TrueCrypt Page Says It's Not Secure, All Development Stopped
from the uh... dept
Last fall, we noted that the popular disk encryption software TrueCrypt was undergoing a security audit, inspired by the Snowden revelations. At issue: TrueCrypt is open source and widely used and promoted (hell, Snowden himself apparently taught people how to use it), but no one really knew who was behind it — raising all sorts of questions. A little over a month ago, we noted that the first phase of the audit didn’t find any backdoors, but did note a few (mostly) minor vulnerabilities.
However, a little while ago, TrueCrypt’s SourceForge page suddenly announced that ” WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” and furthermore: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.”
While some initially questioned if this was a hoax, others quickly noted that a new version of the program was signed with the official TrueCrypt private key — meaning that it’s either legit, or TrueCrypt’s private key has been compromised (which would obviously present another serious issue). If you happen to use TrueCrypt, you should be very, very careful right now.
Filed Under: development, disk encryption, encryption, privacy, security, truecrypt
Comments on “TrueCrypt Page Says It's Not Secure, All Development Stopped”
One of the sources I read stated that the signing key itself may have been recently changed. However, the original sources of the claims were not cited.
Re: Re:
I was just listing to TWIT.TV’s This week in Google when Leo LaPorte brought this up. He is thinking it’s a hack.
Apparently Steve Gibson, the host of Security Now is talking to the people who have been doing the audit and they have been trying to reach people at Trucrypt.org.
There is also a new executable that LaPorte said you should NOT download under any circumstances.
The best advice is wait for a few days for things to shake out. One of the possible clues was the recommendation to use Microsoft’s Bitlocker which is a closed source application. (Obviously)
Re: Re: Re:
truecrypt.org and truecrypt.sourceforge.net are not found in archive.org. And the encryption code is gone from current downloads while the decryption code remains. Dum-de-dum-dum.
Re: Re: Re: Re:
I have heard two possible explanations, both fairly tinfoily:
1. Truecrypt has received a Security Letter from an American or other agency (we don’t know where they are) to build in a backdoor. They are not allowed to announce having received the letter, but they can simply rip out the encryption part of their software and make a general announcement like this one.
2. Were hacked but regained control. But why weren’t they more specific in their warning, then?
Re: Re: Re:2 Re:
I sort of go with a third, slight more hybrid situation, which is:
3. the encryption itself may have been hacked or back doored due to it’s reliance on windows code, particularly older functions traced back to Windows XP. Possibly the NSA knew and used it. Possibly hackers new it and used it. Possibly both.
No matter which answer you go with, the product is compromised, any data stored with this product should be considered at risk, and potentially that it has already been obtained illegally by third parties. It should also not be considered a good way to encode drives to cross the border, as an example.
Re: Re: Re:3 Re:
This is the most likely issue. It’s actually pretty wise of the Truecrypt devteams to say when they have discovered that ti isn’t as secure as it claimed.
Either way, it’s not good for traditional cryptographic protection schema.
Re: Re: Re:3 Re:
There is a REALLY huge flaw in your logic there. Mainly “due to it’s reliance on windows code”. TrueCrypt is cross platform. It ran on Windows, Linux and OSX. So it would not have relied on windows code.
Also, you saying they pulled their product due to flaws in windows code, and then they recommend you move to… Windows bitlocker?
Re: Re: Encryption and open source
Well, there is no reason to hide the algorithm of good encryption just because it’s asymetrical. You can know the way how data is encrypted, but there is no way back once it was secured. If someone say that it should be closed executable… I’m pretty sure there is something behind.
Re: Re:
The history at SF shows that the signing keys were changed 4 hours before the new build was uploaded…
Sounds pretty suspicious to me 😉
Using a closed source solutions is safer??? Further it is only available on pro and enterprise editions of Windows Vista, 7 and 8.
Re: Re:
Potentially safer than using a software solution that is known to be compromised.
Re: Re: Re:
But not safer than using one of the other open source solutions.
Re: Re: Re:
That may depend on who you want to hide your data from, against a casual thief, bitlocker would probably work, against the NSA.. I would not trust it.
Bitlocker is not known to be compromised, the repository may have been hacked, and prior visions might still be effective. Also note that to use Bitlocker will require many home users to upgrade their operating system. Something about this smells worse than a skunk.
