I have no idea what's going on with TrueCrypt. There's a good summary of the story at ArsTechnica, and Slashdot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow.
Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait and see what develops.
Posted on May 29, 2014 at 8:02 AM • 319 Comments
Secret Police • May 29, 2014 8:10 AM
If people need cross platform there's PySkein, pgp and Blake2 implementations around. Skein java works on Android devices as well and if your phone is rooted can always use dmcrypt anyways
AlanS • May 29, 2014 8:11 AM
The Open Crypto Audit Project have announced that they "will be making an announcement later today on the Truecrypt audit and our work ahead".
Dave-o! • May 29, 2014 8:14 AM
Thanks for this post; info has been so thin on the ground. As I recall, you're credited in the "about" blurb for 7.1a and earlier. Is this because of your broader crypto work and analysis of deniability in TC, or did you directly work with the devs at some point?
Bruce Schneier • May 29, 2014 8:19 AM
"As I recall, you're credited in the "about" blurb for 7.1a and earlier. Is this because of your broader crypto work and analysis of deniability in TC, or did you directly work with the devs at some point?"
I never worked with the developers -- I don't know who they are -- so it must have been for some broader work.
a different phil • May 29, 2014 8:22 AM
Doesn't TrueCrypt include Blowfish as one of the encryption options?
Dan • May 29, 2014 8:34 AM
Well. Basically there is one question connected to this:
"Mr. Miranda, Mr. Greenwald, have you been using truecrypt to protect files?"
Zonzo • May 29, 2014 8:36 AM
Some observations, mostly speculative.
a. The odd source code edit where comments referring to "U.S." had the text altered to "United States" seems noteworthy. Its the sort of thing that would be automated in a development environment for a contractor doing work for the .gov. It could also be the modern analog to something like this: http://i.imgur.com/IJGoHTN.jpg
b. The endorsement of BitLocker feeds into the later point above. There's a dog-whistle flavor to it. Almost as if Phil Zimmerman shut down all his web sites and told people to stop using PGP and that they should use something called Bass-o-matic. Of if Bruce pulled this page, sought to deprecate Blowfish/Twofish and instead told everyone "Hey, you should really be using MacGuffin"
c. The update to to where the truecrypt site is redirected has a much more amateurish quality than the original site. Was the original Truecrypt itself an NSA project and the shenanigans yesterday designed to keep people using the 7.1a and earlier versions (assuming there's some sort of subtle compromise)? Was the change some sort of "dead man's switch" that was spring loaded by the developer? Whatever the case, the Truecrypt project is now that friend who usually seems like a good guy, but suddenly turned sketchy. We do need a viable alternative. I think we also need Prof. Green et. al. to FINISH their audit just for posterity.
d. Another line of thought goes like this: If the NSA really really really wants to know WHAT Snowden had access to, and wanted to say, use a tempest solution to grab that information, one way to to that would be to spook someone known to have received those info using psy_ops to persuade that someone to decrypt the entire data from whatever air-gapped machine is on into some other machine. Which is a simply way to suggest that Bruce, Greenwald, et al. ought to review personal security and NOT be spooked into spinning up the NSA archives and trying to migrate that data. Put those laptops under lock and key and don't use them a few days. Don't run off an mass migrate those archives just yet.
AC • May 29, 2014 8:40 AM
The SANS Institute website has this set of presentation slides by Jason A. Lord. Slide 23 is on TrueCrypt. Unlike other slides in the same presentation, this one doesn't have any informative bullets, only a note that says "Removed at request of US Government". I've wondered what to make of it.
Randy Tayler • May 29, 2014 8:41 AM
Scratching "Bruce Schneier found a hole during the audit and everybody freaked out" from my list of possible answers. This is fascinating.
Dan • May 29, 2014 8:47 AM
There is a ticket to remove truecrypt from tails dated at the latest May 19th.
https://tails.boum.org/blueprint/replace_truecrypt/
Considering Jacob Applebaum has 1) worked on the Snowden files and 2) is involved in tails and 3) tor and 4) tails seems to have had advanced warning I am putting my hands down that this is connected.
Maybe the NSA got to them and they were tortured into changing the web site?
RonK • May 29, 2014 8:58 AM
@ Zonzo
> We do need a viable alternative.
We used to also have FreeOTFE but that seems to have been abandoned around June 2013. In retrospect, its abandonment may be for Lavabit-like reasons.
> I think we also need Prof. Green et. al. to FINISH their audit just for posterity.
Why "just for posterity"? If every time the slightest doubt arises about whether a code base is "pristine" we abandon it, it's obvious that we'd need practically infinite resources to maintain the software we need to secure our data against a "FUD-DoS" attack scenario. It seems reasonable to just take an old enough (and audited) version of TrueCrypt's code base and fork it, re-writing and auditing all of the patches applied since the forked date.
AlanS • May 29, 2014 8:58 AM
@Dan
Greenwald and Miranda (and apparently also Snowden) used TrueCrypt. See between Matt Green and Glenn Greenwald on latter's use of Truecrypt.
taxpayer • May 29, 2014 9:00 AM
Any ideas about the significance of Win XP being retired? It seems an odd thing to mention in the announcement, but I haven't seen any comment on it yet.
Kythe • May 29, 2014 9:05 AM
The authors are allegedly from eastern Europe. It's quite possible a number of state actors were involved -- though I'd really expect that a state actor who had somehow taken over the ability to post stuff on the Truecrypt website, SF site, and mail server would have left stuff exactly as it was.
My money is on the developer(s) wanting out. Perhaps the project had been bleeding developers for a while, but in any case, it had been a long time since the code had been updated.
noonnee • May 29, 2014 9:05 AM
Any news if someone tested those images from the site for steganography, or the web-page, or something like it? Don't think there'll be, but...
Ben Johnson • May 29, 2014 9:06 AM
NSA knew their backdoor TrueCrypt vulnerabilities would get found as a result of the ongoing code audit. Best course of action was to try to get as many suckers as possible over to BitLocker, which is also NSA enabled, before the jig was up. After all, what serious security professionals would recommend closed-source encryption from NSA's closest partner?
bae24d3fff • May 29, 2014 9:06 AM
I just want to mention that this has wiped out the TrueCrypt forum too.
There were hundreds of users at the TC forum (myself included), which contained a goldmine of information, not just about TrueCrypt itself but also crypto and computer security in general.
Many people put in many hours of work in the forum, and it would seem that that repository of knowledge is gone at a stroke.
So farewell Dan, pepak, Nicky and all the others…. “Sic transit gloria mundi”.
bae24d3fff
Sparkala • May 29, 2014 9:07 AM
@Zonzo
Scenario (d) is an interesting concept. That someone (not necessarily Snowden) is under surveillance, and that someone (not necessarily the USA) has burnt Truecrypt so as to elicit that person's passphrase during data migration is very creative social engineering. Do tyr to keep in-mind that it could as easily be Russia or some other major power and not necessarily the United States.
Secret Police • May 29, 2014 9:10 AM
Tails has never liked the TC license and was going to remove it completely this month. Luks containers are much better considering TC defaults to iterations recommended 10yrs ago.
I hope they still do the formal cryptanalysis because I've never seen what a paid modern cryptanalysis consists of just for that reason alone :) I also still don't trust their 'cascading cipher' voodoo crypto.
Bruce's name is referenced because twofish is an avail cipher in TC
Anyone knows a download mirror? I want to grab a copy of all 7.1b files. Just in case...
AC • May 29, 2014 9:17 AM
@taxpayer "Any ideas about the significance of Win XP being retired?"
I think that's just red herring.
Aaron • May 29, 2014 9:20 AM
On the Windows XP point - there is some legitimacy there in that Windows XP was the last Windows OS to not support usable built-in encryption functionality. It could be a matter of saying "all OSes now have integrated encryption, so use that instead of our stuff."
Working in a Fortune 500 enterprise environment, I will say the following: Built-in encryption is almost always faster and easier to manage than third party encryption. Many/most companies deploying mobile device encryption use the integrated encryption available in all modern mobile OSes for those reasons. On the laptop/tablet side, it's basically down to PointSec vs. Symantec PGP vs. BitLocker, with BitLocker gaining deployments due to the reasons I mentioned above. TrueCrypt has few deployments because it does not have the enterprise management functionality, centralized reporting, etc. that are required for supporting audits (SOX, PCI-DSS, etc.).
But enough trying to justify the cryptic statement on the Web Site. I'm hoping for a good conspiracy theory. That's far more exciting and timed well with the Snowden interview.
Jan • May 29, 2014 9:24 AM
"Just in case..."
https://github.com/DrWhax/truecrypt-archive
The Last Stand of Frej • May 29, 2014 9:28 AM
Isn't it interesting how the post-NSA revelation era is characterized by this pervasive lack of trust in just about anything?
The truth is, any trust we had to begin with was misplaced. The difference now is that we all know it.
And that's a good thing.
KB • May 29, 2014 9:29 AM
@Aaron you are aware of recent discoveries about NSA and commercial companies cooperation, aren't you? I can't imagine any sane person, who have followed news, using closed source encryption tools made by a "Fortune 500 company" and expect it's not backdoored. That's why a suggestion by TC developers to use one of such tools would be strange at least. It looks much more like red herring or warrant canary.
Craig • May 29, 2014 9:35 AM
"It seems reasonable to just take an old enough (and audited) version of TrueCrypt's code base and fork it, re-writing and auditing all of the patches applied since the forked date."
No, you can't do that. There are legal issues with the TrueCrypt code. Not only was it not released under a FOSS license, but there are claims that it was based on stolen code.
Jakub Narebski • May 29, 2014 9:38 AM
> Any ideas about the significance of Win XP being retired? It seems an odd thing to mention in the announcement, but I haven't seen any comment on it yet.
Together with other information I suspect that the only compiler that can be used to build TrueCrypt works only on Windows XP.
James Johnston • May 29, 2014 9:41 AM
> "The odd source code edit where comments referring to "U.S." had the text altered to "United States" seems noteworthy."
I'm not sure how noteworthy this is. I downloaded some generic Windows 8.1 samples from MSFT and examined the resource files. Some said "U.S." and some said "United States." My guess is Microsoft changed the wording in some version of Visual Studio. But I can't be bothered to find out which one. Maybe the IDE upgraded the wording when he was editing his resource file.
dolphin • May 29, 2014 9:42 AM
Quoting the front page: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
This is what you write when you do warrant canary:
"Truecrypt is Not Secure As" -- please use Bitlocker
This is what you write when you do years of work, documenting, get bored patching Linux code after a proprietary system expires (and move to space)
"Truecrypt is Not As Secure As LUKS/dmcrypt..." However, code is now licenced under GPL. So long and thanks for all the fish!
Aaron • May 29, 2014 9:43 AM
@KB
A couple of things - do you have articles with evidence that BitLocker has a backdoor? There has been a lot of speculation, and there is evidence the government asked for one, but I am not aware of evidence that Microsoft actually put one in.
Let me clarify though - I'm not saying the statement from the TrueCrypt team is or is not legitimate. But I have read a lot of comments on various forums stating that the Windows XP statement makes no sense. I am only stating that there is in fact a valid point to their argument. Whether that is REALLY why the TrueCrypt team posted that message (assuming it is legitimate) is a whole different question.
It is possible (although I'm not sure if it is likely) that the TrueCrypt team realized they don't have much of a market left. Honestly, products like TrueCrypt are for the highly technical individual user, who in many cases does not contribute financially to the Open Source product. In the Corporate world, generally only commercial software is used, because it a) is vendor supported b) easier to manage c) has the required reporting and validation functionality.
Evan • May 29, 2014 9:48 AM
The new page is thrown up as basically plain HTML and that a massive amount of data appears to simply have been deleted. I think we can rule out the following scenarios:
1. Crackers. Generally such persons/groups deface sites to make a political point or to glorify themselves. This does neither.
2. NSA or similar. If they've got to the point where they can sign stuff as if they were TC devs, they'd probably stick around and insert backdoors into the codebase, rather than recommend people to switch to something else they've already got a backdoor entry point for. Even if the actual TC devs found out, their anonymity and reliance on electronic signatures means they can't conclusively prove they're the real ones.
3. Planned retirement of the project. This is much too abrupt to have been something that was extensively thought out beforehand.
It has the mark to me of a counter-hack - someone (one or more devs, outside hackers, FBI/NSA/FSB/etc or a combination thereof) gained or asserted control of the project and, to forestall this, someone else (one or more devs not in the first group) broke into the site, trashed as much as possible, and urged everyone away from the project.
Evan • May 29, 2014 9:54 AM
Forgot:
4. Show-stopping hole. It would have had to have been some kind of architectural flaw that required rebuilding from scratch to fix, and then there wouldn't have been such a vague statement about 'may contain security holes' but an explicit mention to emphasize the urgency.
