[opensuse] Something fishy at Truecrypt

I've been a truecrypt user for years, so this is worrying:

http://www.theregister.co.uk/2014/05/28/truecrypt_hack

No one seems to know what is going on. For now I will make sure not to download truecrypt and I suggest the same to all here.

Greg
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

Hello,

On Thu, 29 May 2014, Greg Freemyer wrote:
> I've been a truecrypt user for years, so this is worrying:
> http://www.theregister.co.uk/2014/05/28/truecrypt_hack
> No one seems to know what is going on. For now I will make sure not to download truecrypt and I suggest the same to all here.

Speculations go to e.g. that TC got an NSL and this is their form of a "canary" warning for their users. (I'm translating http://blog.fefe.de/?ts=ad75a806 there)

<quote> Another sign was:

WARNING: Using TrueCrypt is *n*ot *s*ecure *a*s it may contain unfixed security issues </quote> (bolded by fefe, "starred" by me to reflect that)

7.1x and before should be safe to keep using.

Disclaimer: I never used TC.

HTH, -dnh
--
If human beings don't keep exercising their lips, he thought, their mouths probably seize up. After a few months' consideration and observation he abandoned this theory in favor of a new one. If they don't keep on exercising their lips, he thought, their brains start working. -- THHGTTG

On 6/1/2014 8:47 PM, David Haller wrote:
> Hello,
>
> On Thu, 29 May 2014, Greg Freemyer wrote:
> > I've been a truecrypt user for years, so this is worrying:
> > http://www.theregister.co.uk/2014/05/28/truecrypt_hack
> > No one seems to know what is going on. For now I will make sure not to download truecrypt and I suggest the same to all here.
>
> Speculations go to e.g. that TC got an NSL and this is their form of a "canary" warning for their users. (I'm translating http://blog.fefe.de/?ts=ad75a806 there)
>
> <quote> Another sign was:
>
> WARNING: Using TrueCrypt is *n*ot *s*ecure *a*s it may contain unfixed security issues </quote> (bolded by fefe, "starred" by me to reflect that)
>
> 7.1x and before should be safe to keep using.
>
> Disclaimer: I never used TC.
>
> HTH, -dnh

An NSA letter really doesn't make sense. An NSA letter directs you to hand over information about a client. (And keep quiet).

But Truecrypt is open source. The developers have no idea WHO their users are, and they have no access to their users' disk drives.

There is nothing for them to hand over.

We don't actually know who the true developers of Truecrypt are, although Wiki has a running commentary on the history of Truecrypt, and it appears its history may have started with a theft of code.

--
_____________________________________
---This space for rent---

On Mon, Jun 2, 2014 at 7:33 AM, John Andersen <jsamyth@gmail.com> wrote:
> An NSA letter really doesn't make sense. An NSA letter directs you to hand over information about a client. (And keep quiet).
>
> But Truecrypt is open source. The developers have no idea WHO their users are, and they have no access to their users' disk drives.
>
> There is nothing for them to hand over.

You're attributing technical know-how to people who may or may not have any.

You're assuming that access to the published code is what they'd want (which doesn't make sense in an open source project) vs access to the signing keys (which does make sense since that in theory allows changes to the source to be made and signed... and slipped in barring any code audits of course).

In the end though... it's all speculation since no one here really knows what happened - and those that do aren't saying anything.

C.
--
openSUSE 13.1 x86_64, KDE 4.13

I don't believe that there is any instance of the NSA making a successful demand for private signing keys. They may have tried, but in the only case I recall, they immediately backed off when the subject took them to court. The legislation does not authorize this.

On June 1, 2014 11:03:32 PM PDT, C <smaug42@opensuse.org> wrote:
> On Mon, Jun 2, 2014 at 7:33 AM, John Andersen <jsamyth@gmail.com> wrote:
> > An NSA letter really doesn't make sense. An NSA letter directs you to hand over information about a client. (And keep quiet).
> >
> > But Truecrypt is open source. The developers have no idea WHO their users are, and they have no access to their users' disk drives.
> >
> > There is nothing for them to hand over.
>
> You're attributing technical know-how to people who may or may not have any.
>
> You're assuming that access to the published code is what they'd want (which doesn't make sense in an open source project) vs access to the signing keys (which does make sense since that in theory allows changes to the source to be made and signed... and slipped in barring any code audits of course)
>
> In the end though... it's all speculation since no one here really knows what happened - and those that do aren't saying anything.
>
> C.
> --
> openSUSE 13.1 x86_64, KDE 4.13

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
participants (4)
- C
- David Haller
- Greg Freemyer
- John Andersen