lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGSH4W=rhoZevW+zX7awQvQVUYfOq-x5f-ASFjEfv5zAS-o94A@mail.gmail.com>
Date: Fri, 30 May 2014 14:42:25 -0400
From: Not EcksKaySeeDee <noteckskayseedee@...il.com>
To: Mike Cramer <mike.cramer@...look.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?

May 30, 2014

Greetings,

New subscriber to FD here. I've been in systems/networking, and by default
dealt with security and encryption issues/topics, but not at the depth that
most(?) of the folks on FD have. So I have a few questions & thoughts:

1. Where do we go from here? What do you, as the experts, suggest for
people like me who are in IT, but not dedicated security pros, and
especially for average users who are now increasing their security
awareness in a post-Snowden world?

2. Does anyone else on this list actively use TC, and if so, what are your
plans now?

I am wary of the whole "use Bitlocker" suggestion because: A) it's closed
code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I
don't know if/when they will roll over whenever the g-men show up and
demand keys to the backdoors (if any).

Of-course, open source is not perfect either, but, so the reasoning, goes,
you have the "many eyes" argument in support of it. This begs another
question (apologies), how many eyes are actually actively and consistently
reviewing/auditing open source code?

As far as I am aware (correct me if I'm wrong), there isn't a single
neutral group or entity staffed by people whose sole purpose is to audit
critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a
need for such a group of people? Of-course the counter will be, who is
going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't
trust the big corporations again because of their influence and possible
ties to the g-men and/or willingness to roll-over when the legal paperwork
starts to fly.

And now for some reason, I'm reminded of Descartes First Meditation:
discarding belief in all things that are not certain (apologies to any
philosophy majors or lovers out there). All of the trust/faith we put into
people and companies (open and closed source) to produce this s/ware that
we build our lives on, how can we be sure that they are no cracks in our
foundations?

Anyhow.

Cheers,
not xkcd.



On Thu, May 29, 2014 at 6:13 PM, Mike Cramer <mike.cramer@...look.com>
wrote:

> I think it’s more important to have rational discussions. This isn’t the
> first time Microsoft has been ‘rumored’ to have backdoors in Windows for
> the US Government. These rumors have been perpetuated for years. While I
> don’t know how long you’ve been in the industry, it’s something I recall
> even being 14 years old and sitting on IRC and having people discuss.
>
>
>
> The reality now, just as then, is that these are unsubstantiated.
>
>
>
> A more apt description about the cooperation between the US Government and
> Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure
> you may recall these names from any sort of discussion about PKI.
>
>
>
> What people seem to forget in all of these discussions is that Microsoft
> is Bob. (Microsoft Bob? :P)
>
>
>
> No amount of encryption, protection, secret keying is going to protect you
> when one party is going to hand over the information to 3rd parties to
> review.
>
>
>
> Based on my Alice and Bob comment above, it’s reasonable to assume that
> the encryption itself is 100% fine, so as long as you believe that Bob will
> never divulge the information you’ve disclosed.
>
>
>
> Through all of these discussions surrounding Bitlocker across multiple
> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
> you to store recovery key information in OneDrive/”The Cloud”. Why bother
> writing in backdoors to the software when the keys are readily available
> with a warrant?
>
>
>
> There are a million and one ways to get access to the information and the
> absolutely most difficult, most costly, and most potentially damaging is
> the one people are jumping to first.
>
>
>
> If it were ever revealed that Microsoft purposefully weakened its
> encryption systems to allow the NSA access to any Windows device, then it
> would be the end of the organization. They’re just not that dumb.
>
>
>
> Mike
>
>
>
> From: Justin Bull [mailto:me@...tinbull.ca]
> Sent: Thursday, May 29, 2014 18:02
> To: Mike Cramer
> Cc: fulldisclosure@...lists.org; secuip
> Subject: RE: [FD] TrueCrypt?
>
>
>
> Closed source and Microsoft is notoriously known to play ball with LEO and
> government. It's an ill-fitting shoe.
>
> Sent from mobile.
>
> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com <mailto:
> mike.cramer@...look.com> > wrote:
>
> What is careless about recommending Bitlocker?
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org <mailto:
> fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin Bull
> Sent: Thursday, May 29, 2014 17:18
> To: secuip
> Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org>
> Subject: Re: [FD] TrueCrypt?
>
> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.
>
> Sent from mobile.
> On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr <mailto:root@...uip.fr>
> > wrote:
>
> > http://krebsonsecurity.com/2014/05/true-goodbye-using-
> > truecrypt-is-not-secure/comment-page-1/#comment-255908
> >
> >
> > Le 29/05/2014 22:51, uname -a a écrit :
> >
> >> There are several strange behaviors.
> >>
> >> Sitesource is not clean. Just a html that say take now Bitlocker or
> >> other built-in tools of your OS !?
> >>
> >> New Keys got added to SF 3h before release of 7.2 happened.
> >>
> >> On SF the old versions got removed. For older Versions you've to
> >> download them elsewhere (there are several sources available).
> >>
> >> Encryption, Help and all traces to truecrypt.org <http://truecrypt.org>
>  got removed in the
> >> Programsource.
> >>
> >> No explanation for this anywhere. Just speculations.
> >>
> >> Truecrypt isn't available on the webarchive!
> >>
> >> The Wiki got editet massively.
> >>
> >>
> >>
> >> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
> >>
> >>> I'm surprised I haven't seen any discussion about the recent issues
> >>> with TrueCrypt.  Links to current discussions follow.
> >>>
> >>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
> >>> truecrypt_is_dead/
> >>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
> >>> truecrypt_development_has_ended_052814/
> >>>
> >>> Thank you,
> >>>
> >>> Anthony Fontanez
> >>> PC Systems Administrator
> >>> Client Services - College of Liberal Arts Information & Technology
> >>> Services, Enterprise Support Rochester Institute of Technology
> >>> LBR-A290
> >>> 585-475-2208 <tel:585-475-2208>  (office)
> >>> ajfrcc@....edu <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu <mailto:
> ajfrcc@....edu> >
> >>>
> >>> Submit a request via email: servicedesk@....edu <mailto:
> servicedesk@....edu> <mailto:ser <mailto:ser>
> >>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of an
> active request:
> >>> footprints.rit.edu <http://footprints.rit.edu> <https://
> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
> >>> account and computers: start.rit.edu <http://start.rit.edu> <
> https://start.
> >>> rit.edu/ <http://rit.edu/> >
> >>>
> >>> CONFIDENTIALITY NOTE: The information transmitted, including
> >>> attachments, is intended only for the person(s) or entity to which
> >>> it is addressed and may contain confidential and/or privileged
> >>> material. Any review, retransmission, dissemination or other use of,
> >>> or taking of any action in reliance upon this information by persons
> >>> or entities other than the intended recipient is prohibited. If you
> >>> received this in error, please contact the sender and destroy any
> copies of this information.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Sent through the Full Disclosure mailing list
> >>> http://nmap.org/mailman/listinfo/fulldisclosure
> >>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>>
> >>>  _______________________________________________
> >> Sent through the Full Disclosure mailing list
> >> http://nmap.org/mailman/listinfo/fulldisclosure
> >> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>
> >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