planetdoc, 05-28-2014, 07:44 PM
Truecrypt may be compromised

Those who visit TrueCrypt's SourceForge page will get this warning:
Quote:
WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues
A FOSS project shutters itself and, rather than linking to a fork or posting tarballs of a few versions' worth of source, recommends commercial alternatives. Suspicious.

They recommend migrating to BitLocker... an encryption platform by Microsoft that the feds asked for a backdoor in. Suspicious.

Some users believe the program was compromised due to a national security letter, or it may be a break-in. Many things don't add up, including the fact that TrueCrypt re-issued all of its keys only 4 hours before releasing the new version, 7.2. On top of this, they say they have stopped development because WinXP support has ended... which doesn't add up at all. Even those who audited TrueCrypt found out suddenly today about the changes and shutdown of the TrueCrypt project.

At this point it is not recommended to use the new version 7.2.

#16 DaveNull, 05-29-2014, 12:28 PM
Quote:
Originally Posted by planetdoc
2. Although software that they host is open source, most people do not check MD5 checksums of the software that they download, few check that the available executable matches one compiled independently, and few have the capability to audit the millions of lines of code of each version.
If you're using TrueCrypt you'd better.

This sure does seem odd. I've advised my team to stick with their existing versions and to wait until the dust settles.
#17 htismaqe, 05-29-2014, 12:36 PM
Quote:
Originally Posted by DaveNull
If you're using TrueCrypt you'd better.

This sure does seem odd. I've advised my team to stick with their existing versions and to wait until the dust settles.
If you're using Open Source software of any kind, you should be checking MD5 checksums.

It's not unique to security software like TrueCrypt.

MD5 hashing offers integrity "peace of mind" just beyond the security implication, for example downloading router firmware. A corrupted firmware image = a bricked router. If you're not verifying the checksum, you're just asking for trouble.
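Verifying a download against a published checksum listing, as an added example that is not code from this thread or from the TrueCrypt project: it streams the file through hashlib, parses `md5sum`/`sha256sum`-style lines, and reports each file as intact, corrupted (mismatch) or missing, with a constructed sample directory standing in for a real download. One caveat worth keeping in mind: a checksum fetched from the same server as the installer catches corruption, not substitution; for authenticity the checksum listing itself has to be signed.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash large installers/firmware images without reading them whole into memory

def file_digest(path, algo="sha256"):
    """Hex digest of a file, streamed in chunks; algo is any hashlib name (md5, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse md5sum/sha256sum output: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second separator space or the '*' binary marker
        entries[name] = digest.lower()
    return entries

def verify_files(directory, sums_text, algo="sha256"):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in the sums listing."""
    results = {}
    for name, expected in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        # compare_digest is a constant-time comparison; cheap, and a good habit for any secret or digest
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact download, one with a flipped byte, one absent."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.bin"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "corrupt.bin"), "wb") as f:
            f.write(b"abd")  # one byte off, as a garbled transfer would leave it
        # SHA-256 of b"abc"; the listing is constructed, not a real project's sums file
        sha_abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        sums = f"{sha_abc}  good.bin\n{sha_abc} *corrupt.bin\n{sha_abc}  missing.bin\n"
        return verify_files(d, sums, "sha256")

if __name__ == "__main__":
    print(demo())
```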
#18 DaveNull, 05-29-2014, 01:32 PM
I'm not always on Windows, but when I am I really like the HashCheck Shell Extension.
#19 htismaqe, 05-29-2014, 01:41 PM
I don't ever use Windows anymore but when I did I used winMd5Sum Portable.
#20 planetdoc, 05-29-2014, 04:11 PM
MD5 checksum is great to verify an already compiled executable. It's not as great for verifying code that you compile yourself, since that will vary depending on the hardware and software used to compile. That has been a longstanding problem with TrueCrypt until recently (source doesn't perfectly match pre-compiled executable).

Those who argue that people should simply audit the source themselves to verify authenticity are either ignorant or being obtuse. Auditing cryptographic software (and its implementation) is just too complex for a single user.

An example of this is the Underhanded C Contest, whose point is to get malicious code past a rigorous inspection.

#21 Saulbadguy, 05-29-2014, 08:09 PM
Quote:
Originally Posted by KC native
The NSA can break any encryption that they want. It doesn't matter what you use.
lol, nope.
#22 scorpio, 05-29-2014, 10:09 PM
Some of the armchair bullshit in this thread is hilarious.
#23 htismaqe, 05-30-2014, 07:10 AM
Quote:
Originally Posted by planetdoc
MD5 checksum is great to verify an already compiled executable. It's not as great for verifying code that you compile yourself, since that will vary depending on the hardware and software used to compile. That has been a longstanding problem with TrueCrypt until recently (source doesn't perfectly match pre-compiled executable).

Those who argue that people should simply audit the source themselves to verify authenticity are either ignorant or being obtuse. Auditing cryptographic software (and its implementation) is just too complex for a single user.

An example of this is the Underhanded C Contest, whose point is to get malicious code past a rigorous inspection.
Then don't use open source software.

Your stance on this, and multiple threads, seems to border on total paranoia rather than anything even remotely practical.

What would your proposed solution be?
#24 planetdoc, 05-30-2014, 12:06 PM
Quote:
Originally Posted by htismaqe
Then don't use open source software.
With open source software at least people have the opportunity to audit code, which one does not have with closed source software. Using closed source software requires trust.

Quote:
Originally Posted by htismaqe
Your stance on this, and multiple threads, seems to border on total paranoia rather than anything even remotely practical.
Please clarify.

My stance on TrueCrypt is that it may be compromised. That is not paranoia.

What you suggest (that people should independently audit code for each version) is not practical.

Quote:
Originally Posted by htismaqe
What would your proposed solution be?
Proposed solution to TrueCrypt possibly being compromised?

The audit of TrueCrypt has already been paid for, and stage 1 has been completed. It's worthwhile to see what vulnerabilities are found after a complete audit of version 7.1a.

Auditors need to implement a warrant canary in case they receive an NSL to prevent them from disclosing vulnerabilities in 7.1a.

If TrueCrypt is found to be vulnerable, then the project should be forked and patched. Until more information is known, users should investigate alternatives.

#25 htismaqe, 05-30-2014, 12:41 PM
Quote:
Originally Posted by planetdoc
With open source software at least people have the opportunity to audit code, which one does not have with closed source software. Using closed source software requires trust.
So then what's your point? This whole conversation has essentially been you suggesting that there's no way to truly secure the open source software space.

My counter to that was that it's inherently better than closed-source software because it's open to peer review.

Now you're parroting precisely what I said previously.

Quote:
Originally Posted by planetdoc
My stance on TrueCrypt is that it may be compromised. That is not paranoia.

What you suggest (that people should independently audit code for each version) is not practical.
Then what is practical? You have already demonstrated a lack of trust in closed-source software, particularly encryption solutions.

Other than "stop using TrueCrypt" what would be your suggestion for people that need that functionality?

Quote:
Originally Posted by planetdoc
Proposed solution to TrueCrypt possibly being compromised?

The audit of TrueCrypt has already been paid for, and stage 1 has been completed. It's worthwhile to see what vulnerabilities are found after a complete audit of version 7.1a.

Auditors need to implement a warrant canary in case they receive an NSL to prevent them from disclosing vulnerabilities in 7.1a.

If TrueCrypt is found to be vulnerable, then the project should be forked and patched. Until more information is known, users should investigate alternatives.
Now we're getting somewhere.
#26 DaveNull, 05-30-2014, 12:43 PM
Truecrypt is such a good standard that shifting will be very painful.
#27 htismaqe, 05-30-2014, 12:50 PM
Quote:
Originally Posted by DaveNull
Truecrypt is such a good standard that shifting will be very painful.
Yeah, it's one of those pieces of software that is kind of hard to just replace with something else...
#28 DaveNull, 05-30-2014, 12:54 PM
It's also rolled into some of the tactical collection drives that I use.
#29 planetdoc, 05-30-2014, 01:07 PM
Quote:
Originally Posted by htismaqe
So then what's your point?
Beware, TrueCrypt may be compromised. See the OP.

Quote:
Originally Posted by htismaqe
This whole conversation has essentially been you suggesting that there's no way to truly secure the open source software space.
Then you are not paying attention. I am saying that it's impractical for an individual to audit code. It requires the watchful eyes of a community.

Quote:
Originally Posted by htismaqe
My counter to that was that it's inherently better than closed-source software because it's open to peer review.

Now you're parroting precisely what I said previously.
That's not what you said. You said people should look at MD5 checksums and audit code themselves... and not doing that is lazy. That's obtuse.

Quote:
Originally Posted by htismaqe
Then what is practical?

Other than "stop using TrueCrypt" what would be your suggestion for people that need that functionality?
1. For those who are using TrueCrypt currently, do not migrate to version 7.2 and remain on 7.1a until more information is known.

2. Understand your threat level. TrueCrypt is likely still secure enough for those who are not being pursued by a nation state. Those using TrueCrypt should always fully shut down their computer and not use suspended animation such as hibernate. Use best security practices.

3. Consider migrating to a Linux variant OS if one has not already done so.

4. Any highly sensitive data should be air-gapped, and likely on read-only media (run from a live CD).

#30 planetdoc, 05-30-2014, 01:12 PM
http://truecrypt.ch/
https://www.grc.com/misc/truecrypt/truecrypt.htm