Owner: ressa (created 29/05/2014 11:18), revised 29/05/2014 11:23 (author: SATtva)
Categories: cryptography, software, information security, politics, legislation, disk protection, algorithms, truecrypt, source code, intelligence agencies
http://www.pgpru.com/Новости/2014/НаСайтеTrueCryptОпубликованоЗаявлениеОНебезопасностиИЗакрытииПроекта

29.05 // TrueCrypt website publishes a statement on the project's insecurity and closure


The official website of the popular disk-encryption system TrueCrypt has published a statement that the system is not secure and may contain vulnerabilities. Moreover, it is reported that development of TrueCrypt has been discontinued as of May 2014. At the same time, a final release, TrueCrypt 7.2, has been issued, which is recommended for use only as an intermediate step when migrating to other systems.

The reason for closing the project given on the site raises serious doubts about the truthfulness of the published information. In particular, it states that the project was closed after the end of support for Windows XP, which lacked built-in disk-encryption tools, whereas the other platforms for which TrueCrypt was developed (Windows 8/7/Vista, OS X and Linux) do have built-in disk encryption.

The situation becomes even more puzzling given that the TrueCrypt developers disclose no information about themselves and remain anonymous. In addition, an independent audit of the TrueCrypt source code was completed in April and found no dangerous problems. At the same time, the TrueCrypt code is not free software: it is distributed under its own TrueCrypt License, which contains additional requirements on the scope of distribution and on attribution, making it incompatible with free licenses and preventing the community from continuing development by creating a fork.

As for the new release, TrueCrypt 7.2, the differences from version 7.1a amount to displaying a warning that the project is insecure and removing the code for creating new encrypted volumes (existing TrueCrypt volumes can only be decrypted). The license text was also changed in minor ways. Most interestingly, the TrueCrypt 7.2 release archive is signed with the project's official private key, which casts doubt on the hypothesis that the site was altered by attackers after a compromise. It is unlikely that attackers who had obtained the release-signing key would have been capable of nothing more than a prank involving site defacement.

Still, much in this story remains unexplained, for example why the truecrypt.org site was redirected to truecrypt.sourceforge.net and why Windows users are advised to migrate only to Microsoft BitLocker. SourceForge representatives stated that they found no signs of account compromise or anomalous activity, and that the recent forced password reset was an infrastructure-improvement measure rather than a response to a breach.

Source: http://www.opennet.ru/opennews/art.shtml?num=39881


Comments
— pgprubot (28/07/2015 17:47)

mail2tor.com has not been working for the last few days, and it is unknown whether it will ever work again.


Do you really need it? What is wrong with standard LUKS? If you really need to, you can make hidden containers as well.
— ОляВедьма (03/08/2015 12:06)
And where can one get the specifications and sources of this TrueCrypt? I want to play around with the signature-less thing)

(scared to see SUCH a thing from me? it is a friend who is too lazy to register who is asking)
— pgprubot (04/08/2015 04:54, edited 04/08/2015 05:03)

Maybe LUKS after all (specs: here, sources: probably on kernel.org), rather than TrueCrypt? The latter was criticized precisely for the lack of specifications and of a clear explanation of how it works, not to mention that this project officially no longer exists. The paper "Defeating Encrypted and Deniable File Systems: TrueCrypt v5.1a and the Case of the Tattling OS and Applications" was once mentioned here; it is the only officially published work in the scientific press on this topic that I know of.

— ОляВедьма (04/08/2015 12:39)
This is me writing now. I saw a link on your site where it was cheerfully written "the analysis/audit of the source code found no vulnerabilities!", and I also came across people cheerfully writing that "we can always take the sources, check them and build it ourselves", and then suddenly you all somehow came to hate it))) Personally, this option interested me because I saw it under Windows with a pretty little key) It is very visual and understandable there. To quickly open an encrypted disk you do not have to "easily" type "just" a couple of dozen pages of commands in the terminal, as you love doing)))
PS And give me links to where ressa "could not manage to work in the console, unlike Olya"
— pgprubot (07/08/2015 04:35, edited 07/08/2015 04:37)

The question is what to compare it with. Of course, TC is far more trustworthy than proprietary closed-source products, and here the openness of the sources, together with the audit that was carried out, such as it was, plays a role. However, there are other open-source solutions that are more standard, more trusted and far more widespread (LUKS), so there is no point in choosing TC when they exist.

Opening a LUKS volume is one command, mounting it into a directory is another. You can write a script, and it will be even more convenient than working from a GUI.

Go and discuss frills, bells and whistles on women's sites, not here, where your questions distract people from their work.

