[Extra Quality Cw Brute Force Terbaru Full Version
Rancul Ratha
Considering Jacob Applebaum has 1) worked on the Snowden files and 2) is involved in tails and 3) tor and 4) tails seems to have had advanced warning I am putting my hands down that this is connected.
The bitlocker backdoor, who knows. What I do know is that B.L. defaults and nudges users to do key escrow with Microsoft. Which shares information using secret warrants and possibly direct access by and with the NSA and other agencies.
The world has moved on since TC was written. TC got a lot of criticism. There were license problems, continuous problems with deterministic builds (ie, there was none), the small group of developers were justified to be paranoid.
e. It may be that TrueCrypt was ALREADY pwn3d or a product of the security apparatus and that there is a subtle and carefully coded backdoor or leakage in the implementation of the crypto. (I always think of the contest every year where folks compete to do the most nefarious things using the C language). If they are using something about the maths to leak the information, or some other careful backdoor, it would be something they will have deployed elsewhere. The strategy in that case would be to put a stop to the code audit, and how to do that? BURN TrueCrypt, and then send an army of sock puppets out to bang the drum on why it would be a waste of money to actually finish that audit.
The so called 7.2 release offered for download now is signed with the same keys as the last official one, but I have been told that it has been castrated to only allow de-crypting of exisitng TC drives and containers (allegedly for the migration to Bitlocker as outlined in the redirect page).
So someone had to have source code access, knowledge on how to castrate the features for ENcrypting, compile a version, sign it and also take down the websites truecrypt.org and .com and access to the sourceforge page (or was it created for this purpose?).
I believe the reason is this: Encryption can only be as secure as the system it is running on. Now with EOL support, exploits might be discovered which will never be fixed. This will be an entry vector to the running system forever into the future, no matter how good the encryption itself is. And of course an entry point (esp a well known that is left unfixed for forever) into the running system can will corrupt it.
I think most anyone trusted with such information has been educated well enough and would smell the rotten fish. As in sticking to their (proven) guns until there is a clearer picture and not converting on a whim.
Right now after Snowden (and doubtless too after Truecrypt), crypto applications are popping up everywhere with few people reviewing them, no way to tell if they were reviewed, and no way to know how good the people were who reviewd it.
IF there is a backdoor in TrueCrypt, this would be very important news in and of itself. Also, depending on how a backdoor is implemented, the details could be relevant to the other products out there that provide compatibility with TrueCrypt containers.
We have evidence that NSA is perfectly willing to do things that by any reasonable assessment are simply illegal, or illegal by virtue of their interpretations of the laws being unconstitutional. All bets are now off, and nobody should forget that for a moment.
If this were a breach or bad programming I would expect more detail on why this is no longer an acceptable security piece of software. How easy is it to break a TC volume? Does this mean other software that can use or create TC volume are vulnerable too? Are TC volumes vulnerable to anyone with a slide rule or does it take rooms full of GPUs (e.g. organized crime, governments, big corporations). Is this limited to TC volumes is this bug across multiple things like encfs too.
Secondly, while it would be reasonable to expect developers under threat to cancel their project, it is a different matter entirely to push users in recommendation towards any other product. The secondary action in such red flagged complicitous regard anything but synonymous with the first and especially so given the stakes. At that, not simply a recommendation but one with alarming specificity given the step by step instructions pertaining to how one would accomplish the task of encrypted data transfer from a now neutered TrueCrypt in its latest and most sudden alteration, to BitLocker. As such this is not likely the the actions of harried developers under duress but rather the manifestations of a forced takeover by these same agents of change and again, the simpler and more direct explanation.
Of course the added bonus of a compromised TrueCrypt however found manifest is that to some degree it also discredits Edward Snowden by the virtue of his now seemingly apparent revelation of misguided advocacy. A man I suspect among the legions of others also not throwing support behind BitLocker.
Interesting point coming out of this corporate entity business: Supposedly Incorp Services had credit card information and a real postal address for Ondrej Tesarik. To my mind, that makes it really likely that the NSA has known where he is and who he associates with since shortly after they decided that truecrypt was an annoyance.
