Starting from version 1.26.7, VeraCrypt discontinued support for the TrueCrypt format to prioritize the highest security standards. However, recognizing the transitionary needs of our users, we have preserved version 1.25.9, the last to support the TrueCrypt format.
On this page, users can find download links for version 1.25.9, specifically provided for converting TrueCrypt volumes to the more secure VeraCrypt format. We strongly recommend transitioning to VeraCrypt volumes and using our latest releases for ongoing encryption needs, as they encompass the latest security enhancements.
GaidinBDJ Ars Scholae Palatinae
11y
1,266
Subscriptor
actor0 said:
Why do people think E2R encryption means the data can't be decrypted?
Probably a gross misunderstanding of encryption in general.ANYONE with access to the keys can unlock it.
The ones with access to the keys own the platform.
The one who own the platform are legally required to submit your info to Subpoena, Homeland Security warrants, and Patriot Act related actions.
This is totally incorrect.
With end-to-end encryption, the platform doesn't have the keys. The clients exchange keys through the platform, but it's done in a way that the platform doesn't know what they are. A subpoena doesn't let them provide information they don't have. The platform may have metadata about your message, but not the contents.
On the Wikipedia page for Diffie-Hellman key exchange there's a good diagram explaining the concept of how you can exchange private keys through public transport. It's the one down the page a bit where they use paint colors. In the real world, it's done with math, but the paint concept is sound to understand the underlying idea.
A team of researchers confirmed that behavior in a recently released formal analysis of WhatsApp group messaging. They reverse-engineered the app, described the formal cryptographic protocols, and provided theorems establishing the security guarantees that WhatsApp provides. Overall, they gave the messenger a clean bill of health, finding that it works securely and as described by WhatsApp.
They did, however, confirm a behavior that should give some group messaging users pause: Like other messengers billed as secure—with the notable exception of Signal—WhatsApp doesn’t provide any sort of cryptographic means for group management.
“This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” //
By contrast, the open source Signal messenger provides a cryptographic assurance that only an existing group member designated as the group admin can add new members. //
Most messaging apps, including Signal, don’t certify the identity of their users. That means there’s no way Signal can verify that the person using an account named Alice does, in fact, belong to Alice. It’s fully possible that Malory could create an account and name it Alice. (As an aside, and in sharp contrast to Signal, the account members that belong to a given WhatsApp group are visible to insiders, hackers, and to anyone with a valid subpoena.)
Signal does, however, offer a feature known as safety numbers. It makes it easy for a user to verify the security of messages or calls with specific contacts. When two users verify out-of-band—meaning using a known valid email address or cell phone number of the other—that Signal is displaying the same safety number on both their devices, they can be assured that the person claiming to be Alice is, in fact, Alice.
McAfee warns “these messages may seem harmless, but they’re often the first step in long-game scams designed to steal personal data — or even life savings. McAfee research shows 1 in 4 Americans have received one. Best advice? Don’t engage.”
- Airgapped raspberry pi computer with touch screen and camera
- Featuring LUKS full disk encryption
- For secure offline blockchain transactions and for secure encrypted messaging
- Move files across the airgap to other devices using QR-Codes
Independent researchers have discovered, or should we say rediscovered, a major security vulnerability in Microsoft's Remote Desktop Protocol (RDP). Previously known as Terminal Services, RDP appears to be designed to always validate a previously used password for remote connections to a Windows machine, even when that password has been revoked by a system administrator or compromised in a security breach. //
The flaw violates universally acknowledged operational security (opsec) practices – and then some. When a password is changed, it should no longer provide access to a remote system. "People trust that changing their password will cut off unauthorized access," Wade said. //
According to Microsoft, the behavior is a design decision meant to "ensure that at least one user account always has the ability to log in no matter how long a system has been offline."
