The memory requirements for the TrueCrypt Boot Loader have been
reduced by 18 KB (eighteen kilobytes). As a result of this improvement, the
following problem will no longer occur on most of the affected computers:
The memory requirements of the TrueCrypt Boot Loader 5.0 prevented users of
some computers from encrypting system partitions/drives (when performing
the system encryption pretest, the TrueCrypt Boot Loader displayed the
following error message: Insufficient memory for encryption).
Bug fixes:
On computers equipped with certain brands of audio cards, when
performing the system encryption pretest or when the system partition/drive
is encrypted, the sound card drivers failed to load. This will no longer
occur. (Windows Vista/XP/2003)
*Access mounted TrueCrypt volumes over a network. (Windows)*
TrueCrypt Rescue Disks created by the previous version could not be
booted on some computers. This will no longer occur. (Windows
Vista/XP/2003)
Many other minor bug fixes. (Windows, Mac OS X, and Linux)
Version 5.0 February 5, 2008
New features:
Ability to encrypt a system partition/drive (i.e. a partition/drive
where Windows is installed) with pre-boot authentication (anyone who wants
to gain access and use the system, read and write files, etc., needs to
enter the correct password each time before the system starts). For more
information, see the chapter System Encryption in the documentation.
(Windows Vista/XP/2003)
Pipelined operations increasing read/write speed by up to 100%
(Windows)
Mac OS X version
Graphical user interface for the Linux version of TrueCrypt
The TrueCrypt Volume Creation Wizard now allows creation of hidden
volumes within NTFS volumes. (Windows)
XTS mode of operation, which was designed by Phillip Rogaway in 2003
and which was recently approved as the IEEE 1619 standard for cryptographic
protection of data on block-oriented storage devices. XTS is faster and
more secure than LRW mode (for more information on XTS mode, see the
section Modes of Operation in the documentation).
Note: New volumes created by this version of TrueCrypt can be
encrypted only in XTS mode. However, volumes created by previous versions
of TrueCrypt can still be mounted using this version of TrueCrypt.
SHA-512 hash algorithm (replacing SHA-1, which is no longer available
when creating new volumes).
Note: To re-encrypt the header of an existing volume with a header
key derived using HMAC-SHA-512 (PRF), select 'Volumes' > 'Set Header Key
Derivation Algorithm'.
Improvements, bug fixes, and security enhancements:
The Linux version of TrueCrypt has been redesigned so that it will no
longer be affected by changes to the Linux kernel (kernel
upgrades/updates).
--
See Brenda's UniWorldWare http://tinyurl.com/nm2yt
In article <61jughF1vn1s8U2@mid.dfncis.de>
"Sebastian G." <seppi@seppig.de> wrote:
>
> Krazee Brenda wrote:
>
> > The only question is <drum roll>
> >
> > Is it whole disc encryption and/or OTFE?
>
>
> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
> least version 4.0.
>
> I would still refrain from using it, because it's sadly full of security
> vulnerabilities. Pretty much like any other FDE software out there. :-(
Absolutely. I would use ROT 13. Simple, well sorted and very unlikely
to have any of the security weaknesses you are concerned about.
In article <61jughF1vn1s8U2@mid.dfncis.de>
"Sebastian G." <seppi@seppig.de> wrote:
>
> Krazee Brenda wrote:
>
> > The only question is <drum roll>
> >
> > Is it whole disc encryption and/or OTFE?
>
>
> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
> least version 4.0.
>
> I would still refrain from using it, because it's sadly full of security
> vulnerabilities. Pretty much like any other FDE software out there. :-(
So do you think your put down statement will encourage the Truecrypt team
to work even harder to ensure you approve of their product? Or do you
think that after the many years of work they might, just might ignore you?
After all, they have produced an open source product that many find useful
and secure for their needs. Then along comes an anonymous poster who for
all we know is still wet behind the years with no qualifications who sets
himself up as qualified to criticise their work.
Yeah, stick with ROT 13, that's about your level of expertise.
> In article <61jughF1vn1s8U2@mid.dfncis.de>
> "Sebastian G." <seppi@seppig.de> wrote:
>>
>> Krazee Brenda wrote:
>>
>> > The only question is <drum roll>
>> >
>> > Is it whole disc encryption and/or OTFE?
