lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 30 May 2014 22:02:35 +0200
From: uname -a <sec.list@....net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] TrueCrypt?

Really?
https://blog.0xbadc0de.be/archives/155


Am 30.05.2014 17:21, schrieb Michael Cramer:
> On a technicality,
> 
> There has never been a demonstration of a vulnerability in Dual_EC_DRBG. There are only allegations based on ties to the NSA.
> 
> -Mike
> 
> Sent from my iPhone
> 
>> On May 30, 2014, at 11:09, "Chris Schmidt" <chris.schmidt@...trastsecurity.com> wrote:
>>
>> Regarding your final statement here, I seem to recall it being reported a
>> little company called RSA allowed NSA backdooring and I¹m pretty sure they
>> are far from Out-Of-Business. Claiming that giants like MS would go out of
>> business if it got out that they were working with the NSA is completely
>> naïve. 
>>
>>> On 5/29/14, 4:13 PM, "Mike Cramer" <mike.cramer@...look.com> wrote:
>>>
>>> I think it¹s more important to have rational discussions. This isn¹t the
>>> first time Microsoft has been Œrumored¹ to have backdoors in Windows for
>>> the US Government. These rumors have been perpetuated for years. While I
>>> don¹t know how long you¹ve been in the industry, it¹s something I recall
>>> even being 14 years old and sitting on IRC and having people discuss.
>>>
>>>
>>>
>>> The reality now, just as then, is that these are unsubstantiated.
>>>
>>>
>>>
>>> A more apt description about the cooperation between the US Government
>>> and Microsoft I think falls back onto our old pals ³Alice and Bob². I¹m
>>> sure you may recall these names from any sort of discussion about PKI.
>>>
>>>
>>>
>>> What people seem to forget in all of these discussions is that Microsoft
>>> is Bob. (Microsoft Bob? :P)
>>>
>>>
>>>
>>> No amount of encryption, protection, secret keying is going to protect
>>> you when one party is going to hand over the information to 3rd parties
>>> to review.
>>>
>>>
>>>
>>> Based on my Alice and Bob comment above, it¹s reasonable to assume that
>>> the encryption itself is 100% fine, so as long as you believe that Bob
>>> will never divulge the information you¹ve disclosed.
>>>
>>>
>>>
>>> Through all of these discussions surrounding Bitlocker across multiple
>>> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
>>> you to store recovery key information in OneDrive/²The Cloud². Why bother
>>> writing in backdoors to the software when the keys are readily available
>>> with a warrant?
>>>
>>>
>>>
>>> There are a million and one ways to get access to the information and the
>>> absolutely most difficult, most costly, and most potentially damaging is
>>> the one people are jumping to first.
>>>
>>>
>>>
>>> If it were ever revealed that Microsoft purposefully weakened its
>>> encryption systems to allow the NSA access to any Windows device, then it
>>> would be the end of the organization. They¹re just not that dumb.
>>>
>>>
>>>
>>> Mike
>>>
>>>
>>>
>>> From: Justin Bull [mailto:me@...tinbull.ca]
>>> Sent: Thursday, May 29, 2014 18:02
>>> To: Mike Cramer
>>> Cc: fulldisclosure@...lists.org; secuip
>>> Subject: RE: [FD] TrueCrypt?
>>>
>>>
>>>
>>> Closed source and Microsoft is notoriously known to play ball with LEO
>>> and government. It's an ill-fitting shoe.
>>>
>>> Sent from mobile. 
>>>
>>> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com
>>> <mailto:mike.cramer@...look.com> > wrote:
>>>
>>> What is careless about recommending Bitlocker?
>>>
>>> -----Original Message-----
>>> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org
>>> <mailto:fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin Bull
>>> Sent: Thursday, May 29, 2014 17:18
>>> To: secuip
>>> Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org>
>>> Subject: Re: [FD] TrueCrypt?
>>>
>>> But why go out in that style? Why not be frank? Why be so careless as to
>>> recommend BitLocker?
>>>
>>> The diff was meticulous but the website and comms were not. It doesn't
>>> add up.
>>>
>>> Sent from mobile.
>>> On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr <mailto:root@...uip.fr>
>>>> wrote:
>>>
>>>> http://krebsonsecurity.com/2014/05/true-goodbye-using-
>>>> truecrypt-is-not-secure/comment-page-1/#comment-255908
>>>>
>>>>
>>>> Le 29/05/2014 22:51, uname -a a écrit :
>>>>
>>>>> There are several strange behaviors.
>>>>>
>>>>> Sitesource is not clean. Just a html that say take now Bitlocker or
>>>>> other built-in tools of your OS !?
>>>>>
>>>>> New Keys got added to SF 3h before release of 7.2 happened.
>>>>>
>>>>> On SF the old versions got removed. For older Versions you've to
>>>>> download them elsewhere (there are several sources available).
>>>>>
>>>>> Encryption, Help and all traces to truecrypt.org
>>>>> <http://truecrypt.org>  got removed in the
>>>>> Programsource.
>>>>>
>>>>> No explanation for this anywhere. Just speculations.
>>>>>
>>>>> Truecrypt isn't available on the webarchive!
>>>>>
>>>>> The Wiki got editet massively.
>>>>>
>>>>>
>>>>>
>>>>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>>>>
>>>>>> I'm surprised I haven't seen any discussion about the recent issues
>>>>>> with TrueCrypt.  Links to current discussions follow.
>>>>>>
>>>>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>>>>> truecrypt_is_dead/
>>>>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>>>>> truecrypt_development_has_ended_052814/
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Anthony Fontanez
>>>>>> PC Systems Administrator
>>>>>> Client Services - College of Liberal Arts Information & Technology
>>>>>> Services, Enterprise Support Rochester Institute of Technology
>>>>>> LBR-A290
>>>>>> 585-475-2208 <tel:585-475-2208>  (office)
>>>>>> ajfrcc@....edu <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu
>>>>>> <mailto:ajfrcc@....edu> >
>>>>>>
>>>>>> Submit a request via email: servicedesk@....edu
>>>>>> <mailto:servicedesk@....edu> <mailto:ser <mailto:ser>
>>>>>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of an
>>>>>> active request:
>>>>>> footprints.rit.edu <http://footprints.rit.edu> <https://
>>>>>> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
>>>>>> account and computers: start.rit.edu <http://start.rit.edu>
>>>>>> <https://start.
>>>>>> rit.edu/ <http://rit.edu/> >
>>>>>>
>>>>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>>>>> attachments, is intended only for the person(s) or entity to which
>>>>>> it is addressed and may contain confidential and/or privileged
>>>>>> material. Any review, retransmission, dissemination or other use of,
>>>>>> or taking of any action in reliance upon this information by persons
>>>>>> or entities other than the intended recipient is prohibited. If you
>>>>>> received this in error, please contact the sender and destroy any
>>>>>> copies of this information.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Sent through the Full Disclosure mailing list
>>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>>>
>>>>>> _______________________________________________
>>>>> Sent through the Full Disclosure mailing list
>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>
>>>>
>>>> _______________________________________________
>>>> Sent through the Full Disclosure mailing list
>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists