Steve Gibson on Truecrypt

Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.

The important thing to remember right now is that we still don’t know what’s going on.

Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.

That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.

So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.

Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. That project is called Veracrypt. But going open source doesn’t guarantee people will work on it.

Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.

Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.

Chrome and EMET

A week or two ago, Chrome quit working–I would launch it, and EMET would give me a message that it detected Caller Mitigation. It turns out that particular setting isn’t compatible with Chrome 35 and up.

The fix is easy. Launch EMET, click “Apps,” scroll down to Chrome, and uncheck the 10th item from the left.

Google doesn’t recommend EMET because Chrome already does most of the things that EMET forces, and the EMET mitigations that Chrome lacks can be bypassed. To me, that doesn’t make them worthless. They filter out the unsophisticated attackers. And if you force the advanced adversary to make the attack more complex, there’s a greater chance of that adversary being caught. Security isn’t about preventing everything–you can’t–but you can raise the stakes.

That’s why I disabled Caller Mitigation and keep EMET enabled on Chrome.exe.

I also saw this week that Google is working on a 64-bit version of Chrome for Windows. Finally! Once it comes out of beta, that’s something I’ll be installing. That may be what makes me change allegiances from Firefox.

Tips on buying used stuff

I just found a Lifehacker piece on buying used stuff without getting ripped off. I have plenty of experience in this area.

The key, I think, is to deal in person, and test as much functionality as you can before handing over the cash.

Things I said at the Royals-Cardinals game last night

So last night I went to the Royals-Cardinals game in St. Louis with one of my best friends. Being a Cardinals fan, he doesn’t follow the Royals much, so I filled him in a bit.

I told him I like when the Royals play National League teams and don’t have the DH rule, because their pitchers are some of their best hitters. To prove my point, James Shields, the Royals’ starting pitcher, went two for two with a single, a double, a run scored and a run batted in.

SSDs for the masses, 2014 edition

If you’re looking for alternatives to nasty platters of spinning rust for storing your data, I have good news for you: SSDs are getting cheaper, and fast. They aren’t as cheap as rust, but there’s probably a good reason for that if you think about it for a minute.

PNY has been tempting me all year with the PNY XLR8, a 240 GB drive that typically sells for $80-$90 after a rebate. It uses an inexpensive controller to deliver middling performance, but compared to the speed that spinning rust can deliver, it’s still going to be pretty good. Then Micron came along with its Crucial MX100, which delivers 240 GB for $110, or 480 GB for $225, along with enthusiast-grade performance.

Truecrypt and collateral damage

Last week, the free full-disk encryption program Truecrypt was abruptly discontinued, for reasons that made no sense, with equally nonsensical recommendations about substitute products to use.

There’s speculation that the creators of Truecrypt received a National Security Letter, but can’t say anything about it. Right now we have to take it as a rumor–it’s bad if governments are cracking down on encryption, but we’ll save that discussion for another day, when we know whether they actually are. Let’s talk instead about why you need encryption if you own a computer, just like you need locks on your front door.

Windows XP rises from the dead… accidentally

I’ve been hearing predictions for a year that after Windows XP went out of support, it would only be a matter of time before people started backporting patches to it.

As it turns out, they don’t have to. Windows XP has a close relative, Windows Embedded, that doesn’t go out of support until 2019. The people who are fretting over XP-based ATMs and cash registers don’t realize many of those devices–those built in 2009 or later–are running Windows Embedded. It looks just like XP, works just like XP, and installs a lot like XP, but it’s still supported. The bigger question is whether the people running it are patching it, but that problem has existed ever since Microsoft released Windows Update.

Well, with a simple registry hack, it’s possible to make Windows XP look like Windows Embedded and keep getting updates. Microsoft quickly issued a statement, and some people are predicting Microsoft will quickly close that loophole.

I’m not so sure about that.

St*ff my three year old says

On Monday morning, before I’d finished my first cup of coffee, my three year old ran in with an armful of stuffed animals and informed me the family dog had given birth to three puppies, a bunny rabbit, and a monkey.

He doesn’t seem to grasp biology just yet, because later he said, “When I was a bird, I was so cute!”

Why don’t they just hire some hackers to stop the other hackers?

After Ebay got hacked, someone asked Rob O’Hara why they don’t just hire hackers to stop the hackers.

That’s a more complicated question than it sounds like. The simple answer is that most companies do, but their hackers don’t find everything. The more complicated question is one of ethics.

Firefox memory high? It might be Adblock Plus

Last week, a great deal of discussion about ad blocking and its effect on memory usage took place. This makes a lot of sense, and explains why my memory usage has always been really high.

I’m not sure there’s a lot you can do about it. One of these days I’m going to get around to standing up a pfsense box, which, among other things, can serve as a web cache and block ads for an entire network. My family has enough machines to justify that, and, given that security is what I do for a living, it’s something I need to be experimenting with anyway.