Hacker News new | ask | show | jobs
by akersten 32 days ago
Long time ago TrueCrypt suddenly and abruptly shut down with a vague goodbye message saying "everyone please move on and use bitlocker instead"

Prevailing theory is they were pressured to put in a backdoor and couldn't disclose it, so they had to make a seemingly ridiculous statement (because who in their right mind would trust bitlocker) to call attention that "something is very wrong"
2 comments
dist-epoch 32 days ago
seems like nobody here knows the history

https://en.wikipedia.org/wiki/Paul_Le_Roux

link
gruez 32 days ago
>so they had to make a seemingly ridiculous statement (because who in their right mind would trust bitlocker) to call attention that "something is very wrong"

Alternately, they don't want people to rely on abandonware for security.

Also, despite the conspiracy theories of backdoors I'm not aware of any bitlocker exploits that work on TPM + pin, which is the intended "secure" configuration[1]. All exploits rely on TPM-only (ie. ez-mode), which is basically the security equivalent of running https/ssh without certificates and blindly accepting whatever keys shows up.

[1] https://learn.microsoft.com/en-us/windows/security/operating...

link
cubefox 32 days ago
Why do you need a separate PIN anyway? Shouldn't your Windows password be enough? Having to enter two different codes makes it unlikely a majority would use the system. I would be surprised if iOS or Android required a separate PIN for encryption.
link
bootsmann 32 days ago
You need a separate pin because windows lives on the encrypted disk so you need to decrypt it before you can boot completely.
link
cubefox 32 days ago
Couldn't they just use the PIN also Windows password? Then the PIN screen would have to look like the Windows login screen.
link
majorchord 31 days ago
what about systems with multiple users?
link
rafram 32 days ago
macOS solved this (and a lot of other problems) by putting the OS on a separate read-only partition - technically an APFS volume - that doesn’t get encrypted. Microsoft’s backwards-compatibility obsession might not let them make that the default, but they could at least make it an option.
link
ranger_danger 31 days ago
Not encrypting the OS means it's no longer considered FDE in my opinion.

But Windows doesn't need the OS to decrypt a BitLocker volume anyway because the bootloader can do it... otherwise how could a FDE disk ever boot in the first place?

link
rafram 31 days ago
Why not? The macOS OS partition is signed and read-only. Unless you disable SIP (which you shouldn't), your OS partition is bit-for-bit identical to everyone else's.
link
ranger_danger 31 days ago
Whose/Which Windows password? The OS is inherently multi-user.

Plus if you ever needed to change or reset your password, that complicates the encryption.

link
cubefox 31 days ago
On the other hand, Microsoft has thousands of SWEs, surely a few of them must be smart enough to figure this out.
link