@Pete-S said in Local Encryption Scenarios: @DustinB3403 said in Local Encryption Scenarios: @Pete-S said in Local Encryption Scenarios: @DustinB3403 said in Local Encryption Scenarios: @Pete-S said in Local Encryption Scenarios: Anyway, in the case of the CPA we are talking about material that is not really sensitive at all. The data files could be secured the same way as any paper records. Locked in a safe when not in use. That would be the same as being encrypted, since the lock on a safe = encryption and the physical key = the passphrase to decrypt the drive or data. Well, in principle only. You can walk away with the encrypted computer but it would be harder with the safe. In most cases physical security is about delaying. You can smash and grab a laptop from the office window but it would require a lot more time to break in properly and then open a safe before someone shows up. You have those examples a bit mixed up. The comparable scenario would be "getting to the data" The physical medium housing that data doesn't matter. You break the lock, you get the data. If you break the encryption key you get the data. But a physical lock is likely easier to break and get into whatever than it would to decrypt a encrypted volume. Reminds me of this classic: there is ALWAYS a relevant xkcd

@dbeato I forgot you are an MSP.

https://www.itnews.com.au/news/qld-it-minister-cautions-feds-over-interference-516628 Queensland’s IT minister Mick de Brenni has urged the federal government not to use its newly created Australian Digital Council as a way to dilute state regulation.   He has also accused the Canberra of not consulting with state and territory governments prior to releasing its inaugural digital transformation strategy last month So it seems that only Canberra is keen on it.

I use Veracrypt. It's compatible with TrueCrypt but It uses his own encryption mode by default.

@vhinzsanchez said in Re-Enable BitLocker on Windows 10 Home: Thanks SAM, we are accepting the fact that the encryption will not be done at this moment. Regards, VhinzSanchez https://www.howtogeek.com/234826/how-to-enable-full-disk-encryption-on-windows-10/

@stacksofplates said in Encryption FS on the Cloud and Remote SSH: To play devil's advocate, if you're using LUKS the data is encrypted in transit also. So it's not just at rest. I can't remember off of the top of my head, but you might need FIPS mode enabled for dm-crypt to encrypt in motion as well. I'm lazy and don't feel like looking it up.

I've heard of it, but never looked into it. If it's looking at every message on the line, it sounds like it could be block chain based.

Do you have .net4 installed on this xp client?

PTT is a way of provider TPM, they are not two separate things. PTT is a non-dedicated hardware approach to TPM 2.0. PTT is designed for low power devices, often used in industrial computing. Traditionally TPM requires a TPM module, a dedicated hardware processor and firmware for security. With TPM 2.0 dedicated hardware is no longer required. PTT is Intel's implementation of TPM 2.0 for low power systems.

@dashrender said in US DOJ Continues Its Attack on User Privacy: @scottalanmiller said in US DOJ Continues Its Attack on User Privacy: @dashrender said in US DOJ Continues Its Attack on User Privacy: @scottalanmiller said in US DOJ Continues Its Attack on User Privacy: @dustinb3403 said in US DOJ Continues Its Attack on User Privacy: Rosenstein also said "...People want to secure their houses, but they still need to get in and out. Same issue here." Not even close, those people are welcome to come and go in their damn house. You on the other hand might get shot in the face if you just walk into someone's house uninvited. People can still get in and out of their phone. I don't have to give my door key to the DoJ. Yeah - I'm trying to come up with a physical example to compare to digital security - but I'm coming up blank. Doors aren't bad. You lock your door, the DoJ is an intruder, the key company does not send copies of your keys to the DoJ. It's really not good enough. The DOJ can hack your door with lock picks or just bust it down. I suppose a better example would be a universal garage door opener that only the government is supposed to have, but of course, once the bad guys know about that, they will keep hacking the government until they steal one of those universal door openers. Secure keys for encryption would be the same. The government is as leaky as a cauldron, there's almost no chance they could keep keys like this from the hackers. Then instantly everyone would be vulnerable. Everyone that uses a mainstream OS or device that operates anywhere in the world that has any operations within the US. Yup

@scottalanmiller said in What Exactly Is a VPN, Is HTTPS a VPN SAMIT Video: A lot of them get posted on SW first as a response post because someone will do something that warrants a video so I make it and post as a response, but then dole them out on an even pace over here with a spot to discuss them. How do you know you're an idiot? SAM replies to you with a video

I saw something about this the other day... It is interesting to say the least.

