Slashdot Mirror


TrueCrypt Safer Than Previously Thought (ec-spride.de)

An anonymous reader writes: Back in September, members of Google's Project Zero team found a pair of flaws in the TrueCrypt disk encryption software that could lead to a system compromise. Their discovery raised concerns that TrueCrypt was unsuitable for use in securing sensitive data. However, the Fraunhofer Institute went ahead with a full audit of TrueCrypt's code, and they found it to be more secure than most people think. They correctly point out that for an attacker to exploit the earlier vulnerabilities (and a couple more vulnerabilities they found themselves), the attacker would already need to have "far-reaching access to the system," with which they could do far worse things than exploit an obscure vulnerability.

The auditors say, "It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system. This is because when a TrueCrypt volume is mounted its data is generally accessible through the file system, and with repeated access one can install key loggers etc. to get hold of the key material in many situations. Only when unmounted, and no key is kept in memory, can a TrueCrypt volume really be secure." For other uses, the software "does what it's designed for," despite its code flaws. Their detailed, 77-page report (PDF) goes into further detail.

1 of 42 comments

  1. VeraCrypt is a Microsoft product? by Futurepower(R) · Score: 0, Troll

    "... I'd rather trust the last official version of Truecrypt [7.1a] (with correct checksums) than any binary downloaded from the Veracrypt website."

    When I go to the VeraCrypt web site, NoScript tells me that site uses JavaScript from 3 different Microsoft web sites: aspnetcdn.com, msecnd.net, and s-msft.com.

    The many connections to Microsoft web sites make Windows 10 the world's most common spyware. Should you trust VeraCrypt when it is so closely monitored by the world's biggest spyware company?

    Mozilla Foundation and Firefox are now controlled by Microsoft. Google stopped giving Mozilla Foundation $300,000,000 per year. Now Mozilla Foundation gets money from Microsoft through Yahoo. Microsoft pays Yahoo to use Microsoft's Bing Search. Yahoo pays Mozilla Foundation to use "Yahoo" search as the default in new installations of Firefox.

    One of the effects of the control of the Mozilla Foundation by Microsoft is apparently that the Thunderbird and SeaMonkey Composer GUIs have been damaged, apparently deliberately. Every time you do a file save, the newer versions of both ask for a new file name, and don't suggest the last one chosen. The damage was reported several months ago, but has not been fixed.

    A few of the many, many articles:

    Microsoft has no plans to tell us what's in Windows patches. Each update is a black box, and it's going to stay that way.

    Leaks show that Microsoft writes release notes, so why can't it publish them? The lack of documentation of Windows' updates is a baffling move on Microsoft's part.

    Microsoft's Software is Malware. Malware means software designed to function in ways that mistreat or harm the user.

    How Can Any Company Ever Trust Microsoft Again?

    NSA Backdoor Exploit in Windows 8 Uncovered

    Microsoft Gave the NSA Direct Backdoor Access to Outlook, Skype

    Microsoft [lack of] Privacy Statement

    Here's how to Block Windows 10 "Spying"