Message-ID: <BAY404-EAS15974339B1BF3BAA85FB69BF2270@phx.gbl>
Date: Fri, 30 May 2014 11:21:02 -0400
From: Michael Cramer <mike.cramer@...look.com>
To: Chris Schmidt <chris.schmidt@...trastsecurity.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?

On a technicality,

There has never been a demonstration of a vulnerability in Dual_EC_DRBG. There are only allegations based on ties to the NSA.

-Mike

Sent from my iPhone

> On May 30, 2014, at 11:09, "Chris Schmidt" <chris.schmidt@...trastsecurity.com> wrote:
> 
> Regarding your final statement here, I seem to recall it being reported a
> little company called RSA allowed NSA backdooring and I¹m pretty sure they
> are far from Out-Of-Business. Claiming that giants like MS would go out of
> business if it got out that they were working with the NSA is completely
> naïve. 
> 
>> On 5/29/14, 4:13 PM, "Mike Cramer" <mike.cramer@...look.com> wrote:
>> 
>> I think it¹s more important to have rational discussions. This isn¹t the
>> first time Microsoft has been Œrumored¹ to have backdoors in Windows for
>> the US Government. These rumors have been perpetuated for years. While I
>> don¹t know how long you¹ve been in the industry, it¹s something I recall
>> even being 14 years old and sitting on IRC and having people discuss.
>> 
>> 
>> 
>> The reality now, just as then, is that these are unsubstantiated.
>> 
>> 
>> 
>> A more apt description about the cooperation between the US Government
>> and Microsoft I think falls back onto our old pals ³Alice and Bob². I¹m
>> sure you may recall these names from any sort of discussion about PKI.
>> 
>> 
>> 
>> What people seem to forget in all of these discussions is that Microsoft
>> is Bob. (Microsoft Bob? :P)
>> 
>> 
>> 
>> No amount of encryption, protection, secret keying is going to protect
>> you when one party is going to hand over the information to 3rd parties
>> to review.
>> 
>> 
>> 
>> Based on my Alice and Bob comment above, it¹s reasonable to assume that
>> the encryption itself is 100% fine, so as long as you believe that Bob
>> will never divulge the information you¹ve disclosed.
>> 
>> 
>> 
>> Through all of these discussions surrounding Bitlocker across multiple
>> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
>> you to store recovery key information in OneDrive/²The Cloud². Why bother
>> writing in backdoors to the software when the keys are readily available
>> with a warrant?
>> 
>> 
>> 
>> There are a million and one ways to get access to the information and the
>> absolutely most difficult, most costly, and most potentially damaging is
>> the one people are jumping to first.
>> 
>> 
>> 
>> If it were ever revealed that Microsoft purposefully weakened its
>> encryption systems to allow the NSA access to any Windows device, then it
>> would be the end of the organization. They¹re just not that dumb.
>> 
>> 
>> 
>> Mike
>> 
>> 
>> 
>> From: Justin Bull [mailto:me@...tinbull.ca]
>> Sent: Thursday, May 29, 2014 18:02
>> To: Mike Cramer
>> Cc: fulldisclosure@...lists.org; secuip
>> Subject: RE: [FD] TrueCrypt?
>> 
>> 
>> 
>> Closed source and Microsoft is notoriously known to play ball with LEO
>> and government. It's an ill-fitting shoe.
>> 
>> Sent from mobile. 
>> 
>> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com
>> <mailto:mike.cramer@...look.com> > wrote:
>> 
>> What is careless about recommending Bitlocker?
>> 
>> -----Original Message-----
>> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org
>> <mailto:fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin Bull
>> Sent: Thursday, May 29, 2014 17:18
>> To: secuip
>> Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org>
>> Subject: Re: [FD] TrueCrypt?
>> 
>> But why go out in that style? Why not be frank? Why be so careless as to
>> recommend BitLocker?
>> 
>> The diff was meticulous but the website and comms were not. It doesn't
>> add up.
>> 
>> Sent from mobile.
>> On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr <mailto:root@...uip.fr>
>>> wrote:
>> 
>>> http://krebsonsecurity.com/2014/05/true-goodbye-using-
>>> truecrypt-is-not-secure/comment-page-1/#comment-255908
>>> 
>>> 
>>> Le 29/05/2014 22:51, uname -a a écrit :
>>> 
>>>> There are several strange behaviors.
>>>> 
>>>> Sitesource is not clean. Just a html that say take now Bitlocker or
>>>> other built-in tools of your OS !?
>>>> 
>>>> New Keys got added to SF 3h before release of 7.2 happened.
>>>> 
>>>> On SF the old versions got removed. For older Versions you've to
>>>> download them elsewhere (there are several sources available).
>>>> 
>>>> Encryption, Help and all traces to truecrypt.org
>>>> <http://truecrypt.org>  got removed in the
>>>> Programsource.
>>>> 
>>>> No explanation for this anywhere. Just speculations.
>>>> 
>>>> Truecrypt isn't available on the webarchive!
>>>> 
>>>> The Wiki got editet massively.
>>>> 
>>>> 
>>>> 
>>>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>>> 
>>>>> I'm surprised I haven't seen any discussion about the recent issues
>>>>> with TrueCrypt.  Links to current discussions follow.
>>>>> 
>>>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>>>> truecrypt_is_dead/
>>>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>>>> truecrypt_development_has_ended_052814/
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> Anthony Fontanez
>>>>> PC Systems Administrator
>>>>> Client Services - College of Liberal Arts Information & Technology
>>>>> Services, Enterprise Support Rochester Institute of Technology
>>>>> LBR-A290
>>>>> 585-475-2208 <tel:585-475-2208>  (office)
>>>>> ajfrcc@....edu <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu
>>>>> <mailto:ajfrcc@....edu> >
>>>>> 
>>>>> Submit a request via email: servicedesk@....edu
>>>>> <mailto:servicedesk@....edu> <mailto:ser <mailto:ser>
>>>>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of an
>>>>> active request:
>>>>> footprints.rit.edu <http://footprints.rit.edu> <https://
>>>>> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
>>>>> account and computers: start.rit.edu <http://start.rit.edu>
>>>>> <https://start.
>>>>> rit.edu/ <http://rit.edu/> >
>>>>> 
>>>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>>>> attachments, is intended only for the person(s) or entity to which
>>>>> it is addressed and may contain confidential and/or privileged
>>>>> material. Any review, retransmission, dissemination or other use of,
>>>>> or taking of any action in reliance upon this information by persons
>>>>> or entities other than the intended recipient is prohibited. If you
>>>>> received this in error, please contact the sender and destroy any
>>>>> copies of this information.
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Sent through the Full Disclosure mailing list
>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>> 
>>>>> _______________________________________________
>>>> Sent through the Full Disclosure mailing list
>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>> 
>>> 
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>> 
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>> 
>> 
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists