Slashdot Mirror
Auditors Release Verified Repositories of TrueCrypt
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
SHA2 Preimage Attack Discovered
From my perspective, it appears that both China and the US are willing to bend to their control any IT organization that they can.
I'm happy that a verified source have been made, but sad to think that it has now come to this - the US, China, Russia, ..... so many countries that it is no longer safe to host security projects.
If only I could get a CISCO router build in China, packages in the US and sold through a reseller in Russia.... it could be marketed are the ultimate freedom router*.
(* Note: freedom is not for the end user)
"The best part? I became an ordained minister while not wearing pants." -- CleverNickName
Has anyone looked at the differences between 7.1a and 7.2a? It seems unlikely that the TC authors would intentionally release 7.2a with security-compromising bugs...
What are the hashes for your copy?
That was part of my little joke but of course that's all cynicism on my part at this point.
The only truly reliable idiot-proof encryption method is a one-time pad where you commit the key to memory or parts of it among more than one person. Not that practical compared to a mountable volume or full-disk encryption like the old TrueCrypt, but everything has a price.
Only anecdotal, but I have a copy of "TrueCrypt Setup 7.1a.exe" that I downloaded from truecrypt.org on May 25, 2012, with a SHA-1 sum of 7689d038c76bd1df695d295c026961e50e4a62ea, which matches the same file in this repository.
I would be suspicious of 7.1 just as much as 7.2. If the developers left this "message" that 7.2 might be compromised, what kind of guarantee is there that 7.1 isn't also compromised? Discussion below shows that the big difference between the two is, 7.2 won't create new encrypted volumes. The message seems to say "We've been compromised - get your stuff out of the existing volumes, because they are NOT PROTECTED!" Or, "no longer protected".
If NSA demanded keys and/or back doors, and if the NSA actually got anything for their trouble, then those keys will open backdoors into older versions as well.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
> Doesn't get much more secure than that.
The authors of Truecrypt said "WARNING: TrueCrypt is not secure".
I learned a long time ago that if you go on a date with a woman and she says "I'm crazy", BELIEVE HER. She IS crazy. Even if she's hot, she's probably telling the truth when she says she's crazy. I think the same principle may apply here. If the Truecrypt project page says "Truecrypt is not secure", believe them - it probably is not secure.
Other options seem to be more secure. Personally, I use dm-crypt (cryptsetup) with 256 bit ESSIV AES CBC, plus a little magic I've thrown in.
But this time it will be compromised and costly commercial SW.
Luckily I have a copy of 7.1a for x64 linux. Because this is a great opportunity to release a trojan horse version of Truecrypt and many people would be affected
I wonder was its source in any of repositories for the larger Linux distros? Perhaps Debian, Gentoo,or Arch would have a cryptographically signed copy of it if so that would be a simple matter of grabbing the source with a apt-get source command.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
What are the hashes for your copy?
In order for a post of the hashes to be of any use, both the poster and anybody reading the post would have to pay Dice for a subscription to Slashdot. This is because Slashdot redirects all non-subscribers' HTTPS pageviews to HTTP. If the poster does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to Slashdot's server. If the reader does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to the reader's computer.
If the developers left this "message" that 7.2 might be compromised, what kind of guarantee is there that 7.1 isn't also compromised
The only kind of guarantee there is: an open, publically funded audit of the code. That's the point of this exercise, even before people realized that blindly trusting the TrueCrypt code was a mistake, and that an audit by non-government researchers was needed.
Socialism: a lie told by totalitarians and believed by fools.
Personally, I use dm-crypt (cryptsetup) with 256 bit ESSIV AES CBC, plus a little magic I've thrown in.
Might this magic happen to let you write files to an encrypted volume on one operating system and read it on another?
I learned a long time ago that if you go on a date with a woman and she says "I'm crazy", BELIEVE HER. She IS crazy. Even if she's hot, she's probably telling the truth when she says she's crazy. I think the same principle may apply here.
Suddenly I am less interested in my privacy and more interested in your anecdotal story!
If the developers left this "message" that 7.2 might be compromised, what kind of guarantee is there that 7.1 isn't also compromised
The only kind of guarantee there is: an open, publically funded audit of the code. That's the point of this exercise, even before people realized that blindly trusting the TrueCrypt code was a mistake, and that an audit by non-government researchers was needed.
You're assuming the binary is actually compiled from the source being audited. Once the source audit is complete, AND a recompiled version FROM THAT SOURCE is available, then I might consider using TC again...
It depends on the level of security you expect. To make sure that your documents don't get into the open when someone steals your laptop it may be sufficient since most thieves just don't worry about the contents and just reformats it after a cursory glance on the contents. So everything that's not obviously visible or takes more than 5 minutes to access is probably safe.
If you are targeted by the authorities I would say that no wide-spread security system is safe. The authorities are even more likely to have backdoors into bitlocker than TrueCrypt, even though I suspect that they have TrueCrypt backdoors as well.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I learned a long time ago that if you go on a date with a woman and she says "I'm crazy", BELIEVE HER. She IS crazy. Even if she's hot...
You say that as if it were a bad thing...
Have you ever seen any computer system that is completely secure? There's always a hole or backdoor in it, and I'm just waiting for a major one to show up in bitlocker.
How can we trust them to say it's not secure if we can't know in what way it isn't secure?
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
That was actually the first step of the audit - to ensure repeatable builds and ensure the source matched the object (well, the Windows version - the Linux version was built and verified by many people over the years, but the Windows build took some non-default make setting and then it matched, so confirmation of that was ~1 year ago).
Socialism: a lie told by totalitarians and believed by fools.
The current train of thought, which may never be verified, is that the authors got a National Security Letter from the NSA (like Lavabit)... If so, pointing people away from it to something like BitLocker may be a way for the NSA to gain easier access to encrypted data
I find it truly delightful that the NSA has accidentally accomplished one small aspect of their cover-story mission through their bad PR of late...
By making us paranoid of the documented snooping of our own government, the NSA has managed to do what the likes of Bruce Stirling and Phil Zimmerman failed to accomplish for decades - Get us to finally start encrypting everything possible, from end-to-end. This code audit of TrueCrypt counts as only one tiny part of that whole, but attitudes have changed for the better!
I have TrueCrypt 7.0.0.0 timestamped July 19, 2010 at 1:23:31PM
Luckily I have a copy of 7.1a for x64 linux
I noticed something the other day when looking for a copy of the install on my own system. It turns out that when you install TrueCrypt for Windows, it puts a copy of the installer in the destination directory! If you're on Windows, take a look in your %ProgramFiles%\TrueCrypt directory. You will probably find a TrueCrypt Setup.exe file (at work so not sure of the exact filename). This can be used to install/repair/reinstall TrueCrypt on any computer.
There have been some good attempts to create a trustworthy TrueCrypt archive, but nothing beats your original installation source, which you can use to verify against various signatures found online.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
thankfully I use windows and bitlocker and don't have to worry about any of this.
Many consumer grade (and most enterprise grade) NAS devices run Linux or BSD. They are usable from a home desktop OS such as Windows, so yes, even Windows can write files to properly encrypted storage.
>256 bit ESSIV AES CBC
cool story bro, CBC is broken. Truecrypt uses XTS, and TLS added GCM.
Truecrypt also includes the options for serpent and twofish, both AES finalists with higher margins of absolute security than rinjidael.
i think you're confusing 'spontaneous' (which is fun) with 'crazy' which is bunny-burning, jealous lunacy.
That's fine so long as home and the library don't use the same ISP. Cable monopolies tend to do this, such as if home uses Xfinity and the library uses Comcast Business. In extreme cases, an entire country's web traffic passes through the same proxy, as when Wikipedia temporarily blocked all editing from Qatar.
Oh, and a correction to an error that I failed to spot in preview: "from the poster's computer to the reader's computer" at the end of #47205895 was supposed to be "from Dice to the reader's computer".
So who exactly is "the OCAP team?" I admit not following crypto research very closely so the only name I recognize on their site is Bruce Schneier, and though there's a few comments mentioning them on his blog he hasn't as far as I can tell said anything about being involved.
But to make it competitive with a TrueCrypt volume on a USB flash drive, you'd have to shrink the NAS down to pocket size and get it onto the WLAN somehow. Is there a smartphone app for that yet?
