On a technicality, there has never been a demonstration of a vulnerability in Dual_EC_DRBG. There are only allegations based on ties to the NSA.
-Mike

Sent from my iPhone

> On May 30, 2014, at 11:09, "Chris Schmidt" <[email protected]> wrote:
>
> Regarding your final statement here, I seem to recall it being reported a
> little company called RSA allowed NSA backdooring and I'm pretty sure they
> are far from Out-Of-Business. Claiming that giants like MS would go out of
> business if it got out that they were working with the NSA is completely
> naïve.
>
>> On 5/29/14, 4:13 PM, "Mike Cramer" <[email protected]> wrote:
>>
>> I think it's more important to have rational discussions. This isn't the
>> first time Microsoft has been 'rumored' to have backdoors in Windows for
>> the US Government. These rumors have been perpetuated for years. While I
>> don't know how long you've been in the industry, it's something I recall
>> even being 14 years old and sitting on IRC and having people discuss.
>>
>> The reality now, just as then, is that these are unsubstantiated.
>>
>> A more apt description about the cooperation between the US Government
>> and Microsoft I think falls back onto our old pals "Alice and Bob". I'm
>> sure you may recall these names from any sort of discussion about PKI.
>>
>> What people seem to forget in all of these discussions is that Microsoft
>> is Bob. (Microsoft Bob? :P)
>>
>> No amount of encryption, protection, secret keying is going to protect
>> you when one party is going to hand over the information to 3rd parties
>> to review.
>>
>> Based on my Alice and Bob comment above, it's reasonable to assume that
>> the encryption itself is 100% fine, so as long as you believe that Bob
>> will never divulge the information you've disclosed.
>>
>> Through all of these discussions surrounding Bitlocker across multiple
>> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
>> you to store recovery key information in OneDrive/"The Cloud".
>> Why bother writing in backdoors to the software when the keys are readily
>> available with a warrant?
>>
>> There are a million and one ways to get access to the information and the
>> absolutely most difficult, most costly, and most potentially damaging is
>> the one people are jumping to first.
>>
>> If it were ever revealed that Microsoft purposefully weakened its
>> encryption systems to allow the NSA access to any Windows device, then it
>> would be the end of the organization. They're just not that dumb.
>>
>> Mike
>>
>> From: Justin Bull [mailto:[email protected]]
>> Sent: Thursday, May 29, 2014 18:02
>> To: Mike Cramer
>> Cc: [email protected]; secuip
>> Subject: RE: [FD] TrueCrypt?
>>
>> Closed source and Microsoft is notoriously known to play ball with LEO
>> and government. It's an ill-fitting shoe.
>>
>> Sent from mobile.
>>
>> On May 29, 2014 5:47 PM, "Mike Cramer" <[email protected]> wrote:
>>
>> What is careless about recommending Bitlocker?
>>
>> -----Original Message-----
>> From: Fulldisclosure [mailto:[email protected]] On Behalf Of Justin Bull
>> Sent: Thursday, May 29, 2014 17:18
>> To: secuip
>> Cc: [email protected]
>> Subject: Re: [FD] TrueCrypt?
>>
>> But why go out in that style? Why not be frank? Why be so careless as to
>> recommend BitLocker?
>>
>> The diff was meticulous but the website and comms were not. It doesn't
>> add up.
>>
>> Sent from mobile.
>> On May 29, 2014 5:13 PM, "secuip" <[email protected]> wrote:
>>
>>> http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908
>>>
>>> On 29/05/2014 22:51, uname -a wrote:
>>>
>>>> There are several strange behaviors.
>>>>
>>>> Sitesource is not clean. Just HTML that says take Bitlocker now or
>>>> other built-in tools of your OS!?
>>>>
>>>> New Keys got added to SF 3h before release of 7.2 happened.
>>>>
>>>> On SF the old versions got removed. For older Versions you've to
>>>> download them elsewhere (there are several sources available).
>>>>
>>>> Encryption, Help and all traces to truecrypt.org got removed in the
>>>> Programsource.
>>>>
>>>> No explanation for this anywhere. Just speculations.
>>>>
>>>> Truecrypt isn't available on the webarchive!
>>>>
>>>> The Wiki got edited massively.
>>>>
>>>> On 29.05.2014 04:21, Anthony Fontanez wrote:
>>>>
>>>>> I'm surprised I haven't seen any discussion about the recent issues
>>>>> with TrueCrypt. Links to current discussions follow.
>>>>>
>>>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
>>>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/
>>>>>
>>>>> Thank you,
>>>>>
>>>>> Anthony Fontanez
>>>>> PC Systems Administrator
>>>>> Client Services - College of Liberal Arts Information & Technology
>>>>> Services, Enterprise Support Rochester Institute of Technology
>>>>> LBR-A290
>>>>> 585-475-2208 (office)
>>>>>
>>>>> _______________________________________________
>>>>> Sent through the Full Disclosure mailing list
>>>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
