FBI Withholds 69 Pages of TrueCrypt-Related Documents, Most Of Which Can Already Be Found Online

from the DEFAULT:-HIDE dept

Weird TrueCrypt-related things keep happening. Over the past few years, TrueCrypt has gone from "recommended by Snowden!" to a service of questionable trustworthiness. To begin with, it was never clear who exactly was behind TrueCrypt and the lack of a recent security audit wasn't winning it many new converts.

Things went from somewhat bad to disturbingly worse when, shortly after the first phase of the audit was completed, a post went up at SourceForge declaring the software insecure and that all development had been halted. The post pushed users towards BitLocker. Further development was left to the public and more testing seemed to indicate it was still trustworthy, even though it relied on possibly predictable random number generator.

Whether or not TrueCrypt can fully be trusted remains up in the air. But there's some indication that the FBI has taken an interest (probably an unhealthy one) in TrueCrypt's inner workings.

Techdirt reader dfed sends in a tweet from security researcher Runa Sandvik, along with a link to her FOIA request to the FBI for TrueCrypt-related documents. What has been "returned" to her has been completely withheld, all 69 pages of it. The FBI cites FOIA exemption b(4) which covers "trade secrets and commercial and financial information."

The documents that won't be making their way to Sandvik appear to be three technical articles not written by FBI personnel and ones that have appeared elsewhere in unredacted form.

In further explanation of the withholding, the material consists of three, copyrighted articles: Easy to Crack USB Thumbdrives, March 12, 2008 by Daniel Bachfeld; EEEP Net: "FOUO Network", April 2014 by Greg Fulk; Techno Forensics Conference, October 2007 at NIST by Dave Reiser, and a training slide presentation, Anti-Forensics, November 2, 2007 by Secure Computing.
The 2008 article may be somewhat related to the FBI's failed attempt to crack TrueCrypt encryption protecting hard drives owned by Brazilian banker Daniel Dantas, who was suspected of several financial crimes. The Brazilian government asked for the FBI's help after spending five months of its own attempting the same thing. A year later, the drives remained intact.

The thing is, Daniel Bachfeld's article on crackable USB drives can be found online. And it was previously published in a German tech magazine. Once again, we see a government agency withholding publicly-available information simply because that's its natural tendency: to keep requesters and requested documents as far away from each other as possible.

The presentation by Dave Reiser was given at a conference that is open to members of the public, as well as the law enforcement community, so there's no reason for secrecy there. And Paul A. Henry's anti-forensics presentation, which discusses TrueCrypt, can be found online as well.

So, why is the FBI holding these back? Nothing in these papers discusses anything that could possibly be considered a "trade secret." If these are secrets, they're pretty open. Searching for "anti-forensics" turns up a wealth of scholarly papers and presentations that discuss both encryption and TrueCrypt.

This is just the FBI obfuscating for obfuscation's sake. But its knee-jerk reaction to withhold everything in its entirety also suggests something slightly more troubling. Either the intelligence/investigative arms of the US government have found a way in (by obtaining keys or compromising the RNG) or they're still very actively involved in trying to do so. Neither bodes particularly well for TrueCrypt users.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fbi, foia, redaction, truecrypt

Reader Comments

Subscribe: RSS

View by: Thread

  1. identicon
    Anonymous Coward, 20 Oct 2018 @ 3:52am


    Here's a theory (some parts of this were read on other websites):

    The NSA, seeing that TrueCrypt was undergoing an audit with very good results that would drive more people to use it, decided that they needed to make a move.

    The developers were located and were being pressured to hand over their signing keys so the software can be covertly backdoored or weakened.

    The developers, not wanting this to happen, handed over the keys to avoid repercussions but also put up their special message, effectively ending the project (NSA trying to start it back up again/pretend the website was defaced would be met with intense scrutiny).

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.