Undocumented Bypass in PGP Whole Disk Encryption 316
A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."
Fine by me.. (Score:1, Interesting)
Interesting... (Score:1, Interesting)
Did anyone read the response? (Score:5, Interesting)
Why does crap like this make it to the front page of Slashdot?
Re:to put out some of the flames (Score:5, Interesting)
Which full disk encryption to use? (Score:3, Interesting)
"Unnamed Customers" (Score:4, Interesting)
How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?
Takers?
There was GPGDisk (Score:5, Interesting)
There is/was a program around that used GPG to do FDE, called GPGDisk. I'm not sure whether it used your installed copy of GPG to do the heavy lifting, or if it just included the same code, or worked using the same algorithms but had its own totally separate crypto engine. It was reasonably popular for a while, but I think a lot of people who were using it have now switched to TrueCrypt.
However, GPGDisk did offer some unique features, like the ability to encrypt a disk using a GPG key, and some fairly fine-grained access controls that you could set up for multiple users (IIRC). Every once in a while someone will mention it on the comments on Bruce Schneier's blog, so apparently it's still getting some use. But it doesn't offer some of the neater features that TrueCrypt does, like plausible deniability or containers-in-containers, I don't believe.
Re:Fine by me.. (Score:1, Interesting)
Unlike the captcha: succinct.
Re:And People Wonder Why Open Source! (Score:3, Interesting)
For now anyway.
If people complete various "hard" problems on quantum computers then the non-people at the NSA can probably afford to throw two billion (or whatever) at it to crack ALL MODERN ENCRYPTION that doesn't use quantum devices for keys.
Re:unnamed customers (Score:3, Interesting)
Re:Fine by me.. (Score:4, Interesting)
Re:Fine by me.. (Score:3, Interesting)
Re:And People Wonder Why Open Source! (Score:3, Interesting)
Ah, but that's not necessarily a defence against the NSA! Their backdoors might not be hidden in closed source binaries, or in obfuscated source code, or in your CPU hardware, or even injected covertly by your copy of GCC when it recognises encryption code. They might be mathematical backdoors, hidden inside well-known ciphers that are generally thought to be secure. There's the old story about DES, and how the NSA improved the cipher, but refused to say exactly why the new version was better... [wikipedia.org] Don't trust anyone, especially if their name is a three letter acronym!