05-28-2014, 08:44 PM
planetdoc
Truecrypt may be compromised

Those who visit TrueCrypt's SourceForge page will get this warning:
Quote:
WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues
A FOSS project shutters itself and, rather than linking to a fork or posting tarballs of a few versions' worth of source, recommends commercial alternatives. Suspicious.

They recommend migrating to BitLocker... an encryption platform by Microsoft that the feds asked for a backdoor. Suspicious.

Some users believe the program was compromised due to a national security letter, or it may be a break-in. Many things don't add up, including the fact that TrueCrypt re-issued all of its keys only 4 hours before releasing the new version, 7.2. On top of this - they say they have stopped development because WinXP support has ended... which doesn't add up at all. Even those who audited TrueCrypt found out suddenly today about the changes and shutdown of the TrueCrypt project.

At this point it is not recommended to use the new version 7.2.

Last edited by planetdoc; 05-28-2014 at 11:08 PM..

05-28-2014, 08:51 PM   #2
KC native
The NSA can break any encryption that they want. It doesn't matter what you use.

05-28-2014, 09:00 PM   #3
planetdoc
Quote:
Originally Posted by KC native
The NSA can break any encryption that they want. It doesn't matter what you use.
No, they can't. They might be able to gain access to some systems via side channel attacks, but they rarely break strong encryption. The fundamental math behind encryption holds up even under theoretical quantum mechanics.

TrueCrypt uses AES 256,

Quote:
Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. 50 supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.
http://www.eetimes.com/document.asp?doc_id=1279619

05-28-2014, 09:24 PM   #4
planetdoc
SourceForge forced a password reset last week citing "changes to how we're storing user passwords."

SourceForge may be compromised as well.

05-28-2014, 09:34 PM   #5
KC native
Quote:
Originally Posted by planetdoc
No, they can't. They might be able to gain access to some systems via side channel attacks, but they rarely break strong encryption. The fundamental math behind encryption holds up even under theoretical quantum mechanics.

TrueCrypt uses AES 256,


http://www.eetimes.com/document.asp?doc_id=1279619
They have back doors to just about everything. If they want the information, they will get it.

05-28-2014, 10:29 PM   #6
planetdoc
Quote:
Originally Posted by KC native
They have back doors to just about everything. If they want the information, they will get it.
That may be, but TrueCrypt 7.1a was independently audited recently and no backdoors were found (though that alone may not be definitive).

That being said, backdoors are different from what you said earlier which is clearly false

Quote:
Originally Posted by KC native
The NSA can break any encryption that they want. It doesn't matter what you use.

05-28-2014, 10:32 PM   #7
Ragged Robin
The HeartBleed exploit was the biggest eye opener in like decades. Everything uses SSL/https and hackers could pull any data from memory at will with it and yet it was only discovered a couple months ago.

http://heartbleed.com/

05-29-2014, 12:03 AM   #8
unlurking
Quote:
Originally Posted by Ragged Robin
The HeartBleed exploit was the biggest eye opener in like decades. Everything uses SSL/https and hackers could pull any data from memory at will with it and yet it was only discovered a couple months ago.

http://heartbleed.com/
Heartbleed + WiFi attack! Fun!

http://www.slideshare.net/lgrangeia/...leed-35236317#

05-29-2014, 12:08 AM   #9
unlurking
There are several suspicious details to this. May 22 sourceforge required a password reset. Recommended bitlocker is ONLY available on Win7 Ultimate and Enterprise (not home or pro), and only available on Win8 Pro and Enterprise (not rt or home).

I'm leaning towards hacked or warrant canary.

05-29-2014, 08:10 AM   #10
htismaqe
Quote:
Originally Posted by planetdoc
SourceForge forced a password reset last week citing "changes to how we're storing user passwords."

SourceForge may be compromised as well.
And? If you're publishing software on SourceForge, it's all open source, so it can be reviewed by anyone without the need for your personal account information.

Nothing in my Sourceforge account tells them anything about me.

And if you're using the same password for multiple online services, that's pretty freaking dumb.

So I ask again, why does it matter if Sourceforge has been compromised?

05-29-2014, 08:17 AM   #11
planetdoc
Quote:
Originally Posted by htismaqe
So I ask again, why does it matter if Sourceforge has been compromised?
1. It can allow a 3rd party to take over a project and push out malicious code.

2. Although software that they host is open source, most people do not check MD5 checksums of the software that they download, few check that the available executable matches one compiled independently, and few have the capability to audit the millions of lines of code of each version.

Thus, when the chain of trust is potentially broken (such as when SourceForge has been compromised), then any software hosted from the site becomes potentially suspect and should be viewed with suspicion.

Last edited by planetdoc; 05-29-2014 at 08:43 AM..

05-29-2014, 09:40 AM   #12
htismaqe
Quote:
Originally Posted by planetdoc
1. It can allow a 3rd party to take over a project and push out malicious code.
All projects on SourceForge are open source and the source code can be reviewed by anyone at any time. Malicious code would have to be exposed right out in the open.

Quote:
Originally Posted by planetdoc
2. Although software that they host is open source, most people do not check MD5 checksums of the software that they download, few check that the available executable matches one compiled independently, and few have the capability to audit the millions of lines of code of each version.
Not checking MD5 checksums is a user problem and question of sheer laziness. I have very little sympathy for people that don't follow standard procedure.

Quote:
Originally Posted by planetdoc
Thus, when the chain of trust is potentially broken (such as when SourceForge has been compromised), then any software hosted from the site becomes potentially suspect and should be viewed with suspicion.
All software, from all sources, should be viewed with suspicion. Even legitimate software sources like Oracle and Google occasionally try to slip stuff into their installers that the average user doesn't want or need.

As a source of open source software, SourceForge gives the user the ability to inspect the actual code and make informed decisions all on their own. If the users aren't doing that, shame on them.
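
Added example, not written by any poster in this thread: the checksum exchange in posts #11 and #12 turns on where the expected digest comes from. This sketch compares a checksum file served beside the download with a digest pinned from a channel the host does not control; the file name, the byte strings and the "listing" layout are constructed for illustration.

```python
import hashlib
import hmac

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()

def matches(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(digest(data, algo), expected_hex.strip().lower())

def parse_checksum_file(text: str) -> dict:
    """Parse 'HEX  filename' lines (md5sum/sha256sum layout) into {filename: hex}."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[1].lstrip("*").strip()] = parts[0].lower()
    return out

# Constructed sample data: a release as the developer built it, and the bytes
# served under the same name by a host whose project account was taken over.
GENUINE = b"installer bytes as built by the developer"
TAMPERED = b"installer bytes with an extra payload added"
NAME = "setup-1.0.exe"  # hypothetical file name

# Assumption: the user recorded this digest earlier from a channel the host
# does not control (for example a signed release announcement).
PINNED_SHA256 = digest(GENUINE)

def host_listing(served: bytes) -> dict:
    """What a download page offers: the file plus a checksum file beside it.
    Whoever controls the page controls both, so the two always agree."""
    return {"file": served, "sums": f"{digest(served, 'md5')}  {NAME}\n"}

def check_download(listing: dict) -> dict:
    """Return the verdict of each verification strategy for one download."""
    same_origin = parse_checksum_file(listing["sums"])[NAME]
    return {
        "same_origin_md5": matches(listing["file"], same_origin, "md5"),
        "pinned_sha256": matches(listing["file"], PINNED_SHA256),
    }

if __name__ == "__main__":
    print("genuine :", check_download(host_listing(GENUINE)))
    print("tampered:", check_download(host_listing(TAMPERED)))
```

The same-origin check passes for both files, so it only detects accidental corruption; the pinned digest is the one that fails on the tampered file.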

05-29-2014, 01:10 PM   #13
unlurking
Quote:
Originally Posted by htismaqe
And? If you're publishing software on SourceForge, it's all open source, so it can be reviewed by anyone without the need for your personal account information.

Nothing in my Sourceforge account tells them anything about me.

And if you're using the same password for multiple online services, that's pretty freaking dumb.

So I ask again, why does it matter if Sourceforge has been compromised?
I think initially the concern was that someone (not the devs) was able to delete the archive and release new versions. Especially since the website was simply redirected to the sourceforge page. Just seemed like an odd coincidence at the time.

05-29-2014, 01:14 PM   #14
Mr. Laz
glad i'm still using the old version

05-29-2014, 01:26 PM   #15
DaveNull
Quote:
Originally Posted by Ragged Robin
The HeartBleed exploit was the biggest eye opener in like decades. Everything uses SSL/https and hackers could pull any data from memory at will with it and yet it was only discovered a couple months ago.

http://heartbleed.com/
That's a little bit of an overstatement.