Re: Anonymous Coward
TrueCrypt was developed in a closed fashion (although source code was available). Seems to be that the whole “hey guys use BitLocker instead lol!” strategy is merely an excuse. I mean, it’s not like BitLocker has any government backdoors or anything.
Only a fool would suggest to use a Microsoft product for encryption purposes post-Snowden. Something fishy is definitely up and it’s most likely not good. Anyone know of any alternative open-source encryption if truecrypt is indeed compromised?
Re: MS Fool
Use Paper. Read it. Memorize it. And then, eat it.
Re: Re: MS Fool
Mmmmmm…. Paper contained a printed doughnut. Tasty.
Re: Re: MS Fool
They can read your brain too!!!! 😉
Re: LUKS
I personally prefer LUKS encrypted containers or drives. Sure they have a known signature at the beginning, but how likely do you think someone is going to have a multi-gigabyte file full of random data.
Best of all, the Linux cryptsetup program supports both these and truecrypt. For windows you can use a program called FreeOTFE.
Unfortunately, while LUKS is the standard way to do full disk encryption in Linux it doesn’t do the fancy pre boot stuff so it can’t encrypt your main windows drive.
Re: Re: LUKS
Glad someone mentioned LUKS. Great for many reasons, including the ability to separate the header (where the keys are stored) from the data itself. Works even better when you’re entire drive is filled with random data first.
Re: Re: LUKS
Re: Encryption issues
Ananymous Coward, how you could ever trust any encryption software since you’re probably no cryptographic expert? OK, you can get source code of thousands lines and you will never be sure what exactly you’re compiling. Moreover, you probably don’t know what the compiler does with the source code. The only way is to have nothing to hide 😀
“The website is presumed hacked, the keys are presumed compromised, the binary on the website is capable only to decode crypted data, not encode, and may contain trojan. The binary is signed with the valid (old) key. All old versions are wiped, the repository is wiped too. Please do not download or run it. And please don’t switch to bitlocker.”
See https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff
Occam's Razor suggests...
…it’s a hack. Given that there have been no public statements from the principals thus far, I have to guess they’re busy solving the problem and will publicly say something once that’s done.
Re: Occam's Razor suggests...
I agree, a hack is the most likely explanation (all signs point to it, anyway).
Anyone using TrueCrypt should stand pat for the time being until more is known. Do not use the binary on the website. If you feel the need to migrate, then decrypt using your existing version of the software and don’t migrate to BitLocker.
Re: Occam's Razor suggests...
“busy solving the problem and will publicly say something once that’s done”
They’re anonymous and have never been identified. How will you know whether to trust what “they” say?
Re: Occam's Razor suggests...
Coincidentally enough, this morning I got an email message from the TrueCrypt Audit Indiegogo letting me know that the gifts/rewards for contributing to the campaign were going out in the mail….
..or was it the NSA? Hmmmm.
Another possibility?
From twitter:
Let’s hope this isn’t lavabit 2.0
Re: Another possibility?
Actually when you think about it, the Lavabit route may have sucked for the company and the ones running it, but with regards to the targets, otherwise known as the customers/users of the service, it was pretty much the best they could hope for. Yeah the service shut down, but compared to having it totally compromised, that seems like a decent alternative.
Re: Re: Another possibility?
Very true. Given the choice between a high quality product being discontinued and a completely compromised product available without anyone’s knowledge of the compromise, anyone with any sense will be happy with the former.
Re: Re: Another possibility?
As a former Lavabit customer, I can say there was certainly some short-term suckage for me while I had to figure out what to do with my email after the shutdown. The plug was pulled with no advance warning, so the transition to a new host was less than smooth.
But otherwise, yeah, I’d rather have that happen than have a totally compromised host.
Re: Another possibility?
I think Lavabit 2.0 is quite possible. Had this Truecrypt developer received a National Security Letter (NSL) then the only option that remains is to discredit his own product.
New page layout hastily created, bullshit reason, an open source developer recommending a closed source product, “Microsoft”, newly generated encryption key, pointing out ‘compromised’ despite a clean audit, then lastly migration to avoid a possible NSA compromised product.
If that does not scream out NSL then I don’t know what does when naturally anyone who receives an NSL is forbidden from saying that they have.
