Linked by Thom Holwerda on Sat 31st May 2014 00:12 UTC, submitted by teo
Privacy, Security, Encryption

Over the past 24 hours the website for TrueCrypt (a very widely used encryption solution) was updated with a rather unusually styled message stating that TrueCrypt is "considered harmful" and should not be used.

Very odd story. Lots of little red flags going up all over the place.

Comment by smashIt
by smashIt on Sat 31st May 2014 00:18 UTC
smashIt
Member since:
2005-07-06

Lots of little red flags going up all over the place.


only 3:
N
S
L

Reply Score: 2

RE: Comment by smashIt
by chekr on Sat 31st May 2014 00:54 UTC in reply to "Comment by smashIt"
chekr Member since:
2005-11-05


N
S
L


National Soccer League? Who would have thought.

Edited 2014-05-31 00:54 UTC

Reply Score: 6

RE[2]: Comment by smashIt
by smashIt on Sat 31st May 2014 01:05 UTC in reply to "RE: Comment by smashIt"
smashIt Member since:
2005-07-06

National Soccer League?


National Security Letter

Reply Score: 3

RE: Comment by smashIt
by bassbeast on Sat 31st May 2014 07:45 UTC in reply to "Comment by smashIt"
bassbeast Member since:
2007-11-11

Especially when you take the first letters in the first sentence "TrueCrypt is Not Secure Anymore" it looks like the webpage is a warrant canary.

Reply Score: 10

Too bad...
by UltraZelda64 on Sat 31st May 2014 01:51 UTC
UltraZelda64
Member since:
2006-12-05

https://www.grc.com/misc/truecrypt/truecrypt.htm

The anonymity of the developers and the hastily-written "farewell" web page which came without warning both added up to make everything seem questionable, but it seems that it's true... the guys just no longer want to continue maintaining the program. In their view, the fact that Windows XP was the only modern OS without encryption must have been enough incentive for them to keep going; cross-platform compatibility was a major advantage in my opinion, but apparently it wasn't that big of a deal to them.

Now they say to use BitLocker... and that fact alone still makes me wonder, WTF? Great idea if you like the idea of using closed-source encryption from one of the largest software companies who also happens to have the U.S. government in their pockets. No, thanks... I'll just wait for the audit to be complete, and hope that a nice active group of developers is able to take TrueCrypt to the next level under a different name.

RIP, TrueCrypt.

Reply Score: 7

RE: Too bad...
by Morgan on Sat 31st May 2014 02:10 UTC in reply to "Too bad..."
Morgan Member since:
2005-06-29

who also happens to have the U.S. government in their pockets


I would think that would be a good thing for their customers. Did you mean it the other way around?

Reply Score: 3

RE[2]: Too bad...
by UltraZelda64 on Sat 31st May 2014 02:18 UTC in reply to "RE: Too bad..."
UltraZelda64 Member since:
2006-12-05

I was (at least partially) implying that the U.S. government is one of Microsoft's biggest customers. It also had sort of a double meaning, that whatever the government wants, Microsoft will probably kiss their ass and cooperate fully. I will not be surprised when it is found out that they have inserted a backdoor in their encryption system, for example, that very few people (*cough* NSA *cough*) know about.

Edited 2014-05-31 02:23 UTC

Reply Score: 6

RE[3]: Too bad...
by Morgan on Sat 31st May 2014 02:46 UTC in reply to "RE[2]: Too bad..."
Morgan Member since:
2005-06-29

I don't disagree with you, I'm sure it's very tit-for-tat. These days, that kind of collusion is inescapable though. Would Apple's FileVault be any more secure than BitLocker? Was TrueCrypt even really secure? I'm beginning to wonder if the only truly secure data storage is in our heads; if we don't ever put pen to paper, voice to microphone, or fingers to keyboard, maybe it will stay secure then. Maybe...

Reply Score: 6

RE[4]: Too bad...
by ilovebeer on Sat 31st May 2014 04:39 UTC in reply to "RE[3]: Too bad..."
ilovebeer Member since:
2011-08-08

I saw a show related to this not long ago that demonstrated present-day capability to display images a test subject was picturing in their mind. The images weren't exactly HD quality, but basic shapes were reliable. The research was explained as a means to give blind people sight by using visual sensors and encoding the images directly to the brain. Not only that, but also the ability for people to `see` things outside of the normal human-viewable spectrum. And this wasn't blowing the lid off anything secret!

So "they" are developing technology to read/view your thoughts, and literally see things a normal person can't. Think of how that might work in a military application, spy, espionage, etc.

Reply Score: 3

RE[4]: Too bad...
by WereCatf on Sat 31st May 2014 07:58 UTC in reply to "RE[3]: Too bad..."
WereCatf Member since:
2006-02-15

Was TrueCrypt even really secure?


Well, the first part of the audit didn't find any security holes, the second part of the audit that focuses on the algorithms, random-number generators and such is still a go. It could be that there is some hole there, real crypto is really f--king hard to do right, but so far it does seem secure enough.

I'm glad that someone else took over the project and moved it to Switzerland, though I hope the guys who did that know enough about crypto not to introduce any new holes.

Edited 2014-05-31 07:58 UTC

Reply Score: 6

Flatland_Spider
Member since:
2006-09-01

The audit of the Truecrypt source code is going to go forward, so we might find out what they're talking about. Or it will find nothing, and we'll have no idea what motivation the devs had for this announcement, aside from adding to the mythos of the project.

This is on par for the TC developers. They've always been a mysterious and shadowy bunch. No one has known who they were or what they were actually trying to accomplish. There were theories TC was a front for CIA intelligence gathering, and no one was sure the binaries hosted on the TC site actually came from the public source code. There was speculation the TC devs had a private, tainted code branch that they built public binaries from.

Kudos to the team for being able to stay anonymous for the length of this project. They kept their secrets secret, and that is an accomplishment. Usually people get outed or someone talks, and it's very rare for mysteries to stay a mystery. They managed to go out in the most cryptic and mysterious way possible under a cloak of anonymity and shadows, so major props for that.

Reply Score: 3

the only use for personal encryption
by unclefester on Sat 31st May 2014 06:41 UTC
unclefester
Member since:
2007-01-13

The only practical use for personal encryption is for protecting the data on a lost or stolen laptop. You'd have to be insane to think that your secrets are really safe from governments.

Reply Score: 5

Not nice
by Sauron on Sat 31st May 2014 06:48 UTC
Sauron
Member since:
2005-08-02

I dunno, this has a tone of selfishness and spite as much as anything else. Did the lead developer get out of bed the wrong side or something?

Reply Score: 1

RE: Not nice
by daveak on Sat 31st May 2014 10:22 UTC in reply to "Not nice"
daveak Member since:
2008-12-29

Selfishness? You are provided with free software in both senses of the word and you think it is selfish if the developer decides they don't want to do so anymore, for whatever reasons?

Reply Score: 7

RE[2]: Not nice
by Sauron on Sat 31st May 2014 12:31 UTC in reply to "RE: Not nice"
Sauron Member since:
2005-08-02

Hey, read again. I said it has a TONE of, meaning the abrupt message on SourceForge, nothing more, nothing less. I don't care if it's free or costs an arm and a leg, the tone is still there.

Reply Score: 1

truecrypt.org blocked on archive.org
by smashIt on Sat 31st May 2014 20:35 UTC
smashIt
Member since:
2005-07-06

https://web.archive.org/web/*/http://www.truecrypt.org

seems like archive.org got an NSL as well

Reply Score: 4

olejon Member since:
2012-08-12

You can easily avoid being archived in the Internet Archive:

https://archive.org/about/exclude.php

truecrypt.org surely had robots.txt in place before this news.

Edited 2014-06-01 12:42 UTC

Reply Score: 3

smashIt Member since:
2005-07-06

You can easily avoid being archived in the Internet Archive:


if a site is not in the archive you get a message that tells you exactly that

Ressource ist nicht im Archiv

Die angeforderte Ressource ist nicht im Archiv.


truecrypt.org results in

Zugriffsfehler

Der Zugriff auf den Inhalt ist gesperrt. Blocked Site Error


(sorry for the german messages)

Reply Score: 3

Deliberate move to safer soil?
by shakeshuck on Sat 31st May 2014 22:43 UTC
shakeshuck
Member since:
2011-03-21

Reading between the lines (and making things up as I go along), does a move to Switzerland not suggest they are moving away from external influence to somewhere more respectful of privacy?

Of course I could point out that the Swiss' record has not been impeccable in this respect in recent times...?

Reply Score: 2

unclefester Member since:
2007-01-13

+5

They are trying to escape US jurisdiction.

Eventually tech companies will decide that the US is not a good place to set up businesses.

Reply Score: 5

Comment by Luminair
by Luminair on Sun 1st Jun 2014 02:53 UTC
Luminair
Member since:
2007-03-30

Occam's Razor applies. The conspiracy theorists are probably crazy.

Open source project leaders quit all the time, often in very eccentric ways because they themselves are eccentric. I see nothing out of the ordinary here.

Maybe the guy had a mental breakdown. Maybe he got a girlfriend. Maybe he got a new job he likes more than TrueCrypt. All more reasonable scenarios than secret government conspiracy.

Reply Score: 0

RE: Comment by Luminair
by CapEnt on Sun 1st Jun 2014 20:19 UTC in reply to "Comment by Luminair"
CapEnt Member since:
2005-12-18

OSS benevolent dictators of popular projects quit all the time, but usually they do it orderly.

They do not simply run away without explanation of any kind, leaving behind a half-assed page that explains nothing at all.

And more, usually popular projects are flooded with people who are more than willing to take over, usually long-time collaborators.

So, not only has the project leader disappeared, but he also chose to scrap the whole project in this case.

Something is wrong here.

Reply Score: 3

RE[2]: Comment by Luminair
by Luminair on Mon 2nd Jun 2014 10:53 UTC in reply to "RE: Comment by Luminair"
Luminair Member since:
2007-03-30

Randomness is not uniform. Something would be wrong if you didn't notice volunteers occasionally quitting without explanation. Oswald shot JFK, and the Bermuda Triangle is just ocean.

Reply Score: 1

RE[3]: Comment by Luminair
by v_bobok on Mon 2nd Jun 2014 11:40 UTC in reply to "RE[2]: Comment by Luminair"
v_bobok Member since:
2008-08-01

Randomness is not uniform. Something would be wrong if you didn't notice volunteers occasionally quitting without explanation. Oswald shot JFK, and the Bermuda Triangle is just ocean.


*tips fedora*

Reply Score: 2

RE: Comment by Luminair
by v_bobok on Mon 2nd Jun 2014 11:39 UTC in reply to "Comment by Luminair"
v_bobok Member since:
2008-08-01

The conspiracy theorists are probably crazy.


Yeah, right. Just like in other cases like... dunno... NSA, remote control and who knows what else.

Reply Score: 2

Vulnerability
by Alfman on Sun 1st Jun 2014 05:09 UTC
Alfman
Member since:
2011-01-28

This is a very strange story, I hope we get some kind of press release with details, but who knows maybe the devs are intentionally going for mystique.

Interestingly enough Truecrypt is vulnerable, as is bitlocker and most likely all other encryption products to a pretty simple exploit:

http://www.prnewswire.com/news-releases/passware-kit-forensic-decry...

Passware Inc., a provider of password recovery, decryption, and evidence discovery software for computer forensics, announced that the latest version of its flagship product, Passware Kit Forensic, has become the first commercially available software to break TrueCrypt hard drive encryption without applying a time-consuming brute-force attack. It was also the first product to decrypt BitLocker drives.



Of course stealing the keys from memory may be considered "cheating" except for the fact that a very common interface, firewire, allows one to do just that by design...

http://www.pcworld.com/article/143236/article.html
Researcher Adam Boileau, a consultant with Immunity, originally demonstrated the access tool at a security conference in 2006, but decided not to release the code any further at the time. Two years later, however, nothing has been done toward fixing the problem, so he decided to go public.

"Yes, this means you can completely own any box whose Firewire port you can plug into in seconds," said Boileau in a recent blog entry.
...
The attack takes advantage of the fact that Firewire can directly read and write to a system's memory, adding extra speed to data transfer. According to Boileau, because this capability is built into Firewire, Microsoft doesn't consider the problem a standard bug.



http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire...

All of this is done by exploiting a "feature" of the Firewire spec (OHCI-1394) (PDF), namely that it allows read/write access to physical memory (via DMA) for external Firewire devices. Worse, as this is DMA, the CPU/OS will not even know what's going on. Even worse, this works regardless of whether you have locked your screen with a password-protected screensaver, or xlock, or vlock, or whatever. As long as the system is running, you're vulnerable.


I don't know if the information is still current. If I recall, it still applied to firewire hardware sold in 2010, which was incapable of controlling access to RAM from attackers. This is not a shortcoming of truecrypt, but it should nevertheless be of particular interest to its users. Hardware that leaves a backdoor wide open to just about every security mechanism ever devised, what a lame design!

Edited 2014-06-01 05:12 UTC

Reply Score: 3

RE: Vulnerability
by Soulbender on Wed 4th Jun 2014 07:19 UTC in reply to "Vulnerability"
Soulbender Member since:
2005-08-18

I tend to believe press releases by security companies as much as I believe in Santa Claus and the Tooth Fairy.

Long believed unbreakable


And it still is. Stealing the key by abusing DMA and using custom hardware is pretty clever but they still haven't broken truecrypt.

Reply Score: 2

RE[2]: Vulnerability
by Alfman on Thu 5th Jun 2014 15:02 UTC in reply to "RE: Vulnerability"
Alfman Member since:
2011-01-28

Soulbender,

I tend to believe press releases by security companies as much as I believe in Santa Claus and the Tooth Fairy.


Sure, but the point of my link was intended to be educational since many end-users probably don't realize they are vulnerable to such a trivial & highly effective attack.

And it still is. Stealing the key by abusing DMA and using custom hardware is pretty clever but they still haven't broken truecrypt.


They haven't broken truecrypt's encryption itself, but arguably they have broken one of its use cases. You don't even need custom hardware, just an iPod will do. It's not adequate to simply lock the computer or shut the lid when you leave (i.e. for a short bathroom break).
http://www.wilderssecurity.com/threads/truecrypt-standby.246757/

Edit: I've not used it, but apparently "Rohos Disk" is designed to protect against the "wake up from sleep" attack:
http://www.rohos.com/2011/11/timeout-feature-for-rohos-disk-encrypt...


Even taking security out of the equation, it's poor to give external devices free rein over host RAM from a robustness point of view too. The solution to this is so obvious I don't know why it wasn't engineered into the firewire spec from version 1: only allow external devices to perform DMA against memory buffers allocated by the host. I.e. a video camera should only have access to its own video buffers and nothing else.

Edit: For the sake of completeness, I should mention that memory is vulnerable to another process by which running DRAM can be chilled and physically transferred to another device to copy its contents; however, this is less reliable due to the sensitive nature of the operation and the existence of CPU caches, etc. Not to mention such an attack would be much more obvious from a physical perspective.

Edited 2014-06-05 15:20 UTC

Reply Score: 2
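The two posts above describe the risk (an external FireWire/Thunderbolt device reading RAM over DMA while a volume is mounted) and the fix (let devices touch only host-allocated buffers, which is what an IOMMU enforces). The script below is an added defensive example, not code from the thread, from TrueCrypt or from any vendor: it audits a Linux host for that mitigation and for the bus drivers that expose the risk. It assumes the usual Linux layout (/proc/cmdline, /sys/kernel/iommu_groups, lsmod output) and the module names firewire_ohci, firewire_core and thunderbolt; the lsmod sample embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, TrueCrypt or any vendor): audit a Linux
# host for the mitigations that stop an external device from reading RAM over
# DMA, the FireWire/Thunderbolt weakness discussed above.
#
# Assumptions: Linux sysfs/procfs layout (/proc/cmdline, /sys/kernel/iommu_groups,
# lsmod output); the module names firewire_ohci, firewire_core and thunderbolt.

# iommu_enabled_from_cmdline CMDLINE
# Returns 0 when the kernel command line explicitly turns the IOMMU on and no
# "off" switch overrides it. Absence is not proof the IOMMU is off (AMD enables
# it by default, some kernels are built default-on), so the sysfs check below
# is the authoritative one.
iommu_enabled_from_cmdline() {
  cmdline="$1"
  for tok in $cmdline; do
    case "$tok" in
      intel_iommu=off|amd_iommu=off|iommu=off) return 1 ;;
    esac
  done
  for tok in $cmdline; do
    case "$tok" in
      intel_iommu=on|amd_iommu=on|amd_iommu=force_enable) return 0 ;;
    esac
  done
  return 1
}

# iommu_groups_present DIR
# Returns 0 when DIR (normally /sys/kernel/iommu_groups) exists and contains at
# least one group, i.e. the kernel is actually isolating device DMA.
iommu_groups_present() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# dma_capable_modules LSMOD_TEXT
# Prints, space-separated on one line, the loaded drivers that give external
# devices bus-master DMA access. Always exits 0, so it is safe under set -e.
dma_capable_modules() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $1 ~ /^(firewire_ohci|firewire_core|thunderbolt)$/ {
      printf "%s%s", sep, $1; sep = " "
    }
    END { print "" }'
}

# Constructed sample lsmod output, used where lsmod is unavailable.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          45056  0
snd_hda_intel          53248  3
thunderbolt           241664  0
firewire_core          69632  1 firewire_ohci'

audit() {
  if [ -r /proc/cmdline ]; then cmd=$(cat /proc/cmdline); else cmd=""; fi
  if command -v lsmod >/dev/null 2>&1; then mods_text=$(lsmod); else mods_text="$SAMPLE_LSMOD"; fi

  if iommu_groups_present /sys/kernel/iommu_groups; then
    echo "OK   IOMMU active: /sys/kernel/iommu_groups is populated"
  elif iommu_enabled_from_cmdline "$cmd"; then
    echo "WARN IOMMU requested on the command line but no groups in sysfs (VT-d/AMD-Vi disabled in firmware?)"
  else
    echo "WARN no IOMMU: a device on the FireWire/Thunderbolt bus can DMA into all of RAM"
    echo "     mitigation: add intel_iommu=on (or amd_iommu=on) to the kernel command line"
  fi

  loaded=$(dma_capable_modules "$mods_text")
  if [ -n "$loaded" ]; then
    echo "WARN DMA-capable bus drivers loaded: $loaded"
    echo "     mitigation if the ports are unused: blacklist them, e.g. in /etc/modprobe.d/dma.conf:"
    echo "       blacklist firewire-ohci"
    echo "       blacklist thunderbolt"
  else
    echo "OK   no FireWire/Thunderbolt bus drivers loaded"
  fi
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as `sh dma_audit.sh --audit`. The IOMMU check answers the "only host-allocated buffers" point directly: with groups present, a peripheral can only reach pages the driver mapped for it. The module check addresses the older hardware the posts mention, where no IOMMU was available and the only option was not to drive the port at all; a Thunderbolt-equipped machine should additionally rely on its own security level rather than on unloading the driver, which the script does not cover.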

RE: Vulnerability
by zima on Wed 4th Jun 2014 18:03 UTC in reply to "Vulnerability"
zima Member since:
2005-07-06

Luckily Firewire seems to be going away?...

Reply Score: 2