| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 May 2014 15:40:44 +0200 From: Philip Cheong <philip.cheong@...stx.se> To: Mike Cramer <mike.cramer@...look.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] TrueCrypt? So a good friend of mine explained... *"...to suspect a "National Security Letter" from the FBI is just stupid. An NSL is issued to an organization that actually has some involvement with someone/group of "interest". The source code for Truecrypt is publicly available. So how would such a letter be of any use? There is a current very public audit of the Truecrypt code underway. So if the NSA/FBI/CIA/TLA "requested" the Truecrypt authors to insert some sort of backdoor now, then it would be identified almost immediately.* *But this article is peddling baseless conspiracy, conflating Lavabit (running a service), Apple's "warrant canary" (also runs a service) versus Truecrypt's supply of source code (ie, not a service).* 2014-05-30 0:13 GMT+02:00 Mike Cramer <mike.cramer@...look.com>: > I think it’s more important to have rational discussions. This isn’t the > first time Microsoft has been ‘rumored’ to have backdoors in Windows for > the US Government. These rumors have been perpetuated for years. While I > don’t know how long you’ve been in the industry, it’s something I recall > even being 14 years old and sitting on IRC and having people discuss. > > > > The reality now, just as then, is that these are unsubstantiated. > > > > A more apt description about the cooperation between the US Government and > Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure > you may recall these names from any sort of discussion about PKI. > > > > What people seem to forget in all of these discussions is that Microsoft > is Bob. (Microsoft Bob? :P) > > > > No amount of encryption, protection, secret keying is going to protect you > when one party is going to hand over the information to 3rd parties to > review. > > > > Based on my Alice and Bob comment above, it’s reasonable to assume that > the encryption itself is 100% fine, so as long as you believe that Bob will > never divulge the information you’ve disclosed. > > > > Through all of these discussions surrounding Bitlocker across multiple > forums nobody has brought up the fact that Bitlocker in Windows 8 allows > you to store recovery key information in OneDrive/”The Cloud”. Why bother > writing in backdoors to the software when the keys are readily available > with a warrant? > > > > There are a million and one ways to get access to the information and the > absolutely most difficult, most costly, and most potentially damaging is > the one people are jumping to first. > > > > If it were ever revealed that Microsoft purposefully weakened its > encryption systems to allow the NSA access to any Windows device, then it > would be the end of the organization. They’re just not that dumb. > > > > Mike > > > > From: Justin Bull [mailto:me@...tinbull.ca] > Sent: Thursday, May 29, 2014 18:02 > To: Mike Cramer > Cc: fulldisclosure@...lists.org; secuip > Subject: RE: [FD] TrueCrypt? > > > > Closed source and Microsoft is notoriously known to play ball with LEO and > government. It's an ill-fitting shoe. > > Sent from mobile. > > On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com <mailto: > mike.cramer@...look.com> > wrote: > > What is careless about recommending Bitlocker? > > -----Original Message----- > From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org <mailto: > fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin Bull > Sent: Thursday, May 29, 2014 17:18 > To: secuip > Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org> > Subject: Re: [FD] TrueCrypt? > > But why go out in that style? Why not be frank? Why be so careless as to > recommend BitLocker? > > The diff was meticulous but the website and comms were not. It doesn't add > up. > > Sent from mobile. > On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr <mailto:root@...uip.fr> > > wrote: > > > http://krebsonsecurity.com/2014/05/true-goodbye-using- > > truecrypt-is-not-secure/comment-page-1/#comment-255908 > > > > > > Le 29/05/2014 22:51, uname -a a écrit : > > > >> There are several strange behaviors. > >> > >> Sitesource is not clean. Just a html that say take now Bitlocker or > >> other built-in tools of your OS !? > >> > >> New Keys got added to SF 3h before release of 7.2 happened. > >> > >> On SF the old versions got removed. For older Versions you've to > >> download them elsewhere (there are several sources available). > >> > >> Encryption, Help and all traces to truecrypt.org <http://truecrypt.org> > got removed in the > >> Programsource. > >> > >> No explanation for this anywhere. Just speculations. > >> > >> Truecrypt isn't available on the webarchive! > >> > >> The Wiki got editet massively. > >> > >> > >> > >> Am 29.05.2014 04:21, schrieb Anthony Fontanez: > >> > >>> I'm surprised I haven't seen any discussion about the recent issues > >>> with TrueCrypt. Links to current discussions follow. > >>> > >>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/ > >>> truecrypt_is_dead/ > >>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/ > >>> truecrypt_development_has_ended_052814/ > >>> > >>> Thank you, > >>> > >>> Anthony Fontanez > >>> PC Systems Administrator > >>> Client Services - College of Liberal Arts Information & Technology > >>> Services, Enterprise Support Rochester Institute of Technology > >>> LBR-A290 > >>> 585-475-2208 <tel:585-475-2208> (office) > >>> ajfrcc@....edu <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu <mailto: > ajfrcc@....edu> > > >>> > >>> Submit a request via email: servicedesk@....edu <mailto: > servicedesk@....edu> <mailto:ser <mailto:ser> > >>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of an > active request: > >>> footprints.rit.edu <http://footprints.rit.edu> <https:// > footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT > >>> account and computers: start.rit.edu <http://start.rit.edu> < > https://start. > >>> rit.edu/ <http://rit.edu/> > > >>> > >>> CONFIDENTIALITY NOTE: The information transmitted, including > >>> attachments, is intended only for the person(s) or entity to which > >>> it is addressed and may contain confidential and/or privileged > >>> material. Any review, retransmission, dissemination or other use of, > >>> or taking of any action in reliance upon this information by persons > >>> or entities other than the intended recipient is prohibited. If you > >>> received this in error, please contact the sender and destroy any > copies of this information. > >>> > >>> > >>> > >>> _______________________________________________ > >>> Sent through the Full Disclosure mailing list > >>> http://nmap.org/mailman/listinfo/fulldisclosure > >>> Web Archives & RSS: http://seclists.org/fulldisclosure/ > >>> > >>> _______________________________________________ > >> Sent through the Full Disclosure mailing list > >> http://nmap.org/mailman/listinfo/fulldisclosure > >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > >> > > > > > > _______________________________________________ > > Sent through the Full Disclosure mailing list > > http://nmap.org/mailman/listinfo/fulldisclosure > > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > -- *Philip Cheong* *Elastx *| Public and Private PaaS email: philip.cheong@...stx.se office: +46 8 557 728 10 mobile: +46 702 8170 814 twitter: @Elastx <https://twitter.com/Elastx> http://elastx.se _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists