Full Disclosure mailing list archives

Re: TrueCrypt?


From: Philip Cheong <philip.cheong () elastx se>
Date: Fri, 30 May 2014 15:40:44 +0200

So a good friend of mine explained...

"...to suspect a "National Security Letter" from the FBI is just stupid.
An NSL is issued to an organization that actually has some involvement with
someone/group of "interest". The source code for Truecrypt is publicly
available. So how would such a letter be of any use? There is a current
very public audit of the Truecrypt code underway. So if the NSA/FBI/CIA/TLA
"requested" the Truecrypt authors to insert some sort of backdoor now, then
it would be identified almost immediately.

But this article is peddling baseless conspiracy, conflating Lavabit
(running a service), Apple's "warrant canary" (also runs a service) versus
Truecrypt's supply of source code (ie, not a service)."




2014-05-30 0:13 GMT+02:00 Mike Cramer <mike.cramer () outlook com>:

I think it’s more important to have rational discussions. This isn’t the
first time Microsoft has been ‘rumored’ to have backdoors in Windows for
the US Government. These rumors have been perpetuated for years. While I
don’t know how long you’ve been in the industry, it’s something I recall
even being 14 years old and sitting on IRC and having people discuss.

The reality now, just as then, is that these are unsubstantiated.

A more apt description of the cooperation between the US Government and
Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure
you may recall these names from any sort of discussion about PKI.

What people seem to forget in all of these discussions is that Microsoft
is Bob. (Microsoft Bob? :P)

No amount of encryption, protection, secret keying is going to protect you
when one party is going to hand over the information to 3rd parties to
review.

Based on my Alice and Bob comment above, it’s reasonable to assume that
the encryption itself is 100% fine, so long as you believe that Bob will
never divulge the information you’ve disclosed.

Through all of these discussions surrounding Bitlocker across multiple
forums nobody has brought up the fact that Bitlocker in Windows 8 allows
you to store recovery key information in OneDrive/”The Cloud”. Why bother
writing in backdoors to the software when the keys are readily available
with a warrant?

There are a million and one ways to get access to the information and the
absolutely most difficult, most costly, and most potentially damaging is
the one people are jumping to first.

If it were ever revealed that Microsoft purposefully weakened its
encryption systems to allow the NSA access to any Windows device, then it
would be the end of the organization. They’re just not that dumb.

Mike



From: Justin Bull [mailto:me () justinbull ca]
Sent: Thursday, May 29, 2014 18:02
To: Mike Cramer
Cc: fulldisclosure () seclists org; secuip
Subject: RE: [FD] TrueCrypt?



Closed source and Microsoft is notoriously known to play ball with LEO and
government. It's an ill-fitting shoe.

Sent from mobile.

On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer () outlook com> wrote:

What is careless about recommending Bitlocker?

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Justin Bull
Sent: Thursday, May 29, 2014 17:18
To: secuip
Cc: fulldisclosure () seclists org
Subject: Re: [FD] TrueCrypt?

But why go out in that style? Why not be frank? Why be so careless as to
recommend BitLocker?

The diff was meticulous but the website and comms were not. It doesn't add
up.

Sent from mobile.
On May 29, 2014 5:13 PM, "secuip" <root () secuip fr> wrote:

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908


On 29/05/2014 22:51, uname -a wrote:

There are several strange behaviors.

Site source is not clean. Just an HTML page that says take Bitlocker now or
other built-in tools of your OS!?

New keys got added to SF 3h before the release of 7.2 happened.

On SF the old versions got removed. For older versions you have to
download them elsewhere (there are several sources available).

Encryption, Help and all traces to truecrypt.org got removed in the
program source.

No explanation for this anywhere. Just speculations.

Truecrypt isn't available on the web archive!

The Wiki got edited massively.



On 29.05.2014 04:21, Anthony Fontanez wrote:

I'm surprised I haven't seen any discussion about the recent issues
with TrueCrypt.  Links to current discussions follow.

/r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
/r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

Thank you,

Anthony Fontanez
PC Systems Administrator
Client Services - College of Liberal Arts Information & Technology Services, Enterprise Support
Rochester Institute of Technology
LBR-A290
585-475-2208 (office)
ajfrcc () rit edu

Submit a request via email: servicedesk () rit edu
Check the status of an active request: https://footprints.rit.edu/
Manage your RIT account and computers: https://start.rit.edu/

CONFIDENTIALITY NOTE: The information transmitted, including
attachments, is intended only for the person(s) or entity to which
it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon this information by persons
or entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and destroy any
copies of this information.



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 
*Philip Cheong*
*Elastx *| Public and Private PaaS
email: philip.cheong () elastx se
office: +46 8 557 728 10
mobile: +46 702 8170 814
twitter: @Elastx <https://twitter.com/Elastx>
http://elastx.se
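
Mike Cramer's point above about Windows 8 offering to save the BitLocker recovery password to a Microsoft account / OneDrive is the one concrete, checkable claim in this thread, so here is an added example (editor's code, not from any poster, from Microsoft, or from the TrueCrypt project) of what a practitioner would actually do about it: list every key protector on a volume and, on request, rotate the recovery password so that any copy that was escrowed no longer unlocks the disk. Nothing in the BitLocker cmdlets' output records whether the setup wizard uploaded the key, which is why rotation rather than inspection is the remedy. The cmdlets used (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) are the real Windows BitLocker module; the -Rotate switch and the variable names are this script's own. It assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
<#
  Added example for the BitLocker key-escrow discussion in this thread.
  Not code from any poster, Microsoft, or the TrueCrypt project.
  -Rotate is a switch of this script, not a BitLocker option.
  Run elevated; requires the BitLocker PowerShell module.
#>
param(
    [string]$MountPoint = "C:",
    [switch]$Rotate
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0} status={1} protection={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

# Each protector is an independent way to unlock the volume. RecoveryPassword
# is the 48-digit key the Windows 8 wizard offers to save to a Microsoft account;
# whoever holds a copy of it does not need any backdoor in the cipher.
foreach ($kp in $vol.KeyProtector) {
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}

$oldRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($oldRecovery.Count -eq 0) {
    Write-Warning "No recovery password protector on $MountPoint; confirm another protector (TPM, PIN, key file) works before changing anything."
}

if ($Rotate) {
    # Add the replacement first and remove the old ones second, so that an
    # interrupted run never leaves the volume without a recovery path.
    $after  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $oldIds = $oldRecovery | ForEach-Object { $_.KeyProtectorId }
    $new    = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }

    foreach ($kp in $oldRecovery) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    "New recovery password for $MountPoint (print it or keep it on offline media; decline any prompt to save it to a Microsoft account):"
    $new.RecoveryPassword
}
```

Usage: `.\bitlocker-protectors.ps1 -MountPoint C:` just lists the protectors; `.\bitlocker-protectors.ps1 -MountPoint C: -Rotate` replaces the recovery password. The same logic applies to domain-joined machines whose recovery passwords were backed up to Active Directory or Azure AD: after rotation the escrowed copy is dead, and whether you re-escrow the new one is a policy decision, not something the cipher can protect you from.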


Current thread: