[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5388F727.9010801@sec.gd>
Date: Fri, 30 May 2014 17:24:55 -0400
From: mal <mal@....gd>
To: fulldisclosure@...lists.org
Subject: Re: [FD] TrueCrypt?
So why doesn't the DoD use bitlocker? ^.^
http://www.gsa.gov/portal/content/102647
On 05/30/2014 04:35 PM, Michael Cramer wrote:
>
> For the most part I rely on Bitlocker for all of my encryption needs. The goal isn’t to prevent super secret shadowy organizations from accessing my data, but to prevent data being obtained from my devices in the event of theft or being lost.
> Because I travel a lot, I would willingly enter crypto passwords into my devices when crossing the border.
>
> I ultimately know that if my devices are stolen or lost, that I have as much time as I want until I need to change any passwords. It is this peace of mind that I’m looking for. Not to prevent the NSA from accessing my photo library.
>
>
> I used to use TC until Bitlocker became standard. I leveraged it quite often, and still occasionally used it when cross platform needs were required.
>
>
>
> To address your other concerns, you have to understand that the “super secret uber NSA backdoors in Windows products” has been told time and time again for decades. I feel ashamed that the “Information Security” community is fretting over such things, especially given that the US Government is the largest buyer of Information Security products and services. They use Windows pretty extensively across all ranges of the DOD and Microsoft isn’t providing them different binaries than anyone else. They do work together for hardening procedures, but the Windows that the DOD uses for its systems is the same Windows that you will find in the stores.
>
>
> To suggest that the NSA would ask Microsoft and other vendors to introduced intentional backdoors into their products is to severely underestimate the people that work for those agencies that work on the US’ critical infrastructure. They’re just not that stupid. Some of the best and brightest minds in the world have consulted for or worked with the NSA, and I’m guessing this includes revered
> security researchers and open source developers that some would be surprised that may be approached by the US Government.
>
> I think the whole “many eyes” thing has now been debunked--repeatedly. “Many eyes” is another way for people to not assume responsibility for ensuring the integrity of their products and services. “If other people use it, someone else must have audited it, or else it would not be in such wide use everywhere! It must be good!” OpenSSL‘s Heartbleed incident has proven this to be absolutely far from the truth. In addition, I know it can be a bit more challenging to find flaws in unmaintainable code, but the Debian OpenSSL bug (http://www.debian.org/security/2008/dsa-1571) was inexcusable. The issue was merely commented out code on a commit that sat around for 2 years. It wasn’t even intended to be an underhanded change.
>
> The good news is that the OSS community is now starting to enter another age of maturity. It will be interesting to see where everything falls into place. The Linux Foundation has announced they will be performing a full code audit on “critical” applications such as OpenSSL, NTP, and OpenSSH(http://gigaom.com/2014/05/29/openssl-security-project-gets-some-much-needed-funding/). This is fantastic news all around and has long been needed considering Linux is used in a very wide range of products and services.
>
>
> As far as closed source versus open source, this is the type of thing that will ultimately bring out “religious” arguments. There was a time when closed source solutions were terrible. And many closed solutions may still be terrible. But on some of the larger products, for example, Windows--the people that work on that are highly paid and many are highly skilled in their craft. Microsoft hired some of the best engineers in the industry to develop the platforms that Windows still uses today, such as NTFS.
>
>
> Linux has had some massive changes to its underlying infrastructure. Since I’ve been using Linux we’ve gone from ext2 to ext3 to ext4. We’ve gone from “dependency hell” to having reliable package managers. They are just now moving away from SYSVINIT in greater fashion after realizing that asynchronous daemon startup and other daemon management features are required for modern computing.
>
>
> Microsoft has had many of these features for coming up on 2 decades, so they’ve gotten great mileage out of the decisions they made as a closed source solution because they can simply say “make it so” without much larger debates and committees.
>
>
> Ultimately, what you choose to use is up to you. I use what serves my needs, and I use what serves the needs of the organizations for which I work.
>
>
> Bitlocker and Truecrypt aren’t the ONLY FDE and removable media platforms that are out there. While TC offered incredible portability of the data (since it was all file containers that could be moved between platforms easily), as far as encryption itself goes, Bitlocker should provide the same level of security as TC for when your devices fall into the wrong hands. You an also leverage products from McAfee, Symantec, and CheckPoint. YMMV.
>
>
> To use Bitlocker “properly” in a major organization your best bet is to use smart cards. The hefty requirements for TPM-enabled devices and smart cards for optimal security and ease-of-use can be daunting to most.
>
>
> -Mike Cramer
>
>
> Sent from Windows Mail
>
>
>
>
>
> From: Not EcksKaySeeDee
> Sent: Friday, May 30, 2014 14:42
> To: Michael Cramer
> Cc: Justin Bull, fulldisclosure@...lists.org
>
>
>
>
>
> May 30, 2014
>
>
>
> Greetings,
>
>
>
>
> New subscriber to FD here. I've been in systems/networking, and by default dealt with security and encryption issues/topics, but not at the depth that most(?) of the folks on FD have. So I have a few questions & thoughts:
>
>
>
>
> 1. Where do we go from here? What do you, as the experts, suggest for people like me who are in IT, but not dedicated security pros, and especially for average users who are now increasing their security awareness in a post-Snowden world?
>
>
>
>
>
> 2. Does anyone else on this list actively use TC, and if so, what are your plans now?
>
>
>
>
> I am wary of the whole "use Bitlocker" suggestion because: A) it's closed code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I don't know if/when they will roll over whenever the g-men show up and demand keys to the backdoors (if any).
>
>
>
>
> Of-course, open source is not perfect either, but, so the reasoning, goes, you have the "many eyes" argument in support of it. This begs another question (apologies), how many eyes are actually actively and consistently reviewing/auditing open source code?
>
>
>
>
> As far as I am aware (correct me if I'm wrong), there isn't a single neutral group or entity staffed by people whose sole purpose is to audit critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a need for such a group of people? Of-course the counter will be, who is going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't trust the big corporations again because of their influence and possible ties to the g-men and/or willingness to roll-over when the legal paperwork starts to fly.
>
>
> And now for some reason, I'm reminded of Descartes First Meditation: discarding belief in all things that are not certain (apologies to any philosophy majors or lovers out there). All of the trust/faith we put into people and companies (open and closed source) to produce this s/ware that we build our lives on, how can we be sure that they are no cracks in our foundations?
>
>
>
>
> Anyhow.
>
>
>
>
> Cheers,
>
> not xkcd.
>
>
>
>
>
>
>
>
> On Thu, May 29, 2014 at 6:13 PM, Mike Cramer <mike.cramer@...look.com> wrote:
>
> I think it’s more important to have rational discussions. This isn’t the first time Microsoft has been ‘rumored’ to have backdoors in Windows for the US Government. These rumors have been perpetuated for years. While I don’t know how long you’ve been in the industry, it’s something I recall even being 14 years old and sitting on IRC and having people discuss.
>
>
>
> The reality now, just as then, is that these are unsubstantiated.
>
>
>
> A more apt description about the cooperation between the US Government and Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure you may recall these names from any sort of discussion about PKI.
>
>
>
> What people seem to forget in all of these discussions is that Microsoft is Bob. (Microsoft Bob? :P)
>
>
>
> No amount of encryption, protection, secret keying is going to protect you when one party is going to hand over the information to 3rd parties to review.
>
>
>
> Based on my Alice and Bob comment above, it’s reasonable to assume that the encryption itself is 100% fine, so as long as you believe that Bob will never divulge the information you’ve disclosed.
>
>
>
> Through all of these discussions surrounding Bitlocker across multiple forums nobody has brought up the fact that Bitlocker in Windows 8 allows you to store recovery key information in OneDrive/”The Cloud”. Why bother writing in backdoors to the software when the keys are readily available with a warrant?
>
>
>
> There are a million and one ways to get access to the information and the absolutely most difficult, most costly, and most potentially damaging is the one people are jumping to first.
>
>
>
> If it were ever revealed that Microsoft purposefully weakened its encryption systems to allow the NSA access to any Windows device, then it would be the end of the organization. They’re just not that dumb.
>
>
>
> Mike
>
>
>
> From: Justin Bull [mailto:me@...tinbull.ca]
> Sent: Thursday, May 29, 2014 18:02
> To: Mike Cramer
> Cc: fulldisclosure@...lists.org; secuip
> Subject: RE: [FD] TrueCrypt?
>
>
>
> Closed source and Microsoft is notoriously known to play ball with LEO and government. It's an ill-fitting shoe.
>
> Sent from mobile.
>
> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com <mailto:mike.cramer@...look.com> > wrote:
>
> What is careless about recommending Bitlocker?
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org <mailto:fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin Bull
> Sent: Thursday, May 29, 2014 17:18
> To: secuip
> Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org>
> Subject: Re: [FD] TrueCrypt?
>
> But why go out in that style? Why not be frank? Why be so careless as to recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add up.
>
> Sent from mobile.
> On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr <mailto:root@...uip.fr> > wrote:
>
>> http://krebsonsecurity.com/2014/05/true-goodbye-using-
>> truecrypt-is-not-secure/comment-page-1/#comment-255908
>>
>>
>> Le 29/05/2014 22:51, uname -a a écrit :
>>
>>> There are several strange behaviors.
>>>
>>> Sitesource is not clean. Just a html that say take now Bitlocker or
>>> other built-in tools of your OS !?
>>>
>>> New Keys got added to SF 3h before release of 7.2 happened.
>>>
>>> On SF the old versions got removed. For older Versions you've to
>>> download them elsewhere (there are several sources available).
>>>
>>> Encryption, Help and all traces to truecrypt.org <http://truecrypt.org> got removed in the
>>> Programsource.
>>>
>>> No explanation for this anywhere. Just speculations.
>>>
>>> Truecrypt isn't available on the webarchive!
>>>
>>> The Wiki got editet massively.
>>>
>>>
>>>
>>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>>
>>>> I'm surprised I haven't seen any discussion about the recent issues
>>>> with TrueCrypt. Links to current discussions follow.
>>>>
>>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>>> truecrypt_is_dead/
>>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>>> truecrypt_development_has_ended_052814/
>>>>
>>>> Thank you,
>>>>
>>>> Anthony Fontanez
>>>> PC Systems Administrator
>>>> Client Services - College of Liberal Arts Information & Technology
>>>> Services, Enterprise Support Rochester Institute of Technology
>>>> LBR-A290
>>>> 585-475-2208 <tel:585-475-2208> (office)
>>>> ajfrcc@....edu <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu <mailto:ajfrcc@....edu> >
>>>>
>>>> Submit a request via email: servicedesk@....edu <mailto:servicedesk@....edu> <mailto:ser <mailto:ser>
>>>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of an active request:
>>>> footprints.rit.edu <http://footprints.rit.edu> <https:// footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
>>>> account and computers: start.rit.edu <http://start.rit.edu> <https://start.
>>>> rit.edu/ <http://rit.edu/> >
>>>>
>>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>>> attachments, is intended only for the person(s) or entity to which
>>>> it is addressed and may contain confidential and/or privileged
>>>> material. Any review, retransmission, dissemination or other use of,
>>>> or taking of any action in reliance upon this information by persons
>>>> or entities other than the intended recipient is prohibited. If you
>>>> received this in error, please contact the sender and destroy any copies of this information.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Sent through the Full Disclosure mailing list
>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>
>>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists