lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Jun 2014 12:09:57 +0100
From: Dave Howe <davehowe.pentesting@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] TrueCrypt?

On 30/05/2014 14:40, Philip Cheong wrote:
> So a good friend of mine explained...
>
> *"...to suspect a "National Security Letter" from the FBI is just stupid.
It is indeed stupid, but not for that reason.

The issue we have with the current TC builds is that they are not
reproducible.

The source code is available online, and is in the process of being
audited, but there is no guarantee the installer almost all the users
have installed TC with contained code actually built from that source.

The audit therefore would be a red herring; should the NSA (or FBI, or
some other agency) build their own installer binary with a backdoor in
it, and demand both the signing key used by the TC guys to sign their
uploads, and the upload credentials for the website itself, there would
be no trace of that (they would of course need to also provide some
reason for the changes, but usefully, something as simple as increasing
the number of iterations for the password hash for new containers would
justify that)

Assuming that was true, then the result wouldn't be what we see today;
the changes represent a significant number of hours of work, and I can't
imagine a NSL giving that sort of breathing space between the demand for
keys and either a backdoored update or the changes we see.

The idea that the original author(s) has/have simply thrown in the
towel, taken their ball and gone home makes more sense - the post here:

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908

Pretty much matches my opinion on the matter - having a group get a $45K
cash pool in order to critique ten years of your freely-given hard work
(but not provide any actual help) has got to sting a bit, and this could
well be the response.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists