|
05-28-2014, 07:44 PM | ||
Veteran
Join Date: Apr 2012
Casino cash: $9995865
|
Truecrypt may be compromised
Those who visit Truecrypt's SourceForge page will get this warning:
Quote:
They recommend migrating to Bitlocker... an encryption platform by Microsoft that the feds asked for a backdoor in. Suspicious. Some users believe the program was compromised due to a national security letter, or it may be a break-in. Many things don't add up, including the fact that Truecrypt re-issued all of its keys only 4 hours before releasing the new version, 7.2. On top of this - they say they have stopped development because WinXP support has ended... which doesn't add up at all. Even those who audited Truecrypt found out suddenly today about the changes and shutdown of the Truecrypt project. At this point it is not recommended to use the new version 7.2.
Last edited by planetdoc; 05-28-2014 at 10:08 PM.
|
Posts: 2,174
|
05-29-2014, 12:28 PM | #16 | |
Veteran
Join Date: Nov 2011
Location: Villa Straylight
Casino cash: $9995610
|
Quote:
This sure does seem odd. I've advised my team to stick with their existing versions and to wait until the dust settles. |
|
Posts: 2,367
|
05-29-2014, 12:36 PM | #17 | |
'Tis my eye!
Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $10259900
|
Quote:
It's not unique to security software like TrueCrypt. MD5 hashing offers integrity "peace of mind" just beyond the security implication, for example downloading router firmware. A corrupted firmware image = a bricked router. If you're not verifying the checksum, you're just asking for trouble. |
|
Posts: 100,025
|
05-29-2014, 01:32 PM | #18 |
Veteran
Join Date: Nov 2011
Location: Villa Straylight
Casino cash: $9995610
|
I'm not always on Windows, but when I am I really like the HashCheck Shell Extension.
|
Posts: 2,367
|
05-29-2014, 01:41 PM | #19 |
'Tis my eye!
Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $10259900
|
I don't ever use Windows anymore but when I did I used winMd5Sum Portable.
|
Posts: 100,025
|
05-29-2014, 04:11 PM | #20 |
Veteran
Join Date: Apr 2012
Casino cash: $9995865
|
MD5 checksum is great to verify an already compiled executable. It's not as great for verifying code that you compile yourself, since that will vary depending on the hardware and software used to compile. That has been a longstanding problem with Truecrypt until recently (source doesn't perfectly match pre-compiled executable).
Those who argue that people should simply audit the source themselves to verify authenticity are either ignorant or being obtuse. Auditing cryptographic software (and its implementation) is just too complex for a single user. An example of this is the Underhanded C Contest, whose point is to get malicious code past a rigorous inspection.
Last edited by planetdoc; 05-29-2014 at 04:20 PM.
Posts: 2,174
|
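Added example, not part of any post in this thread: a minimal checksum verifier for the download check discussed in posts #17 and #20, reading an `md5sum`/`sha256sum`-style manifest. The file names and sample data are constructed for illustration, and the algorithm is inferred from the digest length, which is an assumption of this sketch.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}  # assumption: infer algorithm from hex length

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large installers or firmware images need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode) lines."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name and not digest.startswith("#"):
            entries[name.lstrip(" *")] = digest.lower()
    return entries

def verify(directory, manifest_text):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING' | 'BAD-DIGEST'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        algo, path = ALGO_BY_HEXLEN.get(len(expected)), Path(directory, name)
        if algo is None:
            results[name] = "BAD-DIGEST"
        elif not path.is_file():
            results[name] = "MISSING"
        else:
            ok = hmac.compare_digest(file_digest(path, algo), expected)
            results[name] = "OK" if ok else "MISMATCH"
    return results

def demo():
    """Constructed sample: manifest written, then one file altered and one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("firmware.bin", b"A" * 4096), ("setup.exe", b"B" * 4096)):
            Path(d, name).write_bytes(data)
        manifest = "".join(f"{file_digest(Path(d, n))}  {n}\n" for n in ("firmware.bin", "setup.exe"))
        manifest += "0" * 32 + " *absent.iso\n"  # binary-mode line for a file that is not present
        Path(d, "setup.exe").write_bytes(b"B" * 4095 + b"C")  # same size, one byte changed
        return verify(d, manifest)

if __name__ == "__main__":
    print(demo())
```

A digest fetched from the same server as the file detects corruption in transit but not a compromised publisher; that case needs a signature made with a key obtained independently.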
05-29-2014, 08:09 PM | #21 |
When a nightmare becomes real
Join Date: Nov 2003
Casino cash: $1216966
|
lol, nope.
__________________
http://www.goemaw.com |
Posts: 47,006
|
05-29-2014, 10:09 PM | #22 |
Veteran
Join Date: Apr 2006
Casino cash: $9448509
|
Some of the armchair bullshit in this thread is hilarious.
|
Posts: 1,131
|
05-30-2014, 07:10 AM | #23 | |
'Tis my eye!
Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $10259900
|
Quote:
Your stance on this, and multiple threads, seems to border on total paranoia rather than anything even remotely practical. What would your proposed solution be? |
|
Posts: 100,025
|
05-30-2014, 12:06 PM | #24 | |
Veteran
Join Date: Apr 2012
Casino cash: $9995865
|
With open source software at least people have the opportunity to audit code which one does not have with closed source software. Using closed source software requires trust.
Quote:
My stance on Truecrypt is that it may be compromised. That is not paranoia. What you suggest (that people should independently audit code for each version) is not practical.
Proposed solution to Truecrypt possibly being compromised? The audit of Truecrypt has already been paid for, and stage 1 has been completed. It's worthwhile to see what vulnerabilities are found after a complete audit of version 7.1a. Auditors need to implement a warrant canary in case they receive an NSL to prevent them from disclosing vulnerabilities in 7.1a. If Truecrypt is found to be vulnerable, then the project should be forked and patched. Till more information is known, users should investigate alternatives.
Last edited by planetdoc; 05-30-2014 at 12:18 PM.
|
Posts: 2,174
|
05-30-2014, 12:41 PM | #25 | |||
'Tis my eye!
Join Date: Aug 2000
Location: Chiefsplanet
Casino cash: $10259900
|
Quote:
My counter to that was that it's inherently better than closed-source software because it's open to peer review. Now you're parroting precisely what I said previously.
Quote:
Other than "stop using TrueCrypt" what would be your suggestion for people that need that functionality?
Quote:
|
|||
Posts: 100,025
|
05-30-2014, 12:43 PM | #26 |
Veteran
Join Date: Nov 2011
Location: Villa Straylight
Casino cash: $9995610
|
Truecrypt is such a good standard that shifting will be very painful.
|
Posts: 2,367
|
05-30-2014, 12:54 PM | #28 |
Veteran
Join Date: Nov 2011
Location: Villa Straylight
Casino cash: $9995610
|
It's also rolled into some of the tactical collection drives that I use.
|
Posts: 2,367
|
05-30-2014, 01:07 PM | #29 | |||
Veteran
Join Date: Apr 2012
Casino cash: $9995865
|
Beware, truecrypt may be compromised. See the OP.
Quote:
Quote:
Quote:
2. Understand your threat level. Truecrypt is likely still secure enough for those who are not being pursued by a nation state. Those using Truecrypt should always fully shut down their computer and not use suspended animation such as hibernate. Use best security practices.
3. Consider migrating to a Linux variant OS if one has not already done so.
4. Any highly sensitive data should be air-gapped, and likely on read-only media (run from a live CD).
Last edited by planetdoc; 05-30-2014 at 01:22 PM.
|||
Posts: 2,174
|