Cryptkeeper Bug
The Linux encryption app Cryptkeeper has a rather stunning security bug: the single-character decryption key “p” decrypts everything:
The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress—instead, it sets passwords for folders to just that letter.
In 2013, I wrote an essay about how an organization might go about designing a perfect backdoor. This one seems much more like a bad mistake than deliberate action. It’s just too dumb, and too obvious. If anyone actually used Cryptkeeper, it would have been discovered long ago.
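The failure mode described above, as an added example that is not Cryptkeeper or encfs code: a wrapper scripts a tool's prompts positionally, and when the tool stops asking for a mode the simulated "p" is consumed as the password. The two `create_*` functions are hypothetical models of such a CLI, and the assumption that the mode prompt disappeared is ours; `checked_create` shows the post-creation check that would have caught it.

```python
import hashlib, hmac, io

SALT = b"constructed-salt"  # constructed sample value

def _key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def create_prompting(stdin):
    """Model CLI that prompts: first stdin line picks the mode, second is the password."""
    mode = stdin.readline().strip()
    return {"mode": "paranoia" if mode == "p" else "standard",
            "key": _key(stdin.readline().rstrip("\n"))}

def create_nonprompting(stdin):
    """Model CLI with no mode prompt (assumed): the first stdin line is the password."""
    return {"mode": "standard", "key": _key(stdin.readline().rstrip("\n"))}

def unlocks(volume, password):
    return hmac.compare_digest(volume["key"], _key(password))

def fragile_create(create, password):
    # Positional script: simulated 'p' keypress, then the user's password.
    return create(io.StringIO(f"p\n{password}\n"))

def checked_create(create, password):
    """Same call, but refuse to return a volume that was not keyed as intended.
    A user password that is literally "p" is rejected as well."""
    volume = fragile_create(create, password)
    if not unlocks(volume, password) or unlocks(volume, "p"):
        raise RuntimeError("volume was not keyed with the user's password")
    return volume

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    for create in (create_prompting, create_nonprompting):
        v = fragile_create(create, pw)
        print(create.__name__, "user pw:", unlocks(v, pw), "'p':", unlocks(v, "p"))
```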
Who? • February 7, 2017 10:34 AM
It is called a backdoor… just convince hardware manufacturers to not sell keyboards with the “p” (except to the NSA) and it will immediately become a NOBUS.
It is not just a bug in the way Cryptkeeper communicates with encfs, it shows there is something fundamentally broken in the development model for this application. It seems Cryptkeeper lacks some basic testing.