A Critical Security Bug in Tarsnap

55

The author of tarsnap (“online backups for the truly paranoid”) has sent out an advisory describing a “critical” security bug in versions 1.0.22 through 1.0.27. “It may be possible for me, Amazon, or US government agencies with access to Amazon’s datacenters to decrypt data stored with those versions of Tarsnap. This is an absolutely unacceptable compromise of Tarsnap’s security principles, and I sincerely apologize to everyone affected.” The posting describes how to respond to the problem and is an interesting discussion of how easily things can go wrong in security-related code.

Read more at LWN