Might be another Lavabit scenario
Some speculation that TrueCrypt is falling on it’s sword after some secret orders:
http://forums.theregister.co.uk/forum/1/2014/05/28/truecrypt_hack/#c_2200085
Seems as good of a speculative explanation as any. Why would someone compromising the dev key warn people away from the binary? Better just to sign a compromised one and say nothing….
And if you are going to hack a site like TrueCrypt for notoriety, you’d put up the typical ‘I OWNZ UR ASS’ hacker boasts….
Re: Might be another Lavabit scenario
Wouldn’t work. Someone else would simply grab the source tree and start working on it. (More likely: multiple someone else’s.)
Killing a service like Lavabit is relatively easy. Killing off open-source code is hard.
Re: Might be another Lavabit scenario
There is a problem with putting back-doors in open source code, you can assume that they will be found sooner or latter, especially if an outside audit is in progress. So it is more likely they have been forced to fall on their swords, and point users at a closed source compromised system.
Re: Re: Might be another Lavabit scenario
However phase one of the audit said that no backdoors, intentional or otherwise were found…
So that doesn’t make any sense.
Re: Re: Re: Might be another Lavabit scenario
I think the running theory (and I emphasize that it is a theory) in this thread is that the new version of the code is compromised, not the old version. They were forced to put in back doors in the new version, so they did the honorable thing and shut it down.
Again, theory, I want evidence. It could be that they found out that the NSA has some way to decrypt anything Trucrypt created without a backdoor, so they jumped ship. It could also be that the site was hacked as has been suggested. Or any number of other things.
One thing I can say is that I’m not plugging in my encrypted hard drive until I get more information.
Re: Re: Re:2 Might be another Lavabit scenario
I think that’s an hypothesis, not a Theory.
Re: Re: Re:3 Might be another Lavabit scenario
Scientifically speaking, yes. Colloquial speaking, no. You’re just being a pedant.
Re: Re: Might be another Lavabit scenario
I’m still unconvinced. IF that was the case, then eventually it would come out — and the outcome would be much worse for those issuing those orders than if they’d just left TrueCrypt alone.
Why? Because if it became public knowledge that TrueCrypt was ordered to shut down, the first question would be “why?”. And if the answer to that is “because we can’t crack it and we’d really like to” then that immediately calls into question EVERY cryptographic implementation, because we must reason that any which haven’t been ordered to shut down are, in fact, already compromised.
And I don’t think anybody wants to go there.
Re: Re: Might be another Lavabit scenario
Yeah, it will probably be found eventually. But if it is actively hidden, it could last longer than a simple mistake like Heartbleed, which lasted two years before discovery. That leaves plenty of time to exploit it.
Re: Might be another Lavabit scenario
Some speculation? There’s relentless speculation about this online, and pretty much nobody is saying these theories go too far, that people are just paranoid, that governments wouldn’t do this, etc. I knew there was some mistrust, but this is near-universal mistrust. And the government hasn’t even put out their suspiciously-precisely-worded denial yet.
Trusted Systems
Whether this is a hack, or a defensive move against government interference, or a yet another reason, what does this have to say about trusted systems?
Is trust temporary, until you know you can’t or shouldn’t?
Or is trust permanent, until it is taken away?
How does one know who or what to trust anymore?
Personally, I will lend $20 to almost anyone I have some relationship with. I learn a lot in how they handle it. If I get it back, it speaks to character. If I don’t get it back, it speaks to character. I tend to trust, until I have reason not to.
But with systems, how does one determine trust? I have given trust to deal with things like banking online, Skype communications, several email accounts, etc. All of them now have serious trust issues. To some degree, I just continue, but I am far from comfortable.
Re: Trusted Systems
Use open source software, as deliberate back-doors will not exist in it for long, and security vulnerabilities get fixed in hours to days, not weeks to months. For really sensitive stuff, run a live distro off of a DVD. Post Snowden, people will be keeping a closer eye on all commits, including some that are not part of the project, making it a stupid idea for a security agency to try and get a back door into the software.
Re: Re: Trusted Systems
I do. This is being posted from my Linux Machine. I run Windows as well, but only because I need, I mean need, my Flight Simulator.
This does not help if SSL is broken. This does not help if any encryption that gets used is broken. This does not help if Skype is broken, and do to the folks on the other end, other choices are not reasonable. This does not help if my VPN’s encryption is broken. This does not help if Tor is broken.