Here's mine:
2667681 Apr 9 2013 truecrypt-7.1a-linux-x64.tar.gz
9526318 Jan 20 2013 TrueCrypt 7.1a Mac OS X.dmg
3466248 Jan 20 2013 TrueCrypt Setup 7.1a.exe
$ sha1sum *
086cf24fad36c2c99a6ac32774833c74091acc4d truecrypt-7.1a-linux-x64.tar.gz
16e6d7675d63fba9bb75a9983397e3fb610459a1 TrueCrypt 7.1a Mac OS X.dmg
7689d038c76bd1df695d295c026961e50e4a62ea TrueCrypt Setup 7.1a.exe
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
SHA-256:
e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2
TrueCrypt Setup 7.1a.exe
Downloaded 02/10/2012 04:19 AM.
Same answer from the CNet.com, FileHippo, and Steve Gibson versions. MD5's also match. Using sha256deep64.exe and md5deep64.exe.
the auditors?
.
.
.
.
.
If you were me, you'd be good lookin'. - six string samurai
Not him, but as I said above on another reply, TRESOR uses CBC. I don't know about CBC being *broken* (citation, please? I'm not an expert), but I would imagine that protection from cold boot attacks is worth the tradeoff.
https://en.wikipedia.org/wiki/TRESOR
TRESOR (recursive acronym for "TRESOR Runs Encryption Securely Outside RAM") is a Linux kernel patch which provides CPU-only based encryption to defend against cold boot attacks on computer systems by performing encryption outside usual random-access memory (RAM).
EDIT: holy crap, captcha is "decrypt"
cool story bro, CBC is broken. Truecrypt uses XTS, and TLS added GCM.
CBC is not broken. It doesn't provide the authentication properties an AEAD mode like GCM does, and it's more subject to ciphertext tampering attacks than XTS, but it's a perfectly good mode when applied with understanding of its strengths and weaknesses -- which is also true of GCM (which is terribly insecure if tags are truncated too much; far worse than CBC) and XTS (which isn't authenticated and therefore still subject to ciphertext tampering). And if you want CBC to have authentication and tamper-resistance, they can easily be added by HMACing the ciphertext.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
That's what the audit mentioned in the summary - and several dozen previous articles - will show (and has already intimated, in brief, that there's nothing obviously wrong with it but it can take years of analysis to have confidence that something this large is clean).
Keep up.
Gentoo doesn't keep the source in the repository, but it has the hashes. /usr/portage/app-crypt/truecrypt/Manifest:
from
DIST truecrypt-7.1a.tar.gz 1949303 SHA256 e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc SHA512 b5e766023168015cb91bfd85c9e2621055dd98408215e02704775861b5070c5a 0234a00c64c1bf7faa34e6d0b51ac71cd36169dd7a6f84d7a34ad0cfa304796a WHIRLPOOL 5e7f4360746a30639aea96eaf4deac268289c111c0efa96f50487527f0406499 2c26ad4c8ae0fd565d80e77f0ce8add82b03930d877fe5adedc8a733b482fe38
(the filter did not like awful long strings of letters so I added spaces to WHIRLPOOL and SHA512 hash strings.
They said it was not secure because it "may contain unfixed security issues". That statement was 100% true for every earlier version of TrueCrypt and every single piece of software ever created. Including dm-crypt, your recommendation.
"Trying is only the first step towards failure." - Homer
Are you thinking of SSL (not TLS) and how it used a predictable IV in CBC mode? That's an SSL issue, not a CBC issue.
CBC is "broken" to the extent that it isn't tamper-evident, so if a bad guy has write access to your encrypted storage you might not know it (unless you hash the file, just like any other storage). XTS is the same!
> volume on a USB flash drive, you'd have to shrink the NAS down to pocket size
See Gumstix and many similar options.
First of all, they said TrueCrypt has unfixed critical bugs not that it was compromised. It wouldn't really make a lot of sense either, if it was compromised back in 2012 and you wanted to be a whistleblower why wait well over 2 years to do it? It's not like NSA or whomever would let that sort of gag order expire. And if they're under any kind of pressure now, it would be to discredit the software they made years ago that doesn't contain any backdoors. Which brings us over to the next issue, they claim there's critical bugs but they won't tell anyone where they are so others can fix them nor fix them themselves. I mean they don't just want to shut down their project, they want tarnish the name, burn it to the ground and salt the earth after them and you really have to ask: Why?
