Full Disclosure mailing list archives
Re: TrueCrypt?
From: Dave Howe <davehowe.pentesting () gmail com>
Date: Tue, 03 Jun 2014 12:09:57 +0100
On 30/05/2014 14:40, Philip Cheong wrote:
> So a good friend of mine explained... *"...to suspect a "National Security Letter" from the FBI is just stupid.

It is indeed stupid, but not for that reason. The issue we have with the current TC builds is that they are not reproducible. The source code is available online, and is in the process of being audited, but there is no guarantee that the installer almost all the users have installed TC with contains code actually built from that source. The audit therefore would be a red herring; should the NSA (or FBI, or some other agency) build their own installer binary with a backdoor in it, and demand both the signing key used by the TC guys to sign their uploads and the upload credentials for the website itself, there would be no trace of that (they would of course need to also provide some reason for the changes, but usefully, something as simple as increasing the number of iterations for the password hash for new containers would justify that).

Assuming that was true, then the result wouldn't be what we see today; the changes represent a significant number of hours of work, and I can't imagine an NSL giving that sort of breathing space between the demand for keys and either a backdoored update or the changes we see.

The idea that the original author(s) has/have simply thrown in the towel, taken their ball and gone home makes more sense - the post here:

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908

pretty much matches my opinion on the matter - having a group get a $45K cash pool in order to critique ten years of your freely-given hard work (but not provide any actual help) has got to sting a bit, and this could well be the response.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: TrueCrypt? Dave Howe (Jun 03)
- Re: TrueCrypt? Dave Warren (Jun 04)
- Re: TrueCrypt? surivaton surivaton (Jun 08)
- Re: TrueCrypt? Dave Warren (Jun 08)
- Re: TrueCrypt? surivaton surivaton (Jun 08)
- Re: TrueCrypt? Dave Warren (Jun 04)