A Summary of the Recent Open Source Security News

Subject: General Tech | June 1, 2014 - 01:04 AM |
Tagged: TrueCrypt, security, openssl, openssh, heartbleed

This week has been most notable for security, as previous news suggests. TrueCrypt, the popular disk and file encryption suite, lost its developers when they decided to call it quits -- right in the middle of its third-party audit. On a related note, OpenSSL is being given money and full-time developers in response to the recent Heartbleed fiasco. OpenSSH and the Network Time Protocol (NTP), with others to follow, are also being given some love.

Yes, these are two separate pieces of news that are combined into a single article.


Earlier, we reported on TrueCrypt's mysterious implosion. The developers' alleged last advice, to use closed-source solutions or whatever comes up in a random package manager search, I considered too terrible to have come from them. Seriously, from "Trust No-One" to "Trust Who Knows". It just does not seem right...

Since that article, the developers have apparently been contacted and have confirmed that the project is being shut down. That said, basically every source cites the third-party auditors, and no-one else seems to have had direct contact with the developers -- so who knows. Regardless, the audit is apparently still going on and might lead to a usable fork maintained by someone else.

As for the second piece of news -- several other libraries are getting serious security audits. The Linux Foundation has arranged for a long list of companies to commit $5.4 million, over three years, to audit and maintain these projects. OpenSSL, OpenSSH, and NTP are the first three named, but others will be included later. The budget can also increase as other companies and donors step up.

Currently, the donors are: Adobe, Amazon, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, Salesforce, and VMware. Eighteen companies, each pledging $100,000 per year for three years.

All in all, it seems like the world is on the path to righting itself, somewhat.

Source: Ars Technica

TrueCrypt Taken Offline Doesn't Pass My Smell Test

Subject: Editorial, General Tech | May 28, 2014 - 11:17 PM |
Tagged: TrueCrypt

It should not pass anyone's smell test, but it apparently does, according to tweets and other articles. Officially, the TrueCrypt website (which now redirects to their SourceForge page) claims that, with the end of Windows XP support (??), the TrueCrypt development team wants users to stop using their software. Instead, they suggest switching to BitLocker, Mac OS X's built-in encryption, or whatever random encryption suite comes up when you search your Linux distro's package manager (!?). Not only that, but several editions of Windows (such as 7 Home Premium) do not have access to BitLocker at all. Lastly, none of these are a good solution for users who want a single encrypted container that works across multiple OSes.

A new version (don't use it!!!) called TrueCrypt 7.2 was released and signed with the project's private signing key.


The developers have not denied the end of support, or its full-of-crap reason. (Seriously, because Microsoft ended Windows XP support almost two months ago, they pull support for a two-year-old version now?)

They have also not confirmed it. They have been missing since at least "the announcement" (or earlier, if they were not the ones who made it). Going missing and unreachable on the day of your supposedly gigantic resignation announcement does not support the validity of that announcement.

To me, that is about as unconfirmed as you can get.

Still, people are believing the claims that TrueCrypt 7.1a is not secure. That version has been around since February 2012 and, beyond people looking at its source code, has passed a significant portion of a third-party audit. Even if you believe the website, it only says that TrueCrypt will no longer receive security updates. It does not say that TrueCrypt 7.1a is vulnerable to any known attack.

In other words, the version that has been good enough for over two years, and several known cases of government agencies being unable to penetrate it, is probably as secure today as it was last week.

"The final version", TrueCrypt 7.2, is a decrypt-only build. It allows users to decrypt existing volumes so they can migrate to another solution, although who knows what else it does. The source code changes have been published, and they do not seem shady so far, but since we cannot even verify that the private signing key has not leaked, I wouldn't trust it. A sufficiently deep compromise could make vulnerabilities very difficult to find.
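The check a practitioner would actually run against a release like 7.2 is the one that a signature alone cannot answer: not just "does gpg say the signature is good", but "is it the same key that signed the previous, trusted release". The following is an added example, not code from TrueCrypt, its auditors or this article. It parses the machine-readable status lines that GnuPG emits with --status-fd and accepts a detached signature only when gpg reports it as good and the primary-key fingerprint matches one pinned in advance. The fingerprints and status lines below are constructed for the demonstration; the real TrueCrypt key is not reproduced here.

```python
"""Pin the signer's primary-key fingerprint when verifying a release signature.

Added example (not TrueCrypt's code). Decides from `gpg --status-fd` output whether
a detached signature is acceptable: gpg must report GOODSIG *and* the VALIDSIG
primary-key fingerprint must equal a fingerprint pinned beforehand.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "
# Status keywords that mean the signature must not be trusted, whatever else is printed.
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class SigResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # primary-key fingerprint gpg reported, if any


def parse_status(status_text: str, pinned_fpr: str) -> SigResult:
    """Evaluate gpg --status-fd output against a pinned primary-key fingerprint."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good = bad = False
    primary_fpr = None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":
            good = True
        elif keyword in FAIL_KEYWORDS:
            bad = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig-key fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo>
            #          <hash-algo> <sig-class> [<primary-key fpr>]
            # Pin the primary key: a legitimate subkey rotation still verifies,
            # a signature from some other key does not.
            primary_fpr = (fields[10] if len(fields) > 10 else fields[1]).upper()
    if bad or not good:
        return SigResult(False, "gpg did not report a good signature")
    if primary_fpr is None:
        return SigResult(False, "no VALIDSIG line; cannot tell which key signed")
    if primary_fpr != pinned:
        return SigResult(False, f"signed by {primary_fpr}, expected {pinned}", primary_fpr)
    return SigResult(True, "good signature from the pinned key", primary_fpr)


def verify_detached(sig_path: str, file_path: str, pinned_fpr: str, gpg: str = "gpg") -> SigResult:
    """Run gpg on a detached signature and feed its status output to parse_status.

    Needs gpg on PATH with the signer's public key imported; not exercised offline.
    """
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return parse_status(proc.stdout, pinned_fpr)


# --- Constructed sample data (placeholders, not the TrueCrypt key) -----------------
PINNED = "0123456789ABCDEF0123456789ABCDEF01234567"  # fingerprint that signed the trusted old release
OTHER_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"  # some other key entirely

STATUS_GOOD_PINNED = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-05-28 1401235200 0 4 0 1 10 00 "
    + PINNED,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
# Valid signature, but made by a different primary key: gpg is happy, we are not.
STATUS_GOOD_OTHER_KEY = STATUS_GOOD_PINNED.replace(PINNED, OTHER_FPR)
STATUS_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>",
])

if __name__ == "__main__":
    for name, status in [("pinned", STATUS_GOOD_PINNED), ("other", STATUS_GOOD_OTHER_KEY), ("bad", STATUS_BAD)]:
        print(name, parse_status(status, PINNED))
```

What this check can and cannot tell you is exactly the article's point: a match proves that the key which signed 7.2 is the key that signed 7.1a, not that the key is still in the developers' hands. A leaked or coerced signing key passes this check cleanly, which is why the source-code diff and the circumstances of the release matter as much as the signature.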

So what is going on? Who knows. One possibility is that they were the target of a very coordinated attack, one that completely owned them and their signing key, carried out by someone who spent a significant amount of time preparing a fake 7.2 release. Another possibility is that they were legally gagged and forced to shut down operations, but managed to negotiate a way for users to decrypt existing data with a neutered build.

One thing is for sure, if this is a GoG-style publicity stunt, I will flip a couple of tables.

We'll see. ┻━┻ ¯\_(ツ)_/¯ ┻━┻

Source: TrueCrypt