[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] TrueCrypt?

For the most part I rely on Bitlocker for all of my encryption needs. The goal 
isn’t to prevent super secret shadowy organizations from accessing my data, but 
to prevent data being obtained from my devices in the event of theft or being 
lost.
Because I travel a lot, I would willingly enter crypto passwords into my 
devices when crossing the border.

I ultimately know that if my devices are stolen or lost, that I have as much 
time as I want until I need to change any passwords. It is this peace of mind 
that I’m looking for. Not to prevent the NSA from accessing my photo library.


I used to use TC until Bitlocker became standard. I leveraged it quite often, 
and still occasionally used it when cross platform needs were required.



To address your other concerns, you have to understand that the “super secret 
uber NSA backdoors in Windows products” has been told time and time again for 
decades. I feel ashamed that the “Information Security” community is fretting 
over such things, especially given that the US Government is the largest buyer 
of Information Security products and services. They use Windows pretty 
extensively across all ranges of the DOD and Microsoft isn’t providing them 
different binaries than anyone else. They do work together for hardening 
procedures, but the Windows that the DOD uses for its systems is the same 
Windows that you will find in the stores.


To suggest that the NSA would ask Microsoft and other vendors to introduced 
intentional backdoors into their products is to severely underestimate the 
people that work for those agencies that work on the US’ critical 
infrastructure. They’re just not that stupid. Some of the best and brightest 
minds in the world have consulted for or worked with the NSA, and I’m guessing 
this includes revered 
security researchers and open source developers that some would be surprised 
that may be approached by the US Government.

I think the whole “many eyes” thing has now been debunked--repeatedly. “Many 
eyes” is another way for people to not assume responsibility for ensuring the 
integrity of their products and services. “If other people use it, someone else 
must have audited it, or else it would not be in such wide use everywhere! It 
must be good!” OpenSSL‘s Heartbleed incident has proven this to be absolutely 
far from the truth. In addition, I know it can be a bit more challenging to 
find flaws in unmaintainable code, but the Debian OpenSSL bug 
(http://www.debian.org/security/2008/dsa-1571) was inexcusable. The issue was 
merely commented out code on a commit that sat around for 2 years. It wasn’t 
even intended to be an underhanded change.

The good news is that the OSS community is now starting to enter another age of 
maturity. It will be interesting to see where everything falls into place. The 
Linux Foundation has announced they will be performing a full code audit on 
“critical” applications such as OpenSSL, NTP, and 
OpenSSH(http://gigaom.com/2014/05/29/openssl-security-project-gets-some-much-needed-funding/).
 This is fantastic news all around and has long been needed considering Linux 
is used in a very wide range of products and services.


As far as closed source versus open source, this is the type of thing that will 
ultimately bring out “religious” arguments. There was a time when closed source 
solutions were terrible. And many closed solutions may still be terrible. But 
on some of the larger products, for example, Windows--the people that work on 
that are highly paid and many are highly skilled in their craft. Microsoft 
hired some of the best engineers in the industry to develop the platforms that 
Windows still uses today, such as NTFS.


Linux has had some massive changes to its underlying infrastructure. Since I’ve 
been using Linux we’ve gone from ext2 to ext3 to ext4. We’ve gone from 
“dependency hell” to having reliable package managers. They are just now moving 
away from SYSVINIT in greater fashion after realizing that asynchronous daemon 
startup and other daemon management features are required for modern computing.


Microsoft has had many of these features for coming up on 2 decades, so they’ve 
gotten great mileage out of the decisions they made as a closed source solution 
because they can simply say “make it so” without much larger debates and 
committees.


Ultimately, what you choose to use is up to you. I use what serves my needs, 
and I use what serves the needs of the organizations for which I work.


Bitlocker and Truecrypt aren’t the ONLY FDE and removable media platforms that 
are out there. While TC offered incredible portability of the data (since it 
was all file containers that could be moved between platforms easily), as far 
as encryption itself goes, Bitlocker should provide the same level of security 
as TC for when your devices fall into the wrong hands. You an also leverage 
products from McAfee, Symantec, and CheckPoint. YMMV.


