lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CAEjRxXs1dqaw6U9FrAPnhBeYY-EwE-Ufde-+yXcD-LkL9zEo0A@mail.gmail.com>
Date: Fri, 30 May 2014 15:40:44 +0200
From: Philip Cheong <philip.cheong@...stx.se>
To: Mike Cramer <mike.cramer@...look.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?

So a good friend of mine explained...

*"...to suspect a "National Security Letter" from the FBI is just stupid.
An NSL is issued to an organization that actually has some involvement with
someone/group of "interest". The source code for Truecrypt is publicly
available. So how would such a letter be of any use? There is a current
very public audit of the Truecrypt code underway. So if the NSA/FBI/CIA/TLA
"requested" the Truecrypt authors to insert some sort of backdoor now, then
it would be identified almost immediately.*

*But this article is peddling baseless conspiracy, conflating Lavabit
(running a service), Apple's "warrant canary" (also runs a service) versus
Truecrypt's supply of source code (ie, not a service).*

2014-05-30 0:13 GMT+02:00 Mike Cramer <mike.cramer@...look.com>:

> I think it’s more important to have rational discussions. This isn’t the
> first time Microsoft has been ‘rumored’ to have backdoors in Windows for
> the US Government. These rumors have been perpetuated for years. While I
> don’t know how long you’ve been in the industry, it’s something I recall
> even being 14 years old and sitting on IRC and having people discuss.
>
> The reality now, just as then, is that these are unsubstantiated.
>
> A more apt description about the cooperation between the US Government and
> Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure
> you may recall these names from any sort of discussion about PKI.
>
> What people seem to forget in all of these discussions is that Microsoft
> is Bob. (Microsoft Bob? :P)
>
> No amount of encryption, protection, secret keying is going to protect you
> when one party is going to hand over the information to 3rd parties to
> review.
>
> Based on my Alice and Bob comment above, it’s reasonable to assume that
> the encryption itself is 100% fine, so as long as you believe that Bob will
> never divulge the information you’ve disclosed.
>
> Through all of these discussions surrounding Bitlocker across multiple
> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
> you to store recovery key information in OneDrive/”The Cloud”. Why bother
> writing in backdoors to the software when the keys are readily available
> with a warrant?
>
> There are a million and one ways to get access to the information and the
> absolutely most difficult, most costly, and most potentially damaging is
> the one people are jumping to first.
>
> If it were ever revealed that Microsoft purposefully weakened its
> encryption systems to allow the NSA access to any Windows device, then it
> would be the end of the organization. They’re just not that dumb.
>
> Mike
>
> From: Justin Bull [mailto:me@...tinbull.ca]
> Sent: Thursday, May 29, 2014 18:02
> To: Mike Cramer
> Cc: fulldisclosure@...lists.org; secuip
> Subject: RE: [FD] TrueCrypt?
>
> Closed source and Microsoft is notoriously known to play ball with LEO and
> government. It's an ill-fitting shoe.
>
> Sent from mobile.
>
> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com> wrote:
>
> What is careless about recommending Bitlocker?
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf Of Justin Bull
> Sent: Thursday, May 29, 2014 17:18
> To: secuip
> Cc: fulldisclosure@...lists.org
> Subject: Re: [FD] TrueCrypt?
>
> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.
>
> Sent from mobile.
> On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr> wrote:
>
> > http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908
> >
> >
> > On 29/05/2014 22:51, uname -a wrote:
> >
> >> There are several strange behaviors.
> >>
> >> The site source is not clean. Just an HTML page that says to use Bitlocker or
> >> other built-in tools of your OS now!?
> >>
> >> New Keys got added to SF 3h before release of 7.2 happened.
> >>
> >> On SF the old versions got removed. For older versions you have to
> >> download them elsewhere (there are several sources available).
> >>
> >> Encryption, Help and all traces to truecrypt.org got removed in the
> >> program source.
> >>
> >> No explanation for this anywhere. Just speculations.
> >>
> >> Truecrypt isn't available on the webarchive!
> >>
> >> The Wiki got edited massively.
> >>
> >>
> >>
> >> On 29.05.2014 04:21, Anthony Fontanez wrote:
> >>
> >>> I'm surprised I haven't seen any discussion about the recent issues
> >>> with TrueCrypt.  Links to current discussions follow.
> >>>
> >>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
> >>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/
> >>>
> >>> Thank you,
> >>>
> >>> Anthony Fontanez
> >>> PC Systems Administrator
> >>> Client Services - College of Liberal Arts Information & Technology
> >>> Services, Enterprise Support Rochester Institute of Technology
-- 
*Philip Cheong*
*Elastx *| Public and Private PaaS
email: philip.cheong@...stx.se
office: +46 8 557 728 10
mobile: +46 702 8170 814
twitter: @Elastx <https://twitter.com/Elastx>
http://elastx.se

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
