SoylentNews is people
SoylentNews
from the some-settling-of-contents-may-have-occurred dept.
According to a German researcher, Mattias Schlenker, we are to expect that the reason for TrueCrypt's recent shutdown is not a National Security Letter, but a serious security flaw in how TC container files are created on Windows.
He expects the flaw to become public within a week.
What gives this chap some credibility is that he's one of the developers of "desinfec't", a Knoppix-based live Linux that comes with several virus scanners and is distributed by well-renowned German computer magazine c't (whose mother company/publishing house, Heise, hosts the forum where he made his announcement).
Link to his original German posting: http://www.heise.de/security/news/foren/S-Re-Warum -TrueCrypt-nicht-in-Desinfec-t-enthalten-ist/forum -280432/msg-25289876/read/
See our earlier coverage: TrueCrypt Discontinued, Compromised.
(Score: 2) by edIII on Saturday May 31 2014, @02:52AM
I agree about them fixing the problem and moving on, which is why I'm so troubled that they haven't made a full disclosure about what happened. The silence is deafening over there.
Without tearing apart the code myself, which is no longer available anyways, I strongly suspect that TrueCrypt *was* using a CSPRNG from the standard primitives, despite evidence to the contrary. It's not like we have access to documentation anymore; It's been removed.
I'm not sure that is true, and I'm pretty positive that's it not. Unless you are mounting a container as read only.
Key generation is only one activity related to initialization of a container. During normal use on a container TrueCrypt needs to provide itself with large amounts of random numbers. This is especially true if you are using Blowfish as one of the chained algorithms.
Moreover, during container creation that requires an incredibly large amount of high entropy random numbers to initialize the container. How could they achieve such volume both during key creation and container operations? TRNGs are wholly incapable of doing so without expensive dedicated equipment to provide it. Commodity hardware has no choice but to rely on CSPRNGs for the volume required in modern encryption use cases. So my gut tells me that they were in fact using the standard primitives.
Another checkmark in favor of TrueCrypt is that it has survived all kinds of attacks previously in the known literature. I heard rumors that some people claimed they could detect hidden containers, but no actual papers, citations, or proof of concepts. I've not heard one single court case where the government had defeated plausible deniability of the hidden container.
What changed? I suspect that TrueCrypt containers are at risk regardless of when or if the machine was compromised. I just don't know how.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1) by fnj on Saturday May 31 2014, @06:38AM
The source is still available. Everyone who ever downloaded it potentially has kept a copy. If you really want to reference it, it is no trick at all to find a copy.