Bugtraq mailing list archives

Re: BugTraq: EFS Win 2000 flaw


From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Thu, 25 Jan 2001 09:39:23 -0800

When I got to Start-Help-"File Encryption", it does tell me that I should
encrypt the folder and the file, but does not tell me that I should never
have created the file in an unencrypted state to begin with.  So, to get the
MS-recommended procedure, you do have to run to the docs (or Bugtraq).

Hmmm. I noticed that the docs also fail to notify me that if I printed out
copies of my previously unencrypted files, that the print-outs are not
automatically converted with the file.  Should they also explicitly point
out that if I save a piece of text from an email and encrypt it, that the
original email is not automatically destroyed?

The fate of original plain text copies of documents we choose to
subsequently encrypt is absolutely the responsibility of the user.  This
thread has mutated into a different being from the original issue, which is
that if an unencrypted file outside an encrypted directory is encrypted in
said unencrypted directory, that the .tmp file created in the unencrypted
dir and subsequently deleted is not then securely wiped.

So, yes, if one did encrypt a file in this manner, AND someone breaks in and
rips off your hard drive, AND they don't figure out your password is
"#BrittanySpears" AND you have correctly removed the restore cert AND the
data has not been overwritten AND they decide to go through a
sector-by-sector scan of your drives then they MAY actually see little bits
of text here and there alluding to the secret hiding place of your porno
collection.

As Dan Kaminski said, MS may actually add a wipe function to the crypto
procedure, but I'm not holding my breath.  Like any potentially complex
technology, find out what you are doing before you jump in, and don't expect
a dialog box to pop up warning you of the consequences of every conceivable
circumstance, and don't expect Microsoft to have someone walk behind you
with a giant pooper-scooper.

Now, all that being said, I would like to point out that I do not intend to
belittle Rickard's find in and of itself- I simply exert, as if my opinion
really means anything, that it is not a major security issue.  I find the
issue itself
fascinating, and it is something that I would not have ever discovered on my
own.  Rickard, Ryan, Dan, and others have led many of us to more deeply
explore EFS, and that is a good thing.  I even learned a new acronym "RTFM,"
which I initially thought was a disparaging remark towards my mother.

Whew.  I'm done now.
AD

