My thoughts on Slackware, life and everything

Tag: NSA

Update for VeraCrypt, new flaws in TrueCrypt

veraCrypt Recently TrueCrypt has been in the news again, because of a couple of new critical security issues that were found for its Windows version. You can read more in these articles at Engadget, Threatpost and  Extremetech. Windows computers with TrueCrypt installed can be taken over completely by a non-privileged user, and the computer does not even have to have mounted any TrueCrypt container.

These recently uncovered flaws were not found in last year’s code audit of TrueCrypt sources. Apparently this omission is due to the complexity of Windows drivers and “the kind of vulnerabilities that exist in many software on Windows and they are caused by lack of proper parameter validation in kernel mode code” according to Mounir Idrassi (VeraCrypt developer) in Threatpost.

Despite the fact that these new vulnerabilities are not affecting Linux, it is highly unwise to keep using TrueCrypt on Linux. The code is no longer maintained, it already has security issues and good alternatives exist.

The aforementioned VeraCrypt is a fork of the TrueCrypt code which is actively maintained, and the recent flaws found (to be disclosed next week) in TrueCrypt have already been patched in VeraCrypt 1.15 last weekend.

VeraCrypt is a drop-in replacement for TrueCrypt if you let it handle your encrypted container in “truecrypt mode”:

veracryptI have built new packages for VeraCrypt 1.15, updating it from the previous 1.13 which I had in my repository. You can get the packages (for Slackware versions 13.37 and newer) here: http://www.slackware.com/~alien/slackbuilds/veracrypt/ or at its primary mirror location http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/veracrypt/

Users of slackpkg+ merely have to run “slackpkg update && slackpkg upgrade veracrypt“, assuming that the repository mirror you are using is up to date.

Cheers! Eric

 

Reset The Net – 05 june 2014

ResetTheNet_05jun2014

Did I make you jump by showing the intrusive banner?

Today marks the start of a campaign, called Reset the Net, sponsored by digital rights groups and well-known Internet companies. It is meant to encourage both users of the Internet and companies with an active presence there, to take measures to prevent getting their data snooped by surveillance agencies. The campaign focuses on the promotion of privacy-enhancing tools.

Today’s launch of the campaign is not coïncidentally linked to the first anniversary of the publication of the leaked NSA documents through news articles online and on paper.

Last month saw the HeartBleed bug, today we are confronted with yet another bloody serious leak in OpenSSL., only a few days after the disclosiure of another serious leak in GnuTLS, the OpenSSL alternative. The Internet is never a safe place. Slackware is a fairly sane OS security-wise but the highest risk always comes from the user of that OS.

When you are on-line, act consciously, and think before you do. Guard your privacy and respect that of others. No, Edward Snowden is not a traitor. He sacrificed a lot in order to get the truth out there, and we should have respect for that, too.

Eric

© 2024 Alien Pastures

Theme by Anders NorenUp ↑