[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] TrueCrypt?

To: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] TrueCrypt?
From: uname -a <sec.list@xxxxxxx>
Date: Fri, 30 May 2014 22:02:35 +0200

Really?
https://blog.0xbadc0de.be/archives/155


Am 30.05.2014 17:21, schrieb Michael Cramer:
> On a technicality,
> 
> There has never been a demonstration of a vulnerability in Dual_EC_DRBG. 
> There are only allegations based on ties to the NSA.
> 
> -Mike
> 
> Sent from my iPhone
> 
>> On May 30, 2014, at 11:09, "Chris Schmidt" 
>> <chris.schmidt@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Regarding your final statement here, I seem to recall it being reported a
>> little company called RSA allowed NSA backdooring and I¹m pretty sure they
>> are far from Out-Of-Business. Claiming that giants like MS would go out of
>> business if it got out that they were working with the NSA is completely
>> naïve. 
>>
>>> On 5/29/14, 4:13 PM, "Mike Cramer" <mike.cramer@xxxxxxxxxxx> wrote:
>>>
>>> I think it¹s more important to have rational discussions. This isn¹t the
>>> first time Microsoft has been Œrumored¹ to have backdoors in Windows for
>>> the US Government. These rumors have been perpetuated for years. While I
>>> don¹t know how long you¹ve been in the industry, it¹s something I recall
>>> even being 14 years old and sitting on IRC and having people discuss.
>>>
>>>
>>>
>>> The reality now, just as then, is that these are unsubstantiated.
>>>
>>>
>>>
>>> A more apt description about the cooperation between the US Government
>>> and Microsoft I think falls back onto our old pals ³Alice and Bob². I¹m
>>> sure you may recall these names from any sort of discussion about PKI.
>>>
>>>
>>>
>>> What people seem to forget in all of these discussions is that Microsoft
>>> is Bob. (Microsoft Bob? :P)
>>>
>>>
>>>
>>> No amount of encryption, protection, secret keying is going to protect
>>> you when one party is going to hand over the information to 3rd parties
>>> to review.
>>>
>>>
>>>
>>> Based on my Alice and Bob comment above, it¹s reasonable to assume that
>>> the encryption itself is 100% fine, so as long as you believe that Bob
>>> will never divulge the information you¹ve disclosed.
>>>
>>>
>>>
>>> Through all of these discussions surrounding Bitlocker across multiple
>>> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
>>> you to store recovery key information in OneDrive/²The Cloud². Why bother
>>> writing in backdoors to the software when the keys are readily available
>>> with a warrant?
>>>
>>>
>>>
>>> There are a million and one ways to get access to the information and the
>>> absolutely most difficult, most costly, and most potentially damaging is
>>> the one people are jumping to first.
>>>
>>>
>>>
>>> If it were ever revealed that Microsoft purposefully weakened its
>>> encryption systems to allow the NSA access to any Windows device, then it
>>> would be the end of the organization. They¹re just not that dumb.
>>>
>>>
>>>
>>> Mike
>>>
>>>
>>>
>>> From: Justin Bull [mailto:me@xxxxxxxxxxxxx]
>>> Sent: Thursday, May 29, 2014 18:02
>>> To: Mike Cramer
>>> Cc: fulldisclosure@xxxxxxxxxxxx; secuip
>>> Subject: RE: [FD] TrueCrypt?
>>>
>>>
>>>
>>> Closed source and Microsoft is notoriously known to play ball with LEO
>>> and government. It's an ill-fitting shoe.
>>>
>>> Sent from mobile. 
>>>
>>> On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cramer@xxxxxxxxxxx
>>> <mailto:mike.cramer@xxxxxxxxxxx> > wrote:
>>>
>>> What is careless about recommending Bitlocker?
>>>
>>> -----Original Message-----
>>> From: Fulldisclosure [mailto:fulldisclosure-bounces@xxxxxxxxxxxx
>>> <mailto:fulldisclosure-bounces@xxxxxxxxxxxx> ] On Behalf Of Justin Bull
>>> Sent: Thursday, May 29, 2014 17:18
>>> To: secuip
>>> Cc: fulldisclosure@xxxxxxxxxxxx <mailto:fulldisclosure@xxxxxxxxxxxx>
>>> Subject: Re: [FD] TrueCrypt?
>>>
>>> But why go out in that style? Why not be frank? Why be so careless as to
>>> recommend BitLocker?
>>>
>>> The diff was meticulous but the website and comms were not. It doesn't
>>> add up.
>>>
>>> Sent from mobile.
>>> On May 29, 2014 5:13 PM, "secuip" <root@xxxxxxxxx <mailto:root@xxxxxxxxx>
>>>> wrote:
>>>
>>>> http://krebsonsecurity.com/2014/05/true-goodbye-using-
>>>> truecrypt-is-not-secure/comment-page-1/#comment-255908
>>>>
>>>>
>>>> Le 29/05/2014 22:51, uname -a a écrit :
>>>>
>>>>> There are several strange behaviors.
>>>>>
>>>>> Sitesource is not clean. Just a html that say take now Bitlocker or
>>>>> other built-in tools of your OS !?
>>>>>
>>>>> New Keys got added to SF 3h before release of 7.2 happened.
>>>>>
>>>>> On SF the old versions got removed. For older Versions you've to
>>>>> download them elsewhere (there are several sources available).
>>>>>
>>>>> Encryption, Help and all traces to truecrypt.org
>>>>> <http://truecrypt.org>  got removed in the
>>>>> Programsource.
>>>>>
>>>>> No explanation for this anywhere. Just speculations.
>>>>>
>>>>> Truecrypt isn't available on the webarchive!
>>>>>
>>>>> The Wiki got editet massively.
>>>>>
>>>>>
>>>>>
>>>>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>>>>
>>>>>> I'm surprised I haven't seen any discussion about the recent issues
>>>>>> with TrueCrypt.  Links to current discussions follow.
>>>>>>
>>>>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>>>>> truecrypt_is_dead/
>>>>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>>>>> truecrypt_development_has_ended_052814/
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Anthony Fontanez
>>>>>> PC Systems Administrator
>>>>>> Client Services - College of Liberal Arts Information & Technology
>>>>>> Services, Enterprise Support Rochester Institute of Technology
>>>>>> LBR-A290
>>>>>> 585-475-2208 <tel:585-475-2208>  (office)
>>>>>> ajfrcc@xxxxxxx <mailto:ajfrcc@xxxxxxx> <mailto:ajfrcc@xxxxxxx
>>>>>> <mailto:ajfrcc@xxxxxxx> >
>>>>>>
>>>>>> Submit a request via email: servicedesk@xxxxxxx
>>>>>> <mailto:servicedesk@xxxxxxx> <mailto:ser <mailto:ser>
>>>>>> vicedesk@xxxxxxx <mailto:vicedesk@xxxxxxx> > Check the status of an
>>>>>> active request:
>>>>>> footprints.rit.edu <http://footprints.rit.edu> <https://
>>>>>> footprints.rit.edu/ <http://footprints.rit.edu/> > Manage your RIT
>>>>>> account and computers: start.rit.edu <http://start.rit.edu>
>>>>>> <https://start.
>>>>>> rit.edu/ <http://rit.edu/> >
>>>>>>
>>>>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>>>>> attachments, is intended only for the person(s) or entity to which
>>>>>> it is addressed and may contain confidential and/or privileged
>>>>>> material. Any review, retransmission, dissemination or other use of,
>>>>>> or taking of any action in reliance upon this information by persons
>>>>>> or entities other than the intended recipient is prohibited. If you
>>>>>> received this in error, please contact the sender and destroy any
>>>>>> copies of this information.
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Sent through the Full Disclosure mailing list
>>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>>>
>>>>>> _______________________________________________
>>>>> Sent through the Full Disclosure mailing list
>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>>
>>>>
>>>> _______________________________________________
>>>> Sent through the Full Disclosure mailing list
>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>>
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] TrueCrypt?
  - From: Jeffrey Walton

References:
- [FD] TrueCrypt?
  - From: Anthony Fontanez
- Re: [FD] TrueCrypt?
  - From: uname -a
- Re: [FD] TrueCrypt?
  - From: secuip
- Re: [FD] TrueCrypt?
  - From: Justin Bull
- Re: [FD] TrueCrypt?
  - From: Justin Bull
- Re: [FD] TrueCrypt?
  - From: Mike Cramer
- Re: [FD] TrueCrypt?
  - From: Chris Schmidt
- Re: [FD] TrueCrypt?
  - From: Michael Cramer

Prev by Date: Re: [FD] TrueCrypt?
Next by Date: Re: [FD] TrueCrypt 7.1 repos on GitHub - forking starting point
Previous by thread: Re: [FD] TrueCrypt?
Next by thread: Re: [FD] TrueCrypt?
Index(es):
- Date
- Thread