Once it was believed that nobody could get fired for going IBM (SNA
> anyone? Anyone?). Then it was Microsoft instead of IBM. But that was
> then and this is now.
>
> Are you really going to trust a company that staked their future on
> Windows RT tablets and Windows phones?
>
> To paraphrase Yoda, break me a frigging give.
>
> On Saturday, August 22, 2015, Brian Vraamark <brian.vraam...@plandent.dk>
> wrote:
>
> > > I have a strong preference for portable, transparent solutions.
> >
> > That I can understand and would always be the best solution, but not
> > always possible.
> >
> > > There is also the small point that it has been broken (see Wikipedia).
> >
> > As I read it, it was mostly before Windows XP. Since Windows Server
> > 2003/Windows 7, a lot of changes in DPAPI have made it more secure. The
> > security analysis from Passcape concludes:
> >
> > "DPAPI deserves such close attention at least for the fact that it's the
> > only password-based system that provides appropriate and thoroughly
> > thought out protection of user's personal data. None of the operating
> > systems has a more viable alternative to DPAPI!
> >
> > We should, perhaps, mention that the first implementation of DPAPI had a
> > number of serious flaws, which could enable a potential malefactor to
> > easily compromise user's data protected by DPAPI.
> >
> > The first pancake is known to be always lumpy. In all the subsequent
> > operating systems, beginning with Windows XP, those vulnerabilities have
> > not merely been eliminated; the entire DPAPI system has undergone a major
> > revision. In particular, it has adopted new encryption algorithms; that
> > has made the Master Key password lookup speed about 1000 (!) times
> > slower. Master Key encryption errors that potentially allowed any user to
> > gain access to any files encrypted by EFS were fixed. The local Master
> > Key backup system has been replaced with the password reset disk, etc.
> >
> > Overall, the DPAPI encryption system has become more robust, powerful,
> > meeting the stringent requirements of password security."
> >
> > Brian Vraamark
> >
> > ------------------------------------------------------------------------------
> > Firebird-Devel mailing list, web interface at
> > https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
> --
> Jim Starkey
>
> ________________________________________
> This mail has been scanned for viruses by TDC Mailfilter.
> ________________________________________
>

--
Jim Starkey
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
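The machine-scope DPAPI argument made above, as an added example that is not part of the thread and not Firebird code: an unattended-start design that stores the database key as a LocalMachine-scope DPAPI blob on disk, followed by an unrelated process on the same box recovering it. Every name here (the sample key, the entropy string, the blob file name) is constructed for the demonstration; the only real APIs used are System.Security.Cryptography.ProtectedData and a child powershell.exe.

```powershell
# Added example, not from the thread: a LocalMachine-scope DPAPI blob is
# decryptable by ANY process on the same machine (or on a booted copy of
# the disk), which is the point Jim makes about unattended start.
Add-Type -AssemblyName System.Security

$secret   = [Text.Encoding]::UTF8.GetBytes('firebird-db-key-EXAMPLE')  # constructed sample key
$entropy  = [Text.Encoding]::UTF8.GetBytes('firebird-unattended')      # constructed entropy string
$blobPath = Join-Path $env:TEMP 'fb_dbkey.dpapi'                       # constructed file name

# Step 1: what the unattended-start design would do once at install time.
# LocalMachine scope is the only scope a service can use without a user
# logon, so this is the realistic choice, and it is the weak one.
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
[IO.File]::WriteAllBytes($blobPath, $blob)

# Step 2: what an attacker with code execution on the box does. A fresh,
# unrelated process (no shared state with step 1) reads the blob and asks
# DPAPI to unprotect it. The entropy is not a secret: it has to live on the
# same disk as the blob for the service to start, so the attacker has it too.
$attackerScript = @"
Add-Type -AssemblyName System.Security
`$blob    = [IO.File]::ReadAllBytes('$blobPath')
`$entropy = [Text.Encoding]::UTF8.GetBytes('firebird-unattended')
`$plain   = [Security.Cryptography.ProtectedData]::Unprotect(
    `$blob, `$entropy, [Security.Cryptography.DataProtectionScope]::LocalMachine)
[Text.Encoding]::UTF8.GetString(`$plain)
"@
$recovered = & powershell.exe -NoProfile -NonInteractive -Command $attackerScript

if ($recovered -eq 'firebird-db-key-EXAMPLE') {
    'Key recovered from an unrelated process: machine-scope DPAPI hides the key only from off-box attackers.'
} else {
    'Unexpected: DPAPI did not return the key (different machine or corrupted blob?).'
}

# Contrast: CurrentUser scope binds the blob to one account's master key, so a
# service running as a different account cannot unprotect it without that
# account's password. That is exactly why it does not help unattended start:
# the service either runs as that user (and then so can the attacker who owns
# the box) or it needs the user's password on disk, which is the same problem
# Jim describes for the gbak credentials.
$userBlob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
"CurrentUser-scope blob is $($userBlob.Length) bytes; only this account's master key can open it."

Remove-Item $blobPath -ErrorAction SilentlyContinue
```

Run it in Windows PowerShell 5.1 as any local account; the child process succeeds regardless of which account launches it, because the LocalMachine master key is derived from machine state that is on the disk. The DPAPI blob format and master key derivation are what an attacker who has imaged the disk would reimplement offline; the example only shows the on-box case, which is the easier one.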