VeraCrypt security audit: Four PGP-encoded emails VANISH

Security researchers running a project to audit open source disk encryption tool VeraCrypt have been spooked by the mysterious disappearance or non-arrival of encrypted communications. The OSTIF (the Open Source Technology Improvement Fund) mounted an effort to get VeraCrypt independently audited at the start of August. …

  1. Anonymous Coward
    Anonymous Coward

    Somewhat unnerving.

    I'll stick with TrueCrypt 7.1a until VeraCrypt has been given a credible clean bill of health. Though it's impossible nowadays to be absolutely sure, depending on not only the trustworthiness of the developers but also of the auditors and also assuming that no third parties (NSA etc) have interfered with anyone involved or surreptitiously with either the source code or resulting binary (which assumes the compiler itself hasn't been tampered with). Maybe too many variables to be absolutely sure any software hasn't really been nobbled.

    1. Anonymous Coward
      Thumb Up

      Re: Somewhat unnerving.

      After all the interminable FUDslinging and intrigue and resulting attention, audits and reimplementations TrueCrypt 7.1a received over recent years, it HAS to be about the most scrutinised and trustworthy code there's ever been! I'll be sticking with it until someone discovers a serious flaw (which seems spectacularly unlikely) or it ceases to compile.

      Good luck to the "VeraCrypt" people, whoever they may be... but it's simply not useful to me.

  2. Roq D. Kasba

    One time pad

    And ham/shortwave radio, that's the only way to communicate

    1. JimboSmith Silver badge

      Re: One time pad

      Ooh yes I liked our home grown cheesy* variety https://www.youtube.com/watch?v=QnXPqUU6fI0

      *https://lincolnshirepoachercheese.com/

    2. PeeKay
      Black Helicopters

      Re: One time pad

      "And ham/shortwave radio, that's the only way to communicate"

      Sadly, it's illegal (in the UK) to send encrypted communications over the airwaves, and is likely to have the black choppers humming along shortly...

      1. Gray
        Black Helicopters

        Re: One time pad

        It's against FCC rules here in the US as well; first the radio direction-finder vans zero in on the site; then the black helicopters swarm in. The least likely punishment is revocation of license followed by stiff fines.

        It's a foolish person who causes government agents to think.

        1. Anonymous Coward
          Anonymous Coward

          Re: One time pad

          It's a foolish person who causes government agents to think act.

          FTFY

          Never observed any discernible indication of any capability of thought there.

      2. Adam 1

        Re: One time pad

        > it's illegal (in the UK) to send encrypted communications over the airwaves

        Is it legal to broadcast the results of a long running game of heads or tails? Enquiring minds and all that.

        1. Anonymous Coward
          Anonymous Coward

          Re: One time pad

          In all honesty, what *isn't* illegal in the UK?

      3. Anonymous Coward
        Unhappy

        Re: One time pad

        "Sadly, it's illegal (in the UK) to send encrypted communications over the airwaves, and is likely to have the black choppers humming along shortly... "

        Oh Jesus Christ!

        I may have (inadvertently routinely) sent and received innumerable TrueCrypt archives via VPN over WPS2 TKIP/RADIUS 802.11a,g and n microwave radio transmissions.

        I may also have (inadvertently routinely) materially aided, abetted and encouraged innumerable others to do the same.

        Oopsie.

        Does that count?

        Very Important Disclaimer: I haven't really done any of the above. Of course. Don't really know what any of it means. The characters above are merely pseudorandom impulses which I've arranged into a form which I hope might entirely accidentally entertain my fellow commentards. As is the case for all my splaffs in fact. Both previous and future. No part of them has ever been (or ever will be) true. Even by accident. Except where I've said how absolutely marvellous PMTM is. That's true of course because she so obviously is absolutely marvellous. And this disclaimer - this disclaimer is true too. But nothing else. Ever. Honest. :o"

    3. Sandtitz Silver badge
      Coat

      Re: One time pad

      "And ham/shortwave radio, that's the only way to communicate"

      No. They should congregate and communicate solely within the Cone of Silence!

    4. Mark 85

      Re: One time pad

      Maybe a one-time pad and snail mail. Interception won't matter as it can't be read. Lower tech would be smoke signals.
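The one-time pad the posters above are joking about (Roq D. Kasba's radio pad, Adam 1's "heads or tails" bits, Mark 85's snail-mail pad) is the one cipher with a real information-theoretic guarantee, and the guarantee evaporates the moment a pad byte is used twice. The following Python is an added example, not code from the article or from any commenter; the two plaintexts and the "crib" the attacker guesses are constructed for the demonstration.

```python
import os


def make_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. Each pad must be used exactly once, then destroyed."""
    return os.urandom(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the pad is its own inverse."""
    if len(pad) < len(data):
        # A pad cannot be stretched or cycled; doing so turns it into a weak stream cipher.
        raise ValueError("pad shorter than message")
    return bytes(m ^ k for m, k in zip(data, pad))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypted both messages, c1 XOR c2 == p1 XOR p2: the pad cancels out."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """Classic crib-dragging: a guessed fragment of one plaintext at `offset`
    reveals the other plaintext's bytes at the same position."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return bytes(x ^ c for x, c in zip(segment, crib))


def demo() -> bytes:
    """Correct use, then the reuse mistake. Returns what the attacker recovers of p2."""
    p1 = b"audit report attached, see section 4"   # constructed plaintext
    p2 = b"meet at the usual place on Thursday"    # constructed plaintext
    pad = make_pad(max(len(p1), len(p2)))

    c1 = otp_xor(p1, pad)
    assert otp_xor(c1, pad) == p1                  # round trip with the pad: fine

    c2 = otp_xor(p2, pad)                          # MISTAKE: same pad reused
    leak = two_time_pad_leak(c1, c2)               # pad gone, p1 XOR p2 remains
    # Attacker guesses the boilerplate opening of p1 and reads p2 at that position.
    return crib_drag(leak, p1[:12], 0)


if __name__ == "__main__":
    print(demo())   # the first 12 bytes of p2, recovered without the pad
```

Note what `crib_drag` needs: no key material at all, only a plausible guess at part of one message. That is why a pad is only ever as secure as the discipline around generating, distributing and destroying it, which is the part shortwave and snail mail do nothing to help with.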

  3. Novex

    Gmail...

    ...really? And you wonder why messages are no longer in your Sent folder? I would have hoped any such communications weren't going via such a service. They should really have their own email servers, or be using a recognized secure provider. I wouldn't call Google secure when they like to sniff into any email that goes via their systems.

    1. Ogi

      Re: Gmail...

      Yeah, I had to do a double take when I read the article. The fact they use Google services boggles the mind, and that is ignoring the conspiracy theories saying Google is a NSA front.

      Google openly admits to reading emails. They can't read GPG encrypted emails (AFAIK) unless you somehow upload your private key to them (web based GPG signing/encrypting service?), but they can give copies of your emails to authorities, or indeed have the power to vanish them (although I suspect that would be more likely to be an error/bug, due to the attention it draws).

      Not saying running your own email server is 100% secure, but at least your emails are on your systems, and not under someone else's, where you don't need to get hacked to get interesting goings on.

      It isn't even particularly hard. I set up my own after lavabit went down, and been using it ever since.

      1. Anonymous Coward
        Alert

        Re: Gmail...

        "Not saying running your own email server is 100% secure, but at least your emails are on your systems, and not under someone else's, where you don't need to get hacked to get interesting goings on.

        It isn't even particularly hard. I set up my own after lavabit went down, and been using it ever since."

        SHUT. UP.

        The 'mercuns are putting on an "election" and not understanding email is intensely important to 50% of the demented nutters participating.

    2. Matt Bryant Silver badge
      Thumb Up

      Re: Novex Re: Gmail...

      "..... I would have hoped any such communications weren't going via such a service....." Beat me to it! I was going to point the finger of suspicion at Gmail, but more because I suspect Google's infrastructure is riddled with backdoors and insider hacking. The GCHQ and NSA (and the Chinese, Russians and Norks) are not stupid, they know the point at which a message is most vulnerable is before and after decryption, when it is sitting in plain text on the sender's or receiver's system, and in this case that is in a Gmail folder. Snowjob already said that the spooks hacked into Google originally because Google used to not encrypt traffic inside their network, I'm sure they didn't just pack their bags and give up when Google said they would encrypt internally. Using a folder on a public email service was begging for interference.

      Plus, has no-one noticed how cosy the Obambi administration and Google are!?!?!?!?

  4. Anonymous Coward
    Go

    "using heavily encrypted communications,”

    Well, of course they should assume they are being snooped on. That's the whole reason for using heavily [sic*] encrypted communications.

    Provided they have adequate encryption and key security, it's the internal security of their organisations and systems that they should be worried about. That's where any trouble will be.

    (*Cryptography is like sex - more is not necessarily the same as better)

    1. This post has been deleted by its author

  5. Dan Wilkie

    Maybe I've been crushed by users too long, but until I see something concrete to the contrary I'm going to assume that they forgot to send the email - they're probably in their drafts folders...

    1. bazza Silver badge

      I was wondering about whether these were accidental malware signature matches. Google scan email for malware, (it's even a service you can buy!), and one could imagine them simply deleting false-alarm emails pretty sharpish and keeping schtum about it...

    2. Anonymous Coward
      Paris Hilton

      "they're probably in their drafts folders..."

      Yup.

      Unencrypted.

  6. jaywin

    I've heard this before

    "Shall we get down to this dull / difficult / repetitive work, or shall we nip down the Dog & Flag for a quick half?"... Two hours later... "Er, they've asked for a progress update, hic, what shall we say?", "Nothing, if they ask again we'll just say we sent the email and it must have disappeared on the way. Another pint?"

    File under "the dog ate my homework".

  7. Pascal Monett Silver badge

    "stemming from multiple independent senders"

    Um, sorry, but how can 4 emails stem from more than 4 "independent senders" ?

    It is tiring to see how even the brightest can get pwned by marketspeak. Four emails sent by four different people - is that so hard to say ? Is it really necessary to try to make things sound even more important than they are ?

    You've got a brain, you're speaking to people who should have a brain. KISS, people.

    Of course, if you're trying to do email security research and use Gmail for that, it's an instant FAIL.

    1. cbars Bronze badge

      Re: "stemming from multiple independent senders"

      Maybe it's been re-written. But what I see is

      "We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders"

      That looks fine to me. No-one specified 4, could have been 2 or 3 and that sentence still makes sense.

  8. SImon Hobson Bronze badge

    There's nothing fundamentally wrong with using public email systems - provided that the information you are including is suitably protected. So if the information is properly encrypted and attached as a file, then who cares if Google can read the "Hi Jim, here's the information you asked for" in plain text ?

    1. Mephistro
      Devil

      "...then who cares if Google can read the "Hi Jim, here's the information you asked for" in plain text ?"

      True, but if the email's title is "Vulnerability found in module XXX, please fix asap!" or "NSA backdoor found in function YYY!" then "bad things maywill happen".

      1. tom dial Silver badge

        Those who don't know the email metadata are in the clear are a danger to themselves and others, and should be kept under tight supervision in any security context.
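Simon Hobson, Mephistro and tom dial are describing the PGP/MIME (RFC 3156) envelope: the body is an opaque OpenPGP blob, but From, To, Date and above all Subject travel as ordinary headers that every relay and mailbox provider can read. The Python below is an added example (not the article's or any commenter's code) that assembles such a message and then reports exactly what an intermediary sees. The armored block is a constructed placeholder, not real `gpg` output, because only the MIME structure matters here; the "protected headers" convention at the end, where the real Subject is carried inside the encrypted part and the outer Subject is just `...`, is what some mail clients do and is shown as an assumption about the sender's client, not something the article mentions.

```python
import email

# Constructed stand-in for an ASCII-armored OpenPGP message; NOT real ciphertext.
FAKE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA9y8gfXwU1wuAQf/constructed-placeholder-not-real-ciphertext\n"
    "=x9Zk\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(subject: str, sender: str, recipient: str,
                   armored: str = FAKE_ARMOR) -> bytes:
    """Wrap an armored blob in the RFC 3156 multipart/encrypted structure."""
    b = "pgpmime-boundary"
    return (
        f"From: {sender}\nTo: {recipient}\nSubject: {subject}\nMIME-Version: 1.0\n"
        f'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; '
        f'boundary="{b}"\n\n'
        f"--{b}\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
        f"--{b}\nContent-Type: application/octet-stream\n\n{armored}\n"
        f"--{b}--\n"
    ).encode()


def in_the_clear(raw: bytes) -> dict:
    """What a relay or mailbox provider can read without any key:
    the headers and every non-encrypted MIME part."""
    msg = email.message_from_bytes(raw)
    seen = {
        "headers": {h: msg[h] for h in ("From", "To", "Subject")},
        "plaintext_parts": [],   # (content-type, text) visible to the intermediary
        "opaque_bytes": 0,       # size of the encrypted payload, content unreadable
    }
    for part in msg.walk():
        ct = part.get_content_type()
        if ct.startswith("multipart/"):
            continue
        payload = part.get_payload(decode=True) or b""
        if ct == "application/octet-stream" and b"BEGIN PGP MESSAGE" in payload:
            seen["opaque_bytes"] += len(payload)
        else:
            seen["plaintext_parts"].append((ct, payload.decode(errors="replace").strip()))
    return seen


def protected_headers_outer_subject() -> str:
    """Convention (assumed for the sender's client): real Subject goes inside the
    encrypted part, and the outer, visible Subject is reduced to this placeholder."""
    return "..."


if __name__ == "__main__":
    leaky = build_pgp_mime("Vulnerability found in module XXX, please fix asap!",
                           "auditor@example.org", "maintainer@example.com")
    print(in_the_clear(leaky)["headers"]["Subject"])       # readable by every hop
    careful = build_pgp_mime(protected_headers_outer_subject(),
                             "auditor@example.org", "maintainer@example.com")
    print(in_the_clear(careful)["headers"]["Subject"])     # "..."
```

The only part `in_the_clear` cannot interpret is the octet-stream body; the sender, recipient, timing and, unless the client hides it, the subject are plaintext for the provider, for anyone with a warrant to the provider, and for anyone who has compromised the mailbox. That is the "metadata is in the clear" point made above.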

  9. Anonymous Coward
    Black Helicopters

    Another possibility

    They are making these claims for publicity, and for the unstated assumption some will make "if the powers that be don't want this project to go forward, VeraCrypt must be really secure!"

    Or if you want to go deeper down the conspiracy theory hole, it has been investigated by the powers that be, they've found they can break it, but they are harassing them anyway to make them and their potential users think they're on the right track!

    1. Matt Bryant Silver badge
      Big Brother

      Re: Doug S Re: Another possibility

      ".....Or if you want to go deeper down the conspiracy theory hole, it has been investigated by the powers that be, they've found they can break it, but they are harassing them anyway....." Or, someone at the NSA actually has a sense of humour and is messing with them for the lulz - "Big Brother Is Watching, now crap your pants and run around like headless chickens!"

  10. WibbleMe

    I bet if they look at the server logs it will be something simple like no DKIM or HELO missing from the senders emails that is required by the server email daemon.

    1. DonL

      "I bet if they look at the server logs it will be something simple like no DKIM or HELO missing from the senders emails that is required by the server email daemon."

      Exactly, this is why I don't understand why people use these cloud services for anything serious. When someone reports a missing e-mail to me I start looking into the mail logs immediately and within a few minutes they get an exact explanation and a solution (if applicable). And then it also provides a lot more privacy and security.

      The way they are handling this makes them look unprofessional in my opinion as they haven't got a clue what happened but speculate wildly. This is a security company basically saying that Google can run a better/more secure mail server than them, yet you should hire them to audit your security. Seems contradictory to me.
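WibbleMe and DonL are right that a "vanished" message is, on a server you run, a few minutes of log reading: Postfix writes one line per rejection with the SMTP reply and the envelope addresses, and one line per delivery attempt with a `status=`. The Python below is an added example, not the article's or either commenter's code, of the triage a mail admin does by hand. The log lines are constructed in the standard Postfix syslog format (hostnames, queue IDs and addresses are made up); `trace_sender` follows one envelope sender through rejections (split into permanent 5xx and temporary 4xx, which the sending side will retry) and through queued deliveries.

```python
import re

# Constructed Postfix log excerpt: HELO rejection, DMARC milter rejection,
# greylisting (temporary), and one clean local delivery.
LOG = """\
Oct 16 09:12:44 mx1 postfix/smtpd[2241]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 5.5.2 <audit>: Helo command rejected: need fully-qualified hostname; from=<alice@example.org> to=<team@example.com> proto=ESMTP helo=<audit>
Oct 16 09:13:10 mx1 postfix/smtpd[2241]: 4F1C2A0B1: client=mail.example.net[198.51.100.7]
Oct 16 09:13:11 mx1 postfix/cleanup[2250]: 4F1C2A0B1: milter-reject: END-OF-MESSAGE from mail.example.net[198.51.100.7]: 5.7.1 rejected by DMARC policy for example.net; from=<bob@example.net> to=<team@example.com> proto=ESMTP helo=<mail.example.net>
Oct 16 09:13:40 mx1 postfix/smtpd[2243]: NOQUEUE: reject: RCPT from relay.example.info[192.0.2.44]: 450 4.2.0 <team@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<dave@example.info> to=<team@example.com> proto=ESMTP helo=<relay.example.info>
Oct 16 09:14:02 mx1 postfix/smtpd[2241]: 7A9B3C0D2: client=smtp.example.com[192.0.2.9]
Oct 16 09:14:02 mx1 postfix/qmgr[1900]: 7A9B3C0D2: from=<carol@example.com>, size=4410, nrcpt=1 (queue active)
Oct 16 09:14:03 mx1 postfix/local[2260]: 7A9B3C0D2: to=<team@example.com>, relay=local, delay=0.8, delays=0.5/0.01/0/0.3, dsn=2.0.0, status=sent (delivered to maildir)
Oct 16 09:14:03 mx1 postfix/qmgr[1900]: 7A9B3C0D2: removed
""".splitlines()

# Rejection at SMTP time or by a milter: reply text up to ';', then the envelope.
REJECT = re.compile(
    r"(?:NOQUEUE: reject|milter-reject): .*?: (?P<reason>[^;]+); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
# Message accepted into the queue: ties a queue ID to its envelope sender.
QUEUED = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>")
# Delivery attempt result for a queue ID.
STATUS = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>.*"
    r"status=(?P<status>\w+) \((?P<detail>[^)]*)\)"
)


def trace_sender(lines, sender):
    """Return [(outcome, detail), ...] for every message from `sender`.
    outcome is 'rejected' (5xx, gone), 'deferred' (4xx, sender will retry),
    or the Postfix status word (sent/bounced/deferred) for queued mail."""
    results = []
    qid_to_sender = {}
    for line in lines:
        m = REJECT.search(line)
        if m:
            if m["from"] == sender:
                reason = m["reason"].strip()
                outcome = "deferred" if reason.startswith("4") else "rejected"
                results.append((outcome, reason))
            continue
        m = QUEUED.search(line)
        if m:
            qid_to_sender[m["qid"]] = m["from"]
            continue
        m = STATUS.search(line)
        if m and qid_to_sender.get(m["qid"]) == sender:
            results.append((m["status"], m["detail"]))
    return results


if __name__ == "__main__":
    for who in ("alice@example.org", "bob@example.net", "dave@example.info", "carol@example.com"):
        print(who, trace_sender(LOG, who))
```

Two things the script makes visible that a hosted mailbox never will: a 5xx rejection never becomes a queue ID, so there is nothing in any folder to find, and a 4xx greylisting reply is not a loss at all unless the sender's MTA gives up on retrying. Either way the answer is on the receiving MTA's disk, which is exactly the disk you do not have when the receiving MTA is Gmail's.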

  11. Anonymous Coward
    Anonymous Coward

    Google for Privacy...?!

    HA ha ha ha HA HA ha HA HA.....

    You guys....

  12. Adam 52 Silver badge

    "since PGP is notoriously difficult to use and offers no better security than secure messaging alternatives"

    Such as....?

    1. Anonymous Coward
      Anonymous Coward

      Re: Such as...

      I hear the NSA is a big backer of AES, or anything using Dual_EC_DRBG.

  13. cd

    https://protonmail.com/

  14. Sven Coenye
    Coat

    QuarkLab + PGP

    Maybe the message changed flavor? It started out charmed, but now they should be looking for a strange e-mail?

  15. Anonymous Coward
    Anonymous Coward

    I like VeraCrypt as it allows PIM on top of key files, not to mention Unicode characters in passwords.

    So a file, with a 62 character password, one of which is a Kanji character, with key files and a PIM?

    Have fun cracking that, boffins.

  16. Paul Woodhouse

    I really can't believe they are using GMail... :S

    s'gotta be a wind-up of some sort...