Zonzo • May 29, 2014 9:56 AM
@aaron...
The XP thing makes no sense. Windows 7 is moving to dominance and bitlocker is not available to Windows 7 home edition users -- a large portion of that code base.
The bitlocker backdoor, who knows. What I do know is that B.L. defaults and nudges users to do key escrow with Microsoft. Which shares information using secret warrants and possibly direct access by and with the NSA and other agencies.
I posted the photo of the crew from the USS Pueblo dropping the finger into propaganda pics because that's what the flavor of this whole thing has for me.
I've also been one who thought it so very odd that Sarah Dean dropped out of development of FreeoTFE so abruptly. If you spent any time on her page, she was an extremely skilled coder who really understood crypto. I know people move on, but there's an "atypical" flavor to both of these projects cratering that's different than we see when other devs decide they've just run out of juice.
Its a mess for sure.
Zonzo • May 29, 2014 9:57 AM
@jamesJohnston
The changes from U.S. to "United States" are primarily in comments. Are you saying the new visual studio autocorrects U.S. to "United States" in all instances? Or something different.
JD • May 29, 2014 9:57 AM
This guy on Krebs's site has the most convincing explanation yet:
"Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.)....."
Reminder • May 29, 2014 10:03 AM
Just wait a little bit and all gets clearer.
Conspiracy theories won't help here.
x1711DE • May 29, 2014 10:08 AM
I just want to point out to everyone that TrueCrypt has not been updated in over 2 years and up until yesterday everyone was just fine with the situation. The security recommendations the devs made on their page were clearly a joke (especially the Linux and Mac ones), so it seems VERY unlikely that this was triggered by someone finding a massive hole in TrueCrypt. The audit is going on as planned, so there's really no big rush to find any alternatives to TrueCrypt, at least until that is done. Have a little patience - the software is remarkably stable.
Also, even assuming this is a real thing and development has stopped (it's seeming more and more likely as time goes on and evidence comes in), there's almost certainly going to be either a fork or a clone of TrueCrypt. The weird license was modified in version 7.2 and it's probably open to interpretation whether that applies to the 7.1a code as well - and, as many have said, the TrueCrypt devs would need to de-anonymize themselves if they wanted to sue a fork on copyright grounds anyway, which seems very unlikely. Give this a few months (you were happy without updates for two years before this) to see if there are any real problems and see if anyone steps into the vacuum before going off half-cocked and possibly reducing your security by switching to something less well-tested than TrueCrypt.
joelson0007 • May 29, 2014 10:11 AM
There may be hidden message in the official page of the truecrypt, Steganography Cryptography or Warrant Canary?
Winter • May 29, 2014 10:19 AM
What will be the effect of the shutdown of TC?
The world has moved on since TC was written. TC got a lot of criticism. There were license problems, continuous problems with deterministic builds (ie, there was none), the small group of developers were justified to be paranoid.
The solution is obviously to start a new effort that will develop a replacement in the open. The same happened after the hearthbleed bug in OpenSSL.
A large geographically dispersed group working in the open will be largely immune to blackmail and other corrupting pressures.
It is a pity for the code base, though.
Danny Moules (@Rushyo) • May 29, 2014 10:19 AM
"internal power struggle within TrueCrypt"
With no contrary opinion leaking out to established contacts within the community? Seems doubtful. Not without some other complication.
" I think we also need Prof. Green et. al. to FINISH their audit just for posterity. "
He's already stated he will, if only because he's sat on a pile of other people's money :-)
"Why were people funding an audit of a NON OPEN SOURCE product?"
Wut?
"In the Corporate world, generally only commercial software is used, because it a) is vendor supported b) easier to manage c) has the required reporting and validation functionality."
I don't think this assumption holds true for TrueCrypt. I know plenty of multi-nationals that like it because they don't need support - it Just Works(tm). Nobody has ever questioned it since 'the crypto guy' implemented it years before because it's never caused anybody grief.
x1711DE • May 29, 2014 10:20 AM
@TrueCrypt cannot be forked:
It's not clear that that's true. In the 7.2 release, the license was modified, see the diff here:
https://github.com/warewolf/truecrypt/compare/master...7.2#diff-dc5cde275269b574b34b1204b9221cb2L1
They removed the part where you have to give attribution and now basically the only restriction is that you can't call your product "TrueCrypt" and you can't link to truecrypt.org. It's up to interpretation whether this applies to 7.1a, presumably, but the only people who have standing to challenge it are the TrueCrypt devs, who are unlikely to deanonymize to press the issue. It's not even clear to me that the old license precludes a fork anyway, since the big restriction was that code inclusion required attribution to TrueCrypt (hardly a high bar to clear). Just because it wasn't truly FOSS doesn't mean it can't be forked.
Danny Moules (@Rushyo) • May 29, 2014 10:26 AM
@x1711DE Only holds true if you assume the person who changed the license in 7.2 is actually legally privileged to do so.
But it's clear whoever did the 7.2 changes wanted to cut ties to truecrypt.org and it is implied they intended to open it up for forking. Even if it's not patently the end result that it's available for forking, it seems clear 7.2 was intended to encourage it.
Zonzo • May 29, 2014 10:33 AM
@stopwastingmoney...
The stridency of these type of comments suddenly appearing everywhere this morning feels almost coordinated.
It also suggests another bit of speculation:
e. It may be that TrueCrypt was ALREADY pwn3d or a product of the security apparatus and that there is a subtle and carefully coded backdoor or leakage in the implementation of the crypto. (I always think of the contest every year where folks compete to do the most nefarious things using the C language). If they are using something about the maths to leak the information, or some other careful backdoor, it would be something they will have deployed elsewhere. The strategy in that case would be to put a stop to the code audit, and how to do that? BURN TrueCrypt, and then send an army of sock puppets out to bang the drum on why it would be a waste of money to actually finish that audit.
Mr. Pragma • May 29, 2014 10:34 AM
Pardon me but with what I perceive as spamming going on here by all the foss/gpl proponents I can't help but to think that maybe they were somehow involved in the current truecrypt "drama".
And I say that knowing perfectly well that this implies a certain communality between foss/gpl and the usa government agencies.
But then it has aroused my suspicion since quite some time now that "democracy" rather than "good engineering" seemed to be the foss/gpl priority and that "democracy" has been (ab)used for many usa agency crimes (like kids being bombed in kindergardens by a "democratic" "government" supported by and put into power by us-american agencies).
TheBrazilian • May 29, 2014 10:39 AM
Isn't there some Brazilian guy that was in jail, but not for as much time as they wanted, because FBI couldn't decrypt his TC drives after two years of brute force? I'd watch that guy...if he gets more time, they found a way in. If not, 7.1a works fine.
I don't buy the explanation that the developers simply wanted out. This would be the sketchiest way possible of announcing that. Just put up a banner on the site saying development has stopped because of funding/boredom/whatever and move on. This smells too funny to be something as innocent as that.
Zonzo • May 29, 2014 10:47 AM
@whoever you are
The answer is "get both"
Start a ground up project for the right WDE software.
AND finish auditing truecrypt so we can figure out if there are issues we need to watch out for in developing that new software.
Any alphabet agency can supply manpower who would infiltrate a FOSS coding project, you know.
I also think the audit needs to be finished. This fiasco makes the code much more suspicious and it would be wise to see what's in there.
wilson • May 29, 2014 10:49 AM
TC is largely used: audit is imperative for the past, it's vital to know what part of your data you must consider compromised; so you have to know if there was a way to accede data and in what conditions.
Avi • May 29, 2014 10:50 AM
Will DiskCryptor now work on supporting containers?
@wilson
Agreed, and if there was a particular backdoor technique being used in TC, it would be a good idea to find it so it can be looked for in other projects.
MisterSmitty • May 29, 2014 10:52 AM
Bruce, a list of TC alternatives here:
wilson • May 29, 2014 10:52 AM
ps: I'll start to audit and expanding (deniability and win compatibility, for a start, I guess) LUKS.
Andy • May 29, 2014 10:53 AM
I don't know if anyone has noticed this before, but for what it's worth...
The download offered on the pages one is redirected to offer a 7.2 TC download. I believe (but I am not sure) there also was an official 7.2 legit version.
The so called 7.2 release offered for download now is signed with the same keys as the last official one, but I have been told that it has been castrated to only allow de-crypting of exisitng TC drives and containers (allegedly for the migration to Bitlocker as outlined in the redirect page).
So someone had to have source code access, knowledge on how to castrate the features for ENcrypting, compile a version, sign it and also take down the websites truecrypt.org and .com and access to the sourceforge page (or was it created for this purpose?).
This seems like a long way to go for a defacement or hacker prank.
Rex the Wonder Horse • May 29, 2014 11:04 AM
@Bruce
How about you, Jon Callas, Phil Zimmermann, Joan Daemen, Vincent Rijmen, Scott Vanstone, and others you trust, get together, raise some no-strings-attached money from Red Hat, Microsoft, Apple, IBM, indie ISP's from all over the world, Kim Dotcom, maybe even major newspapers (if their confidential sources can't keep their disclosures secret, the tips will dry up), and stuff the money into a non-American controlled off-shore trust to fund an audited open-source FDE for Windows, Mac, Linux, etc.... ?
You guys participate/supervise the design/coding/testing to help engender trust.
sls • May 29, 2014 11:05 AM
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
Did nobody else pick up on this?
Benni • May 29, 2014 11:06 AM
This informtion from the truecrypt site here seems to indicate that the site is now run by someone who is interested in files not being encrypted at all:
https://twitter.com/matthew_d_green/status/471998315437883392
that would be typical for a three letter agency. I do not see why some hacker would publicly advise the people out there, to "encrypt" their files on Mac with the setting "encryption: none"
Bob S. • May 29, 2014 11:09 AM
1. Maybe TrueCrypt was found to work too good and the government stepped in.
2. Maybe a government induced crack was found and the developers freaked.
3. MS is in the pocket of the NSA, why convert to BitLocker?
4. Disgruntled developer pulled the pin?
5. Disgruntled developers hack uncovered by other developer?
6. They were bought off.
7. The government stepped on them (ala' LavaBit)
The TrueCrypt implosion is a true mystery, so far.
Andy • May 29, 2014 11:11 AM
>> Any ideas about the significance of Win XP being retired? It seems an odd thing to mention in the announcement, but I haven't seen any comment on it yet.
I believe the reason is this: Encryption can only be as secure as the system it is running on. Now with EOL support, exploits might be discovered which will never be fixed. This will be an entry vector to the running system forever into the future, no matter how good the encryption itself is. And of course an entry point (esp a well known that is left unfixed for forever) into the running system can will corrupt it.
>> NSA knew their backdoor TrueCrypt vulnerabilities would get found as a result of the ongoing code audit.
Doubtful, IMHO. I think they would just play the odds and then react (or deny / ignore the outrage) when the problem actually happens.
>> Scenario (d) is an interesting concept
I think most anyone trusted with such information has been educated well enough and would smell the rotten fish. As in sticking to their (proven) guns until there is a clearer picture and not converting on a whim.
>> No, you can't do that. There are legal issues with the TrueCrypt code. Not only was it not released under a FOSS license, but there are claims that it was based on stolen code.
I wonder if anyone who really wants security cares. I would not give two shits about licensing issues if a new team of reputable people picked up TC and developed it further. One is not ALLOWED to that, but one can do it, and maybe this is a case where the saying "If you outlaw tough crypto, only outlaws will have tough crypto" comes true.
I so wish a reputable,trustworthy organization (EFF, CCC, Bruce, ...) would pick up rebuild the whole TC software / feature set. Hell, there should be a kickstarter so they can pay developers and external auditors.
So start coding, guys. If "we" need a FOSS app "someone" will need to create it.
unimportant • May 29, 2014 11:13 AM
@Benni: Above the image with the dialog box there is an explicit statement that the user has to select Encryption.
@ Andy and Rex the Wonder Horse
I think an international, non-governmental body of trusted cryptographers that reviews code and certifies it would be a good thing, as long as it is limited to vetted folks, not Bill the Crypto Expert who hails from Maryland and claims he can't talk about his job. They could just sign the source code with their key as a seal of approval. That way, if you want a crypto app that's probably pretty good, look for their sig on the source code.
Right now after Snowden (and doubtless too after Truecrypt), crypto applications are popping up everywhere with few people reviewing them, no way to tell if they were reviewed, and no way to know how good the people were who reviewd it.
Yes, it would take money and effort.
wilson • May 29, 2014 11:19 AM
What about using more then a layer of encryption? (something like PGP over Encfs over LUKS over TC)
Steve Friedl • May 29, 2014 11:21 AM
Bruce sure picked an odd way to announce the winner of the movie-plot contest ;-)
wilson • May 29, 2014 11:34 AM
@ @wilson
mmm, I'm a linux user, so I don't know how things are in Win (I see they are quite bad: only FDE and only TC)
I use FDE, plus homedir encription plus individual folder encryption. With different passwords.
Against forensic (as you describe it) the simple homedir encryption (if not backdoored) should be enough: you can't read any of my data without my user password.
Czerno • May 29, 2014 11:35 AM
Why does everyone keeps buying - and reselling - the incorrect notion that MBR is limited to 2 TByte disks ?
I would've thought at least on /this/ boards, people know better. The limit imposed by conventional 32-bit long LBA in MBR entries is in _sectors_, not bytes. Namely 4+ billion sectors, that would translate indeed to 2 TB when using 512-byte sectors, but with 4-kByte long sectors now being the standard it follows that MBR disks can span over 16 TeraBytes, provided the hack known as 512 byte sector "emulation" is turned off.
Concerned_person • May 29, 2014 11:39 AM
RE: "The only actively developed (for Windows) FDE is DiskCryptor that comes close to TrueCrypt."
I believe BestCrypt offers OTF full-disk and container-based encryption that is also close to that provided by TrueCrypt. See BestCrypt's website.
wilson • May 29, 2014 11:50 AM
@ @ (please, use a nick, even "anick" will do)
I follow you about folder structure (even if it's difficult to understand anything useful from just that, it may well be), but not about sectors: when is plaintext even written on disk?
ps: anyway, may wondering was about using more then one layer, with different implementations
unimportant • May 29, 2014 11:51 AM
One point which was not mentioned yet is the build date "5/2014". Previously, they always specified a certain day (like "May 27, 2014").
unimportant • May 29, 2014 11:55 AM
One point which was not mentioned yet is the build date "5/2014". Previously, they always specified a certain day (like "May 27, 2014").
somebody • May 29, 2014 12:02 PM
What do people think about Ubuntu disk encryption?
wilson • May 29, 2014 12:04 PM
@somebody
Ubuntu disk encryption is LUKS (don't confuse it with the home encryption)
Conspiracy Theorist • May 29, 2014 12:18 PM
TrueCrypt developers are surely high priority targets for the NSA. It wouldn't surprise me at all to learn the NSA has somehow managed to identify and approach them.
Kythe • May 29, 2014 12:20 PM
Another possibility that's been discussed - this was some sort of a "deadman's switch" that was either triggered accidentally, or deliberately due to some sort of problem the developer encountered (e.g. police storming his/her house, etc.).
jdgalt • May 29, 2014 12:21 PM
I wonder if anyone who really wants security cares. I would not give two shits about licensing issues if a new team of reputable people picked up TC and developed it further. One is not ALLOWED to that, but one can do it, and maybe this is a case where the saying "If you outlaw tough crypto, only outlaws will have tough crypto" comes true.
Amen to that. And Bruce, you're on EFF's board, maybe you can put something into their upcoming copyright-reform proposal that would give people the right to reuse/improve code when it's been abandoned like this. Especially when it may be the only way to keep their data from being held hostage to the whim of the copyright owner (or whoever is pulling his strings).
Kythe • May 29, 2014 12:28 PM
As a practical matter, it may be difficult for anonymous coders to sue anyone for license violation, especially if they've abandoned the project (and possibly erased any way to prove they were the developers)...
XP User • May 29, 2014 12:28 PM
XP isn't end-of-life. Its only end-of-life for people who didn't pay for extended support.
Zonzo • May 29, 2014 12:29 PM
Hey "whoever"
When you respond put YOUR nickname in the "name" part of the form. Put the @Zonzo (if you're replying to me) in the "Comments" box at the top to let me know you're talking to me.
If you don't put YOUR name/nickname in the "Name" box its impossible for us to follow your posts as YOUR posts. Enough already, do it right.
guillem • May 29, 2014 12:48 PM
Wait. As I understand http://truecrypt.sourceforge.net/ now, it says:
- Don't use this from now on.
- Because it's insecure.
- Because it MAY contain unfixed security issues.
- Because the development of TrueCrypt was ended in 5/2014.
- Because Windows XP is over, and nowadays all major Operating Systems offer integrated support for strong cryptography.
- So this doesn't make sense anymore.
I don't see how this implies any currently known security problem in the TrueCrypt code!
They're just weird. "Open Source" licenses with obscure, unique terms are usually made by awkward people, computer scientists who are also wanna-be lawyers. They're legally unstable and unreliable, that's the main reason why I don't trust them. The quality of the source code is a different matter ;)
Kythe • May 29, 2014 12:51 PM
Guillem - I agree. A lot depends on your interpretation of what's written on the site, but it could be as innocuous as saying "because we're no longer developing Truecrypt/it's not active any more, any security flaws found won't get fixed".
name.withheld.for.obvious.reasons • May 29, 2014 1:03 PM
I understand that most COTS secure drive applications are problematic, even when executed at the drive "intelligence" layer in hardware. This issue is non-repudiation at boot. Verifying the veracity of digital signatures or code on the hardware relies on a fundamentally broken PKI infrastructure.
OTP branding at power up that produces a verifiable hash prior to HW (device, not system) "bootstrap" but shortly (timing and latency measurements would probably need to test/certified--OOPS) after power on the device. He'll, even insuring the controller firmware is oki-doki may represent yet another COTS challenge...is that my bad or some else's?
What a bunch of smart fellers we are...ALL YOUR DATA ARE BELONG TO U.S.
Coyne Tibbets • May 29, 2014 1:32 PM
Given the current environment, I'm proposing a prima facie method for identification of events caused by intelligence agency involvement:
1) The event involves encryption products; services protected by encryption; and/or implicates privacy of communications; and...
2) The event occurs without prior warning; and...
3) The event appears to lack sensibility; and...
4) The event occurs without any explanation, or the explanation that is given seems evasive (deliberately non-informative).
It is what we saw with LavaBit; now we're seeing it here. Make of it what you will.
Zonzo • May 29, 2014 1:37 PM
@Coyne
...add to your list:
5). Shortly after the event security oriented sites are flooded by new posters spamming the discussion in a counterproductive fashion.
I wonder if our troll is paid by the hour or by the post
x1711DE • May 29, 2014 1:38 PM
@Danny Moules (@Rushyo):
@x1711DE Only holds true if you assume the person who changed the license in 7.2 is actually legally privileged to do so.But it's clear whoever did the 7.2 changes wanted to cut ties to truecrypt.org and it is implied they intended to open it up for forking. Even if it's not patently the end result that it's available for forking, it seems clear 7.2 was intended to encourage it.
Yes, but if the person who changed the license is not a TC dev, then there's no problem anyway, because that means that continued official TC development is likely not being discontinued. And you almost certainly don't have to be overly cautious about taking a fork and running with it, because the TC devs are not likely to sue you over it, since that would require de-anonymizing, which they aren't likely to do.
Zonzo • May 29, 2014 1:43 PM
@X1711DE
Naw. The TC Foundation could sue and enforce copyright, and win on the papers, without ever having to review the coders behind it.
Jonny Kake • May 29, 2014 1:51 PM
Perhaps when I view Microsoft's Web site it should state,
"WARNING: Using Windows is not secure as it may contain unfixed security issues"
.
Mr. C • May 29, 2014 1:52 PM
As a practicing attorney, if a client came to me asking if it would be alright to fork truecrypt, my advice would be: "go for it." Completely setting aside what the license says, or whether it's enforceable, a potential lawsuit would never survive a pre-answer motion to dismiss for lack of standing. To even get in the door to the courthouse, a plaintiff would have to first reveal his/her/their identities, and second *prove* that he(/she/they) is(/are) in fact truecrypt's anonymous author(/s). The first is highly unlikely because it would be extremely out of character. The second is highly unlikely because it's probably impossible. Without a credible threat of a lawsuit (that will at least survive a pre-answer motion) to back it up, the license is just words on a page.
Wm • May 29, 2014 1:58 PM
@Andy
"...I think there also was an official 7.2 legit version"
I don't think there was a 7.2. I have a web search program that looked at the TrueCrypt site every morning and never saw anything beyond 7.1a.
John • May 29, 2014 2:01 PM
I agree with Mr. C. If Obama can flaunt the laws and do anything he wants, then so can we.
John • May 29, 2014 2:01 PM
Truecrypt was forked at least twice. There was a Mac OS version called OSXCrypt and there is a Mandriva RPM called RealCrypt.
NC • May 29, 2014 2:02 PM
Finishing the TrueCrypt audit is important regardless of whether or not the code is forked or people start anew from the ground up.
*IF* there is a backdoor in TrueCrypt, this would be very important news in and of itself. Also, depending on how a backdoor is implemented, the details could be relevant to the other products out there that provide compatibility with TrueCrypt containers.
-N.
Zonzo • May 29, 2014 2:04 PM
@Mr. C....
Suppose Microsoft is suing someone for copyright violation for Misusing Windows code.
Does Microsoft have to present the Court with the employment agreements of every coder who developed that code base to establish work for hire and ownership of the code?
I don't think so.
Here, the TC Foundation would have to establish ITS standing -- which is to say that is is the party asserting copyright, it is the party named in the source code files, and it is a valid existing entity with. It can do so, and would not in my view be required to reveal the coders identities.
I respect your experience and expertise as a practicing attorney, but I'm not sure this is as black and white. I'm aware of several small software houses (just consulting guys with established stock code bases) who have successfully protected their copyright materials in federal court without having to show the assignments from the individual human beings who developed the code. Its possible I'm missing something but that's my take on things.
Reminder • May 29, 2014 2:08 PM
Keep in mind, that the only true FREEDOM and CONTROL of your PC is with a FOSS Operating System. Only Linux/*BSD sets you free and gives you full control.
Not Microsoft Windows, nor Apple OSX will get you anything trustworthy!
First you need a FOSS OS, then the FOSS/GPL encryption software. Without the FOSS OS, there is no real trust, no matter how secure and open any encryption software is written.
Since Bruce itself wrote in a blog post a time ago he has no Unix/Linux knowledge,...
Start to think about it.
I'm especially interested in what our beloved FSF front-runner 'Mr. Stallman' has to say about TrueCrypt debakel.
x1711DE • May 29, 2014 2:14 PM
@Zonzo: Even if it's true that they could hire a lawyer to represent their corporation without revealing any members of the corporation (maybe possible, but I think unlikely), there's also the fact that even version 3.0 of the license allows for forks of TrueCrypt with attribution. There's a problem, which is that version 3.0 and 3.1 are actually contradictory - version 3.0 says you need to link to TrueCrypt, version 3.1 says you aren't allowed to link to their website - but both actually allow for forks. The license problem was that it's not compatible with other FOSS licenses, so you can't include it wholesale into something like a GPL-licensed suite of tools.
At this point, you're on pretty solid ground no matter what you do, and assuming the TC devs even care, the best they can do is say, "The encryption parts of the code are licensed under version 3.0, not 3.1, so you need to link to our site.", which any fork of TrueCrypt wouldn't care about anyway at this point. Chances are we'll see a bunch of forks of the code base and when the audit results come in, we'll see some of those forks updating to address some of the problems (like the integer signing, etc), and eventually one of those forks will become the new TrueCrypt standard.
Chris Abbott • May 29, 2014 2:16 PM
This is insane. They could re-license the code and hand it off if they got tired of it. They could continue the audit and just patch anything they find. Just blowing it up completely after all these years it's been in use is really, really, fishy.
I'm suspicious of it being an intel agency strong-arming the developers in someway and I would suspect FVEYS. This is how Lavabit got shut down of course. Even if they aren't in the U.S. could find ways. My guess is that at least one of the guys doing it is in the U.S. and you could also use things like blackmail, death threats, ect.
Also, there is a good chance you could get plaintext data in the process of people migrating to a different system, I would think.
To me, it definitely seems like there's a skunk in the woodpile...
Zonzo • May 29, 2014 2:24 PM
@x1711DE ..
Good points. Look, I'll defer to you and the guy who has a law license.
Is it too early to start posting feature wishlists?
Here's mine:
- USER supplied SALT bits, including the possibility of zeroing out the salt bits and requiring the app to pull them off a smartcard. That ensures back door keys aren't hidden in the salt.
- USER configured value for the number of hash cascades in the conversion of the pass-phrase to the master key values... up to some very high number that on modern machines would constitute a 5 minute wait. And with this number not stored anywhere and NOT input at the time of pass phrase entry. The software should sit there running Hash/Compare loops until it finds the the key or times out at the 5 minute mark. This would make brute forcing so very difficult.
- I can think of more, just give me time.
Mr. C • May 29, 2014 2:39 PM
@ Zonzo:
Microsoft proves standing by pointing out that it is a registered corporation incorporated in Washington state before the software at issue was released, and that the software at issue identifies itself as having been written by Microsoft. Additional proof is provided by the fact that the software talks to update servers and the like that Microsoft can prove it controls. (Also, no one would be dumb enough to challenge their standing anyway...)
I had been working under the assumption that truecrypt doesn't identify its author in the same way because the "Truecrypt Foundation" was a made-up name. Before spouting that out, I decided to look it up, and... Turns out **I was wrong**. "True Crypt Foundation" and "Truecrypt Developers Association, LC" (which is the copyright holder identified in the source code) are actual Nevada corporations, both formed in 2009. Both appear to have precisely one stockholder, director, and officer - one Ondrej Tesarik. (The contact information is for a corporate registration service.)
So, I revise my former statement. Truecrypt Developers Association, LC could file a lawsuit that would survive long enough to force a forker to litigate the meaning and enforceability of the license. If I were defending the case, I'd still move to dismiss for lack of standing and insist that the produce Ondrej Tesarik in the flesh to verify that he was behind the lawsuit.
Chris Abbott • May 29, 2014 2:41 PM
Perhaps the NSA used an NSL to kill it or bug it as a way to get into Greenwald's machine and discover the remaining documents?? Perhaps they were ordered to tell people to use Bitlocker? Or it's tongue-in-cheek. Who knows?
KnottWhittingley • May 29, 2014 2:43 PM
The good news is: You're not paranoid!
We have no way of telling, at present, whether TrueCrypt has been compromised or for how long, or if it hasn't been and that's precisely why it's been arranged for us to think so.
Which brings me to an important point. If the NSA is actually good at their jobs---and I have no idea whether they are---then the Snowden revelations are not the worst of what they've been up to.
Presumably, the most precious and closely-held secrets of the NSA would NOT be on computers that Edward Snowden or anyone like him could access. If they're on computers at all, they'd be on thoroughly air-gapped and Faraday-caged computers that even most NSA insiders could never access---certainly not dozens or hundreds of analysts. Access to that information would only be available to a truly small number of people, like three, or maybe a dozen.
Yes, this is conspiracy theoretic, but when you know for a fact that there is in fact a secret conspiracy of some sort at the highest levels of all three branches of government---the White House, the FISC and the Chief Justice of the Supreme Court of the US, and the most powerful members of the congressional Intelligence Committees---then you know that all bets are off. "Paranoid" loses a lot of its meaning.
If we assume---and I certainly don't know if we should---that the NSA is competent at basic tradecraft, then presumably there are significantly bigger, more closely-held secrets somewhere. Maybe on paper in safes, maybe on air-gapped computers at NSA, maybe somewhere at FBI, and likely at some supersecret agency whose existence is not even admitted.
Think about that, and what little we know of the history of NSA, and what we do know of the history of CIA.
What is the first thing that merely competent spies would do upon public revelation of the secret existence of a supersecret agency like NSA?
It stands to reason that they'd create a new even-more-secret agency---rather like B613 on Scandal---whose mere existence is harder to detect, whose real reporting/authority/power structure is harder to determine, and which may or may not ultimately be under control of POTUS to any reliable extent. (Don't believe that? Look at Jimmy Carter and his adversarial relationship with CIA, and be afraid.)
I have no inside knowledge, but I think it's safest to guess that there's likely stuff that Snowden could not get at that's worse than what he could, and that what he could get at may or may not lead to what's really going on at the highest and most important levels.
At this point, I think a lot of people are overly concerned with what's responsible speculation---do we have evidence that NSA does this or does that---which is looking through the wrong end of the microscope.
We have evidence that NSA is perfectly willing to do things that by any reasonable assessment are simply illegal, or illegal by virtue of their interpretations of the laws being unconstitutional. All bets are now off, and nobody should forget that for a moment.
When somebody like Hayden or Clapper says that they'll go "right up to the line" of what is legal, they are patently lying. What that really means is that they'll go right up to the line continuously and semi-accountably---if and only if there are big revelations like Snowden's---and that they will regularly cross that line in ways they think are sufficiently undetectable and unaccountable. That is, they'll go as far beyond the line as they think they can probably get away with, using cutouts, reverse targeting, plausible deniability, with records only on touchpaper or on airgapped and Faraday-caged computers that they can destroy on a moment's notice.
It's time for simultaneous raids on all of the major intelligence agencies, confiscating all the paper in safes, all the odd-looking computers in funny rooms or boxes, and a whole lot of other stuff, just to see if this "paranoia" happens to be right.
But of course that isn't going to happen.
What we can expect, irrespective of whether this "paranoia" is correct, is that they'll admit to what's proven, after denying it for a while, and they'll justify it as best they can, and they'll paint anyone who thinks worse has been hidden as paranoid and/or unAmerican and/or naive and/or treasonous.
It's reasonable to guess that if NSA is actually good at their jobs, most of what they do is a smokescreen for stuff they could do more easily and thoroughy, but could not act on, most of the time, without their abilities and methods becoming apparent.
That has always been the way good tradecraft works, since forever---since before the Roman Empire, for sure, and presumably much before. You only exploit your intelligence abilities to the maxiumum when you have no alternative, because exploiting them reveals that you have them, and your channels of espionage will quickly close if you reveal them that way.
So you let thousands of your soldiers and sailors die here and there, let entirely allied countries get invaded, etc., as though you didn't know that it was about to happen, when in fact you did, but that itself is the most closely-guarded secret of all, which you're saving for something even bigger---like preventing the destruction of your own homeland or the world economy.
To some extent, you play the odds, and exploit supersecret intelligence to some extent, to shift the odds in subtle ways, and to explain away your resulting "good luck."
"Parallel construction" isn't just used to conceal results of intelligence from juries and judges---it's basic spy tradecraft for concealing the existence of intelligence channels from adversaries.
Given that, the Snowden revelations provide only a lower bound on what the US and Five Eyes are up to, intelligence-wise. It's safest to guess they're doing a lot more, but exploiting it a lot less, keeping most of their abilities---the most potent and secret ones---in reserve.
Zonzo • May 29, 2014 2:43 PM
@Mr. C
Thanks much (MUCH!!!) for the background, perspective and research.
But don't send me a bill, ok?
Its probably academic: If memory serves the code base was not praised in the audit for being "clean" (though I doubt much of the MS code base is clean, either).
May indeed be best for a new project to arise from ground up. If that happens, my prerequisite before using it will be that ONE SINGLE CRYPTO EXPERT and ONE NINJA CODER have to unanimously agree before any community developer's code submission is committed.
noonnee • May 29, 2014 2:47 PM
@Mr. C
Take a look at http://pastebin.com/7LNQUsrA , you'll find more details about it.
Moderator • May 29, 2014 3:05 PM
To the person posting under the name "To Linux Fanbois," and approximately 34 other names:
I am going to remove all your comments, because you are being incredibly spammy and sucking up all of the oxygen out of the room. Next time you come to a new forum, I suggest you try to approach the conversation as an equal participant -- one of many -- rather than trying to dominate the thread through sheer number of posts. Also, if people are complaining about your behavior, take it seriously rather than responding with "U mad bro?" A different approach will increase your chances of persuading people, and of having your comments remain published. But you will have to try it somewhere else, because you're banned here.
Everyone else:
I will also be removing some responses to Mr. "Linux Fanbois" that don't make sense out of context; this doesn't mean there's anything wrong with your comments themselves. (Although, avoiding engagement with folks who act like this would not be a bad idea in general.)
a4657103 • May 29, 2014 3:13 PM
The announcement contains some steganography in plain sight, by way of intentionally lousy grammar:
From the "new" website, in red letters:
...TrueCrypt is not secure as...
Now, with added emphasis:
...TrueCrypt is Not Secure As...
NSL for sure. Nicely sidestepped.
rufo guerreschi • May 29, 2014 3:26 PM
Very simply, the machines we use are way more complex than we can (or decide to) afford to verify for vulnerability.
We should use commercial devices for non sensitive computing, and instead build and use devices running exclusively EXTREMELY simple open design hw, and free (or at least code-verifiable) software and firmware, and have them verified regularly in very extensive ways relative to size and complexity of code. Then we also need hw manufacturing oversight process, that could cost just 30-50$ per unit of device if beyond 100.000 device units. We'll end up with devices with 100 times less features, slickness, but that are very very "trustless", and therefore trustworthy.
Chris O • May 29, 2014 3:27 PM
There is more here than appears on the surface.
IMHO: for security aware programmers I would expect better.
If it were a 'dead man' trigger, I would expect that to be called out and not cryptic vague language the kind of sorta half way indicated that might be the case.
If this were an 'aw screw it, going fishing' I would expect them to say something like "were done; bye" or at least a quite disappearance like Mark Williams Corporation (MWC producers of Coherent) and not a cryptic and unexplained "don't trust this" which brings up more questions than answers. If it were an 'aw screw it' I would also expect that flags would have been placed up like 'does anyone want to take this over' or a full release of source code so it doesn't have encumbrances. If it had to do with intellectual property violations, I would expect that to be called out (see also: SCO).
If this were a breach or bad programming I would expect more detail on why this is no longer an acceptable security piece of software. How easy is it to break a TC volume? Does this mean other software that can use or create TC volume are vulnerable too? Are TC volumes vulnerable to anyone with a slide rule or does it take rooms full of GPUs (e.g. organized crime, governments, big corporations). Is this limited to TC volumes is this bug across multiple things like encfs too.
I also expect better of programmers than "use this software no one trusts for windows and the rest of you can go 'google it'". If there is no other trustworthy software then call that out.
Perhaps I expect too much.
almost anonymoust • May 29, 2014 3:31 PM
In my personal and hardly informed opinion we should probably apply Occam's Razor to this conundrum. We know that Edward_Snowden was a highly visible advocate for the use of TrueCrypt which has been shown to be problematic for the NSA in particular. We may well consider TrueCrypt to be likewise at issue with other interested agencies also. The impetus thus becomes discounting the use of TrueCrypt in conjunction with advocacy in replacement product more friendly to usurpation by these agents of change. Direct advocacy in this instance to the use of BitLocker as the replacement, a product broadly considered purposefully backdoored by a company friendly to the NSA et al. It thus stands to reason in the glaring face of it all, the simpler explanation being most likely correct.
Secondly, while it would be reasonable to expect developers under threat to cancel their project, it is a different matter entirely to push users in recommendation towards any other product. The secondary action in such red flagged complicitous regard anything but synonymous with the first and especially so given the stakes. At that, not simply a recommendation but one with alarming specificity given the step by step instructions pertaining to how one would accomplish the task of encrypted data transfer from a now neutered TrueCrypt in its latest and most sudden alteration, to BitLocker. As such this is not likely the the actions of harried developers under duress but rather the manifestations of a forced takeover by these same agents of change and again, the simpler and more direct explanation.
Of course the added bonus of a compromised TrueCrypt however found manifest is that to some degree it also discredits Edward Snowden by the virtue of his now seemingly apparent revelation of misguided advocacy. A man I suspect among the legions of others also not throwing support behind BitLocker.
Mr. C • May 29, 2014 3:39 PM
@ Zonzo: I'm not qualified to say whether truecrypt deserves to be forked. I was merely (and narrowmindedly) addressing one "threshhold" aspect of whether one could fork it without suffering legal consequences.
@noonee: Thank you for the link. That's pretty much what I found. The author strikes me as a bit paranoid. To address his or her questions: (1) Why would Czech incorporate in the US? Because US law affords ridiculous levels of corporate secrecy that other countries don't. It's the place to be for anonymous shell corporations. (2) Why have a for-profit LLC entity in addition to the non-profit entity? Maybe they had planned to eventually sell a "pro" version, or sell T-shirts. Maybe Nevada has regulatory requirements for non-profits they didn't want to follow. (I'm not a NV attorney, so I don't know.) Anyway, I don't view this as particularly suspicious. (3) Where'd they get the money for the administrative support for the companies and the trademark filings? This question incorrectly presupposes that one can't DIY these things. Incorporation in NV is $75 for the LLC and $50 for the non-profit. Incorp Services, the registration service here, charges $431.80 to register the entity and act as agent for service for 5 years. Low-activity corporations require very little care and feeding after the initial setup -- in many states, just a DIY tax return once per year. Someone smart enough to write a program like this is also smart enough to deal with the USPTO's instructions for DIY trademark filing. Filing fee could be as low as $275. I have no idea what a Czech trademark filing costs. So, all told they laid out maybe $1500 or $2000 in administrative expenses. Probably self-financed out-of-pocket because they believed in their cause. (4) "Is the Truecrypt story simply too good to be true?" I don't know. But today it sounds almost too weird to be true.
Interesting point coming out of this corporate entity business: Supposedly Incorp Services had credit card information and a real postal address for Ondrej Tesarik. To my mind, that makes it really likely that the NSA has known where he is and who he associates with since shortly after they decided that truecrypt was an annoyance.
Bob S. • May 29, 2014 3:40 PM
Re: "Not Secure As"...
Maybe so. I wonder if NSA has that kind of reach however...that is...overseas? I don't think an NSL would work there. Of course, there are other agencies and governments striving to appease Master, also.
The Last Stand of Frej • May 29, 2014 3:45 PM
Well, Bruce, looks like you're up. When's the Bruce Schneier NSA-killer full-disc encryption solution going to drop? The awareness, need and momentum has never been more momentum-ey.
unhappyApples • May 29, 2014 3:57 PM
@almostanonymoust: "step by step instructions [...] encrypted data transfer from a now neutered TrueCrypt [...] to BitLocker"
It is interesting to wonder whether we should infer that the person posting the instructions did not know that BitLocker is not available for all Windows platforms. Would a genuine long-time TC developer not be aware of that given the effort put into multi-platform support? It seems unlikely. So perhaps this lends credibility to the idea that a only lesser-skilled developers were in attendance. Thence to the idea that they were (possibly very reasonably) alarmed at all the recent publicity and raised profile arising from the ES affair and decided to jump ship before they were flushed out. However this doesn't explain why they went to the trouble of removing the encryption code, unless that was done to possibly mitigate against future legal problems if the remaining code were forked.
Gweihir • May 29, 2014 3:59 PM
@Moderator: Good decision. Some people just do not get it and you have to bring your foot down and kick them out.
@everybody else: This may take days to months to clear up. Do not jump to conclusions. A panicked move to something else is likely to do more harm than good.
nicola • May 29, 2014 4:02 PM
Maybe that I say a silly thing. But I have on my pc TrueCrypt Setup 7.1a.exe downaloaded last year. I have downloaded its signature from https://github.com/DrWhax/truecrypt-archive/. I use the signature
Key-ID: F0D6B1E0 now present in the keys.gnupg.net. I get positive signature test for the old 7.1a version and the new 7.2 version with the same Key-ID.
Or the developer(s) have change idea on disk encryption or someone has the control of all credentials of developers(s). (Or I say a silly thing. :-) )
I know what • May 29, 2014 4:08 PM
TC team asked for money - noticeable banner "donate via paypal". They deserve for money for a million dollars but there is one problem. Nobody paid and TC team gave us a middle finger. Do you know why nobody paid? Because we simply didn't want to be registered by NSA as TC users. It was bad idea to use paypal as the right service for donations. I would send $100 bucks in an envelope if they had given a pobox. We all support TC and such initiatives but we are afraid of gov's oppressions, 6AM visits just because of a small donation.
Meee • May 29, 2014 4:13 PM
@TheBrazilian • May 29, 2014 10:39 AM
The guy you're talking about is Daniel Dantas. The FBI tried for a year to crack his HD but couldn't do it and gave up.
Jerry • May 29, 2014 4:29 PM
Translating the notice on the cyberside.planet.ee site:
Attention!
cyberside.planet.ee monthly data volume is exceeded
Therefore, the material is located temporarily restricted access to the website!
This seems like a reasonable explanation. Probably a lot of people downloading files. Let's not get too paranoid.
unhappyApples • May 29, 2014 4:35 PM
What a pity that http://istruecryptauditedyet.com and http://opencryptoaudit.org/ chose only to link to source repositories instead of to also freeze and upload to their own sites the files used for the audit. We might then have more visibility into the removal (takedown) process.
Roy Badami • May 29, 2014 4:42 PM
I'm a little bit skeptical of the suggestion that this relates to a decade-old copyright dispute. If that's really the case, though, I'm sure we will know soon enough, as when someone inevitably forks TrueCrypt they will presumably receive a cease and desist letter, too.
roy
Jerry • May 29, 2014 4:48 PM
@anonymouse
Of course both Wayback and Google will honor robots.txt on any site.
The software is available on many sites, such as CNet, download.com, etc.
Here's one which has the last few dozen versions archived.
unhappyApples • May 29, 2014 5:04 PM
@Roy Badami: "...copyright dispute. If that's really the case, though, I'm sure we will know soon enough, as when someone inevitably forks TrueCrypt they will presumably receive a cease and desist letter, too."
Not if based on TC 7.2 (latest version, without encryption code), TC 7.2 plus a clean-room encryption implementation of the encryption routines "should" be free of the 'infringing' code. That is what I am reading into this, currently. Of course I am probably about to be proved wrong.
@anonymouse: So it seems that putting pressure on already stressed developers on the basis of a legal dispute might be just enough to get them to quit. So the people who want TC discredited and hence used less get their way, they just did not take the most direct route. Sounds plausible. Now the most likely users of TC going forward are techies and other "suspicious characters" such as those who use VPNs and other encryption, while the lesser technical are herded to BitLocker.
omoo • May 29, 2014 5:08 PM
truecrypt.org has been excluded from Internet Archive:
Some Dude • May 29, 2014 5:13 PM
The good news of the day is that truecrypt 7.1a will be audited as planned:
https://twitter.com/OpenCryptoAudit
It is really a pity that the forum went missing. Is the manual still available somewhere?
BrandonHeat • May 29, 2014 5:24 PM
dm-crypt + frontend cmd line (*nix) ftw
temporary • May 29, 2014 5:32 PM
Its time for open hardware...
rene • May 29, 2014 5:42 PM
The problem rose up after ide to sata leap. IDE AES harware we would have had already on $10 FPGA. The SATA interface is the problem. There were SATA X-Wall chips but they died without any opinion.
mcderp • May 29, 2014 6:18 PM
Bitlocker is fine for Win FDE unless your adversary is a government. If it is then you wouldn't be using proprietary windows software anyways, so TC is fully redundant and should die
Alex • May 29, 2014 6:26 PM
If truecrypt.org was excluded from Internet Archive, and truecrypt was excluded from presentation slides by Jason A. Lord, then it is NSA.
Moderator • May 29, 2014 6:30 PM
There have now been two spammy banned commenters at work on this thread -- one new today and one who's been around off and on for years. If your comment disappeared for no apparent reason, it's not something you did, it's because you responded to one or the other of them.
Andy • May 29, 2014 6:48 PM
This is a funny little tidbit.
The server responds with a HTTP 410 Gone. The RFC here http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html says:
"The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable."
Mike the goat (horn equipped) • May 29, 2014 8:32 PM
Zonzo: I spoke of the "interesting" circumstances surrounding Sarah and FreeOTFE's disappearance a few years back. It does indeed seem funny that the two viable open source FDE alternatives have now gone from the scene in strange enough circumstances.
Nick P • May 29, 2014 8:47 PM
@ Mike the goat
That is very interesting indeed. I have a method for figuring this out that comes from years of professional experience in finding BS. The method is useful because it identifies whether a coercion happened with a certain probability without the source telling me anything. It's based on the fact that passionate, typically honest people suck at lying. It works as follows:
1. Warm them up to you with normal conversation talking about plenty of stuff.
2. Bring in some tough situations you dealt with and have them reciprocate.
3. After a while observing them on 1 and 2, bring up the event you think involved coercion.
I will have been watching the body language the whole time. I'll have seen how the person reacts to fun, intrigue, stressful memories, and plain evil if it came up in conversation. At the point No 3 kicks in I try to notice any change in body language. If they become more withdrawn, nervous, etc than any other point in the conversation I'd probe the issue a bit. It's also important to play up their skill in the project and play down any form of blame because the goal isn't to have their guard at 100%. They should feel a need to open up even as they are defensive. People whose passionate work is destroyed by threats feel violated and experience inner turmoil. It shows in their eyes, how their hands move, sound of voice, etc. Deeper it is, longer the effect lasts & still feels fresh when brought up.
Sometimes, the least technical solution is the easiest way to get to the bottom of a technology mystery. ;) It's how I'd question someone to get truth while giving them deniability and chance to repeat lies. The deniability should be more effective by me writing this here as I believe the method's effectiveness on bad liars is self-evident to TLA types and it's now available for 250,000+ people to practice. :O
Jonathan Wilson • May 29, 2014 9:08 PM
I for one would like to see a new full-disk-encryption solution with all the good things of Truecrypt and none of the bad things (like ambiguous licensing). One developed and hosted in a country where the global spy networks can't go in and force them to shut down or insert backdoors or something. (not sure which country would qualify, needs to be one that doesn't like the USA but also wouldn't have their own intelligence agency interfering with the development)
biting_fingernails • May 29, 2014 9:26 PM
Waiting for announcement from OpenCryptoAudit.... FUUUUUUUUUUUUUUUUUUUUUUUUUUU!!!111oneoneone
Adam Johnson • May 29, 2014 9:32 PM
There are some old mirrors where you can still download a legit TrueCrypt version
http://s7ick.org/tools/truecrypt/
Name • May 29, 2014 9:38 PM
So Bruce, what are you doing with your own data? The commercial solutions all have issues - the big ones are probably secure against non-governmental penetration (and unknown on governmental ones)
Bitlocker - lots of wild stories on compromise, Windows only
LUKS - probably solid, but only on Linux
FileVault2 - Probably ok given apple's willingness to use canary and public statements. OSX only
PGP - symantec doing best to kill it (and I trust Apple far more than I trust them). Bricks on many platforms
Bestcrypt/other small vendors - unknown security even from non-governmental threats
GnuPGP - likely secure, but individual file only
It's a darned shame that PGP isn't independent with published source anymore.
What's left?
Nick P • May 29, 2014 9:45 PM
Important note
I read all the comments and didn't see something worth bring up: it's still fine on air gapped machines... probably. ;) The end of XP, the end of Truecrypt... whatever. If you stick to a supported OS & TC version, you can still use it fine. The attacks mainly come through external media. The ways of dealing with those are outside the scope of host OS or Truecrypt anyway. So, even if it's dead, Bruce and others using it on air gapped machines can still do so if they keep the app and ISO for old software. If old software is Linux, it can be ported to other hardware later. So, it's not game over for that scenario.
Truecrypt can live on without its developers, forks, or even support of PC manufacturers. :)
Mike the goat (horn equipped) • May 29, 2014 9:56 PM
Nick: what do you make of this?
Nick P • May 29, 2014 10:04 PM
@ mike the goat
The word strange get's mentioned in plenty of commentary. I'd call that strange. Another word comes to mind: defeatist. It sounded like a person trying to make a joke about their utter loss. The shutdown theory is a possibility here as much as the "shutdown due to lack of talent or funds" theory. It's not a good conclusion one way or another.
Mr. C • May 29, 2014 10:12 PM
@ Mike the Goat: Assuming one can get past the unsigned driver issues, is FreeOTFE a viable alternative?
Skeptical • May 29, 2014 10:20 PM
Couple thoughts.
-- with an established company, I know the rules they have to play by, and I know their incentives; while this isn't as good as some other arrangements proposed (I did like Nick P's proposal of an adversarial review), it's good enough for most purposes. With open-source software, I am able to depend on the incentives of those who claim to have reviewed the software, and perhaps the incentives of others to find and disclose errors; while this isn't as good as the adversarial review idea either, it's good enough for most purposes provided those involved in the project meet certain criteria (and that certain processes are followed). But in the case of TrueCrypt, I'm not really sure what I was supposed to trust, other than the incentives of many to gain reputation by cracking it and then publishing their accomplishment (obviously the incentives of some of the most able players in that game would be not to publish, which raises problems).
-- if the comments above regarding lack of work on TrueCrypt for two years are true, then the actions do likely seem driven by ordinary personal or professional factors. And in fairness, they made an appropriately noisy exit from the work, which gives everyone fair warning. I don't scoff at the Bitlocker recommendation quite as much as some others here.
Off Topic:
@Nick P re deception detection:
As bad as people often are at lying, they're equally bad at detecting lies.
The really hard part, even after you become skilled at reading emotional reactions, is the fact that deception is always just one possible explanation. Perhaps the individual knows that you're probing him, and simply becomes uncomfortable or self-conscious (very common reaction to being questioned). Perhaps they're thinking about how they would react if they were coerced, and you're reading their response to those thoughts. If the event you bring up was unpleasant for reasons other than coercion, you may be reading that.
And then even if they are being deceptive, there's still the question of what they're being deceptive about.
Not saying any of this is new info for you, of course. Just want to sound a cautionary note.
I've found the research sparked by Ekman (microexpressions) to be useful, in this vein.
Chris Abbott • May 29, 2014 10:20 PM
@Alex, @AC
That to me this looks like a smoking gun. Especially since they're telling everyone to switch to Bitlocker. It could be tongue-in-cheek thing or they could have been ordered to do it. There is no way to challenge the constitutionality of it because it's likely top secret and FISC is just a rubber stamp. There's nothing anyone can do. If the audit proves that it's secure, that will be a dead giveaway, especially knowing what we know now about how they operate.