— cypherpunks (31/03/2016 20:18)
Paul Calder Le Roux’s arrest in 2012 got a fair amount of newspaper coverage. “One of the world’s most successful criminals,” announced The Australian. “This is a very, very bad guy,” intoned a US law enforcement agent, who compared Le Roux’s international career—allegedly involving drug trafficking and arms running — with that of infamous arms dealer Viktor Bout. “He’s Viktor Bout on steroids,” the law enforcement agent told the New York Times.

Le Roux was arrested in Liberia shortly after a yacht which he had rented ran aground on a South Seas Island. On board was about a million dollars in cocaine and a dead Slovakian man. Le Roux was ostensibly arrested on drug charges, although no indictments or formal charges can be found on him now.

Le Roux, who is in his early forties, apparently began his career working as an encryption specialist for the US government, according to confidential sources. He is known to have developed “TrueCrypt,” which may be a virtually unhackable encryption system. At some point — somewhere around 2004-2005 — Le Roux appears to have struck out on his own. Or maybe not.

According to the New York Times, Le Roux has been “turned” and is now informing on others — hence the arrest of Hunter and the Israeli office workers. Certain questions emerge as to this scenario, however. Generally, individuals who turn informant are offered deals — such as reduced sentences — in order to serve up bigger fish. Neither Hunter nor the Israeli office workers meet this criterion, however. They are only lower level employees of the Big Fish — Paul Le Roux.

journal-neo.org

This Le Roux had been famous among a small community of hackers and privacy geeks in the early 2000s as the author of an important piece of encryption software. Before encryption was a mainstream idea, before Apple defied a U.S. government request to provide a method to unlock our phones, this Le Roux had written the underlying code of a program that, a decade and a half later, the National Security Agency still could not break.

The former Paul Le Roux seemed to have disappeared from the Internet in 2004. Encryption experts I contacted had no idea what had become of that Le Roux, and there was no evidence linking him to the man known for drugs and gun running.

Le Roux was something new, a self-made cartel boss whose origins were not in family connections but in code. Not just any code, but encryption software that would play a role in world events a dozen years after he created it. I stared at the address on the screen, a post-office box in Manila, left now with a still larger mystery: What had turned the earnest, brilliant programmer into an international criminal, with a trail of bodies in his wake?

A few scant details about his criminal existence had been reported in the media, mostly speculations about the mythological size and scope of his empire, but there was little about who he was or how he had built it.

After months of rote data collection, I had amassed tens of thousands of pages of research. There were snippets from long-dead message boards from the early 2000s, Hong Kong legal databases, and obscure newsletters put out by the Australian Federal Police.

He also had a legitimate Congolese Diplomatic passport in his own name and a Bulgarian passport in another name. He is an interesting character.

Paul Le Roux was born on Christmas Eve, 1972, at Lady Rodwell Maternity Home in Bulawayo, the second-largest city in what was then called—by the white minority that governed it, at least— Rhodesia. His birth mother gave him up for adoption. On his birth certificate, a copy of which Lulu sent to me, his first name is listed as “UNKNOWN.” At the bottom, however, the newborn’s fate is outlined succinctly: “Child to be known in future as: Paul Calder Le Roux.”

“Sad and interesting story,” he said. “His real mom’s mom is married to a U.S. Senator.” When I asked him who the Senator was, he said, “That I can’t say, mate. That’ll get me shot.” (I tried all sorts of strategies to figure out if this was true, but for now I’ve had to leave it unconfirmed, another legend following Le Roux.)

Le Roux was adopted by a family living in the asbestos-mining town of Mashava. “His adoptive parents were really nice,” Lulu said. “They loved him very much.” His father worked as an underground mining manager at the giant Gaths and Shabanie mines, which at one point produced 140,000 tons of asbestos a year. He had a younger sister and was well-loved by the extended Le Roux family. “All the cousins adored him,” Lulu told me.

In 1980, Robert Mugabe became prime minister of what would now be called Zimbabwe, ending minority white rule in the country. Four years later, when Le Roux was 12, the family relocated to South Africa, where Paul’s mother believed they would find better schools for their precociously smart son. Krugersdorp, their new home, was also a mining town. Le Roux’s father started a company that managed coal-mining operations, and the family was soon well-off.

Not long after the move, in exchange for washing his father’s car, Le Roux was given his first computer. After that, “he was completely anti-social,” Lulu explained. From his first glimpse at a computer screen, Le Roux became interested in creating his own worlds. “Every time we went there afterwards he was always holed up in his room,” Lulu said. “I remember going in and seeing lines and lines of numbers.” I found this image of a teenaged Le Roux jarring. It wasn’t that I was surprised that he could have discovered his identity in computer code. It was that his story sounded more like that of a programmer turned entrepreneur like Bill Gates or Mark Zuckerberg than of a crime boss like John Gotti or Viktor Bout.

