According to German researcher Mattias Schlenker, the reason for TrueCrypt's recent shutdown is probably not a National Security Letter but a serious security flaw in how TC container files are created on Windows.
He expects the flaw to become public within a week.
What gives this chap some credibility is that he's one of the developers of "Desinfec't", a Knoppix-based live Linux that comes with several virus scanners and is distributed by the renowned German computer magazine c't (whose parent company and publishing house, Heise, hosts the forum where he made his announcement).
Link to his original German posting: http://www.heise.de/security/news/foren/S-Re-Warum-TrueCrypt-nicht-in-Desinfec-t-enthalten-ist/forum-280432/msg-25289876/read/
See our earlier coverage: TrueCrypt Discontinued, Compromised.
(Score: 2) by dbot on Saturday May 31 2014, @12:03PM
Windows can't do it, so let's take our pid, and gettimeofday() and seed rand()? [6]
Both Linux[1] and Windows Vista (onward)[2] are using Fortuna[3] for their RNG. RNGs in Windows prior to Vista were vulnerable[4]. XP SP3 received a patch[5].
Even if you want to roll your own RNG, /which is a really, really bad idea/, you should at least XOR your stream with your OS's RNG. The resultant stream will be as random as the most random source, providing there is no correlation between the two sources (which itself would be hard to prove). You can see this if you take any stream and XOR it with {1}, {0}, or {01}. Using a predictable sequence does not affect the randomness of the stream.
1. https://www.schneier.com/blog/archives/2013/10/insecurities_in.html [schneier.com]
2. http://eprint.iacr.org/2014/167 [iacr.org] (pp3 in abstract)
3. http://en.wikipedia.org/wiki/Fortuna_(PRNG) [wikipedia.org]
4. http://en.wikipedia.org/wiki/Random_number_generator_attack#Windows_implementation [wikipedia.org]
5. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048438 [computerworld.com]
6. http://opensslrampage.org/post/82975103611/so-the-openssl-codebase-does-get-the-time-add-it [opensslrampage.org]
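
The XOR argument in the comment above, as an added Python example (not part of the original comment or of TrueCrypt's code). `weak_stream`, `combined_stream`, `find_seed` and `histogram_shape` are hypothetical names, and the pid/time values and search window are constructed for the demonstration.

```python
import os
import random
from collections import Counter

def weak_stream(pid: int, usec: int, n: int) -> bytes:
    """Constructed stand-in for srand(pid ^ time) + rand(): fully determined by its seed."""
    rng = random.Random((pid << 32) | usec)  # Mersenne Twister, not a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("streams must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def combined_stream(pid: int, usec: int, n: int) -> bytes:
    """Home-grown stream XORed with the OS CSPRNG, as the comment recommends."""
    return xor_bytes(weak_stream(pid, usec, n), os.urandom(n))

def find_seed(observed: bytes, pids, usecs):
    """Return (pid, usec) if the output is reproducible from a guessable seed, else None."""
    for pid in pids:
        for usec in usecs:
            if weak_stream(pid, usec, len(observed)) == observed:
                return pid, usec
    return None

def histogram_shape(data: bytes):
    """Sorted byte-frequency counts; unchanged by any one-to-one relabelling of bytes."""
    return sorted(Counter(data).values())

if __name__ == "__main__":
    pids, usecs = range(4240, 4250), range(490, 510)  # constructed search window
    alone = weak_stream(4242, 500, 16)
    mixed = combined_stream(4242, 500, 16)
    print("weak alone  ->", find_seed(alone, pids, usecs))   # seed is recovered
    print("XOR urandom ->", find_seed(mixed, pids, usecs))   # nothing matches
    sample = os.urandom(4096)
    pattern = b"\x55" * len(sample)  # the repeating {01} bit pattern
    same = histogram_shape(sample) == histogram_shape(xor_bytes(sample, pattern))
    print("histogram preserved under fixed-pattern XOR:", same)
```

The output of the seed-only generator can be regenerated by anyone who can bound the pid and the clock, while the XOR-combined output cannot, even though the predictable stream is still mixed in.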