The company had already been warned about this backdoor by other researchers in August 2023, making the new analysis ineligible for a bounty award. Redmond engineers reportedly attempted to modify the code to eliminate the backdoor but abandoned the effort, as the changes could break compatibility with a Windows feature that many applications still rely on. //
brucek brucekMay 2, 2025, 3:30 PM
And on the flip side, RDP doesn't recognize a valid Microsoft Account password that is not cached on the local machine. This can easily happen on a new install where you've only logged in using methods other than the password (PIN, windows hello, etc.) This is a great way to lose an hour wondering why you can't log in because it's so easy to think the problem must be some other configuration problem with setting up RDP or elsewhere in the system. //
FireStormOOOMay 2, 2025, 9:05 PM
This is cached credentials working the same way it had for decades, and it's been configurable by GPO for almost as long. The administrator chooses how long the server will remember stale credentials if it can't reach a domain controller immediately to check. No, the defaults don't make sense for a server that expects 100% availability of your authentication infrastructure.
New ChoiceJacking attack allows malicious chargers to steal data from phones. //
About a decade ago, Apple and Google started updating iOS and Android, respectively, to make them less susceptible to “juice jacking,” a form of attack that could surreptitiously steal data or execute malicious code when users plug their phones into special-purpose charging hardware. Now, researchers are revealing that, for years, the mitigations have suffered from a fundamental defect that has made them trivial to bypass.
“Juice jacking” was coined in a 2011 article on KrebsOnSecurity detailing an attack demonstrated at a Defcon security conference at the time. Juice jacking works by equipping a charger with hidden hardware that can access files and other internal resources of phones, in much the same way that a computer can when a user connects it to the phone. //
Researchers at the Graz University of Technology in Austria recently made a discovery that completely undermines the premise behind the countermeasure: They’re rooted under the assumption that USB hosts can’t inject input that autonomously approves the confirmation prompt. Given the restriction against a USB device simultaneously acting as a host and peripheral, the premise seemed sound. The trust models built into both iOS and Android, however, present loopholes that can be exploited to defeat the protections. The researchers went on to devise ChoiceJacking, the first known attack to defeat juice-jacking mitigations.
“We observe that these mitigations assume that an attacker cannot inject input events while establishing a data connection,” the researchers wrote in a paper scheduled to be presented in August at the Usenix Security Symposium in Seattle. “However, we show that this assumption does not hold in practice.”
I just got a note from @Microfix that pointed me to an interesting discussion from Ionut Ilascu at BleepingComputer:
After Microsoft ends support for Windows 7 and Windows Server 2008 on January 14, 2020, 0Patch platform will continue to ship vulnerability fixes to its agents.
“Each Patch Tuesday we’ll review Microsoft’s security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching”
Micropatches will normally be available to paying customers (Pro – $25/agent/year – and Enterprise license holders). However, Kolsek says that there will be exceptions for high-risk issues that could help slow down a global-level spread, which will be available to non-paying customers, too.
Many of you know that 0Patch has been issuing quick fixes for bad bugs in recent patches. In all cases, I’ve refrained from recommending them, simply because I’m concerned about applying third party patches directly to Windows binaries. That said, to date, they’ve had a very good track record. Whether they can continue that record with patches-on-patches-on-patches remains to be seen, of course.
I fully expect Microsoft to release patches for newly discovered major security flaws, even after January 14. Whether those will step on the 0Patch patches is anybody’s guess.
Definitely something worth considering….
0patch promises to keep delivering security updates to Windows 10 even after Microsoft stops next year. Should you use it? We help you decide. //
It’s a way to (likely) get some extra security on a Windows PC by blocking potential flaws from being exploited. But you’re also trusting an additional vendor’s security software. //
If you’re going to connect a Windows 10 (or Windows 7) PC to a network after it’s no longer receiving patches, you should take some security precautions. Ensure you’re using a browser that’s still getting updates on your operating system and an antivirus that’s still supported. And yes, 0patch could also be an additional layer of security against nasty flaws.
“In the short term, it is a good option to buy time, but eventually, the operating system should be upgraded to a regularly supported version,” said Kron.
The folder, typically c:\inetpub, reappeared on Windows systems in April as part of Microsoft's mitigation for CVE-2025-21204, an exploitable elevation-of-privileges flaw within Windows Process Activation. Rather than patching code directly, Redmond simply pre-created the folder to block a symlink attack path. //
For at least one security researcher, in this case Kevin Beaumont, the fix also presented an opportunity to hunt for more vulnerabilities. After poking around, he discovered that the workaround introduced a new flaw of its own, triggered using the mklink command with the /j parameter.