Maybe that I say a silly thing. But I have on my pc TrueCrypt Setup 7.1a.exe downaloaded last year. I have downloaded its signature from -archive/. I use the signature
Key-ID: F0D6B1E0 now present in the keys.gnupg.net. I get positive signature test for the old 7.1a version and the new 7.2 version with the same Key-ID.
What a pity that and chose only to link to source repositories instead of to also freeze and upload to their own sites the files used for the audit. We might then have more visibility into the removal (takedown) process.
The simple fact is that parties such as the NSA, GCHQ, ASD etc, could simply just install a WIFI dongle into something like your monitor cable, or internally within the packaging of some component within your device while you are not home, or by intercepting an online purchase. They could also use a known exploit delivered via your wireless router or phone line to install firmware into your motherboard or GPU BIOS that gives them access to the system bus, then raw input like keystrokes and also your monityor feed. They could also fit a spy camera drilled in above anywhere you may sit with your computer/laptop.
NSA could currently be leaking disinformation to undermine use of TrueCrypt or get those with sensitive information to check or move their TrueCrypt protected data or perhaps migrate it to another solution, revealing where it is kept and also allowing an interception or sabotage operation to go ahead.
Likely faith in TrueCrypt maybe being rattled purposely by GCHQ and NSA as they are getting increasingly nervous as their arguments keep falling over and they continue to contradict themselves. Maybe they are worrying some very serious criminal behavior they conducted for quite some time is about to be revealed? Quick, discredit the messenger before everyone finds out!
TrueCrypt alternatives would be a good idea though. Cryptanalysts need to collaborate on a couple of new open source alternatives that are subject to a wide array of detailed reviews by a number of independent math and crypto collectives before each new stable release candidate is publicly recommened, or any unvetted code contributions are allowed to be added to any version at any stage of the development process.
Universities, privacy orginisations and experienced members of the public with a strong background in crypto could also conduct open public reviews of each new public release or update of crypto solutions to help ensure a set of standards is developed to rate and assess the effectiveness of each and any build version of a crypto solution. This would help to avoid ineffective home baked implementations or poisoned repositories and purposely weakened code contributions. Now that orginisations such as RSA and NIST have had serious questions rasised over their proceedures, a whole new variety of vetting processes and independent collectives is needed to ensure public and private trust in security standards.
Truecrypt imploded and I think that fact. There are a few alternatives to Truecrypt but I believe none are as usable as what Truecrypt offers. If we want to make cryptography accessible to the masses, I think the most logical next step is how to drive other alternatives a few more steps closer to the usability of Truecrypt or to form a community driven cryptography project to create some kind of Next Generation Disk and File Encryption System.
Does anyone have a reference as to what actually transpired beyond the orignal accusations? All I can find is that there was a dispute between the original author Paul Le Roux, and SecureStar, a company he at some point worked for, over the ownership of the E4M code. But by some accounts he only worked for them some years after releasing E4M, so anything derived from a version prior to that should be safe, one would imagine.
I tend to agree with his summation, that we will all still be ok to use TC v 7.1 given that it looks like:
a) the audit is going to be completed, and;
b) the Linux Foundation may be creating a true FOSS fork.
TrueCrypt is perfectly kosher, and the developers have come under government pressure to compromise it, but they have chosen to shut it down instead, and have done so in such a daft way to signal the truth.
All, pt 2: I would encourage users who already have important data encrypted with TC to not panic. Migrating your data may be what an adversary is actually trying to achieve. If you are truly concerned that TC is broken and you are using a container and not FDE, there is nothing stopping you from encrypting the existing container file with another tool, e.g. gpg in symmetric mode. We usually discourage multiple layers of encryption but this would merely be a stop gap measure.
What if the developer of TrueCrypt is on a 5 day fishing trip? And what if the NSA found that out a couple of weeks ago, knowing that during these 5 days he is not on-line, placed the story of abandoning blah blah on his site? They can do this.
795a8134c1