SoylentNews is people
SoylentNews
The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.
The original authors of TrueCrypt, who have remained anonymous, abruptly shut down the project in May 2014 warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature that's available in certain versions of Windows.
At that time a crowd-funded effort was already underway to perform a professional security audit of TrueCrypt's source code and its cryptography implementations. The first phase, which analyzed the TrueCrypt driver and other critical parts of the code, had already been completed when TrueCrypt was discontinued. The auditors found no high-severity issues or evidence of intentional backdoors in the program.
It's impossible to tell if the new flaws discovered by Forshaw were introduced intentionally or not, but they do show that despite professional code audits, serious bugs can remain undiscovered
(Score: 5, Informative) by frojack on Wednesday September 30 2015, @06:22PM
First, I understand its Windows Only problem.
Second, This is not a compromise of the TrueCrypt encryption!
This is just a a bug in the Windows TrueCrypt driver. The bug allows an account on an already running and "decrypted" system to achieve elevated credentials. So if YOU don't do that, your data is quite safe, as long as your turn your computer off when you are not using it. (suspend to ram is a no no, as it has always been).
The VeraCrypt project, based on truecrypt has already fixed these vulnerabilities.
https://github.com/veracrypt/VeraCrypt/commit/b7f9df6e4f09ba342fdbbadc63af5062cc57eaf2 [github.com]
https://github.com/veracrypt/VeraCrypt/commit/9b24da3398581da1fa66c6b8f682bbcfa7ded4fd [github.com]
You should be using VeraCrypt instead. http://sourceforge.net/projects/veracrypt/ [sourceforge.net]
No, you are mistaken. I've always had this sig.
(Score: 2, Funny) by Runaway1956 on Wednesday September 30 2015, @06:31PM
Looks like Frojack wins the internet today. Snopes should be offering you a job soon.
(Score: -1, Redundant) by Anonymous Coward on Wednesday September 30 2015, @06:53PM
Straight up. That comment has everything you need to know in one shot.
(Score: 4, Funny) by Anonymous Coward on Wednesday September 30 2015, @07:34PM
However, it leaves very little room to inject comments about NSA, Snowden, derogatory comments about "the sheeple", remarkably un-insightful comments regarding bread and circuses from people who think they are being insightful. In short, it removes the need for 95% of the obligatory comments we need in every story, so perhaps his comment was a bit too effective.
(Score: 1, Funny) by Anonymous Coward on Wednesday September 30 2015, @07:47PM
wait. are you paid by the government to lead people into shutting up about the government? i mean... who else would say such nasty things about our insightful views into the conspiracy to generate a sheeple of illiterate oblivious corporate minions?
(Score: 2) by http on Thursday October 01 2015, @04:08AM
Bingo, sir.
I browse at -1 when I have mod points. It's unsettling.
(Score: 2, Touché) by Marand on Wednesday September 30 2015, @07:50PM
However, it leaves very little room to inject comments about NSA, Snowden, derogatory comments about "the sheeple", remarkably un-insightful comments regarding bread and circuses from people who think they are being insightful. In short, it removes the need for 95% of the obligatory comments we need in every story, so perhaps his comment was a bit too effective.
That's okay, because it's a Windows bug. That means we can still make snarky remarks about "M$" and criticise people for using "Windoze" while pointing out that if people used $preferred_os_of_poster everything would be 100% safe, no bugs would ever happen again, and their computers would start ejecting gold coins out of the dvd drives (for any old-timers that still have them)
Or, more likely, people will just not read frojack's post and still inject the NSA/etc. comments anyway. :)
(Score: 2) by dyingtolive on Wednesday September 30 2015, @09:30PM
This just in: SNOWDEN AND AHMED MELTED STEEL BEAMS WITH BREAD AND CIRCUSES UNDER THE INFLUENCE OF GAMEMAKER ON ORDER FROM NSA! 9/11 CONFIRMED!
I think that covers most of the rest.
Don't blame me, I voted for moose wang!
(Score: 0) by Anonymous Coward on Thursday October 01 2015, @06:33AM
What about MyCleanPC?
(Score: 2) by aristarchus on Wednesday September 30 2015, @10:16PM
perhaps his comment was a bit too effective.
That's our frojack! Winning the internet and killing SoylentNews!
(Score: 0) by Anonymous Coward on Thursday October 01 2015, @06:39AM
Well, there is a reason people say those things. When you have hordes of people who don't care about or even support unconstitutional mass surveillance, what other conclusions can you draw? They are simply ignorant fools.
(Score: 0) by Anonymous Coward on Wednesday September 30 2015, @09:46PM
... warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature ...
First, I understand its Windows Only problem.
Of course it's a Windows only issue. They told us that when they recommended using BitLocker.
(Score: 5, Interesting) by FakeBeldin on Wednesday September 30 2015, @10:20PM
The interesting questions revolve around the audit [istruecryptauditedyet.com]:
- Should this have been caught in the audit?
yes, the paid-for source audit specifically included looking for "Windows kernel driver ... elevation of privilege".
report [opencryptoaudit.org], pg. 10.
- Why wasn't it?
It's clear that not everything will be caught in a time/money/person-limited audit. Nevertheless, finding bugs that ought to have been caught places the rest of the audit's findings in doubt.
:s
(Score: 0) by Anonymous Coward on Thursday October 01 2015, @02:16AM
You say you can't find every flaw, then you say that this ought to have been caught. Well, first it was caught, which is why we're having a story about it. But why do you say this one should have been caught with 100% certainty over any other one?
(Score: 3, Insightful) by FakeBeldin on Friday October 02 2015, @11:55AM
I'm not saying this should have been caught with 100% certainty.
I am saying that since they specifically claimed to be looking for this type of bug in the windows driver. There was exactly such a bug in exactly the place they looked for it, and they didn't find it. We should take the rest of their findings with a larger dose of salt than expected.
We paid someone to look into things, they said "we can't see everything, we're only looking at these very specific parts for these very specific bugs", and then later we find that they didn't spot exactly such a bug in exactly one of the parts they claimed to look at.
It's like someone in the Independence Day movie saying "we're looking for signs of alien activity" and not noticing the city-sized flying saucers over his head.
(Score: 0) by Anonymous Coward on Thursday October 01 2015, @12:43AM