
SoylentNews is people

posted by LaminatorX on Tuesday June 17 2014, @10:30AM
from the Paging-Dan-Brown dept.

In an update to the speculation that TrueCrypt development was officially discontinued as a response to efforts by US intelligence agencies to compromise the project, the TrueCrypt web site seems to contain a secret message warning potential users of NSA interference in the integrity of the software. The apparent message, "Don't use TrueCrypt because it is under the control of the NSA" is read as an acrostic in Latin, contained in the message announcing developer cessation of the project on SourceForge. Two independent analytical exercises, conducted independently, arrive at the same conclusion. User "Badon" at the Live Business Chat message board has a detailed exegesis including screenshots and footnotes.

[EDITOR'S NOTE: I have cross-checked this on some Latin-specific sites, and the consensus seems to be that it is nonsensical from a perspective of proper Latin grammar and syntax. However, Google Translation does reproduce these results. I can certainly believe that a warning might have been composed using G.T. rather than by consulting a classicist. --ED]

 
  • (Score: 0) by Anonymous Coward on Wednesday June 18 2014, @06:08PM (#57061)

    Someone else noted the initials in Schneider's comments section, and was mostly ignored at the time.

    But what kind of warning is this? To carry any weight we'd need at least a single detail as to how past versions were compromised. If those versions are actually okay, the poster did everyone a disservice by being so unclear, canary pressures notwithstanding. The whole thing's tarred with uncertainty.

  • (Score: 2) by Yog-Yogguth (1862) on Monday June 30 2014, @02:52PM (#61953)

    I'm out of my mind replying to ancient AC post given my circumstances but here goes lol and it's Schneier not Schneider, easy mistake :)

    If someone wants to verify their own findings then telling invalidates independent verification.

    If someone asks for help in investigations then demonstrably some things have to be independently verified to be believed and telling will only trigger unreasonable ridicule.

    Since you're talking about Schneier's comment section look at the whole audio side-channel issue and remember that elsewhere someone respected who told but was struggling to nail it down in its malware form (as in hindsight should be expected) was first and foremost labeled a fool and idiot. This is now known to be a real possibility even though it hasn't gotten all that much attention. We now have recent academic papers using ordinary off the shelf computers and mobile phones that defeat air gaps. Some say Linux is secure against it while OpenBSD isn't; I very much doubt that applies to the actual malware which likely cuts through both like air.

    As far as I know (and I'm not up to date, not even on my rss feed which explains this late comment -I'm completely overwhelmed by a deluge of information and need longer and longer breaks) nobody has nailed down the in-the-wild malware yet but I'm not sure that will be possible considering the likely source and the likely tools it employs. The computers and mobile phones don't actually control the hardware in question; instead they delegate to it, they have to, it is the whole point of the subsystem existing in the first place, it is unavoidable and I don't see anyone providing open source subsystem replacement code which would require "rooting" and replacing the independent sub-system processor hardware firmware software (yes that was meant to make sense: the software stored on and running on the sub-system processor) using software backdoors (which is obviously possible because it too has been publicly demonstrated in similar and applicable circumstances). Compare this to a virus successfully targeting and attacking the independent genome of mitochondria instead of that of the body at large.

    Someone went through a lot of effort to create this little gem, one can already say that even when not knowing the specifics of the content. As a hack it is impressive and beautiful and far above the minds and imaginations of most of us (at least that's the way I feel about it myself: I doubt I could even conceive of it on my own).

    People still doubt it all but that will always be the case.

    Anyway back to Schneier's comments section: have fun finding some weird comments that most likely allude to this "air gaps are dead" business (or much worse). I don't know if they're advanced warnings or not but a few months later it is obvious that the setup Schneier uses to remain secure is anything but: he uses TrueCrypt in combination with airgapped computers and PGP/GPG. Unless Schneier keeps his system separated in different rooms that aren't traversed by electronic devices (no carrying around of for example mobile phones within a significant radius of the room) then his setup isn't secure: thus most likely for example the seed numbers for any encryption are known, maybe much more.

    --
    Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))