>>
>>
>> TrueCrypt can encrypt entire disks/volumes, and this has been there since
>> at least version 4.0.
>>
>> I would still refrain from using it, because it's sadly full of security
>> vulnerabilities. Pretty much like any other FDE software out there. :-(
>
>
> Absolutely. I would use ROT 13. Simple, well sorted and very unlikely
> to have any of the security weaknesses you are concerned about.
heh,
that's so funny I forgot to laugh.
rot13 is already known and once known, trivially easy to break.
someone please try a symmetric encryption here. might actually work better
--
Sometimes, you just gotta come right out and say what's on your mind and be
damned those who would ridicule you for it!
> Absolutely. I would use ROT 13. Simple, well sorted and very unlikely
> to have any of the security weaknesses you are concerned about.
Actually not. I've seen simplest drivers with only 200 LOCs with
vulnerabilities...
The real solution is to download the source code, patch the most obvious
vulnerabilities, compile it yourself and harass the developer to fix them in
the next release.
>> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
>> least version 4.0.
>>
>> I would still refrain from using it, because it's sadly full of security
>> vulnerabilities. Pretty much like any other FDE software out there. :-(
>
> So do you think your put down statement will encourage the Truecrypt team
> to work even harder to ensure you approve of their product?
No, they got a detailed bug report including a test exploit, an analysis of
the affected source code and a proposed fix.
> Or do you
> think that after the many years of work they might, just might ignore you?
Well, that's currently how it looks like. I reported these vulnerabilities
about a week ago, and didn't get any reply so far. Version 5.0a doesn't
contain any fix for these vulnerabilities.
> After all, they have produced an open source product that many find useful
> and secure for their needs. Then along comes an anonymous poster who for
> all we know is still wet behind the years with no qualifications
In my time so far I found and reported multiple real and serious
vulnerabilities in the following software products: Microsoft Windows
(2K,XP,2K3,Vista), Returnvil System Safe, Paragon Partition Manager, Paragon
Mont Everything, AppArmor Online Firewall, PGP Desktop Workstation,
TrueCrypt, FreeOTFE, CrossCrypt, Hitachi Microdrive Filter Driver,
QueueUserAPCEx, BitDefender Antivirus, ImDisk, Olof Lagerkvist's Zero/Random
filter driver, DeviceLock, FTP WebDrive / Novell NetDrive, Sysinternals
TokenMon, NVidia ForceWare, WinPCap, and some other I can't remember now...
> who sets himself up as qualified to criticise their work.
That must be why these vulnerabilities were properly acknowledged and fixed
(except for TrueCrypt, whereas the first vulnerability I reported was fixed
in TrueCrypt 5.0, but most likely just by accident).
> Yeah, stick with ROT 13, that's about your level of expertise.
Sorry, but the vulnerability introduced by a privilege escalation security
hole can't be compensated by the benefit of encryption.
Fritz Wuehler <fritz@spamexpire-200802.rodent.frell.theremailer.net> wrote:
>Or do you
>think that after the many years of work they might, just might ignore you?
While I do not in general consider Sebastian a reliable source, he has
posted what to an untrained observer looks like technical details about
a flaw in Truecrypt, see message-id <615ashF1sfp4gU1@mid.dfncis.de>.
As far as I can tell, this message is unanswered (unlike, I might add,
a very large number of other posts on various aspects of Truecrypt).
Some time ago in sci.crypt, Truecrypt fans claimed quite strongly that
Truecrypt was secure, even when provided with evidence to the contrary. I
believe it would benefit Truecrypt's reputation if some of its fans,
instead of posting endless ranting defences, instead got the developer's
attention and pointed them to the claimed flaw referred to above.
It should either be acknowledged and fixed, or it should be explained
why the claim is false.
Of course, it doesn't _really_ matter who does it, as long as it is done.
--
Kristian Gjøsteen
Has any of you considered DriveCrypt PlusPack (from www.securstar.com)? My opinion is that it is better than TrueCrypt, if only for the bootauth feature and let's not forget...the full disk encryption capability. Another feature that I find of big importance is the possibility to create an ER disk if for any reason you would be in danger of using your data or you couldn't access it anymore. I don't think that you can find that feature in TrueCrypt.
