| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 26 May 2006 22:01:00 -0000 From: thesinoda@...mail.com To: bugtraq@...urityfocus.com Subject: RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA , PGP 8.x & 9.x and Truecrypt. Firstly, we appricate truecrypt team comments but on the other hand we do not agree on some. --Adonis Comment-- I do not agree with some of truecrypt comments specially the quoted text below. What if you had created a virtual disk and give that to someone. That someone use it as his/her own disk and decided to change the password because they own the disk now (You give them to them with the pass). So they did change the passowrd, but the originator can still access that disk if he/she replace the passphrase bytes in the binary file. So I consider this an attack on data INTEGRITY and data AVAILABILITY since the legitimate user will be denied access to the disk after replacing the passphrase bytes. -- End Comment-- ==================================================================== "In conclusion, this is not a "security bug", but design/feature. Also, to exploit the design, the adversary would have to know your password first (or have your keyfiles). That means, for example, that he would capture it using a keystroke logger. If that was the case, then all security would be practically lost on that machine." ==================================================================== Peace
Powered by blists - more mailing lists