If the audit comes up clean, public attention needs to be drawn to this in an overwhelming fashion. That would prove it.
It would prove that since the Snowden documents have been released, that they are doubling down and getting more aggressive. I'm sure they are. They have more reason to than ever before.
If that's the case, it's truly terrifying. I'm sure everyone that reads and comments on this blog could be a target. Sometimes it feels like (metaphorically) you've been forced to take a knife to a gunfight...
We need all the help we can get. A legislative solution is necessary, but wouldn't go far enough, because these people are already breaking the law. A technical solution is the only way to keep the spooks at bay. Snowden himself said at SXSW that NSA set the Internet on fire, and that the developers are the firefighters. Strong crypto that isn't backdoored is the solution. The governments of the U.S. and the Five Eyes will oppose such things, naturally, but we can do it. They cannot stop everyone. So we can do everything necessary to fight back. We need systems that make us immune to NSLs. We need to fight back as hard as we can. This is the way to fight for freedom. This is the only way we can take them down. We all have to be on the same page. We need to have the same goals.
Figureitout • May 29, 2014 10:24 PM
Man this is big news. Well, to try to make the best of a bad situation (sounds like it's really dead now)...this is an opportunity for cryptographers that can code to make a replacement.
And yes you can still use it on other hardware and I guess lots of CD's/DVD's/USB sticks just became more valuable...
uh, Mike • May 29, 2014 10:39 PM
I think the bitelocker recommendation was low info. A responsible developer, when retiring their product, needn't offer the best alternative, only a workable one. To go further is to take on clients.
That seems to be driving most of the conspiracy theories, no?
There's a thing that's happened to me when I stopped giving away free stuff: people got angry with me. No thanks, on so many levels.
Tony • May 29, 2014 10:42 PM
Fiction: Do you remember the scene near the end of the movie Scarface where the group of criminals conspired in an attempt to remove an individual speaking out against them before he spoke at the UN? (UN - IIRC)
Reality: Do you remember the individual who died just shortly prior to speaking out about pacemakers (and possibly other technology) and how they are vulnerable to hacker attacks?
Possibility: Sn0wd3n and/or others about to deliver a speech which mentions the useful tool TrueCrypt to a wider audience - TrueCrypt project dies.
I'm interested in the results of the complete TC code audit, but give this comparison some thought.
However, I was concerned about the project when releases ceased after 7.1a. There were steady releases up until that time and I'm curious if 7.1a was released as low hanging fruit with a backdoor and the site was allowed to operate for a few years before closing shop when the hunger for enough interesting people who downloaded/used TC was satisfied.
uh, Mike • May 29, 2014 10:56 PM
@Tony, nice job extrapolating from one questionable incident.
Coyne Tibbets • May 30, 2014 12:00 AM
@Zonzo
I'll buy the general idea, but I think it should be an "and/or" in rule 4:
1) The event involves encryption products; services protected by encryption; and/or implicates privacy of communications; and...
2) The event occurs without prior warning; and...
3) The event appears to lack sensibility; and...
4) The event occurs without any explanation, or the explanation that is given seems evasive (deliberately non-informative); especially if there appears to be a coordinated effort to counter any meaningful community discussion after the event.
Good?
bad contractor • May 30, 2014 12:20 AM
I'd wait until the audit is completed and meanwhile use caution and keep your important files on encrypted USB drives, with a few backup USBs stashed somewhere other than your property incase the other drives need to suddenly be introduced to a hammer drill or other effective means of destruction.
The simple fact is that parties such as the NSA, GCHQ, ASD etc, could simply just install a WIFI dongle into something like your monitor cable, or internally within the packaging of some component within your device while you are not home, or by intercepting an online purchase. They could also use a known exploit delivered via your wireless router or phone line to install firmware into your motherboard or GPU BIOS that gives them access to the system bus, then raw input like keystrokes and also your monityor feed. They could also fit a spy camera drilled in above anywhere you may sit with your computer/laptop.
NSA could currently be leaking disinformation to undermine use of TrueCrypt or get those with sensitive information to check or move their TrueCrypt protected data or perhaps migrate it to another solution, revealing where it is kept and also allowing an interception or sabotage operation to go ahead.
The NSA is lieing like crazy at the moment, with politicians and others jumping on the bandwagon. "There was only one email complaint from Snowden", they claim, though convieniently not mentioning he complained in person on at least ten different occasions to senior officials and was told to keep quiet. They may have destroyed any other complaints evidence already I imagine.
Also lies about Snowden being some very low level analyst, who just happened to have access to very high security clearance and worked in a number of important senior roles, but tell John Kerry not to mention that also. "Snowden exposed the inner workings of very important terrorist surveilance systems", just be sure not to mention that Snowden didn't actually reveal how these systems worked, instead he revealed the same systems being used to spy on terrorists were also being used against the public populations, including US citizens, and extensively used against foreign populations and government allies. The inner workings of such surveilance systems were never revealed by journalists working with Snowden or Snowden himself, and anything that could possibly hint at any technical specs was carefully blacked out and censored. More technical information can be found about surveilance software and hardware, and their mechanics from the actual manufacturers online promotional materials.
Likely faith in TrueCrypt maybe being rattled purposely by GCHQ and NSA as they are getting increasingly nervous as their arguments keep falling over and they continue to contradict themselves. Maybe they are worrying some very serious criminal behavior they conducted for quite some time is about to be revealed? Quick, discredit the messenger before everyone finds out!
bader contractor • May 30, 2014 12:49 AM
TrueCrypt alternatives would be a good idea though. Cryptanalysts need to collaborate on a couple of new open source alternatives that are subject to a wide array of detailed reviews by a number of independent math and crypto collectives before each new stable release candidate is publicly recommened, or any unvetted code contributions are allowed to be added to any version at any stage of the development process.
Universities, privacy orginisations and experienced members of the public with a strong background in crypto could also conduct open public reviews of each new public release or update of crypto solutions to help ensure a set of standards is developed to rate and assess the effectiveness of each and any build version of a crypto solution. This would help to avoid ineffective home baked implementations or poisoned repositories and purposely weakened code contributions. Now that orginisations such as RSA and NIST have had serious questions rasised over their proceedures, a whole new variety of vetting processes and independent collectives is needed to ensure public and private trust in security standards.
Thoth • May 30, 2014 1:31 AM
Truecrypt imploded and I think that fact. There are a few alternatives to Truecrypt but I believe none are as usable as what Truecrypt offers. If we want to make cryptography accessible to the masses, I think the most logical next step is how to drive other alternatives a few more steps closer to the usability of Truecrypt or to form a community driven cryptography project to create some kind of Next Generation Disk and File Encryption System.
Here are some options we have in hand to return to normalcy during the chaos:
- Stop panicking.
- Transferring Truecrypt encrypted materials to other encryption system that you are not comfortable or familiar with should be done with extreme care or not done at all.
- Rumours would always be rumours until after a period of time and the truth surfaces.
Here are some options we can do to future proof from something similar from happening again:
- A set of community vetted standards to export and store secret materials in a secure and plausibly-deniable manner to transit from one Encrypting Filesystem to another.
- A set of secure coding techniques to be expected in cryptographic products released to the community (i.e. wiping secrets in RAM memory, wiping and securing unused keys in RAM memory, audit-able encryption and erasure of secret materials ...etc...).
- Documentation and coding standards in secure software with features to make software codes easily audited.
Roy Badami • May 30, 2014 2:20 AM
@unhappyApples
I wasn't aware that the encryption code *has* been removed, just the ability to create new encrypted volumes.
Besides, is there any reason to believe that all E4M-derived code has been removed from TrueCrypt 7.2? I'm highly skeptical - very little code has actually been removed.
Does anyone have a reference as to what actually transpired beyond the orignal accusations? All I can find is that there was a dispute between the original author Paul Le Roux, and SecureStar, a company he at some point worked for, over the ownership of the E4M code. But by some accounts he only worked for them some years after releasing E4M, so anything derived from a version prior to that should be safe, one would imagine.
roy
Jason • May 30, 2014 3:56 AM
Steve Gibson has posted a nice abstract of recent communications *with the TrueCrypt developer(s)* and Steven Barnhart.
I tend to agree with his summation, that we will all still be ok to use TC v 7.1 given that it looks like:
a) the audit is going to be completed, and;
b) the Linux Foundation may be creating a true FOSS fork.
https://www.grc.com/misc/truecrypt/truecrypt.htm
He also has v7.1 available for download from that page for anyone looking to grab a copy, binaries and source.
Bena • May 30, 2014 4:07 AM
I am a TrueCrypt user, but no computer expert. Given the extraordinary turn of events, I can think of only two plausible explanations.
1. TrueCrypt is perfectly kosher, and the developers have come under government pressure to compromise it, but they have chosen to shut it down instead, and have done so in such a daft way to signal the truth.
2. All along, TrueCrypt was an NSA ruse with only a few top people in on the secret, so in many lesser cases, where law enforcement wanted access to encrypted material, help was not given so as to maintain the secret. And now, for some reason we don’t know, the game is up and government wants people to believe the explanation above.
Mike the goat (horn equipped) • May 30, 2014 4:27 AM
Nick: yeah, it is certainly a strange turn of events. The twitter discussion I linked to was pretty indicative of the responses received from those who claim to speak for the TC team. As you know I have always been very wary of it and advised all on my blog to not entrust your data to it. That said, knowing what I now know - this smells like an NSL compelled shut down. When I am finished working I will put my rationale to paper (here and on my blog) and justify my conclusion.
Mr C: yes - but you must understand you are using abandonware and be prepared for the inherent risks involved in entrusting your data to an unsupported product. There were one or two vulnerabilities disclosed for it, all I believe have been patched.
All - FDE isn't magic, and a clean room reimplementation of TC (due to its licensing) would be a viable option at this point. Were I not so time poor I would volunteer. I will document later just what would be required to reimplement tc and to actually "do it right". I believe that the successor of TC should attempt to encode the disk so that it can be read by other existing open source crypto - for example, LUKS, dm-crypt or geli. I believe I have a sensible proposal, which I will speak of when I have some more time.
All, pt 2: I would encourage users who already have important data encrypted with TC to not panic. Migrating your data may be what an adversary is actually trying to achieve. If you are truly concerned that TC is broken and you are using a container and not FDE, there is nothing stopping you from encrypting the existing container file with another tool, e.g. gpg in symmetric mode. We usually discourage multiple layers of encryption but this would merely be a stop gap measure.
Users who have not yet installed TC but were considering it should probably consider other alternatives. If you decide to use TC then download v7.1a from one of the many mirrors. The SHA1 for it is 7689d038c76bd1df695d295c026961e50e4a62ea
The MD5 is 7a23ac83a0856c352025a6f7c9cc1526
(The PC mentioned is not connected to the Internet. As a result these hashes were hand typed. I checked for typos but there may be human error, albeit unlikely)
yesme • May 30, 2014 4:32 AM
What if the developer of TrueCrypt is on a 5 day fishing trip? And what if the NSA found that out a couple of weeks ago, knowing that during these 5 days he is not on-line, placed the story of abandoning blah blah on his site? They can do this.
After the fishing trip, let's say sunday evening, the developer comes home, goes on-line and... ouch.
I don't think that this kind of damage is reparable unless the guy goes public and shows his face, because the trust is gone. But going public is probably the last thing this guy wants.
yesme • May 30, 2014 4:36 AM
Sorry, I forgot to check the HTML filtering stuff.
I put "laughable conspirace mode on" in "" brackets and at the end "laughable conspirace mode off". Don't take this posting too serious.
So it should look like this:
[laughable conspirace mode on]
What if the developer of TrueCrypt is on a 5 day fishing trip? And what if the NSA found that out a couple of weeks ago, knowing that during these 5 days he is not on-line, placed the story of abandoning blah blah on his site? They can do this.
After the fishing trip, let's say sunday evening, the developer comes home, goes on-line and... ouch.
[laughable conspirace mode off]
I don't think that this kind of damage is reparable unless the guy goes public and shows his face, because the trust is gone. But going public is probably the last thing this guy wants.
yesme • May 30, 2014 4:43 AM
s/conspirace/conspiracy/g
Mike the goat (horn equipped) • May 30, 2014 5:04 AM
Nick and others - in fact, if we are discussing a "new" truecrypt alternative, how about this proposal...
A small board with SATA power and data on each side such that it sits inline between disk and controller.
It would be trivial to implement a basic command set so that the board can emulate a HDD. Encryption and decryption occur on the fly and transparently meaning OS support is universal.