"Bear Bottoms" <bearbottoms1@gmai.com> wrote in
news:op.t6kxuhfgjo4m88@bwwlxc1.br.no.cox.net:
[snip]
> Let me try to understand this. Being such a proclaimed expert in these
> matters, why are you here in a freeware newsgroup? What is your
> purpose?
You do realise that you're arguing that Linus Torvalds can *never* post to
a Linux newsgroup? "A proclaimed expert on linux, so why would he be in a
newsgroup with free software?! What is his purpose?!"
> If not TrueCrypt, what then? What would you recommend as a
> viable free alternative that is much better? ...and why?
Truecrypt is a tool, and like any *tool* it has its pros and cons.
Truecrypt is *not* a "one size fits all" solution, which you're suggesting
by that argument.
ISTM, that certain people on this newsgroup are more interested in
"defending the reputation of TrueCrypt!" than actually listening to, and
constructively addressing, security concerns which get raised - instead
resorting to ad hominem attacks to deflect criticism.
Fritz Wuehler <fritz@spamexpire-200802.rodent.frell.theremailer.net>
wrote in
news:c75f976cc6d90b9d86157a4e084dcce4@msgid.frell.theremailer.net:
[snip]
> After all, they have produced an open source product that many find
> useful and secure for their needs. Then along comes an anonymous
> poster who for all we know is still wet behind the years with no
> qualifications who sets himself up as qualified to criticise their
> work.
Picking up on that comment, OTOH... "Then along comes an anonymous poster
who for all we know has been working in the security field for many years
with considerable qualifications who sets himself up as a qualified
individual who raises criticisms."
Please, try not to resort to childish arguments such as "I don't know who
you are, therefore you don't know anything", and remember that the only
thing you know about the authors is a contact email address, and that they
wrote some security software!
Not a flame, but a valid point; please try not to troll the newsgroups.
> Fritz Wuehler <fritz@spamexpire-200802.rodent.frell.theremailer.net> wrote:
> >Or do you
> >think that after the many years of work they might, just might ignore you?
>
> While I do not in general consider Sebastian a reliable source, he has
> posted what to an untrained observer looks like technical details about
> a flaw in Truecrypt, see message-id <615ashF1sfp4gU1@mid.dfncis.de>.
Gobblesnot's "flaw" amounts to "if the sun explodes and the moon turns
purple, and time begins to travel backward, there's an insignificant
chance that the conditions will be right for something that may or may
not even be possible".
Not every buffer is a potential overflow folks.
The sender address of this message is not related to a real
person but to a fake address of an anonymous system.
For more info https://www.mixmaster.it
> Fritz Wuehler wrote:
>
>
> > Absolutely. I would use ROT 13. Simple, well sorted and very unlikely
> > to have any of the security weaknesses you are concerned about.
>
>
> Actually not. I've seen simplest drivers with only 200 LOCs with
> vulnerabilities...
> amounts to "if the sun explodes and the moon turns
> purple, and time begins to travel backward, there's an insignificant
> chance that the conditions will be right for something that may or may
> not even be possible".
Bullshit. It's trivial to exploit it for crashing the system, that's
actually how I found this vulnerability in first place.
> Not every buffer is a potential overflow folks.
But a write to arbitrary kernel-mode memory surely is.
>In my time so far I found and reported multiplie real and serious
>vulnerabilities in the following software products: Microsoft Windows
>(2K,XP,2K3,Vista), Returnvil System Safe, Paragon Partition Manager, Paragon
>Mont Everything, AppArmor Online Firewall, PGP Desktop Workstation,
>TrueCrypt, FreeOTFE, CrossCrypt, Hitachi Microdrive Filter Driver,
>QueueUserAPCEx, BitDefender Antivirus, ImDisk, Olof Lagerkvist's Zero/Random
>filter driver, DeviceLock, FTP WebDrive / Novell NetDrive, Sysinternals
>TokenMon, NVidia ForceWare, WinPCap, and some other I can't remember now...
>
>...these vulnerabilities were properly acknowledged and fixed
>(except for TrueCrypt, whereas the first vulnerability I reported
>was fixed in TrueCrypt 5.0, but most likely just by accident).
