Talk:BitLocker
BitLocker has been listed as one of the Engineering and technology good articles under the good article criteria. If you can improve it further, please do so. If it no longer meets these criteria, you can reassess it. Review: December 25, 2016. (Reviewed version).
This article is rated GA-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
The usage of boot
The usage of boot and system partitions was reversed - the boot drive has the OS, whereas the system drive has ntldr. It's counter-intuitive. See the linked article System partition and boot partition SenorBeef 01:50, 28 July 2007 (UTC)
Are we gonna mention this?
New Research Result: Cold Boot Attacks on Disk Encryption —Preceding unsigned comment added by 82.134.121.18 (talk) 23:04, 21 February 2008 (UTC)
What is this paragraph supposed to mean?
According to Microsoft sources,[6] BitLocker does not contain an intentionally built-in backdoor; there is no way for law enforcement to have a guaranteed passage to the data on the user's drives that is provided by Microsoft. This has been one of the main concerns among power-users since the announcement of built-in encryption in Vista. —Preceding unsigned comment added by 41.241.41.220 (talk) 19:19, 30 April 2008 (UTC)
- Microsoft: Vista won't get a backdoor Socrates2008 (Talk) 21:33, 30 April 2008 (UTC)
- I'm pretty sure it is meant to say that some power-users have been concerned that Microsoft may have deliberately built a backdoor into BitLocker so that, for example, the data could be decrypted by law enforcement personnel without the proper password. Microsoft denies that such a back door exists. I don't think people are concerned that Microsoft says there is no back door (which is what it seems to imply now). I'll change it. (edit. forgot to sign my post) Karadoc** (talk) 23:17, 24 August 2008 (UTC)
- It is a legitimate concern - though saying that "Microsoft has stated there's no backdoor" is pretty pointless; they'd hardly admit to it if they had! 23:26, 24 August 2008 (UTC)
- No it's not pointless - it's a public statement by a public company. Their share price will get hammered if it turns out they've lied over something as serious as this. In any event, even if you don't believe them, the statement is notable, given the concerns that some people raised. Socrates2008 (Talk) 23:55, 24 August 2008 (UTC)
EFS and Bitlocker
I didn't understand either of these two sentences:
- Encrypting File System usage may also be required in addition to BitLocker, since BitLocker protection effectively ends once the OS kernel has been loaded. BitLocker and EFS therefore offer protection against different classes of attacks.
Could a knowledgeable person expand on both statements? They both need more explanation. Tempshill (talk) 00:10, 16 June 2008 (UTC)
- Bitlocker does not offer any protection once Windows is running. e.g. if you have two people both with access to a machine, Bitlocker cannot be used to secure their data from one another. Socrates2008 (Talk) 12:09, 16 June 2008 (UTC)
BitLocker compatibility with NTFS Compression
There should be a section about BitLocker compatibility with NTFS Compression. Are they compatible? It should be discussed... —Preceding unsigned comment added by 68.100.26.167 (talk) 19:30, 17 May 2009 (UTC)
Performance is a four letter word
NOTHING on the performance hit?? Why NOT! ? 71.31.154.68 (talk) 19:31, 5 July 2009 (UTC)
- The performance hit of AES encryption on any modern hardware is negligible. New Intel and AMD CPUs have a specific instruction set AES-NI that allow them to perform encryption at several gigabytes per second, making the extra load quite irrelevant even on systems equipped with extremely fast SSDs. Older CPUs that lack the hardware acceleration can still easily surpass the speeds of mechanical HDDs, especially so in the case of fragmented data (small files). Possibly this should be mentioned but I think that a more proper place for that would be a generic article on full disk encryption, unless there are concerns *specific* to BitLocker. Tronic2 (talk) 00:38, 30 May 2013 (UTC)
Should we mention this?
On February 25th, Cryptome released LE (Law Enforcement) sensitive documents regarding security in WIN7 that allows anyone to get access to the key to any BitLocker locked drive by going to C:\Windows\system32 in a command prompt and entering manage-bde -protectors -get c:. The original file comes from http://publicintelligence.net/microsoft-windows-7vista-advanced-forensics-guides-for-law-enforcement/. It seems like information that would be useful in the public domain, or at least help convince Microsoft to close the loophole. —Preceding unsigned comment added by Avialexander (talk • contribs) 22:52, 7 March 2010 (UTC)
- Just for completeness, I thought I should add the fact that Cryptome is a bit late: Microsoft documented this command in or before May 2008: [1]. Also, isn't linking to leaked confidential files explicitly forbidden by Wikipedia rules? And, I've been looking through those docs, and it's not a BitLocker crack: "Dealing with BitLocker on a Live System" --> "Note: You must run as Administrator". You're already admin on the PC containing the BitLocker drive... So you can't go around, stealing BitLocked devices and crack them at home, so there is no loophole for Microsoft to close. --DanielPharos (talk) 01:11, 17 April 2010 (UTC)
- There's no vulnerability here - this functionality is by design and does not make the machine exploitable when the OS is not running, so it's doing what it's supposed to do. Sounds like you're maybe getting confused with EFS or DRM, which is the encryption used when the platform is running. Socrates2008 (Talk) 07:34, 17 April 2010 (UTC)
It uses AES in CBC mode?
CBC = Cipher Block Chaining. That means that any block of ciphertext depends on all the blocks before. As BitLocker is used to encrypt a whole drive (!!) isn't this mode infeasible? I mean flip a single bit in sector 1 and have every following sector reencrypted? Most drive encryption utilities use CTR mode for this reason. I don't want to express any doubt on BitLocker using CBC, but are there any details of how exactly this block cipher mode of operation is used in practice? 217.94.192.205 (talk) 23:43, 2 March 2011 (UTC)
- Luckily there are people much smarter than you or I that have published papers on this very topic. Socrates2008 (Talk) 10:36, 3 March 2011 (UTC)
- Thanks. Makes sense now. 217.94.189.239 (talk) 14:43, 3 March 2011 (UTC)
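A worked illustration of the point raised in this thread, added here as an example that is not from the article, the discussion participants or Microsoft: when the CBC chain is restarted at every sector with a sector-specific IV, a change to one sector's plaintext or ciphertext affects only that sector, so the rest of the volume never has to be re-encrypted. The 512-byte sector size and the IV derivation (AES-encrypting the sector's byte offset under the same key) are this example's assumptions, modelled on Ferguson's published description of the AES-CBC mode; the Elephant diffuser step is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// sectorSize is an assumption of this example; real volumes may use other sizes.
const sectorSize = 512

// sectorIV derives a distinct IV for each sector by AES-encrypting a block that
// holds the sector's byte offset (little-endian, zero-padded to 16 bytes). This
// construction is this example's assumption, modelled on the published
// description of BitLocker's AES-CBC mode; the Elephant diffuser is omitted.
func sectorIV(block cipher.Block, sector uint64) []byte {
	iv := make([]byte, block.BlockSize())
	binary.LittleEndian.PutUint64(iv, sector*sectorSize)
	block.Encrypt(iv, iv)
	return iv
}

// cryptImage runs CBC over an image one sector at a time. Every sector starts a
// fresh chain with its own IV, so no chain ever crosses a sector boundary and any
// sector can be read or rewritten without touching its neighbours.
func cryptImage(key, image []byte, encrypt bool) ([]byte, error) {
	if len(image) == 0 || len(image)%sectorSize != 0 {
		return nil, fmt.Errorf("image length %d is not a positive multiple of %d", len(image), sectorSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(image))
	for off := 0; off < len(image); off += sectorSize {
		iv := sectorIV(block, uint64(off/sectorSize))
		var mode cipher.BlockMode
		if encrypt {
			mode = cipher.NewCBCEncrypter(block, iv)
		} else {
			mode = cipher.NewCBCDecrypter(block, iv)
		}
		mode.CryptBlocks(out[off:off+sectorSize], image[off:off+sectorSize])
	}
	return out, nil
}

func encryptImage(key, image []byte) ([]byte, error) { return cryptImage(key, image, true) }
func decryptImage(key, image []byte) ([]byte, error) { return cryptImage(key, image, false) }

// sampleImage builds a constructed two-sector plaintext image whose very first
// byte is set by the caller, so two images can differ in sector 0 alone.
func sampleImage(firstByte byte) []byte {
	img := make([]byte, 2*sectorSize)
	for i := range img {
		img[i] = byte(i % 251)
	}
	img[0] = firstByte
	return img
}

// changedSectors lists the sectors in which two equal-length images differ.
func changedSectors(a, b []byte) []int {
	var diff []int
	for off := 0; off+sectorSize <= len(a) && off+sectorSize <= len(b); off += sectorSize {
		if !bytes.Equal(a[off:off+sectorSize], b[off:off+sectorSize]) {
			diff = append(diff, off/sectorSize)
		}
	}
	return diff
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key, not a real one
	a, b := sampleImage(0x00), sampleImage(0xff)
	ca, _ := encryptImage(key, a)
	cb, _ := encryptImage(key, b)
	fmt.Println("plaintext change in sector 0 alters ciphertext sectors:", changedSectors(ca, cb))

	// Flipping one ciphertext bit in sector 0 damages sector 0 on decryption but
	// leaves sector 1 intact: the chain restarts at the sector boundary.
	ca[0] ^= 0x01
	pa, _ := decryptImage(key, ca)
	fmt.Println("ciphertext bit flip in sector 0 alters plaintext sectors:", changedSectors(a, pa))
}
```

Both calls report only sector 0, which is what makes sector-level random access possible with CBC; inside a sector the usual CBC property still holds (a flipped ciphertext bit garbles one block and flips one bit in the next).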
Cold boot
The cold boot section for TPM only is perhaps not well explained. From what I can tell (and reading the paper), what's being said is you can recover the keys at any time. This seems rather obvious, if you don't require a password or something from the user to decrypt but get the keys from something on the computer, then you can decrypt the content at any time. I guess the point here is you don't have to work out some way to break in to the machine if you don't know the logon password (although I would think it obvious a logon password is little protection if the data is decrypted) and more importantly you don't have to logon (or properly start Windows?) and risk contaminating data (since any decent forensics expert is going to want to make an image rather than working on the original data). I personally wouldn't call this a cold boot attack (although the paper does so I guess we have to follow). You are just relying on the fact the keys can be recovered at any time without requiring something from the user by design although perhaps a cold boot attack is needed (I'm a bit unclear on the process, it may be what's being described is start up the computer, let it load the keys, do a hard shut down then a cold boot attack although you could also do other things like try to read the RAM while the computer is running or whatever albeit these are likely to be more difficult). Nil Einne (talk) 03:46, 18 June 2011 (UTC)
Master password?
According to [2], which isn't a great RS, at least one computer vendor regularly implements some sort of master password they can provide to decrypt the data which carries obvious security implications. Nil Einne (talk) 03:48, 18 June 2011 (UTC)
- The weakest point in the implementation of any crypto system is usually the humans involved. This example is like someone having a long, complex password that they then write on a Post-it note and attach to the computer. If companies like Dell are keeping record of recovery keys, then the paranoid obviously need to reset the TPM and Bitlocker keys to something that is unknown to the vendor when buying a new machine. 220.239.104.140 (talk) 10:40, 18 June 2011 (UTC)
Link to unlicensed materials in violation in Wikipedia policy
There are at least three problems with the following paragraph in the article:
'Notwithstanding the claims of Niels Ferguson and others, Microsoft Services states in Exploration of Windows 7, Advanced Forensics Topic (page 70), "BitLocker has a number of 'Recovery' scenarios that we can exploit", and "BitLocker, at its core, is a password technology, we simply have to get the password...".'
1) It is in clear violation of Wikipedia policy regarding linking to unlicensed copyrighted works, as detailed at http://en.wiki.x.io/wiki/Wikipedia:Copyrights#Linking_to_copyrighted_works,
2) It dishonestly represents the original content by truncating the quoted text, removing the qualifying context,
3) It is contradictory to other established content in the article, which indicates that there are "TPM + USB Key" and "USB Key" modes of operation, which do not involve a PIN or a password.
Mhalcrow (talk) 18:13, 17 November 2011 (UTC)
Full Disk vs Full Volume
BitLocker is either full disk, or full volume encryption, but not both. First paragraph starts as BitLocker Drive Encryption is a full disk encryption feature..., but later on states It is designed to protect data by providing encryption for entire volumes.
BitLocker, technically, is a full volume encryption. It cannot encrypt a full disk. 207.87.238.194 (talk) 14:37, 25 April 2013 (UTC)
- There's no product in existence that can encrypt a full disk (i.e. every sector) and still be bootable, yet there's a category of products from different vendors that is commonly called full disk encryption systems. The point that you've chosen to home in on appears to concern where the Bitlocker boot code (that mounts and decrypts the encrypted data) happens to reside? Socrates2008 (Talk) 11:35, 26 April 2013 (UTC)
- There are full disk encryption options that are implemented at least partially if not entirely at the firmware/hardware level, requiring a passphrase before the disk will even power on. In some cases, IIRC, the encryption is actually handled by firmware on the drive itself. --Dewiniaid (talk) 15:18, 15 May 2013 (UTC)
- Hardware based is of course possible - but I assumed we're talking here about software based systems in the same class as Bitlocker, such as TruCrypt, FileVault, McAfee Endpoint Encryption etc. Socrates2008 (Talk) 09:48, 16 May 2013 (UTC)
Rabbit hole. Yes, there are full disk encryption drives. BitLocker is the topic. BitLocker encrypts volumes, not drives. Either present it incorrectly as whole disk encryption, or correctly as whole volume encryption. 207.87.238.194 (talk) —Preceding undated comment added 17:22, 31 May 2013 (UTC)
Requested move : BitLocker Drive Encryption → BitLocker
- The following discussion is an archived discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review. No further edits should be made to this section.
The result of the move request was: page moved. Andrewa (talk) 07:41, 27 April 2014 (UTC)
BitLocker Drive Encryption → BitLocker – Hi. As you might know, Wikipedia naming policy states that commonly used names are preferred over official names. I've never seen the phrase "BitLocker Drive Encryption" used outside Microsoft-published sources. Those that I have seen just call it BitLocker. Even the article uses BitLocker, except once in the lead. Best regards, Codename Lisa (talk) 08:11, 19 April 2014 (UTC)
- Support: indeed, in independent sources the "BitLocker" alias appears more than the full title. In fact I didn't see any mention of "BitLocker Drive Encryption" that wouldn't be linked either to this article or to some Microsoft page. — Dmitrij D. Czarkoff (talk•track) 14:49, 20 April 2014 (UTC)
- Support: No objections here. Indrek (talk) 14:50, 20 April 2014 (UTC)
- The above discussion is preserved as an archive of a requested move. Please do not modify it. Subsequent comments should be made in a new section on this talk page or in a move review. No further edits should be made to this section.
Copyright problem removed
Prior content in this article duplicated one or more previously published sources. The material was copied from: http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf. Copied or closely paraphrased material has been rewritten or removed and must not be restored, unless it is duly released under a compatible license. (For more information, please see "using copyrighted works from others" if you are not the copyright holder of this material, or "donating copyrighted materials" if you are.) For legal reasons, we cannot accept copyrighted text or images borrowed from other web sites or published material; such additions will be deleted. Contributors may use copyrighted publications as a source of information, and according to fair use may copy sentences and phrases, provided they are included in quotation marks and referenced properly. The material may also be rewritten, but only if it does not infringe on the copyright of the original or plagiarize from that source. Therefore such paraphrased portions must provide their source. Please see our guideline on non-free text for how to properly implement limited quotations of copyrighted text. Wikipedia takes copyright violations very seriously, and persistent violators will be blocked from editing. While we appreciate contributions, we must require all contributors to understand and comply with these policies. Thank you. Codename Lisa (talk) 19:25, 2 June 2014 (UTC)
Elephant Diffuser
https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html may contain more information as to why Elephant Diffuser was removed in Windows 8. 2A01:2B0:305A:54:C138:F5E:FCF:7CEC (talk) 14:05, 27 April 2015 (UTC)
XTS mode
Microsoft has added XTS mode
https://technet.microsoft.com/en-us/library/mt403325.aspx?f=255&MSPPError=-2147217396 OneGuy (talk)
External links modified
Hello fellow Wikipedians,
I have just modified 2 external links on BitLocker. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:
- Corrected formatting/usage for http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx
- Added archive https://web.archive.org/web/20160522145507/http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf to http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).
An editor has reviewed this edit and fixed any errors that were found.
- If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
- If you found an error with any archives or the URLs themselves, you can fix them with this tool.
Cheers.—InternetArchiveBot (Report bug) 08:55, 3 November 2016 (UTC)
- Checked. Strange though because the second link is not dead. Best regards, Codename Lisa (talk) 19:16, 3 November 2016 (UTC)
The article BitLocker you nominated as a good article has been placed on hold . The article is close to meeting the good article criteria, but there are some minor changes or clarifications needing to be addressed. If these are fixed within 30 days, the article will pass; otherwise it may fail. See Talk:BitLocker for things which need to be addressed. Hawkeye7 (talk) 21:26, 11 December 2016 (UTC)
External links modified
Hello fellow Wikipedians,
I have just modified 2 external links on BitLocker. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FAQ for additional information. I made the following changes:
- Corrected formatting/usage for https://technet.microsoft.com/en-us/library/cc725719%28v%3Dws.10%29.aspx
- Added archive https://web.archive.org/web/20080219172251/http://support.microsoft.com/kb/930063 to http://support.microsoft.com/kb/930063
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
An editor has reviewed this edit and fixed any errors that were found.
- If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
- If you found an error with any archives or the URLs themselves, you can fix them with this tool.
Cheers.—InternetArchiveBot (Report bug) 03:46, 21 July 2017 (UTC)
- Checked. But both URLs were actually working fine, so I updated the deadurl parameter accordingly. Indrek (talk) 05:33, 21 July 2017 (UTC)
Availability
Section "Availability" starts quite misleading in my opinion. I assume the way of presenting the information originates from some Microsoft marketing material.
In my understanding there are different versions or feature sets of bitlocker on different operating systems (OS). While some operating system versions support most (or all) features (may be Windows 10 Enterprise?) others support only certain features. E.g., later on in the text it is mentioned that Windows XP can read bitlocker encrypted volumes (when the required software is installed) and from my own experience I know that Windows 8 Home supports read and write access to encrypted external media, even though, creating new encrypted volumes is not supported.
Therefore, the section "Availability" should be either a table with OS's and supported features or, alternatively, different subsections starting with a description of the supported features and then the OS's providing these features.
Currently, the text gives the impression that I best buy one of the recommended OS's listed here or otherwise I must purchase an upgrade for my Windows 8 Home, if I later want to read my friend's encrypted USB-stick, which is wrong.--85.181.125.24 (talk) 17:41, 7 October 2017 (UTC)
- The list of supported operating systems was presented as sentences when I first put the information in this article back in 2007. It was changed to be a bullet-point list last year, probably to make it easier to read. It has nothing to do with how Microsoft presents the information, and everything to do with making the encyclopedia usable. As for your "understanding" and "experiences" regarding this subject, please remember our goal is to build an encyclopedia based on any reliable sources we can find, not based on our personal experiences. If you can find an article that describes what you're talking about, great, let's use it. Warren -talk- 18:04, 7 October 2017 (UTC)
- Hello
- Wikipedia is written based on the cardinal principle that the reader must not assume what is not explicitly written. Editors take no responsibility for someone's pet peeve or active imaginative mind. Your last paragraph has such a quality.
- The section explicitly talks about BitLocker itself (defined as "a full disk encryption feature"), and not whatever means of reading BitLocker-encrypted volumes that is not "a full disk encryption feature". Of course, if you had read further, you'd have seen that there is a "device encryption" feature in the core edition of Windows 8.1 anyway.
- If you want us to add information about means to read BitLocker volume on operating systems without BitLocker, please ask politely.
- Best regards,
Codename Lisa (talk) 06:36, 8 October 2017 (UTC)
Infineon
Hello, everyone
Today, I made a correction to a contribution made by Zazpot in revision 805728599. I did the following:
- Removed a link to BitLocker because no article links to itself
- Removed a repeated link to Trusted Platform Module because of WP:REPEATLINK
- Fixed a CS1 citation by adding publisher name, removing unsanctioned language parameter, etc.
- Removed repetitions of the same citation
- Removed redundant attempt to define what BitLocker is, because the whole article does it already
- Added a correction: BitLocker is only affected by a TPM problem when it uses a TPM protector (Obvious, isn't it?)
Items 1, 4 and 5 show that the contribution has actually come from outside, but it is pointless now: I do know that it has come from the Infineon article and it was Zazpot's own contribution. So, nothing to worry about there.
Zazpot reverted the whole corrections with no reason whatsoever in Revision 805758858. This amounts to disruptive editing. I performed a somewhat different version of these changes in the Infineon article too, but there was a blanket reversion there as well. Now, that reversion had an actual reason: Inbound link getting broken. Nevertheless Zazpot could have simply fixed this problem instead of resorting to such an aggressive revert.
I am starting this thread to help Zazpot set the record right, tell us what his concern exactly was, and perform something less aggressive than a blanket revert.
Best regards,
Codename Lisa (talk) 14:18, 17 October 2017 (UTC)
- @Codename Lisa: thank you for your thorough explanation above, and also for the informative edit summaries you left in your reversions of my reverts. Had those explanations been present initially, please be assured that I would not have reverted your edits.
- For anyone following along, here is the timeline as far as it matters:
- I added text to the Infineon article to note the recently-disclosed weak key vulnerability, and to note that it affects some TPM-protected BitLocker deployments.
- I copy-pasted a slight variation of that text to the BitLocker article. (Looking back now, I see that I remembered to Wikilink Infineon in this edit, but forgot to un-wikilink "TPM" and "BitLocker". Mea culpa.)
- Codename Lisa copy-edited my addition to the BitLocker article. That copy-edit had six characteristics worth mentioning. Three of these were constructive but insubstantial changes to the text (i.e. changes that would count as minor edits):
- needless replacement of Template:Cite news with Template:Cite web;
- addition of a couple of wikilinks and removal of a couple of others;
- adding the publisher to an already adequate citation.
- However, the other three characteristics were problematic:
- transforming a true statement supported by the cited source ("Laptops whose encrypted hard drives are protected with TPM-based Microsoft BitLocker implementations are among the devices potentially affected.") into an overstatement unsupported by the cited source ("This impacts BitLocker when a TPM protector is used.");
- removal of a footnote in a densely technical section, despite WP:INTEGRITY;
- an edit summary seeming to imply WP:COPYPASTE as the justification for the edit, despite the fact that WP:NOATT applied (as could be seen by quickly reviewing my edit history).
- Codename Lisa copy-edited my addition to the Infineon article. As above, this copy-edit introduced a perfectly fine minor change or two (e.g. added publishers to already adequately-cited sources; needlessly changed "cite news" to "cite web"). But, also as above, this copy-edit introduced non-minor unwelcome changes: it
- changed a true statement supported by the cited source into an overstatement unsupported by the cited source (as with the edit above);
- removed a footnote in a densely technical section, despite WP:INTEGRITY (as with the edit above);
- removed section headings, breaking at least one inbound link in the process;
- failed to explain or justify any of these changes in the edit summary.
- I took the view that Codename Lisa had made those two edits in good faith, but that due to the problems with them, as listed above, reversion was appropriate. I explained the basis for my reversions as far as the limited length of the edit summaries would allow, and noted good faith.
- Codename Lisa reverted my reversions with some strongly-worded edit summaries, and posted above, and here we are. Thanks to Codename Lisa's edits, there are still overstatements in the articles, unsupported by the cited source, and the text-source integrity is lower than it was. But on the plus side, the wikilinks are fixed, the source's publisher is given, and Codename Lisa has put anchors in place of the deleted section headings, which fixes the inbound link issue.
- Having now provided the explanation that Codename Lisa asked for, I don't really want to touch this any more. Codename Lisa's wording, above, and in their most recent edits calls me "aggressive", accuses me of being "hostile", accuses me of "disruptive editing" and says, "What the hell are you doing?". This has left me feeling rather raked over the coals and shouted at for trying to simply add and maintain correct, noteworthy, verifiable information to Wikipedia. I get that Codename Lisa wants, as I do, a good encyclopaedia as the end result, but even so, it was a pretty upsetting experience. Zazpot (talk) 22:21, 17 October 2017 (UTC)
- Hello, Zazpot
- First, the elephant in the room: I see that as the most important reason for your reversion, you have named "needless replacement of Template:Cite news with Template:Cite web". Let's imagine an editor who wanted to do something hostile. What would he or she do? Exactly what you did: A blanket reversion! So, I am afraid, despite your intention, your action is hostile. In Wikipedia the pure intention in your heart must manifest itself. A well-meaning editor never reverts these changes. He/she lets them be. A non-hostile editor only changes "web" to "news".
- As for the rest of your objections:
- "addition of a couple of wikilinks and removal of a couple of others". That's not an objection.
- "adding the publisher to an already adequate citation". The BitLocker article's style is to always mention the publisher. Perhaps you are aware that citation style in Wikipedia is considered optional style; if you weren't, now you are.
- "transforming a true statement supported by the cited source [...] into an overstatement unsupported by the cited source". Your source does not say anything about laptops or BitLocker being wholly TPM-based. Furthermore, the article already provides other sources that TPM is only one of the BitLocker protectors. Plus, one must apply common sense. If TPM is compromised, then it affects anything that uses it, be it server, desktop, laptop, tablet, or embedded system.
- "removal of a footnote in a densely technical section". You have to give WP:INTEGRITY another read. Your whole contribution was from one source. Repeated insertion of the footnote is disruptive.
- "removed section headings, breaking at least one inbound link in the process". Still not an excuse for a blanket reversion. What I did in revision 805763539 should be more than adequate for your inbound links; that's what you should have done instead of reverting. And you should have done it in the first place, because not every paragraph needs a separate section of its own. Lastly, I am yet to see any evidence of inbound links.
- Best regards,
Codename Lisa (talk) 06:44, 18 October 2017 (UTC)
- @Codename Lisa: let me be clear:
- I do not mind at all whether people use cite news or cite web in cases, like this one, where both are equally appropriate, and I would never revert anyone for switching them.
- I did not revert because of any of the issues that I identified above as minor.
- I reverted solely for the reasons that I identified above as problematic or non-minor.
- Were I not addressing your concerns here, I might have found time to expand the sections whose headings you removed, such that they would have more than one paragraph each, and be even more justifying of separate headings than they already were. This probably won't happen now, but that is OK. I am fine with the anchors you put in in place of the sub-headings, and I agree that they work well.
- I know of at least one inbound link: from Template:Hacking_in_the_2010s. There may be others; I do not know.
- As for TPMs, I believe that you mean well, but that you are mistaken on a technical point. TPM chips are manufactured by a wide variety of vendors and are not identical. Not all TPMs can be assumed to be loaded with the affected Infineon code, nor does the cited source support your generalisation. If you can find a WP:RS that
- Evidently I angered you by reverting, but upsetting other editors never has been and never will be my intention. I was (and still am) surprised by the strength of your reaction, especially given that I noted in my reverts that I believed you had been editing in good faith. If it helps, I apologise for upsetting you.
- The fundamental point is this: I appreciate that you are editing in good faith. So am I. I ask that you stop accusing me of hostility, which is not appropriate, and recognise that I, too, am acting in good faith. Let us work to improve Wikipedia together, rather than in opposition. Thank you, Zazpot (talk) 14:20, 18 October 2017 (UTC)
- Comment – Codename Lisa, while your addition of the publisher parameter to the citation and your removal of the BitLocker circular link were both warranted, I disagree with the modification you made to the second sentence. The only word that potentially needs changing is Laptops, which could be replaced with something like Devices or Computers. The rest of the sentence from Zazpot was well-written and should have been retained. I have restored it for now with a slight rephrasing ("Laptops and other computing devices"), but let's have a further discussion here on any additional changes it might need if necessary. Also, repeating the same citation more than once in the same paragraph is permitted. Your assertion that it is disruptive is not backed by policies or guidelines that I'm aware of. Personally, I prefer to use paragraph citations when possible, but per WP:CITETYPE, this is a matter of preference. If an editor wants them to appear after each sentence in the paragraph, nothing in WP:CITE forbids the practice. I have left it as a paragraph citation for now, but this preference is nothing worth fussing over. That leads me to my next point; I think you've assumed bad faith towards Zazpot, who was making an attempt to improve the article and took the time to explain their actions on this talk page. It's all in the past at this point. Let's focus on content moving forward and not on the contributor. Thank you. --GoneIn60 (talk) 03:35, 19 October 2017 (UTC)
- Hello, GoneIn60
- If you are looking for a compromise, repetition of the footnote is something I don't mind much.
- However, negotiating on contents, when verifiability comes into play, is tricky. Your sentence
"Laptops and other computing devices whose encrypted hard drives are protected with TPM-based BitLocker implementations are potentially affected"
both fails verification and is partly patent nonsense.
- There is no such thing as "TPM-based BitLocker implementations". There is one BitLocker implementation only. (I suspect "implementations" here actually intended to point to instances of encrypted contents, not actual BitLocker forks. I wrote the correct version of it: "when a TPM protector is used.")
- "Potentially" is flagrantly false. The source says the opposite of "potentially".
- The source never said anything about "drives", "computers", "laptops", "devices" or anything like that being the victim. It only says:
"The keys it uses to control Microsoft's BitLocker hard-disk encryption are factorizable."
The word "laptop" appears only in the previous sentence and is about the test samples in their applicability research:
"Next, the researchers examined a sampling of 41 different laptop models that used trusted platform modules. They found vulnerable TPMs from Infineon in 10 of them."
You must not let your imaginations run amok. Of course, you can point out that I too must not put "server, desktop, laptop, tablet, or embedded system" into the article. Well, I didn't.
- Last but not least, "Laptops and other computing devices" is redundant. If it applies to both laptops and non-laptops, then it applies to everything and you don't need to try to restrict the criteria to everything. Just write "hard drives protected with [...]". (Actually don't. BitLocker can encrypt not just hard drives but SSDs, virtual disks, and literally anything that Windows identifies as a volume.)
- Best regards,
Codename Lisa (talk) 16:48, 19 October 2017 (UTC)
- Codename Lisa (CC: GoneIn60), you said:
I wrote the correct version of it: "when a TPM protector is used."
- AFAICT, that version is actually not correct. You can see this from the excerpt you yourself quoted above, which notes that only 10 out of the 41 TPM-protected laptops were affected. What you wrote would have been correct if you had instead put something more like, "when an affected TPM protector is used", or "when a TPM protector is used that is loaded with the affected Infineon code".
- You also said:
There is no such thing as "TPM-based BitLocker implementations". There is one BitLocker implementation only.
- Again, not really correct. Leaving aside the fact that BitLocker has been implemented slightly differently in various different versions of Windows, a person implementing BitLocker protection on their computer's block device(s) can do so in a variety of ways. They can do so using a TPM, if the computer has one; or they can do so using a USB drive, or simply using a password.[1][2] Or to put it another way, the implementation of BitLocker on your computer might be different to the implementation of BitLocker on my computer, and they might differ in whether they are affected by the Infineon weak key issue.
- All of us here want an accurate article, which is why we are discussing this here. There is WP:NOHURRY - take the time you need - but in the light of the above, please do reconsider that my initial text might have been appropriate after all.
- Thank you, Zazpot (talk) 22:31, 19 October 2017 (UTC)
- @Codename Lisa:
I wrote the correct version of it: "when a TPM protector is used."
- Zazpot and I disagree with your version. As the cited article clearly states, only some TPM chips are affected, which is dependent on manufacturer and version. Your proposed text incorrectly implies all TPM chips. Also, why are we using the term protector? TPM often stands on its own as TPM in running text, or it is followed by the descriptor chip, as in TPM chip. Describing it as TPM protector seems odd to me.
"Potentially" is flagrantly false.
- Your choice to describe it as "flagrantly" false is dishonest. You are attempting to insult when choosing adjectives like this. As stated above, any given TPM chip has the potential of being affected; this is not a given. I'm not sure how you are misunderstanding this simple fact.
The source never said, anything about "drives", "computers", "laptops", "devices" or anything like that being the victim...If it applies to both laptops and non-laptops, then it applies to everything and you don't need to try to restrict the criteria
- I agree and disagree. The vulnerability can apply to any device using an affected TPM chip. Therefore, "Computers" or "Computing devices" would be correct here, since anything using a TPM chip falls into these categories. The source does not need to explicitly point out the obvious for us. I have restored most of the text inserting "Computers" for now, but I'd be fine with "Computing devices" as well.
- Take your hands off the steering wheel and foot off the gas pedal; we are in no rush here. I find it disruptive that you are overly eager to ram your preferred version back into the article, especially after realizing you're in the minority at the moment. Take the time to sort out our differences here. We can always modify the text later after we reach some sort of compromise. The current version is not doing any harm. --GoneIn60 (talk) 05:06, 20 October 2017 (UTC)
- Hi, chiming in on a couple of points here.
Also, why are we using the term protector?
"Protector" is a technical term used for BitLocker authentication mechanisms, of which TPM is one. However, seeing as it's not used anywhere else in this article, it does seem a bit odd to use it just for that one sentence. And yes, the article shouldn't imply all TPM chips are affected when the source does not say that.
- I'm not sure I'd use the word "implementation" to mean "the way someone has configured BitLocker on their computer", though. Also, "affected" is a bit vague, the exact security impact should be clarified a little. Maybe something like, "This could allow an attacker with physical access to a computer to bypass BitLocker encryption when an affected TPM chip is used."
- Indrek (talk) 05:35, 20 October 2017 (UTC)
- Indrek: Good suggestion. It avoids the vague use of "implementation" and focuses on the specific impact of the vulnerability. I support your proposed text, and if no one objects, please feel free to insert it. Thanks for weighing in. --GoneIn60 (talk) 05:56, 20 October 2017 (UTC)
- Indrek: I'm not certain that physical access is necessary; for example, if the machine is remotely-bootable and the attacker has access to a graphical or serial console on the machine. Apart from that, I like your suggestion. So, I would support a slight variation on your proposed wording: "This could allow an attacker to bypass BitLocker encryption when an affected TPM chip is used." Zazpot (talk) 07:04, 20 October 2017 (UTC)
- My proposal was based largely on this sentence in the source: "That means anyone who steals or finds an affected computer could bypass the encryption protecting the hard drive and boot sequence." To me, the "steals or finds" part definitely implies physical access, but it admittedly does not rule out remote access as an attack vector. I guess it depends on whether or not what's shown on the display during boot is sufficient to factorise the private key, and the source does not seem to elaborate on that. So I agree with your amended wording and will add it to the article. Indrek (talk) 07:29, 20 October 2017 (UTC)
- Thanks! I have copied the relevant parts of the new wording over to the Infineon article, so that it is consistent with this one. Zazpot (talk) 12:15, 25 October 2017 (UTC)
- Oh, you are welcome. Glad to have been of help!
- Next time, let's do it without the hostile reversions, personal attacks and bitter objections that didn't get implemented, shall we?
- It was a stroke of genius from Indrek to resolve the dispute by simply shifting the focus from the BitLocker to its output.
- Best regards,
Codename Lisa (talk) 13:00, 25 October 2017 (UTC)