I have, and share a Tails torrent, which is open source, Tor enabled, Linux based, used to be anonymous, used by Ed Snowden and Bruce Schneir, but just exactly when do I use it? Everytime I visit my bank? When I want to send an email? Those are both online, and not particularly in my control.
Using Tails rather than punching the browser button is a tremendous inconvenience, as at the very least it requires two reboots, one to use it, and another to get back to normal. Is banking the break point? Or do I need a nefarious intent to invoke it? While I have nothing to hide, I have nothing I want seen.
Re: Re: Re: Trusted Systems
I assume you are learning how to land too?
Re: Re: Re:2 Trusted Systems
Oops that was me not logged in …
Re: Re: Re:2 Trusted Systems
I learned to land…with difficulty, as I had no instructor. My controlled crashes were not controlled, and mostly over speed. Now, roughly 30,000 simulated flight hours later (still no instructor (though I did learn a whole bunch from this CFI http://www.whittsflying.com/web/index.htm)), I can take off too.
Re: Re: Re: Trusted Systems
“I have, and share a Tails torrent, which is open source, Tor enabled, Linux based, used to be anonymous, used by Ed Snowden and Bruce Schneir, but just exactly when do I use it? Everytime I visit my bank? When I want to send an email? Those are both online, and not particularly in my control.”
You use it when you want anonymity online, which is not the same as encryption. You should use a VPN for banking and email, not Tails or tor, and you should only trust that VPN up to the TLA point, and not beyond that. These tools can do a lot but it is critical that people understand what they do and do not do.
Re: Re: Trusted Systems
“security vulnerabilities get fixed in hours to days, not weeks to months.”
Heartbleed.
Re: Re: Re: Trusted Systems
Implication being once known to the developers. Only a manager could ask for, and expect, all unknown vulnerabilities to be listed and fixed.
Re: Re: Re:2 Trusted Systems
By those same standards those ‘hours to days’ and not ‘weeks to months’ also applies to many non-open source software. The speed that a vulnerability gets fixed depends on other factors such as the seriousness of the vulnerability (heartbleed was a very serious vulnerability) and the nature of the developers (are they lazy and slow or are they motivated and quick).
You can have motivated open-source developers and lazy ones too which is also true for proprietary software.
Re: Re: Re:3 Trusted Systems
and another factor involved in the speed that vulnerabilities get fixed is the nature of the vulnerability and the nature of the vulnerable software. Some minor security vulnerability on a Windows machine can probably wait a week since the machine is probably behind a NAT firewall anyways. But the whole purpose of OpenSSL is to provide front line protection of very critical information.
So the AC above was comparing apples to oranges. Comparing the speed by which a non-critical vulnerability gets fix after it is made vs the speed with which a critical vulnerability gets fixed from the time of disclosure to the developers is not a fair comparison.
Re: Re: Re:3 Trusted Systems
One big difference with open source, anyone who is capable can provide the fix, and make it available to anyone who wants it. If it is a significant package, then the developers for many distros will be looking at the problem, so the fix is not dependent on a small number of developers, or even just the one, who are the acknowledged maintainer(s) for the package.
Re: Re: Re:4 Trusted Systems
I agree that open source is better when it comes to security purposes in the long term when (at least when it comes to highly used software).
Re: Re: Re:3 Trusted Systems
“You can have motivated open-source developers and lazy ones too”
True, but the advantage of OSS is that anyone can fix it. Heartbleed is case in point. The original patch for it came from Google. So, while proprietary software can only be fixed by small pool of developers, OSS software can be fixed by anyone in a much, much larger pool.
Re: Re: Re: Trusted Systems
In the case of Heartbleed, the vulnerability was fixed very quickly.
Now distribution of the fix, on the other hand . . .
. . . that may take some time. But not necessarily for software systems (like OSes and some applications) that have an automatic self-update capability.
Re: Re: Re:2 Trusted Systems
“In the case of Heartbleed, the vulnerability was fixed very quickly.”
After disclosure.
Re: Re: Re:3 Trusted Systems
After discovery.
Re: Re: Re:4 Trusted Systems
You can’t know that. You don’t know if someone, like the NSA, discovered it a year ago and never disclosed it and they may have exploited it.
Re: Re: Re:5 Trusted Systems
The NSA doesn’t count. The original discovery in a nonclassified setting was by Google. The problem was fixed and a patch released in less than a week.