I don't think and you probably also don't think that it's because XP support has ended and we should now all go use Bitlocker, so they're lying to us now. Why are they lying to us? I don't know, either they're pressured to it or working for commercial alternatives or threw a hand grenade to start conspiracy theories and get everyone reviewing the code or just went plain nuts I don't know. But there's no reason for any agency to kill off a version that has a backdoor and if there really was a government backdoor wouldn't the best way to be a whistleblower be to point it out? Why this ominous yet vague FUD? The answer that makes the most sense is that they're lying about everything. The developers don't know of any critical issues with 7.1a, but they're being pressured to or want to kill it.
That doesn't mean TrueCrypt is bug free, of course it may have bigger and smaller issues. But I think they're lying about knowingly withholding anything, that they're not working on the code and not maintaining it isn't the same as deliberately avoiding fixing issues. If they had said nothing at all and TrueCrypt had stayed at versjon 7.1a for another few years I'd still use it and despite what looks to me like a best effort they can't go back in time and sabotage their old release. So while I wouldn't trust anything they do from now on, the older code looks good. Why else would they go through so much effort to get rid of it? Somebody badly wants TrueCrypt 7.1a to disappear and be abandoned, the question is who and why.
Live today, because you never know what tomorrow brings
I have v7.1a for Windows, downloaded 21 Oct 2013. md5 is 7a23ac83a0856c352025a6f7c9cc1526.
Source package (not Linux) sha256sum: e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc
That's what I just signed in the first ever signed git commit of the CipherShed fork of TrueCrypt. It's been a crazy week over there!
Celebrate failure, and then learn from it - Nolan Bushnell
Excellent. That's what I just got for the source we're using to build the CipherShed fork of TrueCrypt.
Celebrate failure, and then learn from it - Nolan Bushnell
I believe I read about this guy on slashdot a year-ish ago. He verified the Windows binary comes from the official source. I replicated most of his steps, until I became a believer. It is the actual source used to compile the 7.1a binary.
Now, if you're afraid of back-doors, be afraid of what is already in the official source, all 110K+ lines of it.
Celebrate failure, and then learn from it - Nolan Bushnell
My question is academic. If they got a developer into a dungeon somewhere, and applied the five dollar monkey wrench interrogation method to extract a working back door - what assurance is there that this back door doesn't work on previous versions? FUD? I thought it a reasonable question. Does an exploit in version x.xxx work on version x.xxx - 1, or x.xxx - .001, or even x.xxx - 3? In some cases, I would imagine that the exploit might work all the way back to the project's startup and milestone .01, in other cases the same exploit might not work in a very minor version update.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The only cryptography you can truly trust is one you invent yourself, and don't tell anyone else about it, after you've learned all the top of the line methods and technologies and tricks available in the world. But don't trust these "expert proclaimed" unsolvable problems to really be unsolvable. Somebody somewhere might be passing off to you cryptography so you hide "secrets." Best thing is not to have secrets, or even if you do, they should not be something you absolutely can't have out in the public. Like putting a lock on a bicycle, sure somebody can cut it off with, it's like there is no lock that cannot be picked or wall that cannot be destroyed, unlike in the old days, until they invented cannons, but people still practice building walls and putting up locks, So consider all security to be a mild one, like a password, it's a minor obstacle. Like it's not possible to not have your credit cards stolen. Or be victim to false witnesses. It's not possible to have computer security, because whatever you do on the chips and whatever you see on the screen, somebody could be snooping on you. You wanna practice cryptography? Go hide in a cave somewhere and draw lines in the sand with a stick, and they will still find it with sniffing dogs, and only if it makes absolute nonsense because you did not mean anything by it you were just putting down nonsense marks in the hidden cave sand on purpose, they will still decrypt it into something and jail you for it. Such is cryptography. Who you wanna trust? A computer that has a sticker that says "intel inside" or some "amd?" You can't even trust a chip you made yourself and didn't tell anybody, cuz they replaced it with a rigged identical indistinguishable copy of theirs. All you can hope for is they make mistakes, and are not thorough - and who in the world does not make mistakes - and they forgot to detect a UV pen marker line you put on it, or even a trace of blood that - in theory - can be dna decrypted to your blood, and i mean in theory. So much for cryptography and security. You have no rights. Maybe the right to think freely, but only if you don't tell anybody, or don't express it on anything, like a computer screen, voices into the air, or a piece of paper, or sand. If anything, hiding in plain sight is best. You can store information by some rules you invent, and encode things into how you place say a pillow or a sock somewhere, rules that you don't tell anybody, and sometimes, you can just fuck with the snoopers without having rules, but making it look like the disarray you throw your socks into is an expression of something, like a secret, when you were just trying to fuck with them a little and give them something to decrypt. Like a lot of google books results are "top secrect" gov't documents from like 1940's and 50's written by absolute quacks, and you can tell after 3 sentences or 3 paragraphs into it, but sometimes they are amusing to read and entertaining. Such is the top secret released to you, and you can do similar top secret releases yourself. Not to really encrypt anything and believe it's not decryptable, but just to plain fuck with people decrypting it and disrespecting your privacy.
