
Ask Slashdot: After TrueCrypt

Submitted by TechForensics
TechForensics (944258) writes "(Resubmitted because it was not identified as "Ask Slashdot")

We all know the TrueCrypt story-- a fine, effective encryption program beginning to achieve wide use. When you see how the national security agency modified this tool so they could easily overcome it, you'll probably understand why they don't complain about PGP anymore. The slip that showed what was happening was the information that NSA "were really ticked about TrueCrypt" either because they couldn't circumvent it or found it too difficult. From the standpoint of privacy advocates, NSA's dislike for TrueCrypt was evidence it was effective.

Next, NSA directly wrapped up the makers of TrueCrypt in legal webs that made them insert an NSA backdoor and forbade them from revealing it was there. It's only because of the cleverness of the TrueCrypt makers the world was able to determine for itself that TrueCrypt was now compromised. (Among other things, though formerly staunch privacy advocates, the makers discontinued development of TrueCrypt and recommended something like Microsoft Bitlocker, which no one with any sense believes could be NSA-hostile.) It then became logically defensible, since NSA was not complaining about PGP or other encryption programs, to posit they had already been vitiated.

This is the situation we have: all of the main or important encryption programs are compromised at least in use against the federal government. Whether NSA tools are made available to local law enforcement is not known. This all begs the question:

Does the public now have *any* encryption that works? Even if we can see the source code of the encryption algorithm the source code of the program employing that algorithm must be considered tainted. (TrueCrypt was the only program NSA complained about.) In the case of other software, it becomes believable the NSA has allowed to be published only source code that hides their changes, and the only way around that may be to check and compile the published code yourself. Half the public probably doesn't bother. (Would it not be possible for the NSA to create a second TrueCrypt that has the same hash value as the original?)

Okay, Slashdot, what do you think? Where do we stand? And what ought we to do about it?"
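The submission's last two questions (can a published hash be trusted, and is compiling the code yourself the only way around a tampered binary) have a concrete answer in practice: a digest published on the same page as the download proves nothing about that page, so the check has to use digests obtained through independent channels, ignore collision-prone algorithms such as MD5, and, where the build is reproducible, compare the locally compiled binary byte-for-byte with the distributed one. The script below is an added example written for this page, not TrueCrypt's own code or tooling; the artifact bytes and the reference digests are constructed stand-ins, and the source names ("signed manifest", "mirror checksum file") are hypothetical.

```python
"""Out-of-band release verification: added example, not TrueCrypt's code."""
import hashlib
import hmac

# Algorithms with practical collision attacks. A digest under one of these is
# never counted as evidence that a download is the intended file.
WEAK_ALGOS = {"md5", "sha1"}


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data` under `algo` (any name hashlib knows)."""
    return hashlib.new(algo, data).hexdigest()


def verify_release(artifact: bytes, references, min_sources: int = 2):
    """Check `artifact` against digests collected out of band.

    `references` is a list of (source, algo, hexdigest) triples gathered from
    channels independent of the download itself (a signed release manifest,
    a mirror's checksum file, a digest posted by a known reviewer ...).
      * weak algorithms are ignored and do not count as a source;
      * every remaining digest must match, compared in constant time;
      * at least `min_sources` distinct sources must agree.
    Returns (ok, reasons) so the caller can log why a check failed.
    """
    reasons = []
    sources_ok = set()
    mismatch = False
    for source, algo, expected in references:
        algo = algo.lower()
        if algo in WEAK_ALGOS:
            reasons.append(f"{source}: ignored weak {algo} digest")
            continue
        actual = digest_hex(artifact, algo)
        if not hmac.compare_digest(actual, expected.lower()):
            reasons.append(f"{source}: {algo} mismatch")
            mismatch = True
            continue
        sources_ok.add(source)
    if len(sources_ok) < min_sources:
        reasons.append(f"only {len(sources_ok)} independent source(s) agree, "
                       f"need {min_sources}")
    return (not mismatch and len(sources_ok) >= min_sources), reasons


def build_matches_release(built: bytes, release: bytes) -> bool:
    """Reproducible-build check: the binary compiled locally from the
    published source must be byte-for-byte identical to the distributed one."""
    return hmac.compare_digest(digest_hex(built), digest_hex(release))


if __name__ == "__main__":
    # Constructed stand-ins for a downloaded installer and its reference digests.
    download = b"TrueCrypt-setup (constructed placeholder bytes, not a real file)"
    good = digest_hex(download)
    refs = [
        ("signed manifest", "sha256", good),          # hypothetical source
        ("mirror checksum file", "SHA256", good.upper()),
        ("vendor download page", "md5", digest_hex(download, "md5")),  # ignored
    ]
    print(verify_release(download, refs))
    print(build_matches_release(download, download))
```

The check deliberately fails when only one independent source agrees: a digest and a binary served by the same compromised host will always agree with each other, which is exactly the scenario the submission worries about.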


Comment: Re:well (Score 1) 126

by Tom (#47537637) Attached to: The Psychology of Phishing

I gave an example of ensuring it's not.

And I already stated in my first reply that IMHO your success has little to do with the training and a lot to do with the continuous follow-ups you do. Also with an environment that is not business-focussed.

There are numerous ways to get people involved and interested in training. Show them a hack in progress, play recorded calls of phishing attacks, let them put their hands on a hacking device or operate a key logger on a demo PC.

That means spending a considerable amount of time and effort on everyone. Scale that up to a 3,000 people company. Now get approval for the budget for this. Not many companies are going to spend this amount of money.

Writing policy is not the same as educating people.

That is true. But you missed the point I was making. Of course you need in-depth technical documents when you actually secure a somewhat complicated system. But the policy - the document that you expect every employee in the company to read and know - should not contain those details.

Same with almost every security awareness training I've personally seen. Half of its contents can be thrown out with no loss of vital information, and if the people who run the trainings don't do it (because if they did, they'd only get half as much money for it), then the recipients will do it via filtering. The end result is the same.

Because everyone is exposed to and knows as much about security as you do right?

No, because the wrong problems are addressed. I gave a keynote not long ago about these things as my contribution to improving the status quo. One of the points I keep repeating is that most password policies actually make passwords less secure, not more (for example, they follow predictable patterns because most people will build the simplest password the policy allows).

What I mean is that we replace actual security with trainings and think it's a solution. Basically, instead of putting belts and airbags into cars, we tell people to not crash into each other - as if they did it intentionally, as if crashes only happened because nobody told people to not crash their cars. Yes, there's a good reason to tell people to drive carefully, but just like those roadside signs, it doesn't give any measurable gain to hammer the message in. Simple messages and time-spaced reminders work better than extensive training. In fact, if you train people too much, you can get the opposite effect, as they become annoyed by being told the same thing they already know for the 100th time.

Your problem with security awareness training is related to your own psychological problems. We all have them, I don't intend that as an insult. I work on mine every day.

Sure, I have my own view and experiences, and my attitude is the result of what I've seen and what I think about it. It is also the result of knowing a lot of people in the IT consulting business privately, where they tell you what they really think.
I don't consider it a psychological problem; it's a simple fact of life. If your life experience is different, you'll have different expectations. By exchanging them here, we can both widen our horizons, which at least for me is the main reason I'm posting.
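The claim above that composition policies make passwords more predictable can be checked rather than argued. Policy-compliant passwords collapse onto a handful of character-class patterns (a capitalised word, a few digits, one trailing symbol), and a mask attack that targets those patterns covers a keyspace many orders of magnitude smaller than the nominal one. The script below is an added example written for this page, not code from the comment's author; the sample passwords are constructed, the "predictable" pattern is one common shape chosen for illustration, and the symbol class is taken as the 32 characters of Python's string.punctuation (94 printable non-space ASCII characters in total).

```python
"""Added example: how a composition policy shrinks the real keyspace."""
import re
import string

SYMBOLS = set(string.punctuation)           # 32 symbols (assumption for class size)
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": len(SYMBOLS)}
PRINTABLE = sum(CLASS_SIZE.values())        # 94 printable non-space ASCII characters

# One common shape of a policy-compliant password: capital letter, lowercase
# word, optional digits, optional single symbol, optional digits. Chosen for
# illustration; real mask attacks run a list of such shapes.
PREDICTABLE = re.compile(r"\?u(\?l)+(\?d)*(\?s)?(\?d)*")


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """A typical composition policy: length plus one of each character class."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def mask(pw: str) -> str:
    """hashcat-style mask of a password: ?u upper, ?l lower, ?d digit, ?s other."""
    out = []
    for c in pw:
        if c.isupper():
            out.append("?u")
        elif c.islower():
            out.append("?l")
        elif c.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def is_predictable(pw: str) -> bool:
    """True if the password's mask has the shape a mask attack would try first."""
    return PREDICTABLE.fullmatch(mask(pw)) is not None


def mask_keyspace(m: str) -> int:
    """Number of candidates a brute force restricted to mask `m` must try."""
    n = 1
    for tok in re.findall(r"\?[ulds]", m):
        n *= CLASS_SIZE[tok]
    return n


def full_keyspace(length: int) -> int:
    """Nominal keyspace a policy appears to enforce: every printable character."""
    return PRINTABLE ** length


def audit(passwords):
    """Map each password to (passes the policy, follows the predictable shape)."""
    return {pw: (meets_policy(pw), is_predictable(pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    samples = ["Password1!", "Summer2024!", "Welcome1",
               "Tr0ub4dor&3", "correct horse battery staple"]
    for pw, (ok, pred) in audit(samples).items():
        m = mask(pw)
        print(f"{pw:30} policy={ok!s:5} predictable={pred!s:5} "
              f"mask={m} keyspace={mask_keyspace(m):.2e} "
              f"of nominal {full_keyspace(len(pw)):.2e}")
```

Running it shows the effect the comment describes: "Password1!" and "Summer2024!" satisfy the policy and sit in a mask keyspace roughly five to six orders of magnitude below the 94^n the policy seems to promise, while the long all-lowercase passphrase fails the policy despite a far larger real search space.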

Comment: Re:Foreshadowing? (Score 3, Interesting) 112

Seriously. Bradley/Chelsea Manning was tortured to the point of having severe psychological problems (I am not saying being transgendered is a psychological problem, but I strongly question any psychiatrist who would not wait several years until after Manning had access to therapy to get over the trauma of isolation and torture to determine that Manning is indeed transgendered and not just showing signs of having been tortured). America is 100% on the hook for that. One of our own.

Sorry, but your view is total nonsense that isn't connected to the facts. Bradley Manning apparently had mental health and temperament issues long before he was arrested, and I doubt they are resolved. They seem to have played a role in the actions that put him in prison.

WikiLeaks: Bradley Manning 'had history of suicidal thoughts'

...Manning had contemplated suicide six to eight months earlier after his arrest in Iraq. The evidence included a noose Manning had fashioned from a bedsheet while confined in Kuwait, and a written statement he made upon arrival at Quantico in July 2010 that he was "always planning and never acting" on suicidal impulses. .... Blenis, who spent more time with Manning, said Manning chose not to speak most of the time except for short, yes-or-no answers. He said Manning spurned his offers to play chess or work brain teasers by arrogantly responding, "They're a little below my level."

WikiLeaks: Private Bradley Manning sent superiors picture of himself dressed as a woman

Bradley Manning told his military superiors that he was emotionally unstable and sent them a picture of himself dressed as a woman but his warnings were never passed up a chaotic chain-of-command, a court heard on Friday. ...

Pte Manning's civilian defence lawyer, David Coombs, told the court martial hearing that his client had sent a distressed email to his immediate supervisor, Master Sergeant Paul Watkins. "He told [Watkins] he was suffering a gender identity disorder and in that email even had a picture of himself dressed as a woman."

In the email Pte Manning warned that his ability to work as an analyst of attacks by Shia militants in Iraq was being impaired by his emotional problems. .....

On December 12, the defendant apparently became enraged during a meeting and knocked over a chair while screaming at more senior soldiers.

Then on December 20, he allegedly flipped over a table during a counselling session, destroying the computer monitor that was sitting on top of it. Comrades had to restrain him because they believed he was "going for a weapon rack", Mr Coombs told the court.

Bradley Manning, suspected source of Wikileaks documents, raged on his Facebook page

Mr Manning, who is openly homosexual, began his gloomy postings on January 12, saying: "Bradley Manning didn't want this fight. Too much to lose, too fast."

At the beginning of May, when he was serving at a US military base near Baghdad, he changed his status to: "Bradley Manning is now left with the sinking feeling that he doesn't have anything left."

Five days later he said he was "livid" after being "lectured by ex-boyfriend", then later the same day said he was "not a piece of equipment" and was "beyond frustrated with people and society at large".

His tagline on his personal page reads: "Take me for who I am, or face the consequences!"

Comment: Re:Saudi ? (Score 1) 112

The government of Saudi Arabia didn't have anything to do with the attacks. Or are you trying to claim that they did because some members of the international terrorist group al Qaida that happened to be Saudi citizens took part in the attack? You do realize that al Qaida threatens the Saudi government as well, don't you?

What is that post we keep seeing on Slashdot? Correlation is not causation?

It is hard to understand or solve problems when you keep focusing on irrelevant details.

Comment: Re:GPLv4 - the good public license? (Score 1) 136

by cold fjord (#47536373) Attached to: The Army Is 3D Printing Warheads

The weapons manufacturers could use whatever the government gave them just like construction companies can build a road on taken land.

Why would you be surprised? If the government can take land to build roads, why would software be any different? (Especially when what you are talking about is a licensing term?)

I think you just have some mistaken ideas about power of licenses and government, especially if there is an emergency declared.

I wouldn't worry too much about this though. Linux isn't that special that something else couldn't be used, and I doubt such a license would be embraced by the general software community.
