29 May 14

True Goodbye: ‘Using TrueCrypt Is Not Secure’

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

Sometime in the last 24 hours, truecrypt.org began forwarding visitors to the program’s home page on sourceforge.net, a Web-based source code repository. That page includes instructions for helping Windows users transition drives protected by TrueCrypt over to BitLocker, the proprietary disk encryption program that ships with every Windows version (Ultimate/Enterprise or Pro) since Vista. The page also includes this ominous warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

“This page exists only to help migrate existing data encrypted by TrueCrypt.”

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.

What’s more, the last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.
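One way to make the signer comparison described above yourself, as an added example that is not from the article: it reads the Authenticode signature of two installer copies and compares the signing certificate’s thumbprint. The file paths are placeholders, and it assumes Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example, not from the article: compare the Authenticode signer of two
# TrueCrypt installer copies (e.g. a January 2014 build and the final build).
# File paths are placeholders; point them at your own downloaded copies.
$OldInstaller = 'C:\Downloads\TrueCrypt-known-good.exe'   # placeholder path
$NewInstaller = 'C:\Downloads\TrueCrypt-candidate.exe'    # placeholder path

function Get-SignerSummary {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate   # $null when the file carries no signature

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Compare-Signer {
    param([string]$Known, [string]$Candidate)

    $a = Get-SignerSummary -Path $Known
    $b = Get-SignerSummary -Path $Candidate
    $a, $b | Format-Table File, Status, Thumbprint, NotAfter -AutoSize

    if (-not $a.Thumbprint -or -not $b.Thumbprint) {
        Write-Warning 'At least one file is unsigned; nothing to compare.'
        return $false
    }
    # Same thumbprint = same signing certificate, which is the article's observation.
    # It does not prove the private key was never copied, so treat it as one signal
    # alongside hosting/DNS history and the SHA-256 of a copy you already trusted.
    $same = ($a.Thumbprint -eq $b.Thumbprint)
    if ($same) { Write-Host 'Signer certificate matches the known-good build.' }
    else       { Write-Warning 'Signer certificate differs from the known-good build.' }
    return $same
}

Compare-Signer -Known $OldInstaller -Candidate $NewInstaller
```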

That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden.

“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).

Green said he’s disappointed that the TrueCrypt team ended things as abruptly as they did, and that he hopes that a volunteer group of programmers can be brought together to continue development of the TrueCrypt code. That could be a dicey endeavor given the license that ships with TrueCrypt, which Green says leaves murky and unanswered the question of whether users have the right to modify and use the code in other projects.

“There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation,” Green said. “But maybe what they did today makes that impossible. They set the whole thing on fire, and now maybe nobody is going to trust it because they’ll think there’s some big evil vulnerability in the code.”

Green acknowledged feeling conflicted about today’s turn of events, and that he initially began the project thinking TrueCrypt was “really dangerous.”

“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green said. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”

Whether or not volunteer developers pick up and run with the TrueCrypt code to keep it going, Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.

“Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer,” Green said. “Hopefully, we’ll be able to keep TrueCrypt.”


363 comments

  1. Everyone is talking about FD – which I always saw as a minor point. The layered levels/containers giving plausible deniability was the thing I loved. I only ever used it to create encrypted containers, never FD. Oh – but never used hidden ones. Really. Never

    • FD as in Full Disk encryption?

      It is a MUST, especially since a lot of us use laptops and so forth a lot more nowadays.

      I have also had governments seize my desktops, and had multiple embassies chase them down. I had no FD on them then, I wish I did, NOW I do, every disk I have is FULL DISK encrypted. Only problem now is I have 4TB disks and desperately need GPT support.

  2. Whenever some big news starts, I relish in searching for the conspiracy theories, they’re fun.

    I found the first one of its kind, so I share it for the laughs, but, please, let’s not fall for all the FUD, all right 🙂

    Here, the first sentence on the redirected truecrypt.org website :
    « WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues »
    Extracting :
    « TrueCrypt is not secure as »
    Capsizing :
    « TrueCrypt is Not Secure As »

    … I can’t wait for the following conspiracy theories 😀

    • Well the only conspiracy I see now is people thinking TrueCrypt was OpenSource to begin with, it isn’t.

      The only other conspiracy I see, is the will to keep continuing spending thousands of dollars of donated money on a useless audit for a non open source product.

      • Follow the money

        Yup looks like they are going to be the winners in all this, easy, audit a dead product lol and get paid.

        Only a real clown will be handing money over for a non open source project.

        I do honestly believe the audit should finish its current phase, no more work and money and time wasted on a dead non open source product.

        Why on Earth do people think TrueCrypt is open source? That is the height of stupidity.

        • Why do you say it’s not open source? The source code is available.

        • It’s open source because you can download it, examine, create binaries from source yourself.
          The fact that you don’t like the licensing does not mean it’s not open source.

          • Well, that depends on what you mean by “Open Source”. It’s not a legally defined term, so you can use it however you like. If you use the term “Open Source” to mean “the source code can be looked at” then yes, in that sense of the term, TrueCrypt was (and remains) Open Source.

            However, I would very strongly advise against that use of the term. As I said, “Open Source” is not legally defined, so you can use the term however you like, but using it to mean something completely different to what most people mean by it, and something completely different to what the Open Source Initiative mean by it, is only going to lead to confusion.

            By the commonly accepted definition of the term, which includes the rights to modification, redistribution, and redistribution of modifications, TrueCrypt is not Open Source.

            Summary: Calling TrueCrypt Open Source is, technically, permissible, if you want to stand on the mutability of language, but it’s confusing and probably a bad idea.

            TRiG.

            • The source code can be modified and redistributed. What’s not allowed is calling the modified code “TrueCrypt”. They only require that you re-brand your version AND you make your source code open. It looks very open to me.

              • Yup – nothing there stopping you using the source, just using their name (if they want to enforce that now of course; you could probably make a good case that they have abandoned the trademark, but it’s still going to be simpler to fork it under a new name)

                What *is* needed is a reproducible build; the source looks clean, but there is no guarantee that the source used to build the binary is the source that was audited.

              • It won’t let me respond to your other comment.

                The binary is signed, yes.

                • ACK. I could not find a signature in my binary, but I’ll admit I was just looking for Windows to put it in my face and it did not… when I tried to run it over the network. When I tried to run it from my local machine, I did see the signature presented. Interesting behavior Windows has.

            • Victor Campos

              Aren’t you confusing open source with free software? TrueCrypt is open source but not free software as in the definition of freedom.

              • If the license does not pass OSI’s requirements, it is not open source. OSI’s criteria are actually pretty similar to FSF’s “free software” criteria, so failing to meet FSF’s requirements is a pretty big sign that it may not be open source either.

                In the past, one of OSI’s board members said that TC’s then-current license did not meet OSI’s criteria.

                • I have no love for the FSF. I don’t know what nonsense OSI spews, but TrueCrypt was definitely open as far as any reasonable person cares. The source was there for the world to inspect, it can be given away freely, it can be modified in any way, and it can be redistributed in modified form (so long as it is not called “TrueCrypt”). So, what about that isn’t open?

                  Perhaps they don’t feel it’s open because there are commercial use restrictions? I didn’t check the license for that, but the FSF is absolutely a pain in the rear for commercial use. I try to avoid the FSF like the plague because of their restrictions. It’s also one reason, IMO, that Linux doesn’t get more application development than it does. If the FSF wants my respect (which I clearly appreciate that they don’t), they would scrap the GNU licence and go with Apache, Mozilla, or something that allows for commercial use of code.

                • Uh huh. Because OSI owns the words “open source”. Understood.

            • Your argument is insane. This is crypto software. Why would you allow anyone to make modifications to it? You would thus lose all control over the security component of the software. We have/had the source code to examine.

              • Anyone can change the source of Firefox too. And any number of things. That doesn’t mean they can change the source of your copy of Firefox, or the version that Mozilla distributes. Anyone can suggest changes to Mozilla (they have an open bugtracker), but only trusted people can actually apply those changes.

                For security software, the first requirement is that the source be open to examination. It’s also very nice if other people can change that source and redistribute their changes. That way, if a flaw is found in a security product, but the original developers have abandoned it, someone else can fix that flaw and distribute their modified version. This is known as “forking”.

                For example, some people were unhappy with the way that OpenSSL was developing, and decided to take it and modify it and create their own version called LibreSSL. Whether that was a good thing or a bad thing I am not qualified to judge, but it was certainly a good thing that they were able to.

                I’m not sure what the problem with TrueCrypt’s licensing was. I believe portions of the code were under different licenses, and some of those licenses were ones that the people at the Free Software Foundation and the Open Source Initiative disapprove of. This may or may not be important to you. If I were in charge of picking the license for a cross-platform security library, my most important criterion would be picking one that Debian was happy with. That way, you’d be able to get into a lot of Linux distributions. And Debian is very very strict indeed.

                TRiG.

          • Actually that is another criticism of TrueCrypt, the lack of ability to deterministically build the source.

          • Does it matter what the License says? If they were to sue they would need to make themselves known.

            I say fork the sucker and let them sue.

            • The license DOES allow for forking. The only restriction I saw was that one could not call the forked code “TrueCrypt”.

              But, if they did want to assert their trademark on TrueCrypt, they could still do it without revealing their identity. It’s registered in the United States to David Tesarik of the Czech Republic. Is he one of the developers? Dunno, but he could definitely sue for trademark infringement in the US if he wanted.

      • I for one support continuing the audit. Money was raised to see if TrueCrypt was safe and I still want to know if it was or not.

    • Go read the comments section of the Slashdot post on this. You’ll get all the conspiracy you want and then some. 🙂

    • Truly Not Secure As

      <>

      TrueCrypt
      is
      N..
      S…..
      A.

  3. https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

    Schneier has finally posted, but only to say he doesn’t know anything either….

  4. The interview comments about the license seem incorrect. He claims they didn’t clear up the license problems at the end, but the last commit clearly shows the problematic advertising clause that got in the way of open source being removed:
    https://gist.github.com/anonymous/e5791d5703325b9cf6d1#file-truecrypt-diff-L6114

    • But AFAIK, in legal terms, only the last piece of software (which is useless – ie only decrypts) released has that new licensing. I wonder if this would apply to all previous releases?

  5. ” BitLocker, the proprietary disk encryption program that ships with every Windows version” … you do spell out the versions it comes with, but “every Windows version” is a bit ironic, given that it isn’t available for the vast majority of Windows users, who are on Windows Home. It’s not even available for Home Premium. Also ironically, on the MS pages I found, they recommend Home users use … wait for it … TrueCrypt.

  6. Sorry to hear about this, presuming it is true. However, after reading the source code audit report last month, one statement in there did stand out:

    “Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.”

    Perhaps they were offended by comments like this (it hurts to be criticized), or perhaps several years on one project was enough for them.

    • Typical cry baby developer, cannot handle criticism.

      Tough.

      Time to pick another ride at the fairground.

    • Or just the PITA factor. Given that the authors have other lives and need to earn a living somehow, I can hardly blame them for finding refactoring the code a daunting task.

  7. And you are still fcked with no alternative, and stuck with a dead non open source product.

  8. How ’bout this for the tin foil hat crowd: TrueCrypt is really developed by the NSA and has a complex secret backdoor. Because there is a code audit, because of all of the negative light on the NSA right now, they’re trying to stop the use and/or stop the audit to prevent discovery, possibly because they use that backdoor or flaw elsewhere. They want folks to move to other platforms’ security which they’ve already compromised or found a weakness in and can compromise at will.

    Interesting side note: for a time WECC used to require TrueCrypt for all cyber security data submissions (up until about 2011). WECC is the NERC auditing entity for the West Coast of the US, NERC being the ERO which FERC has selected to write the rules and enforce the electric grid stability and security. WECC has since moved to PGP/GPG for data submissions. I wonder if some time ago they were strongly informed to move off of TrueCrypt as it was known to have embedded weaknesses and not suitable to guarding the nation’s cyber security secrets?

    Another tin foil hat thought: What if the team was found by the NSA, given a National Security Letter instructing them to do something (insert a compromising feature, or whatever), and rather than comply they’re just going to shutter the project?

    My suggestion is that the TrueCrypt audit review team continue on and if it is found safe, start another fundraising project to extract out the core encryption methods and write an open source version for all 3 major OS via a clean-room implementation.

    • Already available

      Why waste time on this?

      There is already a product that IS FOSS and GPL licensed.

      http://en.wikipedia.org/wiki/DiskCryptor

      • But that’s Windows only, not cross-platform… I can’t transfer a USB stick between Windows & Linux with it.

        • Since DiskCryptor is GPL3, it should be possible to port the code to read its containers.

      • Yeah… but it supports only Windows. I was using TrueCrypt on Windows and Linux for the same containers.

    • “My suggestion is that the TrueCrypt audit review team continue on and if it is found safe, start another fundraising project to extract out the core encryption methods and write an open source version for all 3 major OS via a clean-room implementation.”

      I agree…

    • Or…..it’s a warrant canary style outing….

      Something, to me, seems too fishy. If you up and shut down, fine. Hell, they could even abandon the project without a single bit of fanfare. IF they were trying to run off with audit money, or some unknown reason of wanting to get out of the project, why even say anything? Just stop updating, and let the project die.

      To me, and me alone, it stinks of something deeper. Either a REALLY good hack, or some govt involvement. Either they are being compelled in some way to subvert either existing volumes or future ones, or they are under some other subpoena.

      No one that uses TC is dumb enough to think a cross platform product needs to be shut down over WinXP support. Why would you even TRY to pass that off on the TC user base, unless it was to say “something is up, we can’t talk, get out now.”

      Or I’m wrong, and this is just a grand, self involved, last hoorah of someone’s.

      • Agreed. On top of that, who in the world would trust what Windows provides for security? If there was software with a back door, I’d place my bets on it being inside Windows.

      • “Or…..its a warrant canary style outing….”

        Agreed. It smells something very much like that to me.

    • That’s not really “tin foil hat”, it’s very likely, with all the recent NSA bs going on, especially Lavabit being compromised and shutting down. It’s more likely that the team was “visited” by the NSA and they were told to install a backdoor or gtfo, and they chose to gtfo. The timing is just too close to everything else going on.

      Like you said, the team could also originally be NSA and decided to shut down after the audits etc. but I think that’s less likely. Either way, I’m pretty certain the NSA is involved one way or another. Something stinks pretty bad here.

  9. And this ladies and gentlemen is why we need FOSS and a good open forkable license, something TrueCrypt was not.

    QED.

    • As I understand, you most certainly can fork it. The license says you may modify and redistribute your code, but you cannot call it “TrueCrypt”. Call it “CryptFork”. I didn’t see any limitation to a person doing that.

      • Hello,

        Due to continued breaches of our core products and the resulting theft of our product source code, I respectfully disagree with your claim to be able to fork OUR code.

        Best regards
        SecurStar

        • Are you claiming to be the author of TrueCrypt? And now revoking the license?

          The license clearly says the code may be modified and redistributed. In other words, it most certainly can be forked.

        • Haha… no.

          When E4M was released (under a very permissive open-source license), neither SecurStar nor DriveCrypt existed. SecurStar hired the authors of Scramdisk and E4M in 2001, three years after E4M was first released. These developers also signed a contract that obliged them to terminate the development of Scramdisk and E4M. The Scramdisk and E4M websites started redirecting their visitors to SecurStar’s website, while stating that DriveCrypt (a closed-source commercial product) would supersede E4M and that Scramdisk would become obsolete.

          Good try, though. I’m sure that this is good news for you guys, since now you can try and keep any derivatives inaccessible and try and convince people again that it is your code.

          Pathetic.

  10. http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

    Here is a list of software to replace TrueCrypt.

    Pick one and move on.

    • Sort that list by Licensing, then Maintained, then find me the ones which are cross-platform…

      • Do it yourself fatboy, I am not your butler.

        • Take a breath and keep cool. He just wanted to point out that the Wikipedia page doesn’t list a solution that is open source, cross-platform and maintained.

  11. I’m confused why anybody is sweating the license in this issue? They can’t maintain anonymity *and* take somebody to court over a license violation.

    Yep, I’m saying steal it and dare somebody to do something about it.

    • I love it. They are not going to come after anyone.

    • The problem with that argument is that parts of TC are derived from E4M. The E4M license included in TC is itself problematic and asserts a copyright for Paul Le Roux which has been disputed by SecureStar, the publisher of E4M.

      IOW: Whether the anonymous former TC devs go after violators of the TC wrapper license is not the sole (or even primary) risk for a forker.

      • The E4M license said:

        “This product can be copied and distributed free of charge, including source code.

        You may modify this product and source code, and distribute such modifications, and you may derive new works based on this product, provided that…”

        You don’t call it E4M and that you attribute the author.

        So, I still see no issue in forking the code.

  12. Brian, here is a list of TC alternatives:

    http://nothingjustworks.com/so-long-truecrypt-what-now/

  13. On a practical note, those of you who have a BitLocker-capable version of Windows, but don’t have a Trusted Platform Module chip in your computer, will need to change a Group Policy setting to allow BitLocker on operating-system drives without a TPM. To change that setting,

    1. run gpedit.msc using a right-click > Run As Administrator

    2. in the Local Group Policy editor, go down to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    3. in that folder, you’ll most likely have two instances of Require Additional Authentication, one of them being for Windows Vista, the other being for Win7 and Win8.x. In whichever instance is relevant to your OS, check the box for “Allow BitLocker without a TPM.”

    4. Also enable the Enhanced PINs setting so your BitLocker startup password can use more than just alphanumerics.

    Be sure to back up your BitLocker key to a flash drive, print it, print your chosen PIN/password, and optionally create a “get out of jail free” USB drive.

    For those still due to move on from WinXP, the Pro versions of Win8.x have BitLocker. For those due to move on from an old system, a Win8-certified system will have a TPM (as well as SecureBoot capabilities). Win8 is rumored to be getting its proper Start menu back soon, but in the meanwhile, there are Start Menu add-ons for free or very cheap if you don’t like the newfangled Win8 UI (I don’t).
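The same policy changes the comment above walks through in gpedit.msc, applied from an elevated PowerShell prompt, as an added example that is not part of the comment: it checks whether a ready TPM is present and, if not, writes the registry values that back the “Require additional authentication at startup” and “Allow enhanced PINs for startup” policies. The value names are as I know them from the BitLocker policy template (VolumeEncryption.admx); confirm them against gpedit.msc on your build.

```powershell
# Added example (not from the comment): apply the BitLocker "no TPM" and
# "enhanced PINs" local policy from PowerShell. Run as Administrator.
# Registry value names below are my reading of the BitLocker ADMX template.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-TpmPresent {
    # Get-Tpm ships with Windows 8 / Server 2012 and later; fall back to WMI on Win7/Vista.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $tpm = Get-Tpm
        return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    }
    $wmi = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    return [bool]$wmi
}

function Enable-BitLockerPolicyWithoutTpm {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Equivalent of enabling "Require additional authentication at startup"
    # with "Allow BitLocker without a compatible TPM" ticked, plus enhanced PINs.
    $values = @{
        UseAdvancedStartup = 1   # policy enabled
        EnableBDEWithNoTPM = 1   # allow a startup password / USB key on TPM-less machines
        UseTPM             = 2   # 2 = Allow, 1 = Require, 0 = Do not allow
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
        UseEnhancedPin     = 1   # "Allow enhanced PINs for startup"
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Show-BitLockerPolicy {
    Get-ItemProperty -Path $PolicyKey |
        Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseEnhancedPin
}

if (Test-TpmPresent) {
    Write-Host 'A ready TPM is present; the no-TPM policy change is not needed.'
} else {
    Enable-BitLockerPolicyWithoutTpm
    gpupdate /force | Out-Null      # refresh local policy so the BitLocker wizard sees it
    Show-BitLockerPolicy
}

# Read-only check of the OS drive's current protection state.
manage-bde -status $env:SystemDrive
```

Once BitLocker is on, the comment’s advice to back up the key corresponds to `manage-bde -protectors -get $env:SystemDrive`, which prints the numerical recovery password to copy somewhere offline.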

  14. If you read between the lines, if you read the entire sourceforge page clearly, it is VERY clear that they have sold out to MICROSOFT.

    I’m convinced this is a sellout.

  15. But I just cannot blame the truecrypt team for selling out to microsoft.

    They were giving their talent to the masses for FREE and in return they were getting just harassment. From all those self styled ‘auditors’ etc.

    It’s the truecrypt critics that have killed it. Through their hypocrisy.

    • I would hope they have thicker skin than that. I authored AES Crypt, which is a much simpler file encryption package that’s open source. It gets reviewed from time-to-time by security experts around the world. In the past, I have had to make code changes to fix issues. There are still issues, but nothing core to the encrypted files produced, which is important for applications like that.

      I cannot believe that a critical review of the software would frustrate them to a point of shutting down. Perhaps an audit found a critical flaw that could not be fixed?

      For certain, encouraging people to use Windows’ security features is crazy.

  16. WOWSERS.. pretty amazing to me the number of folks that choose to debate the best way to overcome this rather than using that box in front of you for a solution that works in YOUR situation..

    good grief people.. it’s SOFTWARE.. find another product and move on..

    side note :: i DID like the comments on the ‘tin hat folks’

  17. The self righteous auditors and critics of TrueCrypt are to blame for this loss.

    What a depressing day. Such beautiful work, abandoned forever because of the pettiness of humans for whom it was developed.

    • I’m sorry, but that is absolutely the wrong way to think about the audit. It’s one thing to be emotionally invested in a product, it’s another thing to use blind faith to drive your decision making, especially where your personal security, intellectual property, and civil liberties are potentially at stake.

      The audit was a valuable and important idea, and while I don’t have data I think it’s a safe assumption that a substantial amount of the funding for the audit came from people who have depended on TrueCrypt and wanted a rigorous validation of their investment in using that tool.

      The only people to blame are the people who created TrueCrypt. They are (allegedly) adults who make their own decisions. They had other options and chose this one. It’s a waste of time looking for villains here.

      Additionally, I am more than happy to see the audit continue to completion. With TrueCrypt “dead” maybe we should call it an autopsy now. Regardless, there is no shame in searching for the truth and learning as much as we can about where TrueCrypt was great and possibly where it wasn’t.

  18. Call me what you want, but it smells like NSA stunt. Who in his right mind would ever trust BitLocker? This is BS!

  19. Cryptic Cross words

    So is there a consensus on what to do now?

    Assuming it is good practice to encrypt hard disks on machines that might get stolen, lost, left on trains etc., what is recommended for:
    – The merely cautious windows user? Bitlocker?
    – The merely cautious windows/linux/mac user?
    – Those wanting something more secure?
    – Those who think they can/must beat the NSA/GCHQ?

    This whole shamozzle highlights the danger of relying on a component that is not verifiable.

    • Until proven otherwise, I would not stop using TC. Most people need a cross-platform solution and Bitlocker is not it. That’s really a joke to even suggest using it, IMO. Maybe they were serious, but it’s not a viable solution.

      • I meant.. until proven it’s not secure.

        There’s no claim that it’s not secure. There’s only a statement that it MAY contain unfixed security issues. Sounds rather vague to me. Any software MAY contain unfixed security issues.

        I still think this is either a joke, a hack, or just a means of exiting the scene. The development could have been handed off to others.

        • @Paul. Thanks for posting some common sense, both with regard to Truecrypt itself and to the licensing issues.

          Seems to me the only real fact we have is that we don’t know the facts! Definitely a case of “wait and see” as far as I am concerned.

  20. mechBgon, do not recommend Bitlocker. Read the end of this blog post to see why:

    http://nothingjustworks.com/so-long-truecrypt-what-now/

    • That is only one option. You do not have to send your key to Microsoft. You can save it locally, print it out, and even store it in AD somewhere I believe. That other blog post didn’t know what he was talking about.

      Enterprise adoption of BitLocker is increasing every year. There is no evidence that it has backdoors (at least, nothing that has been disclosed).

    • I understand why storing the BitLocker key in the cloud, and Microsoft’s cloud in particular, could be a concern. But as Aaron pointed out, you don’t have to unless you want to. And of the Windows versions that do support BitLocker, I think only Win8 is Microsoft Account-aware and would even have that option.

      Personally, I don’t use Microsoft Accounts at this point, and we have them forcibly disallowed at work. For those who want to enforce that, run Secpol.msc and it’s in the Local Policies > Security Options > Accounts: Block Microsoft Accounts.

      • Oh, and I should mention that my primary purpose for full-disk encryption isn’t to defeat the gubmint from spying on me. It’s a precaution against having all my credentials accessible if my apartment gets burglarized and my computer gets stolen. For that role, either BitLocker or a flawed TrueCrypt ought to get the job done.

  21. What is all this fascination and mindless dribble over disk encryption. I never heard of TrueCrypt and looking it over I am glad I didn’t. Who cares.

    • Some of us actually use computers for stuff other than playing games, I guess.

      • Asynchronous encryption, SSL and certificate authorities on the other hand it something I would like to hear about.

        • What do you mean by asynchronous encryption? Do you mean asymmetric encryption? I assume so, since the other two items are in line with that.

          People do want to be able to encrypt data and symmetric keys used in software like TrueCrypt are reasonable ways to do it. And nobody can really trust Windows to provide a secure encryption layer. There is one there and it might be really good, but given how the NSA has coordinated with Microsoft on things, I would not trust it.

          Certificate authorities are a scary area, too. You have a set of certificates you trust. And, any one of those numerous certificate authorities could, if they desired or were hacked, create a certificate that you would then trust. That kind of model is just broken. It’s the best we have for browsers, but it’s flawed … badly.

          • Oops. I intended to say asymmetric and “is” instead of “it”. Sorry. I am just not that concerned about my government reviewing data if need be. I assume they will use good judgment.

            • It’s not so much the government reviewing your data. Evidence has shown that, if they want… they will 🙂

              However, businesses and individuals have private information they want to protect. It’s important that, for example, if I am traveling with my corporate laptop and lose it that the data cannot simply be recovered by whomever finds it.

              This is particularly true for certain types of data and external storage devices. If I ever store important business-related information on an external drive, I encrypt the data on the external drive.

              Certificate Authorities have issued bogus certificates. There are CAs in countries that your browser will trust… and you might not trust that country any farther than you can throw them. So, you definitely should not put a lot of trust in TLS certificates. As I said, it’s “the best we have” right now for web sites, but we should do better than that.

              • Understood and I agree. I just work a bit differently. When I travel I do not bring a computer or cell phone.

          • TheOreganoRouter.onion.it

            There is supposed to be a major announcement this week by Glenn Greenwald about companies that were targeted by the N.S.A. Was TrueCrypt one of those software companies involved, and the reason behind the shutdown?

            Which then leads to this article:

            “Or had they received a subpoena from a secret court demanding access to keys or the installation of surveillance software into its product, a request they could not acquiesce to, and decided to shut down development?”
            htxx://threatpost.com/of-truecrypt-and-warrant-canaries/106355

  22. TheOreganoRouter.onion.it

    Could the confidence in this encryption software be another victim, like what happened to Lavabit following the many Snowden allegations about government surveillance?

    • Lavabit. I was unaware of this. Now that is interesting.

    • There was no lack of confidence in Lavabit. The guy shut down the service because the government demanded keys that would allow the government to access user data. He had a choice of continuing business knowing the government could intercept everything or taking the high road and terminating operations. He chose the latter.

      • TheOreganoRouter.onion.it

        Who’s to say the NSA doesn’t want the keys to TrueCrypt, which the anonymous developers refused to give up on a court order, causing the whole thing to be shut down due to principles of good internet security for all the users.

        Amnesty for Ed Snowden !

  23. I’ve tried to collect the facts as best as I can (http://dnlongen.blogspot.com/2014/05/hack-hoax-or-hanging-it-up-whats-real.html):

    – Any and all traffic to truecrypt.org (whether to real pages or to made-up links) is redirected via an HTTP 301 response header to sourceforge.

    – The new 7.2 version now posted appears properly signed, but does nothing except decrypt existing volumes and give warnings.

    – DNS records have not been tampered with.

    – Email sent to the registered domain owner per whois, as well as to most addresses @truecrypt.org, bounces back as “Recipient address rejected: User unknown in local recipient table.” Oddly, this is not true for abuse@ or postmaster@truecrypt.org.

    – whois puts the domain owners in Drums, PA, the truecrypt.org host servers in Plano, TX, and the sourceforge.net host servers in Chesterfield, MO.

    – Phase I of the code audit revealed some minor to medium findings, but no red flags and no evidence of intentional backdoors. Phase II (cryptanalysis) should have concluded around now with a report to come soon.

    Still in wait-and-see mode for now. It will be interesting to see if, as Krebs posits, the developers threw in the towel, or if as others have suggested there is something else going on.

  24. Some of you are worrying over the very last link in the chain. Have you ever considered:
    – All motherboards are made in China, so a chip and/or firmware could have been added with a backdoor. Intel no longer manufactures motherboards, even though it also made them in China.
    – As for CPUs, a hardware backdoor could have been added in the factory. A lot is known regarding traditional Intel and AMD desktop/laptop CPUs, but the myriad of tablet, smartphone, and wearable-tech chips are black boxes.
    – Except for Chromebooks, all desktops/laptops use either a hard drive or SSD. The firmware could contain a backdoor.
    – Ditto for graphics cards, routers, DVD/CD drives, and add-on wireless cards.
    – Computers in China often come with preinstalled malware (http://www.bbc.com/news/technology-19585433, http://www.reuters.com/article/2011/07/11/cybersecurity-electronics-idUSN1E76A0SF20110711).

    Your toys could easily contain multiple backdoors from multiple countries. Things could theoretically be so bad that the backdoors pass on keys to intelligence agencies. Just like the Outer Limits announcer said, you are no longer in control.

  25. I don’t know how Green can say these guys are unreliable. Haven’t they been supporting and updating TrueCrypt for 10 years or more? Maybe they are just tired.

  26. DiskCryptor may be an alternative for me and the 4 international travel laptops we use for our company. I had just recently (within the last month) set up the system to use TrueCrypt but I think that is no longer an option.

    I like AEScrypt for individual file encryption, but I’m not sure how much I would use it.

    Axcrypt would be ok if not for the installer trying to install browser addons and the continuous advertisements from the app itself. Sorry. I recommend you all avoid this. I will report back on DiskCryptor though.

  27. 7.2 is a NSA hack. Stay away. Stay far away. All else is FUD. Do not move to Bitlocker.

  28. Truecrypt is WTFed

    “Warning: TrueCrypt is Not Secure As”

    Warning:
    TrueCrypt
    is
    N..
    S…..
    A.

    • Someone posted that on Schneier’s Blog as well. Interesting thought. The wording of that sentence is a little stiff and disjointed. Definitely better ways of stating it, so it makes you wonder if they were purposely trying to make that subtle NSA point.

      • Assuming this “TrueCrypt is N..S…..A.” message is regarding the last/latest/later versions, but that much older versions (one of which is on my computer) are okay.

  29. I’ve moved all my TC containers to dm-crypt+LUKS.

    Works like a charm for Linux, but needs an outside tool like FreeOTFE for opening those containers on Windows. Also, while FDE works for Linux, I’m not sure if it’s possible to have a dual boot configuration.