SUUURE, this new verified installer is legit. ..tries to download it...
Love, the NSA (who wrote the thing in the first place)
"Using GitHub on Windows has never been this easy."
Sad Internet user has a sad.
I want to delete my account but Slashdot doesn't allow it.
But I have come to the conclusion the devs just got sick of giving us free stuff, especially when these auditors came along and got PAID to review code the TrueCrypt devs have been toiling on without pay for years.
All your NSA conspiracy theories are fun to read, but really.. I'm pretty convinced there's nothing wrong with 7.1a that will come to reveal it's fundamentally flawed and insecure.
I think I'd be giving you all the finger too if I worked 10 years without pay and some hooha's came along and got paid a bunch of dough to review my stuff and criticize it.
Move along, nothing to see here now. Just some p/o'd devs giving us all the finger.
Only if you can handle the keying material properly. The problem with one time pad is that the keying material needs to be as much as the message to encrypt. Now if you want to transfer 1 GB of data you need 1GB of keying material. This material needs to be shared with the receiving end. Although a one time pad is mathematically proven safe, the burden is shifted from the problem to keep the message safe to keeping the keying material safe.
Thanks, but it gets you in the same trouble as drawing nonsense lines in the sand - you get caught with a set of random looking characters in a hostile country and you can prepare for some good torture sessions to extract the meaning of them. They are just random crap? Boloni! etc. So you better be creative and ready to invent something they wanna hear, to get your ass out of trouble, kinda like the American pilot captured in WW2 by the Japanese, who was interrogated about how many nukes the Americans have. Of course he had no idea, but he told them many many, because that's what he thought they wanted to hear.
The authorities don't need backdoors or attacks on encrypted systems. They get a court order demanding the encryption key, and if you' don't provide it you go to jail, indefinitely, for contempt of court. If that doesn't swing in your jurisdiction, then the law probably already has something about providing keys being mandatory in some instances (In UK law it's an offence to not provide them when requested; 2 years in jail, or 5 years if it's regarding terrorism or CP).
Failing that, they already have the best backdoor to secure systems that there is; A dark room in a foreign country where they pour water over your face until you're just about ready to end yourself.
But yeah, it should be fine for use against a smash-and-grab break in.
Finally had enough. Come see us over at https://soylentnews.org/
Authorities can only do that if they don't mind revealing the investigation against someone. There are still alot of reasons why authorities would want to be able to read something encrypted without it being obvious that they are doing so.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
All softwares have bugs, the question is just if the bugs are serious or if they are benign.
The hardest bugs to find are those that are due to bad overall design. Each part may be perfect, but they are joined in a way that is unsafe.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
If they got a developer into a dungeon somewhere, and applied the five dollar monkey wrench interrogation method to extract a working back door - what assurance is there that this back door doesn't work on previous versions?
Sure, with a $5 monkey wrench you can make someone implement a backdoor, but if the developer never made one and doesn't know of any exploits to produce one then beating him to a pulp won't help him find one. Sure I can't guarantee that I haven't made any big oopsies in my code, but if I did I'm not aware of them and if I found one it'd be patched immediately. I'd never knowingly sit around with an unpatched way to backdoor the system, it can only "extract" things you actually know how to do.
