[liberationtech]'s lack of plausible deniability (Was: TrueCrypt Alternatives?)

mutek mutek at
Tue Oct 7 01:26:10 PDT 2014

On Tuesday 7 October 2014 03:50:39 CEST, Greg wrote:
> On Oct 6, 2014, at 6:41 PM, Collin Anderson 
> <collin at> wrote:
>> On Mon, Oct 6, 2014 at 9:35 PM, Greg <greg at> wrote:
>> Although this isn't a serious bug, it's still a 
>> security-related issue and you don't know how failing to 
>> responsibly disclose it could affect someone.
>> It seems that you were called out on something fairly basic -- 
>> is this about bug reporting or public embarrassment on a matter 
>> that you would have wished to remain shuffled away in private 
>> correspondences?
> Sorry, I don't understand your question, could you rephrase it?
> I am embarrassed for Steve Weis. If I were employing him, I'd 
> fire him for claiming to be a security professional while not 
> knowing how to responsibly disclose a bug.
> Re "fairly basic": yes, modifying timestamps is fairly basic 
> stuff (and it worked in all our tests just fine). I have no idea 
> why it suddenly broke.
> - Greg

IMHO it's fair to give you some time to find the bug, but then it's a must 
to publish the issue to advise your client to check for their sensible 
This is only because you claim that there is no evidence at all to reproduce 
this issue at the moment.
The check made by Steve was so simple that there is no concern about some 
"responsibility" in disclosing the bug, because it's a simple process in a 
public domain.
At the moment "security by obscurity" is no longer an option nor a must 
