> -----Original Message-----
> From: Bronek Kozicki [mailto:[EMAIL PROTECTED]]
>
> I have read very carefully article "Cracking Win2000 EFS!" but still I
> have questions:

Ditto. Here's a half-educated guess to one of yours (I've hardly touched W2K
and don't have one to hand).

> 1) where is the private/public key pair stored?

In the local Administrator account's certificate store. It's clearly not in
the SAM because that gets zapped at the start of the exploit.

So does a new identical EFS key pair get created? Or does the new
Administrator get access to the previous one's certificate store?

Perhaps someone could install another second personal cert and see if it's
available to the new Administrator account i.e. does this exploit expose
*all* the certificates belonging to the original local Administrator
account?

Musing on workarounds... it *might* help if there is still something like
SYSKEY in W2K(?), you use it and then make another account the recovery
agent, rather than the default local Administrator.

> "export version" security thanks to poor keys used. Will Microsoft
> ever decide to use something more secure

The US government doesn't let them make that decision.

-Alan-