Lulu told me that when Le Roux was 15 or 16, in the late 1980s, the local police raided the family home and arrested Paul for selling pornography online. (I’d heard rumors of this before, from an employee who worked closely with him.) The family was scandalized but managed to keep the story private. After, Le Roux turned even more inward. He was an excellent student but despised the idea of learning Afrikaans, compulsory in South African schools.

When they returned to South Africa, “the moment he landed he said he was leaving.” Eight months later, Le Roux departed for the UK. At the airport, his bags proved too heavy to check. He ditched his clothes and boarded the plane with a suitcase full of programming books.

In an archive of old message boards from the 1990s, I had encountered a prolific and often abusive user from Australia posting under the name Paul Le Roux. In forums like aus.general and alt.religion.kibology (named after a parody religion—it’s a long story), he was often angry and sarcastic, writing extreme or offensive screeds in an attempt to rile up other users. He was, in other words, a troll: the kind of person you might find on Reddit or in a newspaper’s comment sections, getting high off the reactions of fellow posters to his deliberately provocative opinions. Le Roux was a harsh critic of his adopted homeland. (I’m reproducing all messages verbatim, including errors, here.) “All of Australia could disappear into the Pacific and the only difference it would make to the World,” he wrote in a typical post, “is the Americans would have one less pussy country to protect.”

People who later worked for Le Roux, at his call centers and other businesses, had told me he was often openly racist. But it was still surprising to see the level of vitriol that Le Roux would attach to his real name. “People like you should be rounded up, castrated, then shot,” he wrote in response to someone who accused him of racism for asserting that Asians should be “screened out” of the country “for DNA defects.” He continued, “Whats more your sperm could be used to create the ultimate germ weapon. Simply impregnate a countries woman, and within 20 years, you will have a race of ‘people’, which by all accounts, are capable only of collecting the dole.” Like much trolling on the Internet, Le Roux’s provocations worked. His posts so outraged the boards he was posting on that someone even changed their handle to fuck@you.paul.

In a coup de grace, Le Roux penned a 30-part post on aus.general in which he laid out the “Advantages” and “Disadvantages” of Australia as a nation. He made a point to note that, “I am ZIMBABWEAN. I left Zimbabwe in 1984, and have since lived in several countries including the U.S & U.K.” The “Disadvantages” column included “Internet access is far to expensive,” “pornography laws in Australia are backward,” “banks report on everything you do,” and “movies are about 6 months behind the U.S.” “Drug laws are primitive compared with Europe,” he wrote in closing. “The way to combat drugs is in fact to legalise them.”

Early in the process, I noticed that Paul Le Roux used four different email addresses in his posts. But two of them traced predominantly not to his trollish screeds but to highly technical encryption discussions on other boards. One of the emails, pleroux@swprofessionals.com, was connected to a software company called SW Professionals. That same address turned up in the documentation for the encryption software E4M, hosted on the now defunct website E4M.net.

Confident in the connection between the two Le Roux’s, I burrowed into the world of encryption. Le Roux, it seemed, had started building E4M—Encryption for the Masses—in 1997. It followed that a talented young man so absorbed with the challenges of code, one who had gotten himself into trouble with law enforcement in the past, would tackle a problem as technically knotty as digital privacy. Le Roux’s software allowed users to encrypt their entire hard drives—and to conceal the existence of encrypted files, so that prying eyes wouldn’t even know they were there. After two years of development, he released it to the world with a post to the alt.security.scramdisk board. According to his own account, the software was written “from scratch,” and “thousands of hours went into its development and testing.”

On the website for E4M, Le Roux posted a manifesto. “The battle for privacy has long since been lost in the real world. As more and more human activity becomes computerised, governments are scrambling to preserve and extend their powers,” he wrote. “Strong Encryption is the mechanism with which to combat these intrusions, preserve your rights, and guarantee your freedoms into the information age and beyond.”

In the spirit of the burgeoning open-source software movement in the late 1990s, Le Roux released E4M for free and made the code available for other people to improve. With no income from his two years of labor, he was struggling financially. His marriage fell apart—violently, both Lulu and a colleague of Le Roux’s told me, although it wasn’t clear what that violence entailed. According to Australian records, the couple divorced in Brisbane in 1999. Le Roux relocated first to Hong Kong, then to Rotterdam, in the Netherlands. He married a Dutch citizen named Lilian Cheung Yuen Pui, and they had a child.

