lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BAY404-EAS16562FC965EEEA87AA36E23F2260@phx.gbl>
Date: Fri, 30 May 2014 22:27:58 -0400
From: Mike Cramer <mike.cramer@...look.com>
To: "'Rikairchy'" <blakcshadow@...il.com>,
	<fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?

When used in FIPS compliance mode, AD storage of keys is disabled. I believe
they changed this with Windows 8/2012 but I haven't done an implementation
of that yet.

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
Of Rikairchy
Sent: Friday, May 30, 2014 22:21
To: fulldisclosure@...lists.org
Subject: Re: [FD] TrueCrypt?

When I was in the military, we enforced bitlocker compliance on all
networked machines. Part of that policy required us to upload the keys to
active directory, allowing anyone with AD access to view the full recovery
keys. The main reason it was enforced was because it prevented offline
attacks of machines. Doesn't hurt that bitlocker is also bundled with
Windows as well.
On May 30, 2014 10:00 PM, "mal" <mal@....gd> wrote:

> So why doesn't the DoD use bitlocker? ^.^
>
> http://www.gsa.gov/portal/content/102647
>
>
> On 05/30/2014 04:35 PM, Michael Cramer wrote:
> >
> > For the most part I rely on Bitlocker for all of my encryption needs.
> The goal isn't to prevent super secret shadowy organizations from 
> accessing my data, but to prevent data being obtained from my devices 
> in the event of theft or being lost.
> > Because I travel a lot, I would willingly enter crypto passwords 
> > into my
> devices when crossing the border.
> >
> > I ultimately know that if my devices are stolen or lost, that I have 
> > as
> much time as I want until I need to change any passwords. It is this 
> peace of mind that I'm looking for. Not to prevent the NSA from 
> accessing my photo library.
> >
> >
> > I used to use TC until Bitlocker became standard. I leveraged it 
> > quite
> often, and still occasionally used it when cross platform needs were 
> required.
> >
> >
> >
> > To address your other concerns, you have to understand that the 
> > "super
> secret uber NSA backdoors in Windows products" has been told time and 
> time again for decades. I feel ashamed that the "Information Security" 
> community is fretting over such things, especially given that the US 
> Government is the largest buyer of Information Security products and 
> services. They use Windows pretty extensively across all ranges of the 
> DOD and Microsoft isn't providing them different binaries than anyone 
> else. They do work together for hardening procedures, but the Windows 
> that the DOD uses for its systems is the same Windows that you will find
in the stores.
> >
> >
> > To suggest that the NSA would ask Microsoft and other vendors to
> introduced intentional backdoors into their products is to severely 
> underestimate the people that work for those agencies that work on the US'
> critical infrastructure. They're just not that stupid. Some of the 
> best and brightest minds in the world have consulted for or worked 
> with the NSA, and I'm guessing this includes revered
> > security researchers and open source developers that some would be
> surprised that may be approached by the US Government.
> >
> > I think the whole "many eyes" thing has now been debunked--repeatedly.
> "Many eyes" is another way for people to not assume responsibility for 
> ensuring the integrity of their products and services. "If other 
> people use it, someone else must have audited it, or else it would not 
> be in such wide use everywhere! It must be good!" OpenSSL's Heartbleed 
> incident has proven this to be absolutely far from the truth. In 
> addition, I know it can be a bit more challenging to find flaws in 
> unmaintainable code, but the Debian OpenSSL bug 
> (http://www.debian.org/security/2008/dsa-1571) was inexcusable. The 
> issue was merely commented out code on a commit that sat around for 2
years. It wasn't even intended to be an underhanded change.
> >
> > The good news is that the OSS community is now starting to enter 
> > another
> age of maturity. It will be interesting to see where everything falls 
> into place. The Linux Foundation has announced they will be performing 
> a full code audit on "critical" applications such as OpenSSL, NTP, and 
> OpenSSH(
http://gigaom.com/2014/05/29/openssl-security-project-gets-some-much-needed-
funding/).
> This is fantastic news all around and has long been needed considering 
> Linux is used in a very wide range of products and services.
> >
> >
> > As far as closed source versus open source, this is the type of 
> > thing
> that will ultimately bring out "religious" arguments. There was a time 
> when closed source solutions were terrible. And many closed solutions 
> may still be terrible. But on some of the larger products, for 
> example, Windows--the people that work on that are highly paid and 
> many are highly skilled in their craft. Microsoft hired some of the 
> best engineers in the industry to develop the platforms that Windows still
uses today, such as NTFS.
> >
> >
> > Linux has had some massive changes to its underlying infrastructure.
> Since I've been using Linux we've gone from ext2 to ext3 to ext4. 
> We've gone from "dependency hell" to having reliable package managers. 
> They are just now moving away from SYSVINIT in greater fashion after 
> realizing that asynchronous daemon startup and other daemon management 
> features are required for modern computing.
> >
> >
> > Microsoft has had many of these features for coming up on 2 decades, 
> > so
> they've gotten great mileage out of the decisions they made as a 
> closed source solution because they can simply say "make it so" 
> without much larger debates and committees.
> >
> >
> > Ultimately, what you choose to use is up to you. I use what serves 
> > my
> needs, and I use what serves the needs of the organizations for which 
> I work.
> >
> >
> > Bitlocker and Truecrypt aren't the ONLY FDE and removable media
> platforms that are out there. While TC offered incredible portability 
> of the data (since it was all file containers that could be moved 
> between platforms easily), as far as encryption itself goes, Bitlocker 
> should provide the same level of security as TC for when your devices 
> fall into the wrong hands. You an also leverage products from McAfee, 
> Symantec, and CheckPoint. YMMV.
> >
> >
> > To use Bitlocker "properly" in a major organization your best bet is 
> > to
> use smart cards. The hefty requirements for TPM-enabled devices and 
> smart cards for optimal security and ease-of-use can be daunting to most.
> >
> >
> > -Mike Cramer
> >
> >
> > Sent from Windows Mail
> >
> >
> >
> >
> >
> > From: Not EcksKaySeeDee
> > Sent: Friday, May 30, 2014 14:42
> > To: Michael Cramer
> > Cc: Justin Bull, fulldisclosure@...lists.org
> >
> >
> >
> >
> >
> > May 30, 2014
> >
> >
> >
> > Greetings,
> >
> >
> >
> >
> > New subscriber to FD here. I've been in systems/networking, and by
> default dealt with security and encryption issues/topics, but not at 
> the depth that most(?) of the folks on FD have. So I have a few 
> questions &
> thoughts:
> >
> >
> >
> >
> > 1. Where do we go from here? What do you, as the experts, suggest 
> > for
> people like me who are in IT, but not dedicated security pros, and 
> especially for average users who are now increasing their security 
> awareness in a post-Snowden world?
> >
> >
> >
> >
> >
> > 2. Does anyone else on this list actively use TC, and if so, what 
> > are
> your plans now?
> >
> >
> >
> >
> > I am wary of the whole "use Bitlocker" suggestion because: A) it's
> closed code, and B) it's Microsoft. Not that I hate Microsoft, it's 
> just that I don't know if/when they will roll over whenever the g-men 
> show up and demand keys to the backdoors (if any).
> >
> >
> >
> >
> > Of-course, open source is not perfect either, but, so the reasoning,
> goes, you have the "many eyes" argument in support of it. This begs 
> another question (apologies), how many eyes are actually actively and 
> consistently reviewing/auditing open source code?
> >
> >
> >
> >
> > As far as I am aware (correct me if I'm wrong), there isn't a single
> neutral group or entity staffed by people whose sole purpose is to 
> audit critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe 
> there is a need for such a group of people? Of-course the counter will 
> be, who is going to pay/feed/clothe these people to spend 24x7 
> auditing it? I wouldn't trust the big corporations again because of 
> their influence and possible ties to the g-men and/or willingness to 
> roll-over when the legal paperwork starts to fly.
> >
> >
> > And now for some reason, I'm reminded of Descartes First Meditation:
> discarding belief in all things that are not certain (apologies to any 
> philosophy majors or lovers out there). All of the trust/faith we put 
> into people and companies (open and closed source) to produce this 
> s/ware that we build our lives on, how can we be sure that they are no 
> cracks in our foundations?
> >
> >
> >
> >
> > Anyhow.
> >
> >
> >
> >
> > Cheers,
> >
> > not xkcd.
> >
> >
> >
> >
> >
> >
> >
> >
> > On Thu, May 29, 2014 at 6:13 PM, Mike Cramer 
> > <mike.cramer@...look.com>
> wrote:
> >
> > I think it's more important to have rational discussions. This isn't 
> > the
> first time Microsoft has been 'rumored' to have backdoors in Windows 
> for the US Government. These rumors have been perpetuated for years. 
> While I don't know how long you've been in the industry, it's 
> something I recall even being 14 years old and sitting on IRC and having
people discuss.
> >
> >
> >
> > The reality now, just as then, is that these are unsubstantiated.
> >
> >
> >
> > A more apt description about the cooperation between the US 
> > Government
> and Microsoft I think falls back onto our old pals "Alice and Bob". 
> I'm sure you may recall these names from any sort of discussion about PKI.
> >
> >
> >
> > What people seem to forget in all of these discussions is that 
> > Microsoft
> is Bob. (Microsoft Bob? :P)
> >
> >
> >
> > No amount of encryption, protection, secret keying is going to 
> > protect
> you when one party is going to hand over the information to 3rd 
> parties to review.
> >
> >
> >
> > Based on my Alice and Bob comment above, it's reasonable to assume 
> > that
> the encryption itself is 100% fine, so as long as you believe that Bob 
> will never divulge the information you've disclosed.
> >
> >
> >
> > Through all of these discussions surrounding Bitlocker across 
> > multiple
> forums nobody has brought up the fact that Bitlocker in Windows 8 
> allows you to store recovery key information in OneDrive/"The Cloud". 
> Why bother writing in backdoors to the software when the keys are 
> readily available with a warrant?
> >
> >
> >
> > There are a million and one ways to get access to the information 
> > and
> the absolutely most difficult, most costly, and most potentially 
> damaging is the one people are jumping to first.
> >
> >
> >
> > If it were ever revealed that Microsoft purposefully weakened its
> encryption systems to allow the NSA access to any Windows device, then 
> it would be the end of the organization. They're just not that dumb.
> >
> >
> >
> > Mike
> >
> >
> >
> > From: Justin Bull [mailto:me@...tinbull.ca]
> > Sent: Thursday, May 29, 2014 18:02
> > To: Mike Cramer
> > Cc: fulldisclosure@...lists.org; secuip
> > Subject: RE: [FD] TrueCrypt?
> >
> >
> >
> > Closed source and Microsoft is notoriously known to play ball with 
> > LEO
> and government. It's an ill-fitting shoe.
> >
> > Sent from mobile.
> >
> > On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@...look.com <mailto:
> mike.cramer@...look.com> > wrote:
> >
> > What is careless about recommending Bitlocker?
> >
> > -----Original Message-----
> > From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org
> <mailto:fulldisclosure-bounces@...lists.org> ] On Behalf Of Justin 
> Bull
> > Sent: Thursday, May 29, 2014 17:18
> > To: secuip
> > Cc: fulldisclosure@...lists.org <mailto:fulldisclosure@...lists.org>
> > Subject: Re: [FD] TrueCrypt?
> >
> > But why go out in that style? Why not be frank? Why be so careless 
> > as to
> recommend BitLocker?
> >
> > The diff was meticulous but the website and comms were not. It 
> > doesn't
> add up.
> >
> > Sent from mobile.
> > On May 29, 2014 5:13 PM, "secuip" <root@...uip.fr 
> > <mailto:root@...uip.fr>
> > wrote:
> >
> >> http://krebsonsecurity.com/2014/05/true-goodbye-using-
> >> truecrypt-is-not-secure/comment-page-1/#comment-255908
> >>
> >>
> >> Le 29/05/2014 22:51, uname -a a écrit :
> >>
> >>> There are several strange behaviors.
> >>>
> >>> Sitesource is not clean. Just a html that say take now Bitlocker 
> >>> or other built-in tools of your OS !?
> >>>
> >>> New Keys got added to SF 3h before release of 7.2 happened.
> >>>
> >>> On SF the old versions got removed. For older Versions you've to 
> >>> download them elsewhere (there are several sources available).
> >>>
> >>> Encryption, Help and all traces to truecrypt.org 
> >>> <http://truecrypt.org>
>  got removed in the
> >>> Programsource.
> >>>
> >>> No explanation for this anywhere. Just speculations.
> >>>
> >>> Truecrypt isn't available on the webarchive!
> >>>
> >>> The Wiki got editet massively.
> >>>
> >>>
> >>>
> >>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
> >>>
> >>>> I'm surprised I haven't seen any discussion about the recent 
> >>>> issues with TrueCrypt.  Links to current discussions follow.
> >>>>
> >>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
> >>>> truecrypt_is_dead/
> >>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
> >>>> truecrypt_development_has_ended_052814/
> >>>>
> >>>> Thank you,
> >>>>
> >>>> Anthony Fontanez
> >>>> PC Systems Administrator
> >>>> Client Services - College of Liberal Arts Information & 
> >>>> Technology Services, Enterprise Support Rochester Institute of 
> >>>> Technology
> >>>> LBR-A290
> >>>> 585-475-2208 <tel:585-475-2208>  (office) ajfrcc@....edu 
> >>>> <mailto:ajfrcc@....edu> <mailto:ajfrcc@....edu
> <mailto:ajfrcc@....edu> >
> >>>>
> >>>> Submit a request via email: servicedesk@....edu <mailto:
> servicedesk@....edu> <mailto:ser <mailto:ser>
> >>>> vicedesk@....edu <mailto:vicedesk@....edu> > Check the status of 
> >>>> an
> active request:
> >>>> footprints.rit.edu <http://footprints.rit.edu> <https://
> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
> >>>> account and computers: start.rit.edu <http://start.rit.edu> <
> https://start.
> >>>> rit.edu/ <http://rit.edu/> >
> >>>>
> >>>> CONFIDENTIALITY NOTE: The information transmitted, including 
> >>>> attachments, is intended only for the person(s) or entity to 
> >>>> which it is addressed and may contain confidential and/or 
> >>>> privileged material. Any review, retransmission, dissemination or 
> >>>> other use of, or taking of any action in reliance upon this 
> >>>> information by persons or entities other than the intended 
> >>>> recipient is prohibited. If you received this in error, please 
> >>>> contact the sender and destroy any
> copies of this information.
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Sent through the Full Disclosure mailing list 
> >>>> http://nmap.org/mailman/listinfo/fulldisclosure
> >>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>>>
> >>>>  _______________________________________________
> >>> Sent through the Full Disclosure mailing list 
> >>> http://nmap.org/mailman/listinfo/fulldisclosure
> >>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>>
> >>
> >>
> >> _______________________________________________
> >> Sent through the Full Disclosure mailing list 
> >> http://nmap.org/mailman/listinfo/fulldisclosure
> >> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list 
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list 
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list 
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