Re: Re: Re:6 Trusted Systems
and when there is a disclosed Microsoft Windows vulnerability how long after disclosure does it typically get fixed?
Re: Re: Re:7 Trusted Systems
That’s impossible to know, as we don’t know when Microsoft is made aware of such vulnerabilities. However, if we look at when vulnerabilities become publicly known and measure the time until a fix, it’s usually fairly long. A month would be quick.
Re: Re: Re:2 Trusted Systems
But it was in the wild for two years before it was discovered and could be fixed. The speed with which a vulnerability is fixed after discovery doesn’t do much to mitigate all the time it had to be exploited before said discovery.
Re: Re: Re:3 Trusted Systems
Some Windows security flaws have been in Windows code for much longer, like vulnerabilities that date back to IE 6.
Re: Re: Re:3 Trusted Systems
This is true, but a pointless point. A vulnerability cannot be fixed until it is known to exist. That this one was in the wild for a long time before discovery has nothing whatsoever to do with whether or not is was OSS.
Re: Re: Re:4 Trusted Systems
That this one was in the wild for a long time before discovery has nothing whatsoever to do with whether or not is was OSS.
His point is that software being open source doesn’t guarantee anything about not having vulnerabilities, which is an attitude many people seemed to have pre-heartbleed.
Re: Re: Re:5 Trusted Systems
“which is an attitude many people seemed to have pre-heartbleed”
Interesting. I’ve seen many comments accusing others of thinking that OSS is some guarantee that there is no vulnerability, but I’ve not actually seen large numbers of people who actually think that, so it’s more than a bit of a straw man.
What I have seen a lot of is people misunderstanding the arguments that OSS is better than closed source in this matter and thinking that the argument is that OSS is inherently safe. It’s pretty near indisputable that OSS really is the safer choice, and often I wonder if the misunderstanding of the argument is deliberate.
Re: Re: Re:4 Trusted Systems
“This is true, but a pointless point.”
A pointless point…
Re: Re: Re:5 Trusted Systems
[head explodes]
Re: Re: Re:3 Trusted Systems
“The speed with which a vulnerability is fixed after discovery doesn’t do much to mitigate all the time it had to be exploited before said discovery.”
Just as with proprietary software.
Re: Re: Re: Trusted Systems
Who are you, Dilbert’s pointy haired boss?
Re: Trusted Systems
“Is trust temporary, until you know you can’t or shouldn’t?”
Trust is always temporary and conditional. This has been true for all security systems going back as far as security systems have existed.
When you think about it, it’s true in all of life as well.
Re: Re: Trusted Systems
That is why I use my $20 test, it tests the conditional, the condition being the others character.
Is not a situation where someone is selling trust a bit different? Does not the seller need to exhibit some form of character to get that trust? Should not such trust, thus displayed, be able to be counted upon? Should there be a statute of limitations on such trust? I know, better not ask a banker, or an insurance company executive, or certain ebook providers, or gaming system manufacturers, etc.
I am not arguing that such trust exists. The government has failed our trust. Banks have failed our trust. Numerous other companies and individuals have failed our trust. There is a lot not to trust out there.
I am arguing that we should be able to count on some things. I am arguing that the government should not be in the business of conflating that trust. I am arguing that short of criminal behavior, we should be able to trust.
Look, I am a realist. I know we cannot fully trust our current understanding of physics, simply because we don’t know it all yet, and current ‘facts’ may change. Yet I fully trust that if I jump up in the air, that part of physics that defines gravity will again earn my trust and hurtle me back to the ground. If that kind of trust can be developed in nature, what is so damn difficult about it for us humanoids?
I guess my question might better be expressed as how can we get to trust systems? Given what we now know.
Re: Re: Re: Trusted Systems
“I guess my question might better be expressed as how can we get to trust systems”
And my answer is that if you’re looking for some kind of permanent trust, that’s impossible. It doesn’t matter if you’re talking about trusting technology or people. It’s just a fact of existence — things change, so trust must be temporary.
However, my personal take on trust issues is this: nothing and nobody is 100% trustworthy, so absolute trust is a foolish goal. When I say I “trust” something, what I mean is that I feel I have a good idea of the predictability of it. I have a reasonable handle on what circumstances I can or cannot rely on it.
Nice try, GCHQ, but I don’t think so.