In 2000, Le Roux launched SW Professionals, his software-development company, nominally based back in South Africa. Its motto was Excellence in Offshore Programming; its website claimed that the company had six employees.

One of Le Roux’s clients was an Italian telecommunications engineer named Wilfried Hafner, who had corresponded with Le Roux for several years about his encryption software. Hafner had founded a company to create a commercial encryption product that would combine some of the elements of E4M with another piece of software, Scramdisk. The new company would be called SecurStar, and its product DriveCrypt. Hafner hired Le Roux to build DriveCrypt’s underlying engine.

“He was always very smart,” Hafner said. “He came also with some, how do you say, interesting, innovative ideas. But at the same time, I felt he was a little bit… disingenuous.”

I asked him what he meant, and Hafner told me that in the middle of the development work for DriveCrypt, he discovered that Le Roux was still working on E4M and had incorporated some of his work for SecurStar into his personal project. Hafner was furious. Because E4M was an open-source product, the source code that Hafner had personally funded, he claimed, could now be used by anyone to develop an encryption product of their own. He confronted Le Roux, who he says apologized and asserted that it was all a mix-up. “He was very humble,” Hafner says. But the damage was done, and Hafner terminated Le Roux’s contract.

The two reconciled personally, however, and stayed in touch. Hafner told me that Le Roux was also building a gaming engine for an online casino that he planned to launch in Canada and Romania. To do so, he needed to learn a new programming language. “In one week, he was better than most of the programmers I know that program in that language,” Hafner says. “I know that in the casino industry there is a lot of money,” he continued. “But Paul is not a marketer. I didn’t see how he could bring in the gamers to play.” Around 2002, Hafner lost touch with Le Roux.

It was around this same time, Lulu told me, that Le Roux received some news that “shattered his whole world”: He found out he was adopted. Although many family members had known for years, Le Roux’s parents had elected to keep him in the dark about it. But in 2002, Le Roux traveled to Zimbabwe to retrieve a copy of his birth certificate. On the trip, his aunt and uncle pulled him aside to tell him the truth. “It was the ‘unknown’ part that hurt him the most,” said Lulu.

Hafner and his SecurStar colleagues suspected that Le Roux was part of the TrueCrypt collective but couldn’t prove it. Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt who led a security audit of the software in 2014. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”

Hafner found an email address associated with the TrueCrypt programmers and sent a cease-and-desist letter, arguing that the software was based on stolen code. The developers did briefly stop additional development but soon started up again. The response of the free-software community could be summed up in an anonymous message-board response to Hafner’s demand: “FUCK YOU, SecurStar—we’ve got it already!”

For the next decade, that mysterious group of anonymous programmers maintained TrueCrypt, with funding from some equally opaque source. TrueCrypt came to be known as the most powerful and reliable encryption solution available. “They improved it, even did quite impressive work on top of it,” says Hafner, whose business was forced to compete with a free product. “Nevertheless, it’s built on our engine.”

In response to the controversy, in June 2004, Le Roux returned to the alt.security.scramdisk forum and posted a note defending his E4M work, adding that when it came to the controversy over TrueCrypt and E4M, “the pure speculation here (often stated as fact) is damaging and in some cases libelous.” After that post, he disappeared from the message boards for good.

Le Roux’s departure from the encryption world, at least under his own name, coincided with his entry into the Internet-pharmacy business.

In 2005, Le Roux surfaced in Israeli documents registering IBS Systems, one of the companies that would evolve into the customer-service arm of his prescription-drug empire.

As RX Limited earned hundreds of millions of dollars, Le Roux’s lifestyle changed in some ways but remained the same in others. He became known for bragging graphically to associates about his extramarital conquests. “He lived in expensive houses in exclusive areas, but he didn’t live extravagantly,” Gil said. “He would travel in flip-flops, shorts, just like a bum. Anywhere, he would look like that.” Lulu recalled that Le Roux told him that RX Limited was bringing in four or five million a month, but it didn’t show. “He was as tight as they come,” Lulu said. “I assume he was just hoarding it.”

By 2008, the Le Roux who once gleefully posted online under his own name was gone, replaced by a man obsessed with secrecy and holding a pocketful of identities. His activities were spread across dozens of shell companies registered all over the world, with names like Ajax Technology, Cycom, GX Port, and Southern Ace. Le Roux often used the identity John Bernard Bowlins and had a fake Zimbabwean birth certificate and passport to back it up. Some people called him Benny, others went with Boss or even Paul, if they knew his name at all. Le Roux had another fake Zimbabwean birth certificate for a Johan William Smit—it was an ironic alias, Lulu told me, because it’s a popular name in Afrikaans, the language Le Roux dropped out of school rather than learn. Another birth certificate listed his identity as William Vaughn.