By leveraging the existing command set the MiTM controller will reveal the correct media size, etc to the BIOS and by leveraging the ATA PASSWORD feature - which most modern machines support, the BIOS can query the user for the password so we need not worry about having a "fake" boot partition that chainloads everything after authentication.
Initial setup of the drive and reconfiguration is achieved using a small utility which talks with the drive using ATA commands.
If we wanted to be really fancy we could have an RS232 header on the board so users could optionally connect up a smartcard reader to achieve either two factor auth or just to do away with the password prompting.
Mike the goat (horn equipped) • May 30, 2014 5:07 AM
Oh, and of course if we changed our form factor to PCIe we could do our mojo via the option ROM and things would be even easier. Now I know some raid controllers have this very feature but I am talking about doing something simple and with a price point that brings it to the masses.
Zozar • May 30, 2014 5:40 AM
@Bob S. "Maybe so. I wonder if NSA has that kind of reach however...that is...overseas? I don't think an NSL would work there. ": The "TRUECRYPT FOUNDATION" is registered as a "Domestic Non-Profit Corporation" in the Jurisdiction of "NEVADA" (a state in the western, mountain west, and southwestern regions of the United States) by ONDREJ TESARIK, 2360 CORPORATE CIRCLE STE 400, NV, USA.
Zozar • May 30, 2014 5:41 AM
@Bob S. "Maybe so. I wonder if NSA has that kind of reach however...that is...overseas? I don't think an NSL would work there. ": The "TRUECRYPT FOUNDATION" is registered as a "Domestic Non-Profit Corporation" in the Jurisdiction of "NEVADA" (a state in the western, mountain west, and southwestern regions of the United States) by ONDREJ TESARIK, 2360 CORPORATE CIRCLE STE 400, NV, USA. See: http://nvsos.gov/sosentitysearch/CorpDetails.aspx?lx8nvq=djRu2RWGpIESdKlMBbSrDw%253d%253d&nt7=0
Mike the goat (horn equipped) • May 30, 2014 7:01 AM
I don't particularly want to pollute this thread with my verbose rantings, but if anyone is interested I have posted an update on the TC situation - a primer detailing what we know, what we don't know (lots) and my conclusions and suggestions on moving forward from this.
At the risk of repeating myself - we need a TC alternative that uses none of the potentially tainted (copyleft wise) code. One that has support for UEFI and large disks partitioned with GPT. The software need not be overly complicated. I foresee a simple shim loader, a windows device driver and a simple userland GUI for management. The on disk format should be readable by LUKS. If the machine has an AES accelerator then it should be used (with an option to disable it).
Of course the security provided by any FDE solution isn't perfect and there are much better ways of doing things, but by making what amounts to a modernized FreeOTFE we are at least giving people *something*. So long as people understand the pitfalls and limitations of the technology they use I think it is perfectly acceptable.
I would love to hear Nick's view on this, and in particularly his thoughts on how difficult it would be to make a piece of hardware to do the job. If we could do this at a price point that is accessible for the average Joe then it might be a viable kickstarter or other crowdfunded project.
Swabbie • May 30, 2014 7:14 AM
I found this website which appears that Truecrypt has been moved to Switzerland.
Mustafa Monde • May 30, 2014 7:24 AM
Yet again, the BBC news site is very quiet on this sort of thing ... i.e. anything that may be remotely related (either by rumor, conspiracy theory, hearsay or fact) to the activities of no such agency.
Mr. Pragma • May 30, 2014 7:35 AM
Alternative? Replacement? Why? Whatfor?
truecrypt users trusted in tc for years without much more than hardly verifyable promises in their hands. tc 7.1 has been audited (part 1) and found more or less ok. So, actually the situation for tc users has strongly *improved*.
As for 7.2.: Is there some new and vital feature in 7.2? Don't think so.
As far as I'm concerned, the problem of tc users isn't what's currently happening, who is behind it, etc, etc, but the fact that they use windows and truecrypt in the first place.
Another problem that I see in that context is that every other Joe and Jane feel the necessity to have an encrypted volume; quite typically without really understanding what they want and do. And this is not limited to windows, this includes linucks users, too, at least many, many of them. And, sorry, bot No, knowing *how* to configure encrypting disks, containers, whatever, on linucks does not equate to knowing *what* one does and how it works or its potential side effects or potential problems (which can be outside of tech., e.g. legal), risks, etc.
Don't forget: nsa isn't so successful because they have so many eggheads with thick glasses but because so many companies you trust are colluding with nsa and because the vast majority of the victims know -- and care (beyond lip movement) -- about as much about security as cows know about dancing tango.
So we have reason to believe in miracles now (in this small segment of security)? Don't think so.
So just go ahead and make a backup of your tc 7.1 (incl. hashes!) and walk on. Nothing to see here.
Mike the goat (horn equipped) • May 30, 2014 8:00 AM
Pragma: I agree with you - up to a point. As we all know, security is a numbers game. It shouldn't be but with the way modern hardware is - we are unable to discount the possibility that our PC hardware comes to us "prepwned". I think many TC users *know that* and aren't safeguarding their files from a L3+ adversary -- many just want to ensure that if someone steals their laptop that their secrets remain safe (something ATA PASSWORD was supposed to do - not by encrypting, just a firmware level restriction - but in so many cases it was trivially bypassed). And yes, these people would be fine candidates to migrate to bitlocker.
What concerns me is the users who believe that FDE is some magic bullet that is going to take their stock standard windows machine and make it impervious to government attacks. FDE is only one part of what should be a well considered threat mitigation matrix. Cold boot attacks must be considered - even if the software is doing a great job it can't protect you if the attacker gains physical access. And let's face it, if you have secrets of the level that may raise the ire of intelligence agencies - it is only a matter of time before your lock is bumped.
Mike the goat (horn equipped) • May 30, 2014 8:06 AM
Oh and pragma - I do understand and agree with you fully on the first point you raised. Users are happy to run a closed source OS that we believe either already has TLA backdoors or can be configured to enable such access (possibly by a "special" update delivered through normal channels) so long as they have TC performing full disk encryption. This seems crazy, as when the OS is running the volume is obviously mounted and your data is there for the taking. I can only see FDE being useful as an adjunct to file level encryption - that is, to protect against stealth copying of the clear text file as you are working on it by software. It also makes effective erasure of media easy - just zero out the blocks which contain the key.
So there are benefits, even on a platform like Windows.
But I absolutely agree with you. A migration to FreeBSD, Linux or pretty much anything else would vastly improve their operational situation - *if they have the knowledge to use it correctly* (and the latter is Schneier's excuse as to why he runs Windows).
I don't think this is the work of the NSA.
First, the NSA is not the only agency out there that doesn't want peons to have good crypto. No government does, regardless of what they say publicly. Good quality encryption applications are problematic for all governments. With the Snowden revelations, it is too easy to assume the NSA/GCHQ are the only players in the game when it is not the case.
Second, if the NSA had enough access to get the TC developers' private keys, this would be an idiotic way of using them and not very NSA like. I'd expect a couple source code modifications and a new version silently pushed out signed with the stolen key. Announcing to the world like this would be a wasted opportunity and too high profile.
Third, if this is the result of pressure from the US government, it would probably not be the NSA doing it. There are many agencies and offices of the government that can be used to coerce people to do what the gov wants. The CEO of Qwest was investigated by the SEC, not the NSA. If the developers are outside the US, the most likely scenario is that th State Dept put pressure on the host country.
The Brazilian • May 30, 2014 8:24 AM
GRC has a Truecrypt page up. The devs communicated via Twitter and just said they didn't want to maintain the project. The audit will continue, and the project may continue in the FOSS community. Are we done with this panic, or do we not believe any of it?
Zonzo • May 30, 2014 8:29 AM
I made reference to the USS Pueblo incident earlier.
The emails "from" the Devs could be impostors or coerced.
I still think the endorsement of bitlocker is a dog whistle to security minded folks to communicate that something is amiss. Just like our boys from the USS Pueblo slipped the bird into propaganda photos by their captors
Bobo • May 30, 2014 9:11 AM
"Not Secure As" - why is anybody looking for more steganography?
Mr. Pragma • May 30, 2014 9:14 AM
Mike the goat (horn equipped)
It's worse.
Security is also to a large degree (as Bruce illustrated so often and well) a theater.
And security, at least for the vast majority, a widely not or misunderstood book with seven seals. Unfortunately shockingly often (to avoid saying "almost always") even the simple steps are not taken, most importantly analysis.
Security is very very different things for, say, a member of a terrorist group, an average company, and a home user.
In most companies, even the basics of security fail to be understood; security to them usually is something to be bought. It's things like access controls (often only in rudimentary form, e.g. locking systems), firewalls, and "security cards or keys".
Their concern typically is two issues: disgruntled or otherwise "evil" employees and competition.
Often such companies shell out considerable amounts of money for (what the feel to be) "security" but at the same time they fail to understand even basics such as having a dedicated "internet box" in their, say r&d department; instead they install some security theater snake oil (AV and a windows "firewall") on the very systems their engineers use to design products with, say autocad inventor; and then the engineers happily surf and email from those very boxes without any worries because, you see, each of the boxes has "security" for 300 us$ on it! How can there be a problem?!
Next they have a "secure" file server. It must be secure because there's a, say, red stripe on it and it cost serious money! Now they happily "back up" their sensitive work to the "secure file server" using cifs/samba. And hell is that file server secure; there's even a security dongle in an usb port. How can there be a problem?!
Last but not least the r&d department has dual doors and an intrusion detection/alarm system. There is even a small rfid box right under the light switch where authorized personel must swipe their "security cards". And the central device to make those "security cards" is only at the secretary of the human resources boss. And only well selected engineers have such a "security card". Oh well, and there are 3 or 4 cards with some outside service providers (e.g. cleaning). Now, if that's not security, then what is?!
Of course, the chief of r&d being a smart and mistrusting fox has a second backup of all important r&d stuff. Just in case. And of course it's encrypted. With "security drives w/encryption" on his windows 8 box. Or maybe he put it in the cloud. So that eventual burglars wouldn't get at it.
And then comes you. Wanting to advise them on security.
Forget it! Symantec has a name. And so has microsoft. And xyz, the company producing and selling the security file server with a red stripe. And who the fuck are you? Can you be trusted? No, better no risk with you. We'd rather buy another *real* security product. Maybe we are lucky and symantec soon offers a cloud security file server with an impressive yellow/black stripe. How much, you say? 12.000? Sounds reasonable. After all security is important to us!
Bobo • May 30, 2014 9:18 AM
The fact that truecrypt.org has been excluded from Internet Archive is really weird. Why would an honest non-profit do that without being forced? The cumulating weirdness really cries Lavabit.
Bobo • May 30, 2014 9:27 AM
Google search on ONDREJ TESARIK seems to be censored.
Bobo • May 30, 2014 9:28 AM
Take it back. Nevada is confirmed:
Christer Weinigel • May 30, 2014 9:30 AM
So, something has happened with the truecrypt web page, the signing keys have been compromised or maybe there was a spat between the truecrypt developers. Fishy and I have no idea what's going on. But does this really mean that the trust people have placed in older versions of Truecrypt (7.1A) has been misplaced?
What are the possible problems with truecrypt? Well, there might be a backdoor in the code which leaks key material or there is some fundamental weakness in the on-disk format and the maths behind truecrypt.
As far as I know no backdoor has been found so far during the audit of truecrypt's source code.
As for the on disk format, it is known and it's fairly easy to verify that data on disk written by truecrypt actually matches the documented format. For example, here's a proof of concept truecrypt implementation in python, using python's crypto libraries, which can read truecrypt volumes:
http://blog.bjrn.se/2008/01/truecrypt-explained.html
(The code might not work as is, if I recall correctly I had to tweak things a bit when I played around with it, but after that I was able to decrypt the volume header and data from the disk.)
If any of the algorithms in truecrypt have been weakened they would produce different ciphertext and thus a third party implementation of truecrypt should not be able to decode the data. Except for the volume header I don't think there is any space on a truecrypt volume that shouldn't have a predictable mapping between ciphertext and plaintext, so there should be no place to store a side channel data and leak key material. So I believe we can be fairly confident that truecrypt actually encrypts data the way it's supposed to.
It should also be fairly simple to verify that the only sectors written to by truecrypt are the ones truecrypt should write to and thus be pretty sure that there is no leakage of the keys.
The truecrypt bootloader should be found in sector 1-62 and can be compared with the bootloader inside the truecrypt binary. The encrypted volume header is in sector 63 and it can be decrypted and the contents examined and the source that creates the volume header can be audited. Finally, the sectors of the encrypted volume can be decrypted and compared with the data written to it.
Of course, a trojan running side by side with truecrypt could extract the encryption key from memory, encrypt it with a known key and store it in an unused sector of the drive. But that's true for all software encryption.
