The 'Open Source Technology Improvement Fund', OSTIF for short, raises money for bug bounties, code audits and direct support of worthwhile open-source projects. In early August, QuarksLab (the ChatSecure/Qubes check) was engaged to go through the VeraCrypt code looking for vulnerabilities and backdoors. Phase 0 began like this:
Confidential mails vanished: that sounds punchy, and sometimes it really is the case:

"As we have begun the process of staging our audit, we have set up PGP encrypted communications between OSTIF, QuarksLab, and the lead developer of the VeraCrypt project. In these communications we have discussed vulnerability information, processes and procedures for reporting findings, and exchanged confidential information about the audit.
We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our "sent" folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.
This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.
We are setting up alternate means of encrypted communications in order to move forward with the audit project.
If nation-states are interested in what we are doing we must be doing something right. Right?"
"They now go after your server provider, domain registrar, domain reseller, domain NIC, mail hosting, DNS hosting and SSL provider, toilet paper supplier and even drug supplier. They go after whoever you can think of, even if you are compliant."
Who all of those are in OSTIF's case, they publish in their balance sheet.
Fred Raynal, CEO and founder of QuarksLab, then gave the all-clear on Threatpost:
"I think this news announcement was a mistake. I lost a message I sent to Mounir (Mounir Idrassi, VeraCrypt's lead developer) and Derek (Derek Zimmer, OSTIF CEO and president). They experienced similar issues, three times before that. Then Derek issued that statement but he should really not have done that. On my end, I am pretty sure it is a local problem on my computer between Mail.app and GPGMail."

Either way, without integrity this won't work out for OSTIF; running their own mail server and not using a Comodo cert would probably be the better choice there.
Phase 1 of the audit has since been completed, Phase 2 is under way, and the results will be published in the coming days - OSTIF