It's a simple enough function. According to Microsoft's documentation, mklink "creates a directory or file symbolic or hard link." And with the /j flag, it creates a directory junction - a type of filesystem redirect.
Beaumont demonstrated this by running: "mklink /j c:\inetpub c:\windows\system32\notepad.exe." This turned the c:\inetpub folder - precreated in Microsoft's April 2025 update to block symlink abuse - into a redirect to a system executable. When Windows Update tried to interact with the folder, it hit the wrong target, errored out, and rolled everything back.
"So you just go without security updates," he noted.
At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:
In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.
This is the access that the Chinese threat actor Salt Typhoon used to spy on Americans:
The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access systems they use for facilitating customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic”; from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.
This is the kind of information that all the sites you visit, as well as their advertisers and any embedded widget, can see and collect about you.
We Need to Talk About Jeffrey Goldberg Accidently Being Added to a National Security Chat – RedState
anon-l6yk
3 hours ago
My take is that this signal app was used extensively during the “Biden” administration and they created the original list of regular participants. How much do you want to bet that Goldberg was a regular participant in those classified briefings during the Biden years and this was a result of an incomplete purge of the unauthorized participants?
Rapid Response 47 @RapidResponse47
·
.@CIADirector: "One of the first things that happened when I was confirmed as CIA director was Signal was loaded onto my computer ... One of the things that I was briefed on very early was ... the use of Signal as a permissible work use — it is."
11:03 AM · Mar 25, 2025. //
RATCLIFFE: It is permissible to use to communicate and coordinate for work purposes, provided — provided, Senator — that any decisions that are made are also recorded through formal channels. So, those were procedures that were implemented — my staff implemented those processes, followed those processes, complied with those processes, and finally — just please — so, my communications, to be clear, in a Signal message group, were entirely permissible and lawful — and did not include classified information. //
As Bonchie rightly noted earlier, Goldberg's inclusion on the chat was an unforced error, and frankly, none of the administration should be in contact with him — ever — given his previous bad-faith reporting.
But as Ratcliffe's testimony clearly demonstrates, the use of the app itself by officials for non-classified communication and coordinating for work purposes is both allowed and legal — just as it was under the Biden administration. Hopefully, this will serve as a valuable lesson and help underscore the importance of mindfulness as to proper channels and participants when officials communicate with one another.
It’s hard to have a conversation with anyone in Washington these days without using Signal. I hate the app. It’s just one more messaging app that must be checked. Everyone in Washington, it seems, has Signal. Government officials use it. Reporters use it. Politicians on Capitol Hill use it. Hillary Clinton used an insecure email server. Everyone else just uses Signal, which, at least, is end-to-end encrypted.
With China thoroughly infiltrating our telecom system, no officials in DC are using built in phone messaging apps or voice to communicate important information now. Apple’s iMessage is robust and secure if the bubbles are blue. But someone may have their iCloud backup turned on, which would capture the chat. What’s App is fine and secure. But, again, someone might have a backup. Signal is secure and once a message is deleted, it is deleted. It is the preferred app.
For members of the Trump Administration, which last term saw rogue embedded progressives leaking classified information and even now has seen ICE raid information leak, bypassing government approved means of communications for Signal makes sense — the rogue bureaucrats provided the incentive.
But that is no excuse to add a reporter to a secure group chat trading information related to bombing the Houthis as the Trump national security team did. //
- This whole mess really does suggest that the Trump Administration, like the Biden Administration, has no clue how to get the Chinese out of our telecom networks.
Clive Robinson • March 20, 2025 12:38 PM
@ For those “new to the game”
CI/CD Secrets is liberaly spread across the articles, but none explain what they are in layman’s terms.
The first step is to understand what “Continuous Intergration”(CI) “Continuous Development/Deployment”(CD) Pipeline is. Gitlab has a reasonable description at,
https://about.gitlab.com/topics/ci-cd/cicd-pipeline/
However it says nothing about “secrets”
Put overly simply in our modern environments much is “done in the cloud” or in older parlance “across multiple servers” for which “Authorization”(AuthZ) and “Authentication”(AuthN) is required.
At the simplest that is a user has to have “an account” that once would have been a “user name” and was considered “public knowledge”, and “a password” or “passphrase” or other “secret” known only to the user and verifiable by the server.
