Re: [FD] TrueCrypt?
- To: "'Justin Bull'" <me@xxxxxxxxxxxxx>
- Subject: Re: [FD] TrueCrypt?
- From: Mike Cramer <mike.cramer@xxxxxxxxxxx>
- Date: Thu, 29 May 2014 18:13:12 -0400
I think it’s more important to have rational discussions. This isn’t the first
time Microsoft has been ‘rumored’ to have backdoors in Windows for the US
Government. These rumors have been perpetuated for years. While I don’t know
how long you’ve been in the industry, it’s something I recall even being 14
years old and sitting on IRC and having people discuss.

The reality now, just as then, is that these are unsubstantiated.

A more apt description about the cooperation between the US Government and
Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure you
may recall these names from any sort of discussion about PKI.

What people seem to forget in all of these discussions is that Microsoft is
Bob. (Microsoft Bob? :P)

No amount of encryption, protection, secret keying is going to protect you when
one party is going to hand over the information to 3rd parties to review.

Based on my Alice and Bob comment above, it’s reasonable to assume that the
encryption itself is 100% fine, so as long as you believe that Bob will never
divulge the information you’ve disclosed.

Through all of these discussions surrounding Bitlocker across multiple forums
nobody has brought up the fact that Bitlocker in Windows 8 allows you to store
recovery key information in OneDrive/”The Cloud”. Why bother writing in
backdoors to the software when the keys are readily available with a warrant?

There are a million and one ways to get access to the information and the
absolutely most difficult, most costly, and most potentially damaging is the
one people are jumping to first.

If it were ever revealed that Microsoft purposefully weakened its encryption
systems to allow the NSA access to any Windows device, then it would be the end
of the organization. They’re just not that dumb.

Mike

From: Justin Bull [mailto:me@xxxxxxxxxxxxx]
Sent: Thursday, May 29, 2014 18:02
To: Mike Cramer
Cc: fulldisclosure@xxxxxxxxxxxx; secuip
Subject: RE: [FD] TrueCrypt?
Closed source and Microsoft is notoriously known to play ball with LEO and
government. It's an ill-fitting shoe.
Sent from mobile.
On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@xxxxxxxxxxx> wrote:
What is careless about recommending Bitlocker?
-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx] On Behalf Of Justin Bull
Sent: Thursday, May 29, 2014 17:18
To: secuip
Cc: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] TrueCrypt?
But why go out in that style? Why not be frank? Why be so careless as to
recommend BitLocker?
The diff was meticulous but the website and comms were not. It doesn't add up.
Sent from mobile.
On May 29, 2014 5:13 PM, "secuip" <root@xxxxxxxxx> wrote:
> http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908
>
>
> On 29/05/2014 22:51, uname -a wrote:
>
>> There are several strange behaviors.
>>
>> The site source is not clean. Just an HTML page that says to take BitLocker
>> now or other built-in tools of your OS!?
>>
>> New Keys got added to SF 3h before release of 7.2 happened.
>>
>> On SF the old versions got removed. For older Versions you've to
>> download them elsewhere (there are several sources available).
>>
>> Encryption, Help and all traces to truecrypt.org got removed in the
>> program source.
>>
>> No explanation for this anywhere. Just speculations.
>>
>> Truecrypt isn't available on the webarchive!
>>
>> The Wiki got edited massively.
>>
>>
>>
>> On 29.05.2014 04:21, Anthony Fontanez wrote:
>>
>>> I'm surprised I haven't seen any discussion about the recent issues
>>> with TrueCrypt. Links to current discussions follow.
>>>
>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/
>>>
>>> Thank you,
>>>
>>> Anthony Fontanez
>>> PC Systems Administrator
>>> Client Services - College of Liberal Arts Information & Technology
>>> Services, Enterprise Support Rochester Institute of Technology
>>> LBR-A290
>>> 585-475-2208 (office)
>>> ajfrcc@xxxxxxx
>>>
>>> Submit a request via email: servicedesk@xxxxxxx
>>> Check the status of an active request: footprints.rit.edu <https://footprints.rit.edu/>
>>> Manage your RIT account and computers: start.rit.edu <https://start.rit.edu/>
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/