2 thoughts on “NC #595 Two-Factor Authentication with Apple Watch and Apple TV, Android Apps on Chrome OS, Security Bits”

  1. Bruce Wilson - October 3, 2016

    A couple of comments regarding Security Bits:
    1) Brian Krebs was _not_ a paying customer of Akamai, in contrast to Bart’s comments. See http://krebsonsecurity.com/tag/akamai/ where he clearly states he was a pro-bono customer of Akamai.

    2) When your Mac is awake, the password you enter to unlock has nothing to do with hard disk encryption. Wake from hibernate, perhaps. But not wake from sleep. Further, because FireWire and Thunderbolt are DMA, methods at least have existed (https://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/) to read the decryption keys from memory. I think Apple was working on ways to block this, but I’ve not seen updates. And, with respect to the iTunes encryption issue for iOS backups — how many people encrypt their FileVault, Carbon Copy Cloner, SuperDuper, … backups?

  2. Bart Busschots - October 7, 2016

    Hi Bruce,

    The fact that Krebs was being hosted pro-bono makes it a little more OK that Akamai cast him to the curb when he became the victim of a crime, but only a little IMO.

    There are definitely levels of sleep where your disk does get encrypted. I am sometimes asked for my password twice, once to unlock the disk, and once to unlock the screen.

    As for things getting better in the future, one of the things Apple’s new file system supports is per-folder encryption, so, the OS would be able to lock user data down in sleep while still keeping the bits of the OS needed to properly wake up again unencrypted.

    The DMA issue is an issue with FW and TB because they are in effect external extensions of motherboard busses. I think the only protection we can hope for in that regard is the differential locking of different parts of the OS during sleep.

    As for keeping backups encrypted, I certainly do. Also, Apple offer to encrypt your TB backup for you when you enable it, so I think more people encrypt that than you might imagine.