Well is this not a temporary nightmare seeing that millions of people including myself use Truecrypt. Security and safety are utterly important and not some split and run.
I would not care to speculate what is going on when we can only await the hard facts and then kill whoever is responsible.
National Security Letter
THIS is exactly how a reaction to National Security Letter would look like. Instead of cooperating author decided to steer people away from it killing the project.
Re: National Security Letter
An NSL looks most likely.
Had he only wanted to quit then why say Truecrypt is insecure?
If he believes Truecrypt is insecure then why not state the faults?
Had Truecrypt really been insecure then why do all on-going audits say that no serious flaw has been found?
Clearly much more is going on here than meets the eye.
Re: Re: National Security Letter
If it were insecure, they would already have a new version that fixed the security problem and would be encouraging everyone to upgrade to that.
It’s gotta be either a compromised key or a hidden message. The development team wouldn’t in their right minds advise people to move from TrueCrypt to Bitlocker–that’s clearly ludicrous. The fact that they haven’t made any clarifications to their statement is equally telling, and it’s pretty easy to do the math. My guess is that they are under a gag order, and that some entity really doesn’t want to you the user to use TrueCrypt, meaning it is probably secure. Personally, I’m going to stay the course.
One more thought: Let’s say you are some third party out to undermine TrueCrypt, for whatever reason. It would be very difficult to undermine the code as it is open source. You are unable to undermine the product itself so why not do the next best thing: undermine the user’s trust in that product. So in that you accomplish your goal, because less people will use it and migrate to something less secure. And in this scenario, it should go without saying that if you had already undermined the code, you’d want more people to use it, not less. And you wouldn’t be issuing any statements.
So yeah, I think the team either fell on their swords or this is a clumsy attempt to undermine trust, and that both scenarios point towards older versions being trustworthy. I certainly won’t be downloading newer versions, that’s for double-dog sure.
Sabu’s last favor to the FBI?
Re: Re:
Last?
Looks pretty fishy to me.
On the off chance this is true….what are the other good, reliable, credible and trust worthy encryption software out there…
TrueCrypt 7.1a
TrueCrypt 7.1a is still as good as it ever was.
installation binaries, source, signing key and signatures plus PDF of iSec audit
torrent: https://dl.dropboxusercontent.com/u/1797250/TrueCrypt-7.1a.torrent
Seeding will continue for the forseeable future.
What Do You Seek
Locks only keep out honest people.
Risk Assessment 101:
– Who are you hiding data from? The government, your wife or your mom?
– How much of your data really needs to be encrypted? It’ll be a small subset of all the bytes you own. In which case you can probably concoct your own disguise for it.
Re: What Do You Seek
You’re asking the wrong questions. Or, at least, coming at it from the wrong angle.
It isn’t about “hiding” anything. It’s about privacy, and knowing your data is safe.
I have backups of my financial records (and other related personal items) on a thumbdrive, and it’s with me at all times. It’s my “backup of last resort” in case all my other backups are lost. (Due to fire, flooding, etc., all of which have affected me in the past.) If everything else fails, I always know I’ll have a backup of my most irreplaceable records with me.
And I encrypt it. Heavily. Not because I’m trying to “hide” it, but because it’s personal. Yes, I want to keep it out of the hands of any who would try to use it for nefarious purposes, but I also just want to know that a stranger can’t peruse my personal information if they get their hands on the drive. If the drive is lost or stolen, I don’t want to give a second thought to the information on it; I know it’s encrypted far beyond the point of practical recovery.
Not only that, but it’s also protected from situations we see more of these days, where any random traffic stop is “cause” to try to pry through every digital device in or near your control. I’d probably be perfectly willing to provide the password to law enforcement—upon receipt of a valid, narrow, and properly executed warrant (and after speaking with my lawyer)—but I rest easier knowing I have at least that level of control.
Again, it’s not secret, it’s private, and that’s a distinction that doesn’t get as much notice as it deserves. Even a person with “nothing to hide” has things they’d prefer to keep private. Different things for different people, to be sure, but taking steps to safeguard ones privacy in the modern digital world is something that each person should be able to do in a way they feel is appropriate.
Locks may only keep out honest people, but I still use them. And I prefer to use the best ones I can.
Re: What Do You Seek
“Risk Assessment 101:
– Who are you hiding data from? The government, your wife or your mom?”
