by Mike Masnick
Thu, May 29th 2014 8:33pm
by Mike Masnick
Wed, May 28th 2014 2:54pm
from the uh... dept
However, a little while ago, TrueCrypt's SourceForge page suddenly announced that "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" and furthermore: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP."
by Mike Masnick
Wed, May 21st 2014 10:59am
Snowden Ran A Major Tor Exit Relay, Hosted CryptoParty In Hawaii While Waiting For Greenwald To Reply
from the teaching-tor-and-truecrypt dept
Perhaps more interesting is the news that he ran a Tor exit relay. The story kicks off with Snowden emailing Runa Sandvik, a key Tor developer, asking if she can send him some Tor stickers that he can pass around at work. It's long been noted that Snowden has a Tor sticker (along with an EFF sticker) on the laptop he uses, but now we know where and how he got it. But in that email, he noted that he ran a "major tor exit" relay:
In his e-mail, Snowden wrote that he personally ran one of the “major tor exits”–a 2 gbps server named “TheSignal”–and was trying to persuade some unnamed coworkers at his office to set up additional servers. He didn’t say where he worked. But he wanted to know if Sandvik could send him a stack of official Tor stickers....

Of course, some may also point out that one minor weakness in Tor is that malicious exit node operators can do some spying on users -- at least opening up the question of whether or not Snowden was running that exit relay for himself (and being good about it) or running it for the NSA.
“He said he had been talking some of the more technical guys at work into setting up some additional fast servers, and figured some swag might incentivize them to do it sooner rather than later,” Sandvik says. “I later learned that he ran more than one Tor exit relay.”
Either way, to get the stickers, Snowden gave Sandvik his real name and address, and she mentioned plans to be in Hawaii, leading to the idea of hosting a CryptoParty, which turned into reality:
Sandvik began by giving her usual Tor presentation, then Snowden stood in front of the white board and gave a 30- to 40-minute introduction to TrueCrypt, an open-source full disk encryption tool. He walked through the steps to encrypt a hard drive or a USB stick. “Then we did an impromptu joint presentation on how to set up and run a Tor relay,” Sandvik says. “He was definitely a really, really smart guy. There was nothing about Tor that he didn’t already know.”

As for the timing, Snowden apparently emailed Greenwald for the first time 11 days before the party, and was still waiting for a reply when the party happened...
“Everything ran very smoothly,” she adds. “There were no questions about how to do things or where to put the chairs. Maybe he’s just really good at organizing events.”
by Glyn Moody
Wed, Apr 16th 2014 12:11am
First Phase Of Security Audit Finds Vulnerabilities But No Backdoors In TrueCrypt Encryption Software
from the more-work-needed,-and-more-donations dept
In the wake of the serious Heartbleed flaw in OpenSSL, more people are becoming aware of how widely used and important open source encryption tools are, and how their security is too often taken for granted. Some people were already worrying about this back in September last year, when we learned that the NSA had intentionally undermined encryption by weakening standards and introducing backdoors. As Techdirt reported, that led to a call for a security audit of TrueCrypt, a very popular open source disk encryption tool. Fortunately, the Open Crypto Audit Project raised a goodly sum of money through FundFill and IndieGogo, which allowed the first phase of the audit to be funded. Here's what's now been done (pdf):
The Open Crypto Audit Project engaged iSEC Partners to review select parts of the TrueCrypt 7.1a disk encryption software. This included reviewing the bootloader and Windows kernel driver for any system backdoors as well as any other security related issues.
The good news:
iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.
However, it did still find vulnerabilities in the code it examined:
the iSEC team identified eleven (11) issues in the assessed areas. Most issues were of severity Medium (four (4) found) or Low (four (4) found), with an additional three (3) issues having severity Informational (pertaining to Defense in Depth).
Because of that, among the recommendations that iSEC made was the following:
Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.
That's an important point, and probably something that other open source projects might take to heart, too. Some have called into question whether Linus's Law -- that "all bugs are shallow, given enough eyeballs" -- is really true for free software (although Eric Raymond, author of "The Cathedral and the Bazaar", has offered a robust defense of that claim). One reason why those eyeballs may not be finding the bugs is that the code, though open, is unnecessarily hard to read.
The fact that vulnerabilities were found -- even if "all appear to be unintentional, introduced as the result of bugs rather than malice" as iSEC puts it -- is another reason why the second phase of the audit, which will look at the details of how the cryptographic functions have been implemented, is necessary. The discovery of "issues" in TrueCrypt's code also underlines why similar audits need to be conducted for all important open source security programs: if there are vulnerabilities in TrueCrypt, there are likely to be more elsewhere, perhaps much more serious. Finding them is largely a question of money, which is why companies currently free-riding on free software -- perfectly legally -- should start seriously thinking about making some voluntary contributions to help audit and improve them to prevent another Heartbleed.
by Mike Masnick
Tue, Oct 15th 2013 1:57pm
from the skepticism-is-a-good-thing dept
As Green notes, he is not suggesting that TrueCrypt is not secure, or that it's been compromised, but that in this day and age, security software needs to be properly audited -- and, if anything, hopefully the results of such an audit will be either more secure software or more confidence that TrueCrypt really is secure.
Maybe nothing at all. Rest assured if I knew of a specific problem with Truecrypt, this post would have a very different title -- something with exclamation points and curse words and much wry humor. Let me be clear: I am not implying anything like this. Not even a little.

Hopefully, the end result of this newfound skepticism towards popular security products will lead to a world in which we really are more secure, rather than one in which the NSA just has people thinking they're more secure.

The 'problem' with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don't know what to trust anymore. We have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, makes a fantastic target for subversion.
But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, 'authorship is a better predictor of quality than openness'. I would feel better if I knew who the TrueCrypt authors were.
Now please don't take this the wrong way: anonymity is not a crime. It's possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren't as revered as they are in the US. (I kid.)