67 posts in this topic

Posted

But will we ever know about the vulnerabilities that are never disclosed by the manufacturer?

yes,third parties reveal vulnerabilities not disclosed by the manufacturer all the time.

 

"Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system." - http://en.wikipedia.org/wiki/Vulnerability_(computing)#Identifying_and_removing_vulnerabilities

im not talking about system scanners. im talking about reverse engineering tools that aid in understanding decompiled code,and help the reverser better understand where they are in the code they are reading.

Share this post


Link to post
Share on other sites

Posted

im not talking about system scanners. im talking about reverse engineering tools that aid in understanding decompiled code,and help the reverser better understand where they are in the code they are reading.

Is the disassembler going to produce the same exact source code as what the manufacturer has? No, it's going to be partially dirty.

And let's say what you're saying is true, that disassembled code is equivalent to the original source code, and since you're saying disassembled code helps people identify vulnerabilities, then the original source code will help people identify vulnerabilities too, which means that open source will be able to be reviewed the same way proprietary software is reviewed. Personally, I would rather have the source code on hand instead of getting a disassembled copy, it's always going to be easier to read that way.

yes,third parties reveal vulnerabilities not disclosed by the manufacturer all the time.

 

Then why do governments request for Microsoft to give them partial source code access?

Share this post


Link to post
Share on other sites

Posted

Is the disassembler going to produce the same exact source code as what the manufacturer has? No, it's going to be partially dirty.

And let's say what you're saying is true, that disassembled code is equivalent to the original source code, and since you're saying disassembled code helps people identify vulnerabilities, then the original source code will help people identify vulnerabilities too, which means that open source will be able to be reviewed the same way proprietary software is reviewed. Personally, I would rather have the source code on hand instead of getting a disassembled copy, it's always going to be easier to read that way.

Then why do governments request for Microsoft to give them partial source code access?

just to give you an idea of what i mean by tools aiding in code readability,instead of thinking its just a giant web of unintellibible web of asm intructions.

heres a windows procedure of a win32 window in visual studio

http://i.imgur.com/V6SQsOe.png

now this is partially the compiled asm code,it goes much more than this

http://i.imgur.com/wfBP4mS.png

this is the way i see it using graph view in IDA.its much more structured,so much easier to read

http://i.imgur.com/oFums0J.png

and finally this the hexrays decompiler doing its magic,translating the asm code above back to c

http://i.imgur.com/kUPMV1R.png

Share this post


Link to post
Share on other sites

Posted

just to give you an idea of what i mean by tools aiding in code readability,instead of thinking its just a giant web of unintellibible web of asm intructions.

heres a windows procedure of a win32 window in visual studio

http://i.imgur.com/V6SQsOe.png

now this is partially the compiled asm code,it goes much more than this

http://i.imgur.com/wfBP4mS.png

this is the way i see it using graph view in IDA.its much more structured,so much easier to read

http://i.imgur.com/oFums0J.png

and finally this the hexrays decompiler doing its magic,translating the asm code above back to c

http://i.imgur.com/kUPMV1R.png

What are you even arguing about? You're saying that in order to review closed source software, people need to see the source code, right? So why does it matter if it's made available by the developer or obtained through the steps you detailed above?

Share this post


Link to post
Share on other sites

Posted

The software is not safe because it's open-source; it's safe because there can be independent and public scrutiny that it is indeed safe, that there are no backdoors, etc. The mere fact that it's open-source is no guarantee of safety, but it's a prerequisite for independent and public verification.

And yet, I'd still trust MS more. Look at it this way MS has a reputation to lose, OSS is just a bunch of guys coding a din this case we don't even know who they are. MS can't put in a backdoor since if it was found it'd ruin them governments and enterprises the world over would switch to other solutions faster than you could blink.

On top of that, it's the code review issue. You claim OSS is more secure because more people "can" review the code. That's the theory, the practice no. No one reviews code because they want to, it took how many years before this official review was started? And on top of that this is very complex stuff that very few coders would really understand, and you'd need to be both a crypto expert and a coder to understand it fully, not a lot of those around. For MS their code is reviewed a hell of a lot more. They pay people just to review the code over and over, especially on such thing, again because it's a must for them, after all they need a clean name.

