undefined | Better HN

0 pointsDylan1680711d ago0 comments

1) It is semantics to dispute this and certainly fits "downplaying."

It's not semantics. A true bitlocker backdoor would let you in even if it's passworded.

And is it really downplaying? The ability to shove in a USB stick and get control over the drive is mostly equivalent to a bitlocker exploit when it comes to laptop theft. But for quick access to a desktop without bitlocker, and without the ability to open it and pull the drive, it's actually more damaging than a bitlocker exploit.

2) I am not personally being dismissive of the claim. I'm saying it's fine to hold off, and even if we assume the PIN version is real we shouldn't assume we know exactly what it looks like.

3) Saying it's not a backdoor distracts from the point? Can't agree with you there at all. The comments saying it's definitely a backdoor are the ones I point to as distracted.

4) Maybe it's downplaying but it's true. Replying on TPM-based bitlocker is a lot more dangerous than having a secure password. It's chosen because it's easier to enforce.

0 comments

iscoelho11d ago

If the device doesn't have BitLocker, this exploit is pointless because you can already boot any OS USB and immediately have full access to the unencrypted disk.

This exploit is only ever relevant with BitLocker enabled (as a method to "bypass" BitLocker's security premise [categorically classifying this as, dare I say, a "BitLocker bypass"]).

To avoid typing 1)2)3)4) a bunch of more times, I'll just say 2/3/4) all still fit the definition of downplaying the situation.

Dylan16807OP11d ago

> If the device doesn't have BitLocker, this exploit is pointless because you can already boot any OS USB

For this hypothetical, assume the owner took basic precautions to lock booting to the hard drive and password protect the BIOS.

But I'm not 100% familiar with how recovery mode normally works, so maybe it doesn't matter.

> To avoid typing 1)2)3)4) a bunch of more times, I'll just say 2/3/4) all still fit the definition of downplaying the situation.

I think that level of pushback against the claims is a valid (and small) amount of "downplaying". I haven't seen anyone claiming this isn't a serious issue.

iscoelho11d ago

If the device does not have BitLocker, WinRE already by default provides full Administrator access to the unencrypted disk via Command Prompt.

> I think that level of pushback against the claims is a valid (and small) amount of "downplaying". I haven't seen anyone claiming this isn't a serious issue.

If you look in the other threads about this, it's much more obvious. Look for brand new users. There's comparatively few in this thread, but the pattern is there: if the user's name is green, they're downplaying this.

j / k navigate · click thread line to collapse

0 comments

iscoelho11d ago

If the device doesn't have BitLocker, this exploit is pointless because you can already boot any OS USB and immediately have full access to the unencrypted disk.

This exploit is only ever relevant with BitLocker enabled (as a method to "bypass" BitLocker's security premise [categorically classifying this as, dare I say, a "BitLocker bypass"]).

To avoid typing 1)2)3)4) a bunch of more times, I'll just say 2/3/4) all still fit the definition of downplaying the situation.

Dylan16807OP11d ago

> If the device doesn't have BitLocker, this exploit is pointless because you can already boot any OS USB

For this hypothetical, assume the owner took basic precautions to lock booting to the hard drive and password protect the BIOS.

But I'm not 100% familiar with how recovery mode normally works, so maybe it doesn't matter.

> To avoid typing 1)2)3)4) a bunch of more times, I'll just say 2/3/4) all still fit the definition of downplaying the situation.

I think that level of pushback against the claims is a valid (and small) amount of "downplaying". I haven't seen anyone claiming this isn't a serious issue.

iscoelho11d ago

If the device does not have BitLocker, WinRE already by default provides full Administrator access to the unencrypted disk via Command Prompt.

> I think that level of pushback against the claims is a valid (and small) amount of "downplaying". I haven't seen anyone claiming this isn't a serious issue.

j / k navigate · click thread line to collapse