Fritz Wuehler wrote:
>> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
>> least version 4.0.
>>
>> I would still refrain from using it, because it's sadly full of security
>> vulnerabilities. Pretty much like any other FDE software out there. :-(
>
> So do you think your put down statement will encourage the Truecrypt team
> to work even harder to ensure you approve of their product?

No, they got a detailed bug report including a test exploit, an analysis of
the affected source code and a proposed fix.

> Or do you
> think that after the many years of work they might, just might ignore you?

Well, that's currently what it looks like. I reported these vulnerabilities
about a week ago, and didn't get any reply so far. Version 5.0a doesn't
contain any fix for these vulnerabilities.

> After all, they have produced an open source product that many find useful
> and secure for their needs. Then along comes an anonymous poster who for
> all we know is still wet behind the ears with no qualifications

In my time so far I found and reported multiple real and serious
vulnerabilities in the following software products: Microsoft Windows
(2K,XP,2K3,Vista), Returnil System Safe, Paragon Partition Manager, Paragon
Mount Everything, AppArmor Online Firewall, PGP Desktop Workstation,
TrueCrypt, FreeOTFE, CrossCrypt, Hitachi Microdrive Filter Driver,
QueueUserAPCEx, BitDefender Antivirus, ImDisk, Olof Lagerkvist's Zero/Random
filter driver, DeviceLock, FTP WebDrive / Novell NetDrive, Sysinternals
TokenMon, NVidia ForceWare, WinPCap, and some others I can't remember now...

> who sets himself up as qualified to criticise their work.

That must be why these vulnerabilities were properly acknowledged and fixed
(except for TrueCrypt, whereas the first vulnerability I reported was fixed
in TrueCrypt 5.0, but most likely just by accident).

> Yeah, stick with ROT 13, that's about your level of expertise.

Sorry, but the vulnerability introduced by a privilege escalation security
hole can't be compensated by the benefit of encryption.