To use Bitlocker “properly” in a major organization your best bet is to use 
smart cards. The hefty requirements for TPM-enabled devices and smart cards for 
optimal security and ease-of-use can be daunting to most.


-Mike Cramer


Sent from Windows Mail





From: Not EcksKaySeeDee
Sent: ‎Friday‎, ‎May‎ ‎30‎, ‎2014 ‎14‎:‎42
To: Michael Cramer
Cc: Justin Bull, fulldisclosure@xxxxxxxxxxxx





May 30, 2014



Greetings,




New subscriber to FD here. I've been in systems/networking, and by default 
dealt with security and encryption issues/topics, but not at the depth that 
most(?) of the folks on FD have. So I have a few questions & thoughts:




1. Where do we go from here? What do you, as the experts, suggest for people 
like me who are in IT, but not dedicated security pros, and especially for 
average users who are now increasing their security awareness in a post-Snowden 
world?





2. Does anyone else on this list actively use TC, and if so, what are your 
plans now?




I am wary of the whole "use Bitlocker" suggestion because: A) it's closed code, 
and B) it's Microsoft. Not that I hate Microsoft, it's just that I don't know 
if/when they will roll over whenever the g-men show up and demand keys to the 
backdoors (if any). 




Of-course, open source is not perfect either, but, so the reasoning, goes, you 
have the "many eyes" argument in support of it. This begs another question 
(apologies), how many eyes are actually actively and consistently 
reviewing/auditing open source code? 




As far as I am aware (correct me if I'm wrong), there isn't a single neutral 
group or entity staffed by people whose sole purpose is to audit critical 
source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a need for 
such a group of people? Of-course the counter will be, who is going to 
pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't trust the 
big corporations again because of their influence and possible ties to the 
g-men and/or willingness to roll-over when the legal paperwork starts to fly.


And now for some reason, I'm reminded of Descartes First Meditation: discarding 
belief in all things that are not certain (apologies to any philosophy majors 
or lovers out there). All of the trust/faith we put into people and companies 
(open and closed source) to produce this s/ware that we build our lives on, how 
can we be sure that they are no cracks in our foundations?




Anyhow.




Cheers,

not xkcd.








On Thu, May 29, 2014 at 6:13 PM, Mike Cramer <mike.cramer@xxxxxxxxxxx> wrote:

I think it’s more important to have rational discussions. This isn’t the first 
time Microsoft has been ‘rumored’ to have backdoors in Windows for the US 
Government. These rumors have been perpetuated for years. While I don’t know 
how long you’ve been in the industry, it’s something I recall even being 14 
years old and sitting on IRC and having people discuss.



The reality now, just as then, is that these are unsubstantiated.



A more apt description about the cooperation between the US Government and 
Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure you 
may recall these names from any sort of discussion about PKI.



What people seem to forget in all of these discussions is that Microsoft is 
Bob. (Microsoft Bob? :P)



No amount of encryption, protection, secret keying is going to protect you when 
one party is going to hand over the information to 3rd parties to review.



Based on my Alice and Bob comment above, it’s reasonable to assume that the 
encryption itself is 100% fine, so as long as you believe that Bob will never 
divulge the information you’ve disclosed.



Through all of these discussions surrounding Bitlocker across multiple forums 
nobody has brought up the fact that Bitlocker in Windows 8 allows you to store 
recovery key information in OneDrive/”The Cloud”. Why bother writing in 
backdoors to the software when the keys are readily available with a warrant?



There are a million and one ways to get access to the information and the 
absolutely most difficult, most costly, and most potentially damaging is the 
one people are jumping to first.



If it were ever revealed that Microsoft purposefully weakened its encryption 
systems to allow the NSA access to any Windows device, then it would be the end 
of the organization. They’re just not that dumb.



Mike



From: Justin Bull [mailto:me@xxxxxxxxxxxxx]
Sent: Thursday, May 29, 2014 18:02
To: Mike Cramer
Cc: fulldisclosure@xxxxxxxxxxxx; secuip
Subject: RE: [FD] TrueCrypt?



Closed source and Microsoft is notoriously known to play ball with LEO and 
government. It's an ill-fitting shoe.

Sent from mobile.

On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@xxxxxxxxxxx 
<mailto:mike.cramer@xxxxxxxxxxx> > wrote:

What is careless about recommending Bitlocker?

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx 
<mailto:fulldisclosure-bounces@xxxxxxxxxxxx> ] On Behalf Of Justin Bull
Sent: Thursday, May 29, 2014 17:18
To: secuip
Cc: fulldisclosure@xxxxxxxxxxxx <mailto:fulldisclosure@xxxxxxxxxxxx>
Subject: Re: [FD] TrueCrypt?

But why go out in that style? Why not be frank? Why be so careless as to 
recommend BitLocker?

The diff was meticulous but the website and comms were not. It doesn't add up.

Sent from mobile.
On May 29, 2014 5:13 PM, "secuip" <root@xxxxxxxxx <mailto:root@xxxxxxxxx> > 
wrote:

> http://krebsonsecurity.com/2014/05/true-goodbye-using-
> truecrypt-is-not-secure/comment-page-1/#comment-255908
>
>
> Le 29/05/2014 22:51, uname -a a écrit :
>
>> There are several strange behaviors.
>>
>> Sitesource is not clean. Just a html that say take now Bitlocker or
>> other built-in tools of your OS !?
>>
>> New Keys got added to SF 3h before release of 7.2 happened.
>>
>> On SF the old versions got removed. For older Versions you've to
>> download them elsewhere (there are several sources available).
>>
>> Encryption, Help and all traces to truecrypt.org <http://truecrypt.org>  got 
>> removed in the
>> Programsource.
>>
>> No explanation for this anywhere. Just speculations.
>>
>> Truecrypt isn't available on the webarchive!
>>
>> The Wiki got editet massively.
>>
>>
>>
>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>
>>> I'm surprised I haven't seen any discussion about the recent issues
>>> with TrueCrypt.  Links to current discussions follow.
>>>
>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>> truecrypt_is_dead/
>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>> truecrypt_development_has_ended_052814/
>>>
>>> Thank you,
>>>
>>> Anthony Fontanez
>>> PC Systems Administrator
>>> Client Services - College of Liberal Arts Information & Technology
>>> Services, Enterprise Support Rochester Institute of Technology
>>> LBR-A290
>>> 585-475-2208 <tel:585-475-2208>  (office)
>>> ajfrcc@xxxxxxx <mailto:ajfrcc@xxxxxxx> <mailto:ajfrcc@xxxxxxx 
>>> <mailto:ajfrcc@xxxxxxx> >
>>>
>>> Submit a request via email: servicedesk@xxxxxxx 
>>> <mailto:servicedesk@xxxxxxx> <mailto:ser <mailto:ser>
>>> vicedesk@xxxxxxx <mailto:vicedesk@xxxxxxx> > Check the status of an active 
>>> request:
>>> footprints.rit.edu <http://footprints.rit.edu> <https:// 
>>> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
>>> account and computers: start.rit.edu <http://start.rit.edu> <https://start.
>>> rit.edu/ <http://rit.edu/> >
>>>
>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>> attachments, is intended only for the person(s) or entity to which
>>> it is addressed and may contain confidential and/or privileged
>>> material. Any review, retransmission, dissemination or other use of,
>>> or taking of any action in reliance upon this information by persons
>>> or entities other than the intended recipient is prohibited. If you
>>> received this in error, please contact the sender and destroy any copies of 
>>> this information.
>>>
>>>
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>>  _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list 
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/