The first question is valid as it addresses use-case. The allusion to authority figures and the desire to hide things from aforementioned authority figures has already been well addressed.
– How much of your data really needs to be encrypted?”
All of it, if any of it.
Why a Three Letter Agency must be involved
Why a Three Letter Agency must be involved
TLA = Three Letter Agency
TPLA = Three Plus Letter Agency
* This is nothing but a hoax
* This is nothing but a defacement
If that were the case, then the authors would come out and say so.
The newly released code containing the “hoax” was signed with the authentic signing key.
So a hoax seems unlikely.
If this is a hoax or defacement, then someone went to an awful lot of work to build a new software release — and obtain the capability to sign it!
If someone had obtained the secret signing keys, then there are lot more valuable things that could be done with them than a mere hoax / defacement.
* Mabye the authors just want to retire from long work on this program
Then why not just come out and say so?
Why not pass the torch to others to continue to work?
Why use the excuse of discontinuing it because of discontinued support for Windows XP, which is so lame of an excuse as to be unbelievable. (Hint: not to be believed.)
* A security vulnerability was discovered
* The program was hacked by the NSA, Chinese, Aliens, etc
* A weakness was discovered in the encryption
If this were the case, then why wouldn’t the authors just come out and say so? The only reason would be if they were constrained from saying so by a secret order from a secret court under the authority of a secret interpretation of a secret law, or something like that.
Consider that the newly released program, authentic according to its digital signature, has the warnings embedded. So the warnings must be genuine. Yet the same release with the warnings also removes the encryption capability the retains the decryption capability. This would imply that the author’s motives are to allow you continue to decrypt previously encrypted data, and would imply that the authors believe it currently is and will continue to be secure — but that *encryption* will not continue to be secure in the future.
* Maybe the authors merely lost control of their credentials, signing key, etc.
The same arguments apply.
* Why wouldn’t authors just say so?
* Why then release a new version with warnings, and removing future encryption capability, but keeping decryption capability?
This argument would imply that the authors still care about your security but were merely hacked or lost control of their key. If the authors continue to care about your security, then why suggest switching to BitLocker which is (a) closed source, (b) cannot be analyzed for vulnerabilities or back doors, and (c) is from Microsoft.
* This situatiion is nothing like LavaBit’s poor choice of response strategy
Nobody is arguing that it is similar. I am only arguing that the authors forced to compromise *future* security, and not disclose this, had no other choice but to find a way to get people to stop using the program.
My conclusion.
The only thing that seems to fit all of the facts is that a TLA/TPLA ordered them to hand over their digital signing keys and keep this fact a secret.
* This would mean that the authors have lost control of their keys
* The authors may have been forced to suggest switching to BitLocker, also for the benefit of TLAs/TPLAs.
* The authors cannot disclose this fact
* The TLAs/TPLAs want to make new insecure releases, that are digitally signed as authentic — even if only intended for release to selected parties.
* The authors still care about your security
* The authors still control their website and can still make new software releases
* The authors are not forbidden from abandoning the project or saying that it is now insecure
* The authors know that the past security of the program is not compromised, only the future security
* Therefore authors remove encryption but retian decryption capability, and then fall on their sword to protect everyone. Similar motives to Lavabit response, but not similar in other ways.
Re: Why a Three Letter Agency must be involved
I would also like to add that someone on Ars points out that in the set of changes to the source code in this new release of True Crypt, all instances of “U.S.” have been replaced by “United States”.
That sounds like something a TLA would do.
GitHub source code comparison:
https://github.com/warewolf/truecrypt/compare/master…7.2
Re: Re: Why a Three Letter Agency must be involved
It was also pointed out that in the two years since the last release that the compiler could have been updated to now express U.S as United States.
People should be cautious looking for shapes in tea leaves.
Re: Why a Three Letter Agency must be involved
Another argument:
* But the authors gave a reason to stop using TrueCrypt — because of the removal of Windows XP support
TrueCrypt is (was) a cross platform program. So why would removal of XP support (even if that excuse were believable) have any effect on other platforms?
Why wouldn’t the authors simply discontinue the Windows version of TrueCrypt? Or simply discontinue it only in XP but continue working on TrueCrypt on Windows 7, 8, etc.?
Re: Why a Three Letter Agency must be involved
So far, I have argued, based on available facts, that this is a Lavabit like situation.