I have a simple text file, less than 64KB, containing all the
unique passwords I use for websites. I want to encrypt it in as
secure a manner as possible on a Windows XP box. I don't need
all these other fancy features, just a simple "type in my
passphrase, see the text file" system. Any recommendations?
It doesn't need to be free.
(What would be really nice is something like notepad that
displays my encrypted password file without saving a
cleartext version to disk. dare I hope that such a beast
exists *and* isn't full of security holes?)
> Krazee Brenda wrote:
>
> > The only question is <drum roll>
> >
> > Is it whole disc encryption and/or OTFE?
>
>
> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
> least version 4.0.
That doesn't make it WD/FD according to any accepted definition of the
term. The happenstance that a partition of volume can consume an entire
device is irrelevant. Products like Truecrypt and Bestcrypt are not
whole disk encryption, and don't pretend to be.
>
> I would still refrain from using it, because it's sadly full of security
> vulnerabilities. Pretty much like any other FDE software out there. :-(
Rubbish. Your "vulnerability" hasn't been addressed because it's not a
vulnerability at all.
On Fri, 15 Feb 2008 12:10:32 -0600, Sebastian G. <seppi@seppig.de> wrote:
> George Orwell wrote:
>
>> amounts to "if the sun explodes and the moon turns
>> purple, and time begins to travel backward, there's an insignificant
>> chance that the conditions will be right for something that may or may
>> not even be possible".
>
>
> Bullshit. It's trivial to exploit it for crashing the system, that's
> actually how I found this vulnerability in first place.
>
>> Not every buffer is a potential overflow folks.
>
>
> But a write to arbitrary kernel-mode memory surely is.
Let me try to understand this. Being such a proclaimed expert in these
matters, why are you here in a freeware newsgroup? What is your purpose?
If not TrueCrypt, what then? What would you recommend as a viable free
alternative that is much better? ...and why?
>> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
>> least version 4.0.
>
> That doesn't make it WD/FD according to any accepted definition of the
> term. The happenstance that a partition of volume can consume an entire
> device is irrelevant. Products like Truecrypt and Bestcrypt are not
> whole disk encryption, and don't pretend to be.
You're telling bullshit. TrueCrypt can encrypt entire volumes including the
partition table and the rest of block #0.
>> I would still refrain from using it, because it's sadly full of security
>> vulnerabilities. Pretty much like any other FDE software out there. :-(
>
> Rubbish. Your "vulnerability" hasn't been addresses because it's not a
> vulnerability at all.
So the BSOD is just a pure imagination, and my test exploit which uses the
memory write to patch KeSingleAccessCheck() ran by pure magic?
> I have a simple text file, less than 64KB, containing all the
> unique passwords I use for websites. I want to encrypt it in as
> secure a manner as possible on a Windows XP box. I don't need
> all these other fancy features, just a simple "type in my
> passphrase, see the text file" system. Any recommendations?
> It doesn't need to be free.
GnuPG...
> (What would be really nice is something like notepad that
> displays my encrypted password file without saving a
> cleartext version to disk. dare I hope that such a beast
> exists *and* isn't full of security holes?)
> Let me try to understand this. Being such a proclaimed expert in these
> matters, why are you here in a freeware newsgroup?
comp.security.misc is no group about freeware.
> What is your purpose?
Discussing about security?
> If not TrueCrypt, what then? What would you recommend as a viable free
> alternative that is much better? ...and why?
Well, I also found vulnerabilities in FreeOTFE, CrossCrypt, DCrypt and PGP
WDE. So currently the best I recommend is to download the source, patch it
and compile it yourself.
> Has any of you considered DriveCrypt PlusPack (from www.securstar.com)?
> My opinion is that it is better than TrueCrypt,
It's closed source, matches the snake-oil FAQ and is horribly broken.
> if only for the bootauth
> feature and let's not forget...the full disk encryption capability.
Which TrueCrypt supports as well. Your point being?
> Another feature that I find of big importance is the possibility to
> create an ER disk if for any reason you would be in danger of using your
> data or you couldn't access it anymore. I don't think that you can find
> that feature in TrueCrypt.