Live today, because you never know what tomorrow brings
Slashdot does not support updating of posts once they are submitted
Of course it does. True, Slashdot is WORM in the sense that it doesn't allow users to edit submitted comments. But if you reply to yourself with the correction, the correction will be displayed below your original comment. See, for example, my post "Qatar ball" above.
To me the most likely and simplest explanation of the strange canary-like behavior is to assume a warrant canary is indeed what we are seeing. Which probably means that 7.1a has not been compromised, but that a compromised version of 7.1a will eventually be introduced into the wild. Hence the need for a trusted repo for windows.
Nevertheless are the changes between 7.0 and 7.1 so significant that it is worth the additional risk of a more recent release? I'm thinking of using my 7.0 download from 2011 instead. A 2 year delay and then suddenly an update might in itself seem suspicious to a sufficiently paranoid individual given what we now know about the aggressive behavior of the NSA. The drawback is that the code verification process is based on 7.1a. Until the verification/cryptanalysis process is complete downgrading to 7.0 temporarily might be worthwhile.
FWIW here are some md5sums for my Windows copies.
5.0a: 4ec2b386f5d786b3017727aaecf28aa8
6.0: ec0827315825a035ff9a4203ddddfef7
6.1a: c413ecd820d2f912996ae86327b0d622
7.0: eadd4ae48541b830638f279d83938497
7.0a: 354e280c4bb56704e3925770f282588f
7.1a: 7a23ac83a0856c352025a6f7c9cc1526
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
QFT. Personally, I can add an example of "crazy" which included her living in a fantasy construct, pathologically lying, stealing thousands of dollars from me, faking a pregnancy and abortion (to get more cash from me), eventually getting institutionalized briefly after we broke up, and drunk texting me annually on her mother's death anniversary with passive-aggressive suicide notes (don't respond to those). I eventually changed my phone number I had for 10 years in order to escape.
Listen to the man.
There's a difference between "dating" and "letting the crazy person affect you to the point of theft, personal harm, etc.". Maybe I just have more experience with them and know when to pull out, so to speak. Not that that's a particularly cool badge to have earned, but I have been able to see where things were heading and jumped off the train. Still it was usually worth the ride.
And you're assuming that your compiler isn't inserting extra code that wasn't in the source code.
- For the complete works of Shakespeare: cat
The level of trust in the current binary builds, in my mind, approaches 0. Once the source code audit is complete, we'll see where my level of trust is in whatever newly compiled versions might be available. Ideally I'd be able to take the source with verifiable md5sum/etc. and compile my own, but a number of comments seem to indicate that this is unlikely, so maybe it's just time to move on to something else.
In my opinion, the NSA flies other law enforcement people, have decided that TrueCrypt is too much of a problem. So either through layers day off extort it up on TrueCrypt to end their business or they just directly did it. And so now that it's Joe will be stuck with Windows alternative. And we know how much we can trust Microsoft. So I repeat True Grit probably is good, but the authorities don't want us to use it
Oh that's fantastic! I didn't even know a setup.exe was stored there. Thanks for the tip!
Fair enough. But, most developers know how to wreck their software. The guy holding the interrogation implement asks, "What is the weakest part of your encryption tool?" WHACK! "You don't need to think so long, you know the weakest part of your scheme, tell me!"
Given that answer, it would help to focus attention where WE would least want attention.
The best thing going right now, is that so many eyes ARE focused on the last "known good" version. Maybe if there is a weak link, someone will notice it. Of course, there is no guarantee at all.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
It's like jazz, spontaneous - it has no paragraphs. If I had more time or were not as lazy, I would have had paragraphed it for you, and made it shorter too, to the point of unfollowable mentally. Euler or some other mathematicians, like Gauss, used to get off on just presenting the end results, without detailing how they arrived to it, or giving some inhuman, unnatural flow of thoughts official and strict proof, but where is the fun in that?
The nice thing about one time pads is that for any ciphertext there's a OTP which produces any (alibi-)cleartext you desire.
CLI paste? paste.pr0.tips!