Another possibility suggests itself.
A TLA (three letter agency) has managed to gain COMPLETE control of the project and its signing keys.
This also fits available facts. Lame excuse for ending project. Lack of any response by actual authors discrediting idea of a hack, hoax, defacement, or discovered vulnerability. This also fits with the U.S. being changed to United States. Some TLA button-down necktie programmer would do that.
Motive? If TrueCrypt is really secure, as all past evidence suggests, then TLAs would not want people using it. Thus they be sure to remove all previous versions so you cannot download and use them.
Why not a peep from the authors? I’ve read that the authors are anonymous and have never before spoken to the press. If that is the case, loss of their signing credentials makes it impossible for them to verify that they are who they claim to be. You, or I could claim to be the author of TrueCrypt, but would equally have no way to prove it.
Re: Re: Why a Three Letter Agency must be involved
Which because it was a git project fails because there will be hundreds of copies out their already, including one torrent referenced in this thread. As well as in every Linux repo of Distros that offered it.
Re: Re: Why a Three Letter Agency must be involved
“A TLA (three letter agency) has managed to gain COMPLETE control of the project and its signing keys.”
Then why has the TrueCrypt team not stated this?
You are looking at this the wrong way when spies are not good spies being so public. The US Administration runs on ultra secrecy mode when they won’t send in the hackers but the ultra secret court orders.
Re: Re: Re: Why a Three Letter Agency must be involved
Then why has the TrueCrypt team not stated this?
How would they do that?
Random person: “Hi internet, I’m one of the authors of TrueCrypt.”
The internet: “Prove it.”
Random person: “Um… trust me?”
Re: Why a Three Letter Agency must be involved
Just wanted to point out a crucial detail to the OP: a form of encryption itself is not the same as an implementation of that same encryption. Case in point, AES encryption. Found in TrueCrypt, LUKS, BitLocker, and many other places. TrueCrypt (linux version, locally compiled) uses AES properly, hence why it worked (I don’t use TrueCrypt myself, but have heard that the windows version comes with a binary blob, and that the same source code that compiles on Linux won’t compile on windows). On the other hand, BitLocker uses that same AES encryption but because of implementation it also adds a backdoor for LEAs, rendering the same encryption practically useless (in that implementation).
Duh!
TrueCrypt is open source and widely used and promoted (hell, Snowden himself apparently taught people how to use it), but no one really knew who was behind it — raising all sorts of questions.
Need I say more..
My 2 Cents....
I’m going with the letter theory…
In the code…this line was removed….
Donate now…
A hacker would have left that in, because that’s just another way hacker could scam people….by nabbing money along the way!
Re: My 2 Cents....
I don’t think that h-word means what you think it means. In fact, I’m not even sure that it has any meaning anymore.
What if
I’ve only started using this a few months back, around Jan. I have the downloaded exe file on a flash drive. Misplaced the drive, which I just found. However, I downloaded another copy of this on monday. The site seemed fine. No warnings, error messages, etc.
Wouldn’t it be possible to reverse engineer an older release or two and compare it to a reversed engineered of the newest release to see what if anything has changed to see see if there is a backdoor or anything like that?
From what i’ve read, the govt, mainly the NSA has stated they couldn’t crack True Crypt. So in theory, from some of these comments, how possible is it, they were forced to back door it? Then did the honorable thing and shut down?
Just curiosity and questions here.
Also, from my knowledge, Bit Locker is not Linux compatible. TC comes installed on BT5, though that support has ended and has been replaced by Kali. But BT5 is still available.
Re: What if
Don’t use BitLocker, it is backdoored.
No need for reverse engineering, both the old and the new source code are available. However as a check the new source should produce the same binary as the new binary when compiled for the same target using the same version of the compiler.
Re: Re:
That’s not necessarily reliable. Many projects do not have “deterministic builds”, where compiling the same source for the same target with the same compiler and the same external libraries (et cetera) will produce a binary-identical file in all cases; in some cases, the compiler may go so far as to insert compile-time timestamps – or other time-dependent information – in the generated binary.
Producing a reliably deterministic build is still possible, but there’s no guarantee that any given project has gone to the trouble to ensure it.
I’ll be keeping an eye and ear out on this story to see what. if anything, comes from it.
I will just use NSA’s Bitlocker. YEAH RIGHT