I've used tor, it's functional, but removes a lot of what most people consider useful from most websites.

@Breffni-Potter said in The SHA1 hash function is now completely unsafe: If you burn 110K in cash. And have a team of cyber security experts. Today, yes. But in six months it'll be a script and $30K in compute power. In two years it'll be $500 of AWS time.

Can't reply on SW, it's having one of its "this thread won't let you respond" hiccups.

@JaredBusch Awesome. Tks Jared. Tested and works beautifully!

Yes, I have. It was talked about on Security Now a few years ago. It allows TNO (Trust No One) on cloud storage . You control the keys for encryption. of course, if you don't have the keys, the data is useless.

@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon: I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server. That's confusing because it isn't email at that point but is just an internal application API. If it is Outlook, for example, it talks directly with Exchange as a client manipulating stuff on Exchange. If it is OWA, it's Exchange that you are looking at directly (the "email" is still on Exchange.)

@scottalanmiller said in Let's Encrypt stats: @Jason said in Let's Encrypt stats: I'm guessing a lot of kids/teens and college age are using let's encrpyt hence the .ninja I'm confused, aren't all those domains only used by ninjas? Go Ninja, Go Ninja, Go!

Only the other night for me and it was all on one project so I'm not sure what it was, yet.

@thwr said in Kickstart with LUKS: @scottalanmiller said in Kickstart with LUKS: @thwr said in Kickstart with LUKS: @thwr said in Kickstart with LUKS: But if the server walks, the TPM walks with it and the security has been totally bypassed. In fact, IMHO, if you have the key on TPM and it decrypts automatically on start up and you had to state if the system was encrypted or not, at best you could say "sort of." While you might get away with saying that it is encrypted, if asked the other way "is the data wide open", the answer would also be yes because it's not encrypted when someone looks at it. Ah, sorry, misunderstood your posting in the first place. Well, that's chicken-egg. You can either have it decrypt automatically or not. If going for automatic decryption, we have to make sure the machine can't decrypt e.g. when it gets stolen or sold. For this, storing the key on the host alone, even with TPM, may not be enough (don't know enough about TPM at this point. Sealing to system state seems quite safe, but...). Thus, we need to bring in another factor. Let's call it "location awareness", e.g. pulling the actual key from the network and TPM stores just something to authenticate against the "key server". Server offsite -> no decryption. Past boot, it is up to you to secure the server by traditional means. Strong passwords, no or strongly secured RS232 TTY and so on. Exactly, something externally has to trust that the system is where it is supposed to be physically so that it will release the key. We considered using this but decided that security trumped downtime and kept the system requiring human intervention and just accepted large downtimes in the event of a reboot. Agree, downtime due to a misconfiguration, some failure on the network or the key server would be an issue. What if we look at some back approach: If some removeable storage with a key is present at boot, LUKS will use this key. Otherwise, it tries to pull it from the key server as described above? Should be pretty solid and a backup is in place (key on USB stick) in case something goes south. This surely is an approach for environments requiring a very high level of security, but I like the idea. I've seen places do that, pop in a key and use that, but you have to trust that people will remove it immediately and store it somewhere.

Hmmm, if he cares so much about security he should disable the Universe repository, it's full of security holes. Essentially, installing anything from there is an exercise in installing a backdoor. Of course, there's not much choice, you want that software to be available. Though choice

@tonyshowoff said: @scottalanmiller said: @tonyshowoff said: @Dashrender said: @scottalanmiller said: @Dashrender said: Frankly, I'm frustrated that ICANN has allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010. Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs. The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning. It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market. Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required. Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too. Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins. Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse. Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments. (Working there as a janitor would be okay, just not in healthcare portions of the business.) That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

Do they support booting from UEFI yet?

That was a good show, really was. I should email that to everyone here.