Share this post


Link to post
Share on other sites

Posted

What are you even arguing about? You're saying that in order to review closed source software, people need to see the source code, right? So why does it matter if it's made available by the developer or obtained through the steps you detailed above?

The point is that being OSS doesn't make it inherently more secure.

Share this post


Link to post
Share on other sites

Posted

When I read the initial posts from OP - I thought - "someone is going to tell him to stop believing what he sees in movies - nobody cares about your little collection"  but 3 pages later there is still discussion.

Surely that's because regardless of the initial reason for asking, it's a subject worth discussing? Many of us have used TrueCrypt for our "worthless" information, and I would be interested to know of worthy alternatives.

I'm glad to hear that there are people out there that want to bring the project back, but it's always good to know that there are alternatives. For those that are saying to just use BitLocker, what should people on Mac use? I see that someone mentioned that Linux already has their own type of encryption, does Apple provide something similar?

Share this post


Link to post
Share on other sites

Posted

Didn't they say in the other thread that Mac has it's own BitLocker like thing, though it can't boot from a locked volume. So... They use that...

Share this post


Link to post
Share on other sites

Posted

And yet, I'd still trust MS more. Look at it this way MS has a reputation to lose, OSS is just a bunch of guys coding a din this case we don't even know who they are. MS can't put in a backdoor since if it was found it'd ruin them governments and enterprises the world over would switch to other solutions faster than you could blink.

On top of that, it's the code review issue. You claim OSS is more secure because more people "can" review the code. That's the theory, the practice no. No one reviews code because they want to, it took how many years before this official review was started? And on top of that this is very complex stuff that very few coders would really understand, and you'd need to be both a crypto expert and a coder to understand it fully, not a lot of those around. For MS their code is reviewed a hell of a lot more. They pay people just to review the code over and over, especially on such thing, again because it's a must for them, after all they need a clean name.

We know who these guys are as much as we know about who codes in Microsoft. We know they are the TrueCrypt Foundation, compared to Microsoft Corporation. We don't know a lot about either's coders, but this is not related to being open source. The TrueCrypt Foundation also has a reputation. If a backdoor was found, people would switch in the same way with Microsoft software.

A popular open source software operating system, Linux, has had backdoors attempted to be put into it, but as every single commit is analyzed, this happened with one backdoor. Again, the community does help. People who are afraid of backdoors will check for backdoors, and there have been studies that show Linux is more reliable and has fewer bugs. The fact that Microsoft is a company, and does not have certain ethics that open source software must follow makes room for 'legal compliance' with the NSA.

Sure, people would be outraged if a Windows backdoor was found but here's a better way to put it:

We have two pieces of software, SecWin and OpenWin, they are operating systems (let's say they're identical code wise, to make this easier). They both get a backdoor in their Internet intrusion prevention system that allows a party with the correct key to get root access in an update to the OS. The backdoor is incredibly complex and is coded across the whole system, in order to remain obscure. SecWin is closed source and OpenWin is released as open source, both with this backdoor. Since these operating systems are advertised as profoundly better than current OS implementations, they gain market share quickly. The intuitive design and total security (with the exception of this unknown backdoor) makes them very popular. People are concerned about the newness of the developers of OpenWin, and since they switched to OpenWin to remain secure, they start to wonder if OpenWin is really secure. They start to review the commits to the OS, and notice that the Internet intrusion prevention system got some updates to how it verifies keys, and they notice that there is a key check, which was stated to check for bad or invalid keys, which actually gives a person attempting to access the system root access if they have a key set in the source. Due to the other features of the OS that are actually very good, they create a fork without the backdoor. SecWin goes under an independent audit as well, due to the developers being relatively new and not very trusted. Through some experimentation and variable analysis, they find a key variable. They're not sure what it does, since the code they decompiled does not specifically mention it, so they prompt for a collaborative audit effort with the developers of SecWin. SecWin verifies that the key is used in the operating system, but it is only there for compliance reasons and is not a backdoor.

