Over the past 24 hours the website for TrueCrypt (a very widely used encryption solution) was updated with a rather unusually styled message stating that TrueCrypt is “considered harmful” and should not be used.
Very odd story. Lots of little red flags going up all over the place.
only 3:
N
S
L
National Soccer League? Who would have thought.
Edited 2014-05-31 00:54 UTC
National Security Letter
Especially when you take the first letters in the first sentence “TrueCrypt is Not Secure Anymore” it looks like the webpage is a warrant canary.
http://news.softpedia.com/news/TrueCrypt-Not-Dead-Forked-and-Reloca…
https://www.grc.com/misc/truecrypt/truecrypt.htm
The anonymity of the developers and the hastily-written “farewell” web page which came without warning both added up to make everything seem questionable, but it seems that it’s true… the guys just no longer want to continue maintaining the program. In their view, the fact that Windows XP was the only modern OS without encryption must have been enough incentive for them to keep going; cross-platform compatibility was a major advantage in my opinion, but apparently it wasn’t that big of a deal to them.
Now they say to use BitLocker… and that fact alone still makes me wonder, WTF? Great idea if you like the idea of using closed-source encryption from one of the largest software companies who also happens to have the U.S. government in their pockets. No, thanks… I’ll just wait for the audit to be complete, and hope that a nice active group of developers is able to take TrueCrypt to the next level under a different name.
RIP, TrueCrypt.
I would think that would be a good thing for their customers. Did you mean it the other way around?
I was (at least partially) implying that the U.S. government is one of Microsoft’s biggest customers. It also had sort of a double meaning, that whatever the government wants, Microsoft will probably kiss their ass and cooperate fully. I will not be surprised when it is found out that they have inserted a backdoor in their encryption system, for example, that very few people (*cough* NSA *cough*) know about.
Edited 2014-05-31 02:23 UTC
I don’t disagree with you, I’m sure it’s very tit-for-tat. These days, that kind of collusion is inescapable though. Would Apple’s FileVault be any more secure than BitLocker? Was TrueCrypt even really secure? I’m beginning to wonder if the only truly secure data storage is in our heads; if we don’t ever put pen to paper, voice to microphone, or fingers to keyboard, maybe it will stay secure then. Maybe…
I saw a show related to this not long ago that demonstrated present-day capability to display images a test subject was picturing in their mind. The images weren’t exactly HD quality, but basic shapes were reliable. The research was explained as a means to give blind people sight by using visual sensors and encoding the images directly to the brain. Not only that but also the ability for people `see` things outside of the normal human-viewable spectrum. And this wasn’t blowing the lid off anything secret!
So “they” are developing technology to read/view your thoughts, and literally see things a normal person can’t. Think of how that might work in a military application, spy, espionage, etc.
Well, the first part of the audit didn’t find any security holes, the second part of the audit that focuses on the algorithms, random-number generators and such is still a go. It could be that there is some hole there, real crypto is really f–king hard to do right, but so far it does seem secure enough.
I’m glad that someone else took over the project and moved it to Switzerland, though I hope the guys who did that know enough about crypto not to introduce any new holes.
Edited 2014-05-31 07:58 UTC
The audit of the Truecrypt source code is going to go forward, so we might find out what they’re talking about. Or it will find nothing, and we’ll have no idea what motivation the devs had for this announcement, aside from adding to the mythos of the project.
This is on par for the TC developers. They’ve always been a mysterious and shadowy bunch. No one has know who they were or what they were actually trying to accomplish. There were theories TC was a front for CIA intelligence gathering, and no one was sure the binaries hosted on the TC site actually came from the public source code. There was speculation the TC devs had a private, tainted code branch that they built public binaries from.
Kudos to the team for being able to stay anonymous for the length of this project. They kept their secrets secret, and that is an accomplishment. Usually people get outed or someone talks, and it’s very rare for mysteries to stay a mystery. They managed to go out in the most cryptic and mysterious way possible under a cloak of anonymity and shadows, so major props for that.
The only practical use for personal encryption is for protecting the data on a lost or stolen laptop. You’d have to be insane to think that your secrets are really safe from governments.
I dunno, this has a tone of selfishness and spite as much as anything else. Did the lead developer get out of bed the wrong side or something?
Selfishness? You are provided with free software in both senses of the word and you think it is selfish if the developer decides they don’t want to do so anymore, for whatever reasons?
