by _wldu on 11/7/22, 11:14 PM with 74 comments
by sedatk on 11/8/22, 4:33 AM
People who advise not using cloud for backups, suggesting cold wallets and whatnot as blanket advice have been harmful by giving way to the orders of magnitude more likely but the catastrophic scenario that is simple data loss.
Some people bash on Microsoft for backing up your drive encryption keys in the cloud for example, but it's the most common failure mode they're trying to address. No thief would access your cloud, no state-level actor would be deterred by lack of cloud (see: xkcd wrench), no rogue employee could make use of your hard drive encryption keys.
Get your priorities based on your threat model, and get your threat model right, people.
by dspillett on 11/7/22, 11:46 PM
In a commercial environment there are ways and means¹ but getting a non-technical user to securely and safely manage access credentials is can be a time consuming education process. Especially after the first time someone comes to you to hack their stuff because they've lost their keys & they never did do that backup thing you good then about³ and you tell them it simply isn't possible.
Even those of us with experience in the field sometimes make mistakes that we can't revert, so people without that experience can be forgiven to an extent for trading security for what they think is safety (but is really just convenience).
Solutions, that don't involve someone being an unpaid 24/7 infrastructure support tech, on a postcard please!
----
[1] if procedures are properly followed² code is in source control and documents are in equivalent storage, the most you should be able to lose is today's work
[2] yeah, I know…
[3] or that uses the same, now lost, credentials
by ok_dad on 11/8/22, 5:00 AM
The password is quite a few random characters that I memorized when I first used FDE decades ago and I’ve never had reason to change it.
I rotate my other passwords often and never use this one anywhere other than a boot loader; I don’t even type it into a running operating system to save it.
I’ll never forget it, but if I had to change it then I think I would go with the “battery horse stapler” method of pass phrase.
by userbinator on 11/8/22, 12:55 AM
If you're looking for something in between, then deliberately weaker encryption might be what you want, although almost no one seems to mention that much.
by nottorp on 11/8/22, 9:13 AM
A couple years ago someone lent me an Android phone to do some development on (it had some hardware feature I didn't already have on my testing phones). I don't use my main google account on dev phones so I promptly set it up with whatever google generated for me and I forgot both the email and the password.
6 months later I have to give it back, and I hit reset to defaults. Surprise! The phone asks me for the previous account and password!
Back then the feature was new, which is why I didn't know about it. Fortunately, being new it was also buggy.
I managed to complete the factory reset through a complicated process that involved going through accessibility options, replacing some system apk with an older version (via adb i think) and some other trickery that I forget. But the stuff was mostly in the open on youtube.
This being strictly a dev phone, I had no data to lose. It only had on it apps I was working on and thus I had the full source code in git. Still, it was good to not create more ewaste.
I've been paying attention on newer test phones though. I don't think that security feature is as easy to bypass these days...
by pvg on 11/8/22, 12:04 AM
by kstenerud on 11/8/22, 11:40 AM
FDE doesn't protect against remote attacks, and anyone who would physically make off with my devices (a VERY unlikely event) is either:
* A thief who will turn around and sell them to someone who will erase them.
* A state actor who will get the data no matter what I do (and find it of no interest anyway).
by GauntletWizard on 11/7/22, 11:53 PM
by nutto on 11/8/22, 12:52 AM
The BSDs and Linux have a lot of catching up to do.
by cassepipe on 11/8/22, 12:46 AM
by llui85 on 11/7/22, 11:47 PM