Wow, you're really stupid. In some other group we have been discussing how
to circumvent the fact that TrueCrypt forces you to create and verify a
rescue CD.
"Sebastian G." <seppi@seppig.de> wrote in
news:61la6pF1vlce9U1@mid.dfncis.de:
> In my time so far I found and reported multiplie real and serious
> vulnerabilities in the following software products: Microsoft Windows
> (2K,XP,2K3,Vista), Returnvil System Safe, Paragon Partition Manager,
> Paragon Mont Everything, AppArmor Online Firewall, PGP Desktop
> Workstation, TrueCrypt, FreeOTFE, CrossCrypt, Hitachi Microdrive
> Filter Driver, QueueUserAPCEx, BitDefender Antivirus, ImDisk, Olof
> Lagerkvist's Zero/Random filter driver, DeviceLock, FTP WebDrive /
> Novell NetDrive, Sysinternals TokenMon, NVidia ForceWare, WinPCap, and
> some other I can't remember now...
Yes, but, Sebastian, have you ever considered making allowance for the fact
that you are a flaming loon?
You're not stupid, Sebastian - far from it! - you're just crazy.
On Fri, 15 Feb 2008 13:02:31 -0600, Bear Bottoms wrote:
> On Fri, 15 Feb 2008 12:10:32 -0600, Sebastian G. <seppi@seppig.de> wrote:
>
>> George Orwell wrote:
>>
>>> amounts to "if the sun explodes and the moon turns
>>> purple, and time begins to travel backward, there's an insignificant
>>> chance that the conditions will be right for something that may or may
>>> not even be possible".
>>
>>
>> Bullshit. It's trivial to exploit it for crashing the system, that's
>> actually how I found this vulnerability in first place.
>>
>>> Not every buffer is a potential overflow folks.
>>
>>
>> But a write to arbitrary kernel-mode memory surely is.
>
> Let me try to understand this. Being such a proclaimed expert in these
> matters, why are you here in a freeware newsgroup? What is your purpose?
> If not TrueCrypt, what then? What would you recommend as a viable free
> alternative that is much better? ...and why?
Truecrypt is freeware, you DoltBare and just because these guys talk over
your head doesn't mean they aren't allowed in YOUR Bareland.
--
See Brenda's UniWorldWare http://tinyurl.com/nm2yt
On Fri, 15 Feb 2008 18:29:41 +0000, me@privacy.net wrote:
> I have a simple text file, less than 64KB, containing all the
> unique passwords I use for websites. I want to encrypt it in as
> secure a manner as possible on a Windows XP box. I don't need
> all these other fancy features, just a simple "type in my
> passphrase, see the text file" system. Any recommendations?
> It doesn't need to be free.
Axcrypt, Twofish (with GUI) shit there's another one.
--
See Brenda's UniWorldWare http://tinyurl.com/nm2yt
> Cyberiade.it Anonymous Remailer wrote:
>
>
> >> TrueCrypt can encrypt entire disks/volumes, and this has been there since at
> >> least version 4.0.
> >
> > That doesn't make it WD/FD according to any accepted definition of the
> > term. The happenstance that a partition of volume can consume an entire
> > device is irrelevant. Products like Truecrypt and Bestcrypt are not
> > whole disk encryption, and don't pretend to be.
>
>
> You're telling bullshit.
No, you're full of bullshit. Neither of those products' producers or
distributors even define their OWN products as FDE. The only ones doing
so are a couple of idiots in a Usenet newsgroup. You, and your deflated
partner nemo_outtaluck.
Sorry about your luck and all, but welcome to reality.
> On Fri, 15 Feb 2008 18:29:41 +0000, me@privacy.net wrote:
>
> > I have a simple text file, less than 64KB, containing all the
> > unique passwords I use for websites. I want to encrypt it in as
> > secure a manner as possible on a Windows XP box. I don't need
> > all these other fancy features, just a simple "type in my
> > passphrase, see the text file" system. Any recommendations?
> > It doesn't need to be free.
>
> Axcrypt, Twofish (with GUI) shit there's another one.
I take it you're oblivious to the fact that Bruce Schneier himself
recommends *not* using twofish, right?