 

~~~

Also, I found another TrueCrypt fork (for Linux and Dragonfly BSD):

https://github.com/bwalex/tc-play

Share this post


Link to post
Share on other sites

Posted

The difference is that no one cares if people stop using truecrypt. If all the governments and enterprises stop using MS it affects millions of people and the company goes under along with everyone who works there and the shareholders.

If truecrypt stops being used... Well a few unknown people get todo something else in their spare time.

And you can actually find out who works on the code at MS, the names of the people wasn't the point anyway., which you know very well.

Share this post


Link to post
Share on other sites

Posted

Also your your hypotetichal situation has some huge flaws, namely the conclusion and that somehow the reviewers can't see what the "variable" does. Heck a key alone can't do anything so your whole theory is a dead end.

Share this post


Link to post
Share on other sites

Posted

The difference is that no one cares if people stop using truecrypt. If all the governments and enterprises stop using MS it affects millions of people and the company goes under along with everyone who works there and the shareholders.

If truecrypt stops being used... Well a few unknown people get todo something else in their spare time.

And you can actually find out who works on the code at MS, the names of the people wasn't the point anyway., which you know very well.

It doesn't matter if anyone cares if people stop using TrueCrypt. People will still stop using it.

Is there a log of changes to the code, with reasons for commits, and user labels? Can we know if any one coder/contributor in MS is credible (from a security stand point, not a quality stand point)?

Share this post


Link to post
Share on other sites

Posted

Also your your hypotetichal situation has some huge flaws, namely the conclusion and that somehow the reviewers can't see what the "variable" does. Heck a key alone can't do anything so your whole theory is a dead end.

It doesn't matter if the backdoor details are feasible, what matters is that there is a backdoor that the reviewers find.

The 'variable' that you're talking about: if the reviewers find a reference to this key in the registry of the operating system, they won't have the original source code, only symbols for the key, so they wouldn't be able to clearly identify what the key was used for without asking for the original source code or asking the developer what the key does, and you said it yourself, Microsoft would not want to jeopardize the perception of its OS, which would make it lose tons of money, so they will do anything to make Windows seem secure, whether its by hiding things or by making it actually secure.

 

You're saying that Windows is more secure because it gets people to audit it while open source software can be less secure since people audit it themselves. Professional audits can still be done on open source software, by the same (or more extensive) process Windows would, and these audits are being done on heavily used open source software.

 

Would you rather have a government that discloses what laws it passes or a government that is closed, where no one outside of the government knows what is being done?

Yes, you can infer what laws are being passed from what happens in the country, but nothing beats having full transparent access available to the public.

 

And why are ingredients listed on food? So people can view them, and see if they are safe for them. Would you trust a blob of food with no ingredients listed? Would you eat it?

Share this post


Link to post
Share on other sites

Posted

It doesn't matter if anyone cares if people stop using TrueCrypt. People will still stop using it.

Is there a log of changes to the code, with reasons for commits, and user labels? Can we know if any one coder/contributor in MS is credible (from a security stand point, not a quality stand point)?

'

Exactly it doesn't matter if people stop using truecrypt. it matters a LOT of people stop using MS products. 

 

The 'variable' that you're talking about: if the reviewers find a reference to this key in the registry of the operating system, they won't have the original source code, only symbols for the key, so they wouldn't be able to clearly identify what the key was used for without asking for the original source code or asking the developer what the key does

 

Of course they wouldn't it's in the sourcecode, if it's not in the sourcecode... if it's not there and doesn't do anything. 

Share this post


Link to post
Share on other sites

Posted

Exactly it doesn't matter if people stop using truecrypt. it matters a LOT of people stop using MS products. 

 

Who cares what happens to the developers? People can and will stop using the software if a backdoor is found, just like they would stop using MS products.

Of course they wouldn't it's in the sourcecode, if it's not in the sourcecode... if it's not there and doesn't do anything. 

I never said it wasn't in the source code, I'm not sure what you're saying, but I'll take a guess: the key stored in the registry will not have the same name or label as a decompiled source code.

Share this post


Link to post
Share on other sites

Posted

Dear frieds,

I tryed to use Truecrypt, but it doesn't allow me to create a volume.

I found a good alternative for Windows: Rohos Mini drive application. It is freeware, can encrypt up to 8 GB of personal information. Works with USB drives, but, sure, you will find a way to create an encrypted volume on your hard drive as well.

Find it on http://rohos.com

Share this post


Link to post
Share on other sites

Posted

*jumping into the conversation - interested in the topic.*

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.