[FD] TrueCrypt?

2014-05-29 Thread Anthony Fontanez
I'm surprised I haven't seen any discussion about the recent issues with 
TrueCrypt.  Links to current discussions follow.

/r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
/r/netsec: 
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

Thank you,

Anthony Fontanez
PC Systems Administrator
Client Services - College of Liberal Arts
Information & Technology Services, Enterprise Support
Rochester Institute of Technology
LBR-A290
585-475-2208 (office)
ajf...@rit.edu

Submit a request via email: serviced...@rit.edu
Check the status of an active request: 
footprints.rit.edu
Manage your RIT account and computers: start.rit.edu

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is 
intended only for the person(s) or entity to which it is addressed and may 
contain confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon this 
information by persons or entities other than the intended recipient is 
prohibited. If you received this in error, please contact the sender and 
destroy any copies of this information.



___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] TrueCrypt

2014-05-29 Thread Henri Salo
Site http://truecrypt.sourceforge.net/ says "WARNING: Using TrueCrypt is not
secure as it may contain unfixed security issues" does someone have any
information about this?

---
Henri Salo




[FD] Defense in depth -- the Microsoft way (part 15): unquoted arguments in 120 (of 462) command lines

2014-05-29 Thread Stefan Kanthak
Hi @ll,

for MANY years now Microsoft's own documentation for CreateProcess*()
says:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks.

Additionally "Registering an Application to a URI Scheme" shows:

| HKEY_CLASSES_ROOT
|    alert
|       (Default) = "URL:Alert Protocol"
|       URL Protocol = ""
|       DefaultIcon
|          (Default) = "alert.exe,1"
|       shell
|          open
|             command
|                (Default) = "C:\Program Files\Alert\alert.exe" "%1"
...
| To mitigate this issue:
| * Avoid spaces, quotes, or backslashes in your URI
| * Quote the %1 in the registration ("%1" as written in the 'alert' example
|   registration)


Let's take a look at the registry of Windows 8.1 (as it comes on the DVD
available from ,
inside the \sources\install.wim):

[HKEY_CLASSES_ROOT\Application.Manifest\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\dfshim.dll\",ShOpenVerbApplication %1"

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\Applications\photoviewer.dll\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\Applications\photoviewer.dll\shell\print\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\batfile\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\batfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\CABFolder\Shell\Open\Command]
@=expand:"%SystemRoot%\\Explorer.exe /idlist,%I,%L"

[HKEY_CLASSES_ROOT\CATFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCAT %1"

[HKEY_CLASSES_ROOT\CERFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddCER %1"

[HKEY_CLASSES_ROOT\CERFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCER %1"

[HKEY_CLASSES_ROOT\CertificateStoreFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenSTR %1"

[HKEY_CLASSES_ROOT\chm.file\shell\open\command]
@=expand:"\"%SystemRoot%\\hh.exe\" %1"

[HKEY_CLASSES_ROOT\cmdfile\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\cmdfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\CompressedFolder\shell\Open\Command]
@=expand:"%SystemRoot%\\Explorer.exe /idlist,%I,%L"

[HKEY_CLASSES_ROOT\CRLFile\shell\add\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtAddCRL %1"

[HKEY_CLASSES_ROOT\CRLFile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe cryptext.dll,CryptExtOpenCRL %1"

[HKEY_CLASSES_ROOT\desktopthemepackfile\shell\open\command]
@=expand:"%SystemRoot%\\system32\\rundll32.exe %SystemRoot%\\system32\\themecpl.dll,OpenThemeAction %1"

[HKEY_CLASSES_ROOT\Drive\shell\change-passphrase\command]
@=expand:"%SystemRoot%\\system32\\bdechangepin.exe -pw %1"

[HKEY_CLASSES_ROOT\Drive\shell\unlock-bde\command]
@=expand:"%SystemRoot%\\system32\\bdeunlock.exe %1"

[HKEY_CLASSES_ROOT\Explorer.AssocProtocol.search-ms\shell\open\command]
@=expand:"%SystemRoot%\\Explorer.exe /separate,/idlist,%I,%L"

[HKEY_CLASSES_ROOT\fonfile\shell\preview\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe %1"

[HKEY_CLASSES_ROOT\fonfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\fontview.exe /p %1"

[HKEY_CLASSES_ROOT\ftp\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\giffile\shell\Open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\hlpfile\shell\open\command]
@=expand:"%SystemRoot%\\winhlp32.exe %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_
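
The check a practitioner wants after reading a list like the one above, written here as an added example and not code from Stefan Kanthak's post: it parses the `@=` default values of a .reg export (both plain and `expand:` forms), undoes the .reg escaping, and reports every ShellExecute placeholder (%1, %L, %l, %I, %*) that is not wrapped in quotation marks, which is exactly the CreateProcess rule quoted at the top of the post. The sample input is constructed from two entries of the Windows 8.1 excerpt plus Microsoft's own "alert" example as the correctly quoted case; the key name used for that last entry is assumed.

```python
import re

# Constructed sample in the same .reg syntax as the post's Windows 8.1
# excerpt: two entries copied from the post plus Microsoft's "alert" example
# from the URI-scheme documentation as the correctly quoted case (the key
# name for it is assumed).
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\batfile\shell\print\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE /p %1"

[HKEY_CLASSES_ROOT\alert\shell\open\command]
@="\"C:\\Program Files\\Alert\\alert.exe\" \"%1\""
'''

# Placeholders that ShellExecute substitutes before CreateProcess parses the
# string: %1/%L/%l (file path), %I (IDList), %* (remaining arguments).
PLACEHOLDER = re.compile(r'%[1lLI*]')


def unescape_reg_string(raw):
    """Undo .reg escaping: backslash-backslash and backslash-quote."""
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg_commands(text):
    """Yield (key, command) for every '@=' default value in .reg text.

    Handles both plain "..." (REG_SZ) and expand:"..." (REG_EXPAND_SZ).
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif line.startswith('@=') and key is not None:
            raw = line[2:]
            if raw.startswith('expand:'):
                raw = raw[len('expand:'):]
            if raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1]
            yield key, unescape_reg_string(raw)


def unquoted_placeholders(command):
    """Return the placeholders in command that are not wrapped in quotes."""
    found = []
    for m in PLACEHOLDER.finditer(command):
        before = command[m.start() - 1] if m.start() > 0 else ''
        after = command[m.end()] if m.end() < len(command) else ''
        if not (before == '"' and after == '"'):
            found.append(m.group())
    return found


def audit_reg(text):
    """List (key, command, unquoted placeholders) for every flagged value."""
    findings = []
    for key, command in parse_reg_commands(text):
        bad = unquoted_placeholders(command)
        if bad:
            findings.append((key, command, bad))
    return findings


if __name__ == '__main__':
    for key, command, bad in audit_reg(SAMPLE_REG):
        print(f'{key}\n    {command}\n    unquoted: {", ".join(bad)}')
```

Run against a `reg export HKCR` dump the same parser applies unchanged; the two entries taken from the post are reported, the "alert" example is not.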

[FD] Microsoft DHCP INFORM Configuration Overwrite

2014-05-29 Thread laurent gaffie
Title:   Microsoft DHCP INFORM Configuration Overwrite
Version: 1.0
Issue type:  Protocol Security Flaw
Affected vendor: Microsoft
Release date:28/05/2014
Discovered by:   Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status:Patch not available
===

Summary
---

A vulnerability in Windows DHCP (http://www.ietf.org/rfc/rfc2131.txt) was
found on Windows OS versions ranging from Windows 2000 through to Windows
Server 2003. This vulnerability allows an attacker to remotely overwrite
DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server
configuration with no user interaction. Successful exploitation of this
issue will result in a remote network configuration overwrite. Microsoft
acknowledged the issue but has indicated no plans to publish a patch to
resolve it.


Technical details
-

Windows 2003/XP machines are sending periodic DHCP INFORM requests and are
not checking if the DHCP INFORM answer (DHCP ACK) is from the registered
DHCP server/relay-server. Any local system may respond to these requests
and overwrite a Windows 2003/XP network configuration by sending a properly
formatted unicast reply.

Impact
--

Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing
settings on the target system.

Affected products
-

Windows:
- 2000
- XP
- 2003

Proof of concept
---

The DHCP.py utility found within the Responder toolkit can be used to
exploit this vulnerability.

git clone https://github.com/Spiderlabs/Responder

Solution
---

Set a DWORD registry key "UseInform" to "0" in each subfolder found in
HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
-
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on an A-D environment
  while looking at the DHCP issue for education purposes, since multiple
  attempts were made to make them aware that any A-D environment by
  default is vulnerable if Responder is running on the subnet. Also, MSRC
  was asked what code change made this DHCP INFORM issue different on
  Windows Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC replies and refuses to share their view on the code
  change; however they mention that 'The product team is investigating
  whether the RFC for a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was
  requested, but the logic behind it. Also, MSRC was asked if they were
  successful with Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on
  whether they were successful with Responder in their environment.


References
--
* Responder: https://github.com/Spiderlabs/Responder
* http://g-laurent.blogspot.ca/
* https://twitter.com/PythonResponder
* http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html
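
A detection-side illustration of the check the affected clients skip, added here as an example; it is not part of the advisory and not code from Responder. It parses a DHCPACK, reads the Server Identifier option (54) and flags replies whose server is not the registered one, listing the DNS, gateway, WINS and WPAD settings such a reply would install on an XP/2003 client. The two packets and the trusted-server set are constructed for this example; on a real network the same function runs over DHCP ACKs captured on the subnet (option 252 for WPAD is the de-facto code, not an RFC 2132 option).

```python
import struct
from ipaddress import IPv4Address

# DHCP option codes used below (RFC 2132; 252 is the de-facto WPAD option).
OPT_ROUTER, OPT_DNS, OPT_WINS = 3, 6, 44
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD, OPT_END = 53, 54, 252, 255
DHCP_ACK = 5
MAGIC_COOKIE = b'\x63\x82\x53\x63'

# Constructed for this example: the DHCP server actually registered on the
# subnet. A real check takes this from the DHCP server inventory.
TRUSTED_DHCP_SERVERS = {'10.0.0.1'}


def build_ack(server_ip, options):
    """Build a minimal DHCPACK (constructed sample data, not a live capture).

    The BOOTP fixed header is 236 bytes: op=2 (BOOTREPLY), htype=1, hlen=6,
    hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
    """
    server = IPv4Address(server_ip).packed
    header = struct.pack('!BBBBIHH4s4s4s4s16s64s128s',
                         2, 1, 6, 0, 0x1234abcd, 0, 0,
                         b'\0' * 4, b'\0' * 4, server, b'\0' * 4,
                         b'\0' * 16, b'\0' * 64, b'\0' * 128)
    body = MAGIC_COOKIE
    body += bytes([OPT_MSG_TYPE, 1, DHCP_ACK])
    body += bytes([OPT_SERVER_ID, 4]) + server
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + body + bytes([OPT_END])


def parse_options(packet):
    """Return {option_code: raw_bytes} for a BOOTREPLY carrying DHCP options."""
    if len(packet) < 240 or packet[0] != 2 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError('not a DHCP reply')
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option carries no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def ip_list(raw):
    """Decode an option holding one or more packed IPv4 addresses."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def check_inform_reply(packet):
    """Classify a DHCPACK the way a client that validated its source would.

    Returns None for non-ACK packets; otherwise the server identifier,
    whether it is a registered server, and the settings the ACK would set.
    """
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE) != bytes([DHCP_ACK]):
        return None
    server_id = options.get(OPT_SERVER_ID)
    server = str(IPv4Address(server_id)) if server_id else None
    result = {'server': server, 'trusted': server in TRUSTED_DHCP_SERVERS,
              'settings': {}}
    for code, name in ((OPT_ROUTER, 'gateway'), (OPT_DNS, 'dns'), (OPT_WINS, 'wins')):
        if code in options:
            result['settings'][name] = ip_list(options[code])
    if OPT_WPAD in options:
        result['settings']['wpad'] = options[OPT_WPAD].decode('ascii', 'replace')
    return result


# Two constructed replies to the same INFORM: one from the registered server,
# one from another host on the subnet handing out its own DNS and WPAD settings.
LEGIT_ACK = build_ack('10.0.0.1', [(OPT_DNS, IPv4Address('10.0.0.53').packed)])
ROGUE_ACK = build_ack('10.0.0.66', [(OPT_DNS, IPv4Address('10.0.0.66').packed),
                                    (OPT_WPAD, b'http://10.0.0.66/wpad.dat')])


def audit(packets):
    """Return the results for every ACK whose server identifier is untrusted."""
    return [r for r in map(check_inform_reply, packets) if r and not r['trusted']]


if __name__ == '__main__':
    for finding in audit([LEGIT_ACK, ROGUE_ACK]):
        print(f"unregistered DHCP server {finding['server']} "
              f"offered {finding['settings']}")
```

The point of the comparison is the Server Identifier: a client (or a sensor on the segment) that compares it with the registered server rejects the second reply, which is the check the advisory says the affected versions do not perform; the UseInform registry setting in the Solution section removes the INFORM traffic altogether.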


[FD] The 2014 Volatility Plugin Contest is now live!

2014-05-29 Thread Andrew Case
We (the Volatility Team) are happy to announce that the 2014 Volatility
Plugin Contest is now live:

http://www.volatilityfoundation.org/#!2014/cjpn

This contest is modeled after the annual IDA Pro one, and its purpose is
to encourage new research in the memory forensics field. Volatility is
one of the most popular tools in digital forensics, incident response,
and malware analysis, and by submitting to our contest your work will
immediately gain visibility through all of these communities.

Besides this recognition, we also award the top entries over $2,000 in
cash prizes, swag (stickers, t-shirts, etc.), blog entries on our
Volatility Labs blog, and an invitation to speak at our annual memory
forensics workshop.

The entries of last year's winners can be found here:

http://www.volatilityfoundation.org/#!2013/c19yz

This contest is a great opportunity to explore the open source
Volatility Framework, add visibility to your career, and potentially
develop a master's thesis or PhD project.

-- 
Thanks,
Andrew (@attrc)



[FD] How to use the vulnerable flash player plugin installed with Adobe Reader XI (and other Adobe products)

2014-05-29 Thread Stefan Kanthak
Hi @ll,

almost a year ago I wrote in 
about the vulnerable NPSWF32.DLL and MSVC*.DLL installed with Adobe Reader XI.

Others wrote about the vulnerable NPSWF32.DLL before, cf.



| After installing Adobe Reader XI there is an NPSWF32.dll in the subdirectory
| of the Reader. 



| Thanks.I calmed PSI by simply deleting two dll files, both called NPSWF.
| One was buried deep down in Adobe Premier Elements 4.


Since Adobe Reader doesn't use the vulnerable NPSWF32.DLL at all (see
;
money quote: "Adobe Reader and Acrobat no longer include Flash Player")
you may ask yourself: why not put this unused gift to good use?


JFTR: about 6 months before the release of Adobe Reader XI Adobe published
  the following "Background on Security Bulletin APSB12-08"
  



Here's the "howto", in five easy steps:

Step 1:
determine the path of the NPSWF32.DLL on your Windows installation
(on 32-bit systems, Adobe Reader is installed below
"C:\Program Files\Adobe", and below "C:\Program Files (x86)\Adobe"
on 64-bit systems).

Step 2:
start the Windows Editor and paste the 4 lines between the markers:

--- >% --- %< ---
REGEDIT4

[HKEY_CURRENT_USER\Software\MozillaPlugins\@adobe.com/FlashPlayer]
"Path"="C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\npswf32.dll"
--- >% --- %< ---

Step 3:
if necessary correct the path in the last line to resemble the
path determined in step 1.

Step 4:
save the file as "NPSWF32.REG" and close the editor.

Step 5:
open the NPSWF32.REG and import it into your registry.


Now (re)start your NPAPI-compatible web browser (Firefox, Seamonkey,
Opera, Safari, ...) and enter the URL : you'll see a
flash player plugin version 11.5.502.110 listed there (if you see
flash player plugin version 11.4.402.265 then your Adobe Reader XI
is missing all 7 security updates).


regards
Stefan Kanthak


PS: to undo the damage exit the web browser and import the following
*.REG:

--- >% --- %< ---
REGEDIT4

[-HKEY_CURRENT_USER\Software\MozillaPlugins\@adobe.com/FlashPlayer]
--- >% --- %< ---



[FD] XSS Attacks vulnerability in InterScan Messaging Security Virtual Appliance 8.5.1.1516 (Zero-DAY)

2014-05-29 Thread William Costa
I. VULNERABILITY
-

XSS Attacks vulnerability in InterScan Messaging Security Virtual Appliance
8.5.1.1516

II. DESCRIPTION
-
An XSS vulnerability has been detected in InterScan Messaging Security
Virtual Appliance version 8.5.1.1516.
The code injection is done through the parameter "addWhiteListDomainStr"
sent via POST to the page "/addWhiteListDomain.imss".

III. PROOF OF CONCEPT
-
The application does not validate the parameter
“addWhiteListDomainStr” correctly.


https://10.200.210.100:8445/addWhiteListDomain.imss

Host=10.200.210.100:8445
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=https://186.230.33.160/trend-interscan/trend.php
Cookie=JSESSIONID=68D4F0AEF4874173BDE77FAA4895231F; CurrentLocale=en-US; PHPSESSID=2ok068gfak8np5isbe5k5l4nf3; un=7164ceee6266e893181da6c33936e4a4; userID=1; LANG=en; wids=modImsvaSystemUseageWidget,modImsvaMailsQueueWidget,modImsvaQuarantineWidget,modImsvaArchiveWidget,; lastID=15; theme=default; lastTab=1; GetPageTab=1
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=95
POSTDATA=addWhiteListDomainStr=.com">alert(document.cookie);)


https://vimeo.com/96757096


IV. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, which allows arbitrary HTML/script code to be executed in the
context of the victim user's browser, allowing session hijacking.

V. SYSTEMS AFFECTED
-
Tested in InterScan Messaging Security Virtual Appliance 8.5.1.1516

VI. SOLUTION


Answer from Trend.

Hi William,


According to our Product Developers, this is not a vulnerability of our
product. All of the cookies (not just IMSVA's) can be stolen from a
compromised environment. It was highly suggested that you upgrade your
client to ensure safety.
Also, they recommended another Trend Micro product, "OfficeScan", that may
be suitable for your environment.

I hope this information helps. Please let me know if you have additional
questions or clarifications.

Have a great day!



By William Costa
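
An added example, not the appliance's code (its server side is not visible in the advisory), that contrasts the pattern the proof of concept implies with a hardened version. The PoC value starts with `.com">`, i.e. it closes an attribute value, so the reconstruction below assumes the parameter is echoed back into an HTML attribute without encoding; the field name comes from the advisory, the surrounding markup is assumed, and the injected tag body is a harmless marker. The fix is the usual pair: validate the whitelist entry as a domain before accepting it, and attribute-encode whatever is echoed.

```python
import html
import re

FIELD = 'addWhiteListDomainStr'   # parameter name from the advisory

# Constructed inputs: a normal whitelist entry and a value that closes the
# attribute the same way the PoC's leading '.com">' does (harmless marker
# in place of script).
NORMAL = 'example.com'
BREAKOUT = '.com"><b>marker</b>'

# A whitelist entry is a hostname or a dotted suffix such as ".com": labels
# of letters, digits and hyphens, optionally starting with a dot.
DOMAIN_RE = re.compile(r'^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$')


def is_valid_domain(value):
    """Input validation: accept only values that can be a domain or suffix."""
    return len(value) <= 253 and DOMAIN_RE.fullmatch(value) is not None


def encode_for_attribute(value):
    """Output encoding for a double-quoted attribute: &, <, >, and both
    quote characters become entities, so the value cannot end the attribute."""
    return html.escape(value, quote=True)


def render_unsafe(value):
    """Hypothetical reconstruction of the vulnerable pattern: the submitted
    value is echoed into an attribute unencoded (assumed markup)."""
    return f'<input type="text" name="{FIELD}" value="{value}">'


def render_safe(value):
    """Hardened form: reject anything that is not a domain, then encode."""
    if not is_valid_domain(value):
        raise ValueError(f'{FIELD}: not a valid domain')
    return f'<input type="text" name="{FIELD}" value="{encode_for_attribute(value)}">'


def tag_count(markup):
    """Count HTML tags in the rendered field; one input should yield one tag."""
    return len(re.findall(r'<[A-Za-z/][^>]*>', markup))


if __name__ == '__main__':
    print(render_unsafe(BREAKOUT), tag_count(render_unsafe(BREAKOUT)))
    print(encode_for_attribute(BREAKOUT))
    print(render_safe(NORMAL))
```

Either half alone is enough to stop this particular payload; both together are what a reviewer expects, because validation rules may later be relaxed (internationalised names, wildcards) while encoding at the output point keeps protecting the attribute context.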


Re: [FD] TrueCrypt?

2014-05-29 Thread Barkley, Peter
+

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/ 

-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Anthony Fontanez
Sent: 2014, May, 28 10:21 PM
To: fulldisclosure@seclists.org
Subject: [FD] TrueCrypt?

I'm surprised I haven't seen any discussion about the recent issues with 
TrueCrypt.  Links to current discussions follow.

/r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
/r/netsec: 
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

___

This email may be privileged and/or confidential, and the
sender does not waive any related rights and obligations.
Any distribution, use or copying of this email or the
information it contains by other than an intended recipient
is unauthorized. If you received this email in error,
please advise the sender (by return email or otherwise)
immediately. You have consented to receive the attached
electronically at the above-noted email address; please retain a
copy of this confirmation for future reference.



Re: [FD] What do you think of Trollc?

2014-05-29 Thread Brian M. Waters
So far the thread of discussion here has focused on whether or not
Weev's plan would /actually work/. But let's take a step back.

If I understand it, the plan is to facilitate "ethical vulnerability
disclosure" by
1) Finding security vulnerabilities in live sites
2) Disclosing them to the public before notifying the site operators
3) Thereby causing the stock price to drop
 and
4) Making money by short-selling on knowledge only the developer has

I could distill that to layman's terms:
"Hurting someone else and making money at their expense."

So, how is that ethical, again? Did I miss something?

BW


On Tue, 27 May 2014 20:49:45 +0200
Philip Cheong  wrote:
> From https://www.startjoin.com/trollc
> 
> *Right now if you're a software exploit developer and you want to
> monetize your craft to pay your rent, there's only one consistent way
> to do so: sell your software exploits. The major customer for these
> are oppressive governments, chiefly that of the United States. We
> know what the United States does with software exploits: it uses them
> to illegally spy on its own citizens, and attack peaceful nations
> around the world.*
> 
> *I need your help to create a company that will ethically disclose
> software vulnerabilities to the public. For this I need help getting
> the filing fees necessary to incorporate a hedge fund. I want to
> continue bringing issues in companies that put you at risk to light,
> and short the stocks of those companies when I do so. I will only get
> paid when large corporations being negligent get punished. This will
> create a structure by which security researchers including myself
> will still make a living, only now by disclosing problems instead of
> selling them in secret to criminal governments.*
> 
> What say you? Is this brilliant? Or stupid? Awesome? But never going
> to work?
> 


-- 
Brian M. Waters
Burlington, Vermont, USA
+1 (908) 380-8214
br...@brianmwaters.net
https://brianmwaters.net/




Re: [FD] TrueCrypt?

2014-05-29 Thread uname -a
There are several strange behaviors.

Site source is not clean. Just an HTML page that says: take Bitlocker or
other built-in tools of your OS now !?

New keys got added to SF 3h before release of 7.2 happened.

On SF the old versions got removed. For older versions you have to
download them elsewhere (there are several sources available).

Encryption, Help and all traces to truecrypt.org got removed in the
program source.

No explanation for this anywhere. Just speculations.

TrueCrypt isn't available on the web archive!

The Wiki got edited massively.



On 29.05.2014 04:21, Anthony Fontanez wrote:
> I'm surprised I haven't seen any discussion about the recent issues with 
> TrueCrypt.  Links to current discussions follow.
> 
> /r/sysadmin: 
> http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
> /r/netsec: 
> http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/



Re: [FD] What do you think of Trollc?

2014-05-29 Thread Jeffrey Walton
On Tue, May 27, 2014 at 3:32 PM, Jeffrey Walton  wrote:
> On Tue, May 27, 2014 at 3:04 PM, Brandon Perry
>  wrote:
>> Not even sure when the last vulnerability that caused any fluctuation in
>> the stock markets was.
> +!. I'm not sure it ever hurt Sony, and they've had over 40 documented
> problems [0, 1, 2, et al]. Some of them were very serious from a data
> security perspective.
How's this for timing... "Mobile security struggles continue to plague
LifeLock", 
http://www.mobilecommercepress.com/mobile-security-struggles-continue-plague-lifelock/8512293/:

LifeLock, a giant in the identity theft industry, has
now suspended its app following the massive
mobile security issues that had plagued it...

The target share price had reached the point that
it was slashed in half, by the time this article was
written. The Tempe-based company’s stock price
has been riding a virtual roller coaster and it doesn’t
look as though it will be slowing down quite yet. This
was all in response to the announcement that as a
mobile security precaution, all of the user information
from the LifeLock Wallet would be deleted, and the
app would be taken down from Google Play, Amazon
Apps, and other application stores.


Re: [FD] TrueCrypt

2014-05-29 Thread Alberto Guglielmo
Look at this:
http://thehackernews.com/2014/05/encryption-tool-truecrypt-shuts-down.html
I feel very suspicious about the suggestion to use Bitlocker...
Regards


On 28/05/2014 22:21, Henri Salo wrote:
> Site http://truecrypt.sourceforge.net/ says "WARNING: Using TrueCrypt is not
> secure as it may contain unfixed security issues" does someone have any
> information about this?
>
> ---
> Henri Salo

-- 

Everything should be made as simple as possible, but not simpler.
 Albert Einstein

Alberto Guglielmo
a.guglielmotcpsas.com
Key Fingerprint:7EAF 9E34 2838 7C6B EE47  E8F0 FFC5 3CBC 90AA 5EEE
Key ID: 0x90AA5EEE
GPG/PGP keys at:  pgpkeys.mit.edu





Re: [FD] TrueCrypt?

2014-05-29 Thread James Healy
Krebson covered it pretty well here:
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

And a few more speculations here:
http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/

For the most part the general consensus is they're no longer wanting
to continue development - perhaps through pressure, or this release
would spark a lot of sensitive people to momentarily make their data
vulnerable whilst switching to an alternative. This comes at a time
where full auditing was about to go underway (they had only audited
the bootloader in the past), which in itself adds to the speculation.

Really an open-source variant needs to be made readily-available to
the average consumer. I know of plenty of non-IT-savvy people who
would love an opportunity to secure their local data (photos, email,
work) but don't know how - given their current options there's a clear
gap in the market for this; the paranoid consumer. (Rightly so is
objective.)

On Thu, May 29, 2014 at 2:21 PM, Anthony Fontanez  wrote:
> I'm surprised I haven't seen any discussion about the recent issues with 
> TrueCrypt.  Links to current discussions follow.
>
> /r/sysadmin: 
> http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
> /r/netsec: 
> http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/



-- 
James Healy
Stoic, PO Box 17042, Greenlane, Auckland 1546.

w: www.stoic.co.nz
e: ja...@stoic.co.nz
p: 09 280 3639
m: 027 900 17 44



Re: [FD] TrueCrypt?

2014-05-29 Thread Jeffrey Walton
On Wed, May 28, 2014 at 10:21 PM, Anthony Fontanez  wrote:
> I'm surprised I haven't seen any discussion about the recent issues with 
> TrueCrypt.  Links to current discussions follow.
>
> /r/sysadmin: 
> http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
> /r/netsec: 
> http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/
The Crypto mailing list offered a few additional factoids (in addition
to the three offered in the first link):

1) Microsoft ended support for XP.
2) Elcomsoft claims the ability to retrieve master & secondary (XTS mode)
   keys for TrueCrypt volumes/partitions from hibernation files.
3) Passware same as above.
4) https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf
   - header key derivation uses low iteration count

And as one other person noted in the crypto mailing list thread, the
same kind of thing happened to Lavabit.

See http://lists.randombit.net/pipermail/cryptography/2014-May/thread.html
and http://lists.randombit.net/pipermail/cryptography/2014-May/006561.html.

Jeff



Re: [FD] What do you think of Trollc?

2014-05-29 Thread Michal Zalewski
> I could distill that to layman's terms:
> "Hurting someone else and making money at their expense."

Well, kind of, but that's essentially the definition of all short-term
stock trading: you're betting that somebody else is wrong and want to
profit from their loss.

/mz



Re: [FD] What do you think of Trollc?

2014-05-29 Thread Jeffrey Paul

On May 28, 2014, at 7:29 PM, Brian M. Waters  wrote:

> I could distill that to layman's terms:
> "Hurting someone else and making money at their expense."

Disclosing information that is available to the public is not hurting anyone.

If they are hurt in the markets due to poor data security practices, the only 
person or entity responsible is the one that chose and implemented those data 
security practices.

Please don’t misattribute responsibility.  Insecurity is not the fault of the 
discloser.



Re: [FD] What do you think of Trollc?

2014-05-29 Thread Scott Arciszewski
"Ethical" is always a matter of perspective. "Legal" and "effective" are
the relevant points of contention.


On Wed, May 28, 2014 at 10:29 PM, Brian M. Waters 
wrote:

> So far the thread of discussion here has focused on whether or not
> Weev's plan would /actually work/. But lets take a step back.
>
> If I understand it, the plan is to facilitate "ethical vulnerability
> disclosure" by
> 1) Finding security vulnerabilities in live sites
> 2) Disclosing them to the public before notifying the site operators
> 3) Thereby causing the stock price to drop
>  and
> 4) Making money by short-selling on knowledge only the developer has
>
> I could distill that to layman's terms:
> "Hurting someone else and making money at their expense."
>
> So, how is that ethical, again? Did I miss something?
>
> BW
>
>
> On Tue, 27 May 2014 20:49:45 +0200
> Philip Cheong  wrote:
> > From https://www.startjoin.com/trollc
> >
> > *Right now if you're a software exploit developer and you want to
> > monetize your craft to pay your rent, there's only one consistent way
> > to do so: sell your software exploits. The major customer for these
> > are oppressive governments, chiefly that of the United States. We
> > know what the United States does with software exploits: it uses them
> > to illegally spy on its own citizens, and attack peaceful nations
> > around the world.*
> >
> > *I need your help to create a company that will ethically disclose
> > software vulnerabilities to the public. For this I need help getting
> > the filing fees necessary to incorporate a hedge fund. I want to
> > continue bringing issues in companies that put you at risk to light,
> > and short the stocks of those companies when I do so. I will only get
> > paid when large corporations being negligent get punished. This will
> > create a structure by which security researchers including myself
> > will still make a living, only now by disclosing problems instead of
> > selling them in secret to criminal governments.*
> >
> > What say you? Is this brilliant? Or stupid? Awesome? But never going
> > to work?
> >
> --
> Brian M. Waters
> Burlington, Vermont, USA
> +1 (908) 380-8214
> br...@brianmwaters.net
> https://brianmwaters.net/



Re: [FD] TrueCrypt?

2014-05-29 Thread secuip

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908


On 29/05/2014 22:51, uname -a wrote:

> There are several strange behaviors.
>
> Site source is not clean. Just an HTML page that says now take Bitlocker or
> other built-in tools of your OS!?
>
> New keys got added to SF 3h before the release of 7.2 happened.
>
> On SF the old versions got removed. For older versions you have to
> download them elsewhere (there are several sources available).
>
> Encryption, Help and all traces to truecrypt.org got removed in the
> program source.
>
> No explanation for this anywhere. Just speculations.
>
> Truecrypt isn't available on the web archive!
>
> The Wiki got edited massively.
>
>
> On 29.05.2014 04:21, Anthony Fontanez wrote:
>
>> I'm surprised I haven't seen any discussion about the recent issues with
>> TrueCrypt.  Links to current discussions follow.
>>
>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
>> /r/netsec:
>> http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/



[FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread CIURANA EUGENE (pr3d4t0r - Full Disclosure)
 

Greetings. 

I'm a happy long-time user of TrueCrypt, and was as dismayed as anyone else
to see the news. I'm considering starting a full disk image encryption
alternative to TrueCrypt that will target OS X (maybe others too, but right
now OS X is my priority).

Asking here for interest in such an endeavor. My system still uses TrueCrypt
7.1a and I managed to rescue the binaries, but I suspect they may break Real
Soon Now and, with nobody to maintain the code... well, OS X needs an
alternative. And no, Apple's partition encryption isn't an option since it's
suspected of having back doors.

My intention is to release the code under an open source license (GPLv2 or
Apache). Please let me know your thoughts. Working now on understanding how
Fuse might play in this setup, or whether to write a low-level driver
altogether and mount it via the kernel w/o Fuse.

Cheers! 

pr3d 



Re: [FD] TrueCrypt?

2014-05-29 Thread Justin Bull
But why go out in that style? Why not be frank? Why be so careless as to
recommend BitLocker?

The diff was meticulous but the website and comms were not. It doesn't add
up.

Sent from mobile.
On May 29, 2014 5:13 PM, "secuip"  wrote:

> http://krebsonsecurity.com/2014/05/true-goodbye-using-
> truecrypt-is-not-secure/comment-page-1/#comment-255908

[FD] Bizagi BPM Suite contains multiple vulnerabilities

2014-05-29 Thread Walter Cuestas
Vulnerability Note VU#112412
Bizagi BPM Suite contains multiple vulnerabilities

Overview
Bizagi BPM Suite contains a reflected cross-site scripting vulnerability
and a SQL injection vulnerability.

Description
CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - CVE-2014-2947
According to Open-Sec consultant Mauricio Urizar, all versions of Bizagi
BPM Suite contain a reflected cross-site scripting (XSS) vulnerability. The
application fails to sanitize the txtUsername POST parameter to the
Login.aspx page.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection') - CVE-2014-2948
Furthermore, Urizar reports that all versions of Bizagi BPM Suite are
vulnerable to SQL injection attacks through the workflowenginesoa.asmx web
service. By sending specially crafted SOAP requests to the web service, a
remote authenticated attacker can execute arbitrary SQL statements.

The CVSS score reflects CVE-2014-2948.

Impact
By exploiting the reflected XSS vulnerability, a remote unauthenticated
attacker may be able to execute arbitrary JavaScript in the context of the
victim's browser. By exploiting the SQL injection vulnerability, a remote
authenticated attacker may be able to read, modify, or delete data from the
database.

Solution
Bizagi has stated that the cross-site scripting vulnerability
(CVE-2014-2947) was fixed in version 10.3. To remediate the SQL injection
vulnerability, a hotfix is available for 64-bit installations of the 10.3
official release. A separate hotfix is available for 64-bit installations
of the 10.4 official and latest release. Bizagi has provided the following
patching instructions:

1. Ensure that you have temporarily stopped your project service (at the
IIS), and that your project is using a 64-bit installation.
2. Replace the "BizAgi.WFES.dll" file found inside the zipped folder of the
fix, so that you paste this assembly into the bin folder of your Bizagi
Work portal.
(By default, the bin is located as
"C:\BizAgi\Enterprise\Projects\[your_Project]\WebApplication\bin\"). This
will replace an older file having the same name.
3. Proceed to re-start your project service (at the IIS).

In addition, Bizagi advises users to consult the "Security setup
recommendations" documentation in the meantime. Users who are unable to
patch should consider the following workaround:

Restrict Access

As a general good security practice, only allow connections from trusted
hosts and networks.

Vendor Information

Vendor   Status     Date Notified   Date Updated
Bizagi   Affected   11 Apr 2014     22 May 2014

CVSS Metrics

Group           Score   Vector
Base            8.5     AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal        7.3     E:POC/RL:W/RC:C
Environmental   1.9     CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References
http://www.bizagi.com/products/bizagi-bpm-suite/overview-bpm-suite
http://help.bizagi.com/bpmsuite/en/index.html?setup_security.htm

Credit
Thanks to Mauricio Urizar for reporting this vulnerability.
This document was written by Todd Lewellen.

Other Information
CVE IDs: CVE-2014-2947 CVE-2014-2948
Date Public: 22 May 2014
Date First Published: 22 May 2014
Date Last Updated: 22 May 2014
Document Revision: 14
---
Walter Cuestas Agramonte

*They run automated tools, We have ETHICAL HACKERS !*
*Offensive Security Certified Professional / **C|EH **C)PTE **C)PTC*
 Gerente General
 Celular: (+51) 997926168

Ethical Hacking/InfoSec
http://www.open-sec.com
http://ehopen-sec.blogspot.com/
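The two weakness classes in the note above (CWE-89 and CWE-79) come down to the same root cause: request data being spliced into a statement or a page as if it were part of the structure. The following is an added illustration, not Bizagi's code and not the reporter's proof of concept; it uses a constructed in-memory SQLite table and made-up user names to show how the vulnerable lookup pattern and its parameterized replacement behave on the same input, and how output encoding keeps a reflected username from being interpreted as markup. The function names, schema and test values are all assumptions for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo; nothing here is Bizagi's schema or code.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def make_db():
    """In-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Splices the request value into the statement text (the CWE-89 pattern).
    A quote character in the input ends the string literal early, so the
    input changes the structure of the SQL the database executes."""
    sql = "SELECT role FROM users WHERE name = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The statement text is constant; the value travels as a bound
    parameter, so it can only ever be compared as data."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare_lookups(conn, username):
    """Run both versions on the same input and report what each did."""
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError:
        # The input broke the statement: proof that it was parsed as SQL.
        vulnerable = "syntax error"
    return {"vulnerable": vulnerable,
            "parameterized": lookup_parameterized(conn, username)}


def reflect_username(username):
    """Echo a submitted username back into HTML the safe way (the CWE-79 fix):
    encode it so the browser treats it as text, never as markup."""
    return "<p>Unknown user: %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a name containing a quote, and the
    # kind of regression-test value a defender uses to confirm the fix.
    for value in ["alice", "O'Brien", "nobody' OR role = 'admin"]:
        print(repr(value), compare_lookups(db, value))
    print(reflect_username("<b>x</b>"))
```

The vulnerable lookup fails on the legitimate name O'Brien and returns the admin row for an input that never names a user, while the parameterized lookup returns exactly the rows whose name equals the submitted string. Any hotfix for a web service that builds SQL from SOAP parameters has to make the second behaviour the only one reachable, and the escaping in reflect_username is the counterpart for every place the login page echoes txtUsername back.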



Re: [FD] TrueCrypt?

2014-05-29 Thread Dennis E. Hamilton
In the various accounts and discussions all around the Internet, I had been 
baffled by the mention of Windows XP support end-of-life.

On reflection, I can see why there might be concern for the vulnerability of 
TrueCrypt, and user keys, on a platform for which there is no longer any 
security support.

The observation that there are existing solutions on the major 
currently-supported platforms makes sense in that context.  Concerning the 
mention of Bitlocker, I note that Bitlocker is available on Windows 8.1 Pro and 
works just fine given the hardware that Windows 8 and 8.1 require anyhow.  (I 
am not in a position to know whether "works just fine" means Bitlocker is 
highly secure or not.  At least it is not password based and one should remove 
and squirrel away the USB key after powering up and certainly not leave it 
inserted in a powered-down system.)

I have no idea what the actual trigger of the TrueCrypt shutdown is.  


 -- Dennis E. Hamilton
dennis.hamil...@acm.org  +1-206-779-9430
https://keybase.io/orcmid  PGP F96E 89FF D456 628A


-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Barkley, Peter
Sent: Thursday, May 29, 2014 13:47
To: fulldisclosure@seclists.org
Subject: Re: [FD] TrueCrypt?

+

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/ 

-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Anthony Fontanez
Sent: 2014, May, 28 10:21 PM
To: fulldisclosure@seclists.org
Subject: [FD] TrueCrypt?

I'm surprised I haven't seen any discussion about the recent issues with 
TrueCrypt.  Links to current discussions follow.

/r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/
/r/netsec: 
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

[ ... ]




Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread CIURANA EUGENE (pr3d4t0r - Full Disclosure)
 

On 2014-05-29 14:23, Jeffrey Groby wrote: 

> Maybe I am confused here. I thought FileVault was the full disk encryption
> tool for OS X and TrueCrypt was the Windows solution. Are you writing an
> alternative to FileVault?
>
> I am sure I must have misunderstood something.

TrueCrypt was available to Linux and OS X users as well. The most current
version was 7.1a, and it did more or less the same things as the Windows
version, plus it also allowed you to reformat an encrypted partition under
HFS+ and treat it like a native OS X file system in every other respect.

FileVault is suspect -- we have no guarantee, one way or another, that Apple
doesn't have some kind of back door into it.

That's why I believe we need an alternative for OS X users who rely on
TrueCrypt and want better security than what is provided by Apple.

Note: I love Apple products, but given Prism and other disclosures, I don't
trust their software to be safe. That's why OTR, TrueCrypt, and GPG/PGP are
in my arsenal for secure storage and communications.

Cheers! 

pr3d 



Re: [FD] TrueCrypt?

2014-05-29 Thread CIURANA EUGENE (pr3d4t0r - Full Disclosure)
 

On 2014-05-29 14:18, Justin Bull wrote: 

> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.

The general consensus in some quarters (e.g. encryption and topical IRC
channels across various networks) is that the developer(s) were identified
and served with a National Security Letter (NSL). Since its existence can't
be divulged, and since the suggestion to use BitLocker is ridiculous to
anyone with a clue, the demise of the TrueCrypt site and its circumstances
is viewed as a canary-in-the-mine. A way of alerting users.

Think of Lavabit a year ago and how they were coerced to open up their
encryption. They went out of business rather than surrender the keys and
create a false sense of security among their users.

Cheers, 

pr3d 



[FD] US cybercrime laws being used to target security researchers | Technology | The Guardian

2014-05-29 Thread Ivan .Heca
HD Moore, creator of the ethical hacking tool Metasploit and chief research
officer of security consultancy Rapid7, told the Guardian he had been
warned by US law enforcement last year over a scanning project called
Critical.IO, which he started in 2012. The initiative sought to find
widespread vulnerabilities using automated computer programs to uncover the
weaknesses across the entire internet.

http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers



Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread Mike Cramer
You need to ask yourself a question:

How well do you know coding and encryption handling to ensure that your
software doesn't have unintentional back doors and/or information
disclosure? This is a serious question because it requires serious answers
when you're dealing with cryptography. The weakest part of the security
system should not be the application.

What libraries would you use for encryption? If any? I assume you would
leverage AES. Would the library you choose to use support AES-NI? Would you
use the Intel CPU-based PRNG? (http://en.wikipedia.org/wiki/RdRand)

I think it's reasonable to assume that the "many eyes" approach to software
security doesn't really work. So simply saying you'll release it as GPL I
don't think should be considered "good enough" anymore when it comes to
encryption. The myriad of flaws in OpenSSL over the years both upstream and
in distributions should be a serious wake-up call on this one.

My recommendation would be to use FileVault/Bitlocker/OS implementations
unless you can come up with a good reason why not to do so.

-Mike

-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf
Of CIURANA EUGENE (pr3d4t0r - Full Disclosure)
Sent: Thursday, May 29, 2014 17:18
To: fulldisclosure@seclists.org
Subject: [FD] Full disk encryption for OS X alternative to TrueCrypt

 

[ ... ]


Re: [FD] TrueCrypt?

2014-05-29 Thread JK
http://threatpost.com/of-truecrypt-and-warrant-canaries/106355


On Thu, May 29, 2014 at 5:18 PM, Justin Bull  wrote:

> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.

Re: [FD] TrueCrypt?

2014-05-29 Thread Philip Cheong
It's almost as mysterious as the Lavabit shutdown. Interestingly enough
there is a recent update on the story of Lavabit and how the company was
considered a third party to a crime so they did not have a right to legal
counsel. Check it out: http://lavabit.com

I'm certainly interested to hear more on the back story of the TrueCrypt
shutdown and this supposed vulnerability.

On Thursday, May 29, 2014, Justin Bull  wrote:

> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.



-- 
*Philip Cheong*
*Elastx *| Public and Private PaaS
email: philip.che...@elastx.se
office: +46 8 557 728 10
mobile: +46 702 8170 814
twitter: @Elastx 
http://elastx.se


Re: [FD] TrueCrypt?

2014-05-29 Thread Sergio Conde Gómez
I saw this link at #truecr...@irc.freenode.net where they are collecting 
some facts:


http://www.etcwiki.org/wiki/What_happened_to_Truecrypt_-_May_2014

I agree with the comment that secuip linked; it is pretty close to what I
thought this morning.


On 29/05/14 23:18, Justin Bull wrote:

> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.


Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread CIURANA EUGENE (pr3d4t0r - Full Disclosure)
 

On 2014-05-29 14:46, Mike Cramer wrote: 

> You need to ask yourself a question:
>
> How well do you know coding and encryption handling to ensure that your
> software doesn't have unintentional back doors and/or information
> disclosure? This is a serious question because it requires serious answers
> when you're dealing with cryptography. The weakest part of the security
> system should not be the application.
>
> What libraries would you use for encryption? If any? I assume you would
> leverage AES. Would the library you choose to use support AES-NI? Would you
> use the Intel CPU-based PRNG? (http://en.wikipedia.org/wiki/RdRand)
>
> I think it's reasonable to assume that the "many eyes" approach to software
> security doesn't really work. So simply saying you'll release it as GPL I
> don't think should be considered "good enough" anymore when it comes to
> encryption. The myriad of flaws in OpenSSL over the years both upstream and
> in distributions should be a serious wake-up call on this one.
>
> My recommendation would be to use FileVault/Bitlocker/OS implementations
> unless you can come up with a good reason why not to do so.

Mike,

Well aware of the Intel PRNG issues and others (http://twitter.com/ciurana --
I covered them when they happened and continue to address them).

Ditto on the encryption: I know it well enough to come up with an initial
implementation, and be conscious of the limitations of my coding. Part of
this plan consists of establishing an auditing process from the get go, not
unlike OpenBSD's, where security is built into the process, not only into
the code and reviewed as an afterthought.

I want to have more than one block encryption algorithm built into it,
different digests, and so on.

Libraries, feature selection, etc. are still in a preliminary stage. First I
want to gauge the level of interest.

Would you like to help? :) 

Cheers!


pr3d 

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] TrueCrypt?

2014-05-29 Thread Mike Cramer
I think it’s more important to have rational discussions. This isn’t the first 
time Microsoft has been ‘rumored’ to have backdoors in Windows for the US 
Government. These rumors have been perpetuated for years. While I don’t know 
how long you’ve been in the industry, it’s something I recall even being 14 
years old and sitting on IRC and having people discuss.

The reality now, just as then, is that these are unsubstantiated.

A more apt description about the cooperation between the US Government and 
Microsoft I think falls back onto our old pals “Alice and Bob”. I’m sure you 
may recall these names from any sort of discussion about PKI.

What people seem to forget in all of these discussions is that Microsoft is 
Bob. (Microsoft Bob? :P)

No amount of encryption, protection, secret keying is going to protect you when 
one party is going to hand over the information to 3rd parties to review.

Based on my Alice and Bob comment above, it’s reasonable to assume that the 
encryption itself is 100% fine, so long as you believe that Bob will never 
divulge the information you’ve disclosed.

Through all of these discussions surrounding Bitlocker across multiple forums 
nobody has brought up the fact that Bitlocker in Windows 8 allows you to store 
recovery key information in OneDrive/”The Cloud”. Why bother writing in 
backdoors to the software when the keys are readily available with a warrant?

There are a million and one ways to get access to the information and the 
absolutely most difficult, most costly, and most potentially damaging is the 
one people are jumping to first.

If it were ever revealed that Microsoft purposefully weakened its encryption 
systems to allow the NSA access to any Windows device, then it would be the end 
of the organization. They’re just not that dumb.

Mike

From: Justin Bull [mailto:m...@justinbull.ca] 
Sent: Thursday, May 29, 2014 18:02
To: Mike Cramer
Cc: fulldisclosure@seclists.org; secuip
Subject: RE: [FD] TrueCrypt?

Closed source and Microsoft is notoriously known to play ball with LEO and 
government. It's an ill-fitting shoe. 

Sent from mobile. 

On May 29, 2014 5:47 PM, "Mike Cramer" <mike.cra...@outlook.com> wrote:

What is careless about recommending Bitlocker?

-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Justin Bull
Sent: Thursday, May 29, 2014 17:18
To: secuip
Cc: fulldisclosure@seclists.org
Subject: Re: [FD] TrueCrypt?

But why go out in that style? Why not be frank? Why be so careless as to 
recommend BitLocker?

The diff was meticulous but the website and comms were not. It doesn't add up.

Sent from mobile.
On May 29, 2014 5:13 PM, "secuip" <r...@secuip.fr> wrote:

> http://krebsonsecurity.com/2014/05/true-goodbye-using-
> truecrypt-is-not-secure/comment-page-1/#comment-255908
>
>
> Le 29/05/2014 22:51, uname -a a écrit :
>
>> There are several strange behaviors.
>>
>> Sitesource is not clean. Just a html that say take now Bitlocker or
>> other built-in tools of your OS !?
>>
>> New Keys got added to SF 3h before release of 7.2 happened.
>>
>> On SF the old versions got removed. For older Versions you've to
>> download them elsewhere (there are several sources available).
>>
>> Encryption, Help and all traces to truecrypt.org got removed in the
>> Programsource.
>>
>> No explanation for this anywhere. Just speculations.
>>
>> Truecrypt isn't available on the webarchive!
>>
>> The Wiki got editet massively.
>>
>>
>>
>> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
>>
>>> I'm surprised I haven't seen any discussion about the recent issues
>>> with TrueCrypt.  Links to current discussions follow.
>>>
>>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
>>> truecrypt_is_dead/
>>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
>>> truecrypt_development_has_ended_052814/
>>>
>>> Thank you,
>>>
>>> Anthony Fontanez
>>> PC Systems Administrator
>>> Client Services - College of Liberal Arts Information & Technology
>>> Services, Enterprise Support Rochester Institute of Technology
>>> LBR-A290
>>> 585-475-2208 (office)
>>> ajf...@rit.edu
>>>
>>> Submit a request via email: serviced...@rit.edu
>>> Check the status of an active request: footprints.rit.edu
>>> Manage your RIT account and computers: start.rit.edu
>>>
>>> CONFIDENTIALITY NOTE: The information transmitted, including
>>> attachments, is intended only for the person(s) or entity to which
>>> it is addressed and may c

Re: [FD] TrueCrypt?

2014-05-29 Thread Justin Bull
Closed source and Microsoft is notoriously known to play ball with LEO and
government. It's an ill-fitting shoe.

Sent from mobile.
On May 29, 2014 5:47 PM, "Mike Cramer"  wrote:

> What is careless about recommending Bitlocker?
>
> -Original Message-
> From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On
> Behalf Of Justin Bull
> Sent: Thursday, May 29, 2014 17:18
> To: secuip
> Cc: fulldisclosure@seclists.org
> Subject: Re: [FD] TrueCrypt?
>
> But why go out in that style? Why not be frank? Why be so careless as to
> recommend BitLocker?
>
> The diff was meticulous but the website and comms were not. It doesn't add
> up.
>
> Sent from mobile.
> On May 29, 2014 5:13 PM, "secuip"  wrote:
>
> > http://krebsonsecurity.com/2014/05/true-goodbye-using-
> > truecrypt-is-not-secure/comment-page-1/#comment-255908
> >
> >
> > Le 29/05/2014 22:51, uname -a a écrit :
> >
> >> There are several strange behaviors.
> >>
> >> Sitesource is not clean. Just a html that say take now Bitlocker or
> >> other built-in tools of your OS !?
> >>
> >> New Keys got added to SF 3h before release of 7.2 happened.
> >>
> >> On SF the old versions got removed. For older Versions you've to
> >> download them elsewhere (there are several sources available).
> >>
> >> Encryption, Help and all traces to truecrypt.org got removed in the
> >> Programsource.
> >>
> >> No explanation for this anywhere. Just speculations.
> >>
> >> Truecrypt isn't available on the webarchive!
> >>
> >> The Wiki got editet massively.
> >>
> >>
> >>
> >> Am 29.05.2014 04:21, schrieb Anthony Fontanez:
> >>
> >>> I'm surprised I haven't seen any discussion about the recent issues
> >>> with TrueCrypt.  Links to current discussions follow.
> >>>
> >>> /r/sysadmin: http://www.reddit.com/r/sysadmin/comments/26pxol/
> >>> truecrypt_is_dead/
> >>> /r/netsec: http://www.reddit.com/r/netsec/comments/26pz9b/
> >>> truecrypt_development_has_ended_052814/
> >>>
> >>> Thank you,
> >>>
> >>> Anthony Fontanez
> >>> PC Systems Administrator
> >>> Client Services - College of Liberal Arts Information & Technology
> >>> Services, Enterprise Support Rochester Institute of Technology
> >>> LBR-A290
> >>> 585-475-2208 (office)
> >>> ajf...@rit.edu
> >>>
> >>> Submit a request via email: serviced...@rit.edu
> >>> Check the status of an active request: footprints.rit.edu
> >>> Manage your RIT account and computers: start.rit.edu
> >>>
> >>> CONFIDENTIALITY NOTE: The information transmitted, including
> >>> attachments, is intended only for the person(s) or entity to which
> >>> it is addressed and may contain confidential and/or privileged
> >>> material. Any review, retransmission, dissemination or other use of,
> >>> or taking of any action in reliance upon this information by persons
> >>> or entities other than the intended recipient is prohibited. If you
> >>> received this in error, please contact the sender and destroy any
> >>> copies of this information.
> >>>
> >>>
> >>>
> >>> ___
> >>> Sent through the Full Disclosure mailing list
> >>> http://nmap.org/mailman/listinfo/fulldisclosure
> >>> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>>
> >>>  ___
> >> Sent through the Full Disclosure mailing list
> >> http://nmap.org/mailman/listinfo/fulldisclosure
> >> Web Archives & RSS: http://seclists.org/fulldisclosure/
> >>
> >
> >
> > ___
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> ___
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread James Lay

On 2014-05-29 15:18, CIURANA EUGENE (pr3d4t0r - Full Disclosure) wrote:

> Greetings.
>
> I'm a happy long-time user of TrueCrypt, and was as dismayed as anyone
> else to see the news. I'm considering starting a full disk image
> encryption alternative to TrueCrypt that will target OS X (maybe others
> too, but right now OS X is my priority).
>
> Asking here for interest in such an endeavor. My system still uses
> TrueCrypt 7.1a and I managed to rescue the binaries, but I suspect they
> may break Real Soon Now and, with nobody to maintain the code... well,
> OS X needs an alternative. And no, Apple's partition encryption isn't an
> option since it's suspect of having back doors.
>
> My intention is to release the code under an open source license (GPLv2
> or Apache). Please let me know your thoughts. Working now on
> understanding how Fuse might play in this setup, or whether to write a
> low-level driver altogether and mount it via the kernel w/o Fuse.
>
> Cheers!
>
> pr3d


Maybe the built-in FileVault in 10.9.

James

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-29 Thread CIURANA EUGENE (pr3d4t0r - Full Disclosure)
 

On 2014-05-29 14:39, Jeffrey Walton wrote:

> GPL can be a toxic license. It's great if you're OK with being boxed-in,
> but it's too encumbered to do anything outside of Stallman's vision.
> Apache, Boost and {2|3}-clause BSD license will likely be more useful
> for those who want to reuse code or components.
>
> Build the code in C/C++ so it's portable and available everywhere.
> Package it as a library. Build the loader using platform
> specific/native APIs. Build the front-end using the platform specific
> frameworks. For example, use Cocoa and Objective C on Mac OS X, use Qt
> on Linux, etc.
>
> I've built multi-platform libraries using C/C++ for years. They are
> write once, run everywhere. The libraries run on Windows, Linux, OS X,
> Android and iOS. Windows Phone and Windows RT kind of sucks, though.

Thanks Jeff!

I was thinking along those lines, except that I want to dispense with C++
and keep the code in C altogether. Better portability than with C++, and
fewer headaches for the developers who'll audit/contribute to the code.

The only reason I was considering GPLv2 was for its toxicity... it may
deter third parties from hijacking the code into other applications. In
the normal course of business all my open source stuff is done under BSD
or Apache. I think I'll continue with either of those (thinking that BSD
might be the best).

Layering it as a library + drivers was also my general idea (hence
looking into how Fuse works). Thanks very much for the advice; you've
confirmed some 5,000' level assumptions I'd made, and showed me a better
path when it comes to licensing.

Cheers!

pr3d

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/