“When I corresponded with him in the beginning, he used the name Alexander,” a South African who worked for one of his companies told me. “When I met him, he introduced himself as John. I only found out after more than a year that he is actually Paul Calder Le Roux. But then again, we all used pseudonyms in the Philippines.”

In his first email, Lulu had told me that Le Roux possessed a diplomatic passport from the Democratic Republic of the Congo, a document that helped him avoid customs. Lulu forwarded me a copy of it; the passport was issued in Le Roux’s own name.

“He changed at that point,” he said. “I think the money got to him. I personally saw $100 million in his office in Makati. Cash, bud. It was fucking ridiculous. It was in wicker baskets lined up on the side of the wall in his office.” One image in particular stuck with him: He remembered that the $100 U.S. bills were each stamped with a pink rabbit.


Like the Silicon Valley entrepreneur who sells a company for $100 million, only to start another one in hopes that it will sell for a billion, Le Roux made the pursuit of more money, and more power, an end in and of itself. But the kid who had once locked himself in his bedroom, losing himself in code, had gone as far as his technical skills could take him. He wanted to be a different kind of businessman, a lord of the real underworld, not just the virtual one. “He made money on the pharmacies, and then he decided that he wanted to make more money, fast,” the Israeli associate told me. Le Roux wanted to diversify, to be bigger, he said. “The only way to do that was illegal. He was living inside a movie, you could almost say. He always had a dark side, it just developed more with money.”

Sometime in 2008, Wilfried Hafner logged into his long-dormant chat account and noticed Le Roux’s handle was still active. He messaged Le Roux and the two exchanged greetings and caught up. Hafner mentioned that he was raising money for a new phone-encryption software project called PhoneCrypt. Le Roux remarked that he was now a wealthy man and would consider investing if Hafner sent along his business plan. Remembering how little money Le Roux had had back in the early 2000s, “the picture did not match,” Hafner said. “I didn’t take it seriously.” “It’s a pity I didn’t believe it,” Hafner said, before stopping himself. “On the other hand, I could have gotten wrapped up in these stories.”

In the years since Le Roux disappeared from the encryption community, the ideas that drove him to develop E4M were slow to penetrate the public consciousness. As more of our lives became digitized, governments began peering into them. TrueCrypt, E4M’s progeny, had become one of the most popular disk-encryption programs, used by tens of millions of people. Yet the significance of encryption remained largely the province of privacy enthusiasts and libertarian hackers.

All of that was about to change. In November 2012, a man with the online handle Cincinnatus decided to throw a party in Hawaii. The idea arose out of an email exchange with Runa Sandvik, a developer and expert on the online software Tor, which allows its users to mask the physical location of their computers on the Internet. After she gave a Tor tutorial on Reddit, Cincinnatus sent Sandvik an encrypted message.

When she was finished, Ed pulled out his laptop, plugged it into the projector, and began his own instructional talk about TrueCrypt. In Ed’s presentation, Sandvik later wrote, he “pointed out that while the only known name associated with TrueCrypt is someone in the Czech Republic, TrueCrypt is one of the best open-source solutions available.” On a website for the party, Cincinnatus posted an “after-action report.” “I’m making a note here,” he summarized, “huge success.”

The date was set for December 11. “I never imagined,” Sandvik later wrote in an account of the events published on Forbes.com, “that the innocuous emails we exchanged might one day be of interest to the U.S. Government.”

In time they revealed that his full name was Edward Snowden, that he had worked in various capacities at the National Security Agency, and that he had downloaded and handed over a trove of documents from the NSA in an effort to blow the whistle on what he believed were egregious privacy encroachments by the U.S. government. Among them was a document revealing that TrueCrypt was one of a small number of encryption programs that had withstood the NSA’s efforts to crack it.

What Snowden and the rest of the world wouldn’t know for another two years was that Paul Le Roux, the man whose code formed the foundation of True Crypt, was at that very moment in the custody of the U.S. government. Le Roux was in a bind, facing the full force of a U.S. federal prosecution for any number of his extraordinary array of crimes. The only way out was to spill his secrets.

mastermind.atavist.com

From circumstantial evidence it appears that PdR could have been a co-founder of TrueCrypt and secretly worked on it together with David Tesařík. A dark story, an outstanding life, time to make a film. These facts could have been the reason that support for TrueCrypt was discontinued.
— гыук (01/04/2016 00:44)
And a brief summary of the previous episodes in Russian?
What is the point, anyway? There was an audit, wasn't there.