Hey, read again. I said it has a TONE of, meaning the abrupt message on Sourceforge nothing more, nothing less. I don’t care if it’s free or costs a arm and a leg, the tone is still there.
https://web.archive.org/web/*/http://www.truecrypt.org
seems like archive.org got a NSL as well
You can easily avoid being archived in the Internet Archive:
https://archive.org/about/exclude.php
truecrypt.org surely had robots.txt in place before this news.
Edited 2014-06-01 12:42 UTC
if a site is not in the archive you get a message that tells you exactly that
truecryt.org results in
(sorry for the german messages)
Reading between the lines (and making things up as I go along), does a move to Switzerland not suggest they are moving away from external influence to somewhere more respectful of privacy?
Of course I could point out that the Swiss’ record has not been impeccable in this respect in recent times…?
+5
The are trying to escape US jurisdiction.
Eventually tech companies will decide that the US is not a good place to set up businesses.
Occam’s Razor applies. The conspiracy theorists are probably crazy.
Open source project leaders quit all the time, often in very eccentric ways because they themselves are eccentric. I see nothing out of the ordinary here.
Maybe the guy had a mental break down. Maybe he got a girlfriend. Maybe he got a new job he likes more than TrueCrypt. All more reasonable scenarios than secret government conspiracy.
OSS benevolent dictators of popular projects quits all the time, but usually they do it orderly.
They do not simple run away without explanation of any kind, leaving behind a half-assed page that explains nothing at all.
And more, usually popular projects are flooding with people that is more than willing to take over, usually long time collaborators.
So, not only the project leader disappeared, but also choose to scrap the whole project in this case.
Something is wrong here.
Randomness is not uniform. Something would be wrong if you didn’t notice volunteers occasionally quitting without explanation. Oswald shot JFK, and the Bermuda Triangle is just ocean.
*tips fedora*
Yeah, right. Just like in other cases like… dunno… NSA, remote control and who knows what else.
This is a very strange story, I hope we get some kind of press release with details, but who knows maybe the devs are intentionally going for mystique.
Interestingly enough Truecrypt is vulnerable, as is bitlocker and most likely all other encryption products to a pretty simple exploit:
http://www.prnewswire.com/news-releases/passware-kit-forensic-decry…
Of course stealing the keys from memory may be considered “cheating” except for the fact that a very common interface, firewire, allows one to do just that by design…
http://www.pcworld.com/article/143236/article.html
http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire…
I don’t know if the information is still current. If I recall it still applied to firewire hardware sold in 2010, which was incapable of controlling access to ram from attackers. This is not a shortcoming of truecrypt, but it should never the less be of particular interest to it’s users. Hardware that leaves a backdoor wide open to just about every security mechanism ever devised, what a lame design!
Edited 2014-06-01 05:12 UTC
I tend to believe press-releases by security companies as much as a believe in Santa Clause and the Toothfairy.
And it still is. Stealing the key by abusing DMA and using custom hardware is pretty clever but they still haven’t broken truecrypt.
Soulbender,
Sure, but the point of my link was intended to be educational since many end-users probably don’t realize they are vulnerable to such a trivial & highly effective attack.
They haven’t broken truecrypt’s encryption itself, but arguably they have broken one of it’s use cases. You don’t even need custom hardware, just an ipod will do. It’s not adequate to simply lock the computer or shut the lid when you leave (ie for a short bathroom break).
http://www.wilderssecurity.com/threads/truecrypt-standby.246757/
Edit: I’ve not used it, but apparently “Rohos Disk” is designed to protect against the “wake up from sleep” attack:
http://www.rohos.com/2011/11/timeout-feature-for-rohos-disk-encrypt…
Even taking security out of the equation, it’s poor to give external devices free reign over host ram from a robustness point of view too. The solution to this is so obvious I don’t know why it wasn’t engineered into the firewire spec from version 1: only allow external devices to perform DMA against memory buffers allocated by the host. Ie a video camera should only have access to it’s own video buffers and nothing else.
Edit: For the sake of completeness, I should mention that memory is vulnerable to another process by which running DRAM can be chilled and physically transferred to another device to copy it’s contents, however this is less reliable due to the sensitive nature of the operation and the existence of CPU caches, etc. Not to mention such an attack would much more obvious from a physical perspective.
Edited 2014-06-05 15:20 UTC
Luckily Firewire seems to be going away?…