However when you “automate” things it gets more complicated and it gets to the point where even the user does not know what is used for AuthZ and AuthN as they are “embedded in some way” into the automated pipeline.
It is these that form the basis for “CI/CD Secrets” and whilst they could be “dynamic” and “random” by “challenge and response” or “Zero Knowledge Proof” they generally are “static” and put as “plaintext in files”.
Thus if static “once leaked” anyone who has access to the leak can impersonate the valid user(s).
It’s actually a really bad security design for an automated system and should be replaced with something that is not vulnerable to being recorded and replayed, but still does not need user(s) to be actively involved.
Unfortunately by the way this attack works it can get around the “security advise” given online with articles like,
https://blog.gitguardian.com/handle-secrets-in-ci-cd-pipelines/
Who? • March 20, 2025 12:25 PM
@ Clive Robinson
Years ago I sent an email to DISA about some obvious “errors” in some networking-related STIGs that made those technical implementation guides dangerous if followed as published. They replied, in a somewhat unpolited way, noting the obvious (that I am not affiliated with the U.S. army); these technical implementation guides about some well-known routing devices remain unfixed yet.
Same happened again some time later, this time about some CTR and CSIs published by NSA. No answer at all, something I appreciate when compared to DISA reply, but they continue recommending a setup that opens widely known attacks against shared caches in certain processor architectures. Not to say, these documents have been updated at least one time but continue suggesting the insecure settings.
To be honest, I do not trust on what CISA/DISA/NSA may publish.
The current U.S. administration may continue degrading the country cybersecurity and international alliances. If U.S. citizens accept it this way, who am I to disagree?
Clive Robinson • March 20, 2025 12:58 PM
@ Who?, ALL,
With regards,
“To be honest, I do not trust on what CISA/DISA/NSA may publish.”
And so you should not. Likewise you should not trust the word of anyone including me 😉
It’s why I do not like the idea of “Best Practice” that every man and his dog took as an idea from the legal profession. Because there is no such thing as “best practice” and anything written in that regard almost certainly become “out of date” very shortly there after.
What people should do, and few have time to do so is learn what a system does and how and what it’s interactions, strengths, weaknesses and Non Obvious Flaws are.
From time to time, security issues are found within software. The FreeBSD package management system relies upon pkg-audit and the Vulnerability database to alert system administrators that attention is required.
The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple’s cloud storage service, iCloud.
Once the backdoor exists, others will attempt to surreptitiously use it. A technical means of access can’t be limited to only people with proper legal authority. Its very existence invites others to try. In 2004, hackers—we don’t know who—breached a backdoor access capability in a major Greek cellphone network to spy on users, including the prime minister of Greece and other elected officials. Just last year, China hacked U.S. telecoms and gained access to their systems that provide eavesdropping on cellphone users, possibly including the presidential campaigns of both Donald Trump and Kamala Harris. That operation resulted in the FBI and the Cybersecurity and Infrastructure Security Agency recommending that everyone use end-to-end encrypted messaging for their own security. //
It’s a question of security vs. security. Yes, we are all more secure if the police are able to investigate and solve crimes. But we are also more secure if our data and communications are safe from eavesdropping. A backdoor in Apple’s security is not just harmful on a personal level, it’s harmful to national security. We live in a world where everyone communicates electronically and stores their important data on a computer. These computers and phones are used by every national leader, member of a legislature, police officer, judge, CEO, journalist, dissident, political operative, and citizen. They need to be as secure as possible: from account takeovers, from ransomware, from foreign spying and manipulation. Remember that the FBI recommended that we all use backdoor-free end-to-end encryption for messaging just a few months ago.
Securing digital systems is hard. Defenders must defeat every attack, while eavesdroppers need one attack that works. Given how essential these devices are, we need to adopt a defense-dominant strategy. To do anything else makes us all less safe. //
Stéphan • February 26, 2025 7:37 AM
It will be interesting to see if the UK Govt is satisfied with the disabling of ADP, because that would confirm the backdoor is already in place for non-ADP iCloud accounts. Which would mean it is likely also in place for non-E2E-encrypted cloud services like Google and MS365 accounts. With this move Apple came up with a clever canary about the true underlying situation.