Another option is that there is some weakness in the way truecrypt performs encryption. The default algorithms used by truecrypt generate a key by performing PBKDF2 with the RIPEMD160 hash algoritm on the passphrase and a salt from the volume header. This key is then used to decrypt the volume header using AES256 in XTS mode. The actual key used to decrypt the rest of the disk is stored in the volume header, and once again AES256/XTS is used for encryption/decryption of the sectors.
I'm not an expert on cryptography so I can't tell if the cryptography behind truecrypt is sound or not. But it does look like a fairly straight forward implementation of the algorithms. If truecrypt's usage of these algorithms is broken, won't for example LUKS be broken in the same way?
I haven't looked into LUKS key management in depth but the description sounds very similar: Use PBDKF2 with some HMAC function to expand a passphrase to get a key. Use the key to decrypt the data in the key slot to get the master key. Use the master key with AES256/XTS (the default in luks) to encrypt/decrypt the sectors on the volume.
Actually, all that the truecrypt application for Linux does is to perform the key expansion and then set up a dm-crypto mapping that uses Linux built-in AES/XTS implementation to perform the bulk encryption/decryption.
So if truecrypt is broken, won't most other disk encryption software using the same algorithms and principles also be broken? Or is there some subtle breakage in truecrypt's key management that I'm not competent enough to see?
Bobo • May 30, 2014 9:32 AM
Somebody just using TrueCrypt as a name?
http://nvsos.gov/sosentitysearch/CorpDetails.aspx?lx8nvq=djRu2RWGpIESdKlMBbSrDw%253d%253d
This was my last post, promise.
Leon Wolfeson • May 30, 2014 9:38 AM
@Christer - Indeed, that's why it's important to examine the crypto formally, which is still going to happen.
The loader can be replaced, and has alternatives today, but if the on-disk format is proven-good, it's worth keeping.
(I don't think there's a good windows alternative, but I'd prefer a new loader for a proven encryption container than a new both!)
Christer Weinigel • May 30, 2014 10:50 AM
Another thing, all my points relate to data at rest when the computer is off. There may be other issues with timing analysis or power analysis on truecrypt when running. Or just other ways of getting into Windows on a running computer.
Tony • May 30, 2014 11:21 AM
Has Snowden commented publicly on this? Perhaps he could provide some insight ...
Dilbert • May 30, 2014 11:24 AM
@bae24d3fff
I dropped by www.archive.org in the hopes of finding the forum data preserved there. I was sad to see the following message:
Sorry.
This URL has been excluded from the Wayback Machine.
xd0s • May 30, 2014 11:43 AM
At the risk of straying too far into conspiracy land...
The "TRUECRYPT FOUNDATION" is registered as a "Domestic Non-Profit Corporation" in the Jurisdiction of "NEVADA" (a state in the western, mountain west, and southwestern regions of the United States) by ONDREJ TESARIK, 2360 CORPORATE CIRCLE STE 400, NV, USA.
Anagram for ONDREJ TESARIK
Trained Jokers
Just sayin' they go to lengths to hide who they are.
Nick P • May 30, 2014 11:57 AM
@ Mike the Goat re FDE solutions
I've replied to you here in Squid thread. Building truecrypt replacements and what's happened to Truecrypt are separate discussions. So, we should probably keep that tangent in Squid thread.
Dewi Morgan • May 30, 2014 12:52 PM
You know what would be interesting?
Running the TC docs and website, and that announcement page, through a language analysis program, seeing how likely it is that they were written by the same people.
Does anyone have such software, and willing to post steps how to do that?
CHANGE NAME OF TRUECRYPT IN TRUE"NSA"DECRYPT MAYBE...
Pascal Hoang Duy Roget • May 30, 2014 1:53 PM
my bad.
noonnee • May 30, 2014 2:01 PM
@Dewi Morgan
Search for authorship identification, or authorship attribution, and you'll find programs or methods of doing that.
Billy Y.. • May 30, 2014 2:14 PM
After reading all the comments here, I think it'd be good to take a look at what's brought us to where we are today.
Privacy under attack: the NSA files revealed new threats to democracy | Technology | The Guardian
This is not what I'd call light reading, but is it well worth your time? Yes, it definitely is.
Mike the goat • May 30, 2014 2:28 PM
Dewi: I have done just that.
Nick: no problems, I shall respond in the squid thread shortly.
Rex the Wonder Horse • May 30, 2014 3:04 PM
Given that Archive.org no longer has Truecrypt.org archived, and that Archive.org is a US corporation (non-profit), it stands to reason that they have been served with a NSL to not only takedown Truecrypt.org, but that Archive.org is enjoined from commention on it at all.
There is no mention of Truecrypt on Archive.org's site (as in Trucrypt asked us to remove the site archive), and by now archive.org would be well aware of the controversy about Trucrypt these past couple of days.
Ergo it stands to reason that a NSL was used to take it down.
Hurp • May 30, 2014 3:20 PM
That does not stand to reason at all.
Vincent L Gambino • May 30, 2014 4:11 PM
Re: Internet Archive Wayback Machine, it may be worthy of note that while www.truecrypt.org is not archived, forums.truecrypt.org is:
https://web.archive.org/web/20130820150930/http://forums.truecrypt.org
Not _well_ archived, mind you - the dates are sporadic and there are more posts missing than captured on those dates. But spidering at that level is a hit or miss proposition, those are not the results I would expect from a concerted, fedgov-backed effort at suppression.
Re: "not secure as" as a steganographic representation of "NSA", that's quite a leap, don't you think, especially in isolation?
Re: sour grapes over the 70k USD in donations collected by the audit team as motivation - that has some limited plausibility, but is stupid if accurate. The audit donations tell me that there were people to whom Truecrypt as a reliable encryption product was in aggregate worth at least that much. If the developer or developers (I see indications that this may have been primarily a one man show) was unable to find a way to tap that very same audience, imo that is his or her bad. Not surprising, though, as developers can be pretty awful at understanding markets. Years ago, before FOSS replaced shareware, I tried to elicit some kind of invoice document from developers who wanted to be paid if their product was used commercially. If I had an invoice in hand, I could have coughed up on behalf of my employer, but there is no way I would have been authorized to make a "voluntary contribution" as the model was not at all understood in the "C" suite. I must have made 2 dozen such inquiries of developers, producing perhaps 3 replies in total: 1 sniffing in disdain at the very idea of an invoice; and 2 indicating a complete lack of comprehension of the concept.
It might be interesting to see if the checksums for TC 7.1 on the various archive sites mentioned here match...
-VinnyG
Conspiracy Theorist • May 30, 2014 4:16 PM
GRC reports that TrueCrypt developers have responded with "There is no longer interest."
st37 • May 30, 2014 5:35 PM
This can be a kind of responsible disclosure.
They found a complex vulnerability in the code
that is very hard to fix so they gave a warning
before the audit will also discover it.
Polf • May 30, 2014 6:14 PM
There was this 2005 truecrypt interview:
WolfManz611: Whats your position in the TrueCrypt project?
Ennead: I'm 29 and my main project roles are the following: Project Administrator, Developer, and Designer. I am also responsible for the documentation and the website.
WolfManz611: How much time have you spent on the TrueCrypt project getting it to where it is today and how many developers are working on it?
Ennead: There are currently two main developers (who are also the project administrators) working on TrueCrypt. As for how much time we have spent on the project, I think quite a lot. We usually take a short break after a major release (unless there are major issues that need to be resolved immediately) and then begin working on a new version. A considerable portion of our time is devoted to the work on the project.
Morthawt • May 30, 2014 7:43 PM
Seems Truecrypt is not "dead" it is just going to transform: https://www.youtube.com/watch?v=Hkode8VCcKI
I hope the next people will be as good or better than the previous developers. Truecrypt has been by far the best solution I have ever used and I have always had a fascination with security and encryption. I have tried and tested many products and TrueCrypt has had my support and recommendations more than any other.
Thoth • May 30, 2014 7:45 PM
I wonder if the community has a process that would prevent such situations from happening again in terms of developers for important projects are either coerced or simply just want to kill off their projects.
If their project specifications are built along some form of agreed standards and format and they are under coercion or simply gave up their maintenance, it would be much more easier to verify the sanity of their codes' output to verify by certain authenticated encryption/decryption output.
If someone creates their own encryption format and comes along to pull the plug, the codes must be re-audited again whereas if they follow a specific format or set of standards, their output can be loaded into another codebase that handles the same formats and standards to be checked.
I feel we should be giving more thoughts in this area than to the plausible rumours so that in future we would not face such problems again (especially in regards to important cryptogrphy projects like Truecrypt and LUKS).
Annoyed • May 30, 2014 8:01 PM
@Mike The Goat:
Your SHA-1 is consistent with the one from truecryptcheck.wordpress.com and also the one listed at How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries
@nicola
keys.gnupg.net resolves to a page hosting "OuterSpace, A SciFi MUD"...
Annoyed • May 30, 2014 8:13 PM
@Morthawt
Thanks for the link. I followed the links on the YouTube video to Steve Gibson's site and in this article he makes this statement:
By this time, one of the TrueCrypt developers, identified as David, had been heard from and his interchange confirmed the essential points of my conjectured theory of the events surrounding the self-takedown of TrueCrypt.org, etc
So the question is: How do we know this "David" is in fact a TrueCrypt developer and can he be trusted?
David Henderson • May 30, 2014 9:24 PM
I'm a long time OSX user. Keeping my boot volume encrypted with OSX 10.7.
I was using encrypted *.dmg volumes to hold personal info, then I read Apple's CEO Tim Cook saying "We dont have any illegal backdoors".
Sigh. I interpreted Tim's comment to mean: "We only have legal backdoors" and protected myself with truecrypt. There is no trust left with Apple.
Now it seems like truecrypt might be compromised. I have version 7.1a archived for both Linux and OSX binary formats. I will continue to use it with an recognition that its not trustworthy. Trust is vanishing
I have no big secrets to keep but I really despised being surveiled.
My long term solution is to migrate away from proprietary closed source OS/utilities. That means Linux of some kind or FreeBSD. Open source boot disk encryption is very available here.
My personal options are still fluid, but I favor gentoo Linux on top of Freebsd (which requires a live internet connection) or CentOS (which comes in binary versions that can easily be airgapped.)
I'm a mathematically inclined Solaris/Unix application developer, not a security expert. I want a way to keep trade secrets and to maintain personal privacy.
Proprietary and closed source systems are no longer of interest. Trust has died.
Use your brains people • May 30, 2014 9:31 PM
I could write here a long posts about a highly suspicious international organization called "Truecrypt" with website registrations in "Antarctica" (several of the "truecrypt" websites were initially registered there, look it up), trademark filings in the USA and the Czech Republic...
...by the way: no shortage of addresses for "Tesařík David"...
http://isdv.upv.cz/portal/pls/portal/portlets.OZS.det?pozk=154085&plan=en
...as well as a foundation and a LC in the USA
...an organization which has been developing this wonderful and very complex software for several years completely for free, with unnamed developers who have a great desire to stay anonymous...
OR: I could just give you this link, only accessable through the "Wayback Machine", as it really explains a lot:
https://web.archive.org/web/20040529211445/http://www.justice.gov/criminal/cybercrime/cryptfaq.htm
Why is it so interesting? Well, it contains the thoughts of the US-government, which later was not so outspoken on this issue any more.
"Department of Justice FAQ on Encryption Policy
April 24, 1998"
I would like to highlight the following:
"4. Does the government want to hold everyone's private keys?
No, the government does not want to hold the keys of private citizens or commercial enterprises.
Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety.
The Administration is not advocating any single product, technology, or even technical approach, and is certainly not insisting upon "escrow" of keys with the government. Key recovery, for example, where the encryption key is held by a trusted third party, is merely one possible approach, and is by no means the only one that would meet law enforcement's goals. Rather, we are flexible -- provided that the resulting solutions and arrangements preserve the Nation's critical abilities to protect the public safety and defend our national security.
B. LAW ENFORCEMENT ISSUES
5. Why does law enforcement oppose the use of encryption? Don't you realize that it will make your job easier by stopping crime?
We do not oppose the use of encryption -- just the opposite, because strong encryption can be an extraordinary tool to prevent crime. We believe that the use of strong cryptography is critical to the development of the "Global Information Infrastructure," or the GII. We agree that communications and data must be protected -- both in transit and in storage -- if the GII is to be used for personal communications, financial transactions, medical care, the development of new intellectual property, and other applications.
The widespread use of unrecoverable encryption by criminals, however, poses a serious risk to public safety. Encryption may be used by terrorist groups, drug cartels, foreign intelligence agents, and other criminals to secure their data and communications, thus nullifying the effectiveness of search warrants and wiretap orders. The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance.
At bottom, it is important to recognize that society has an important choice to make. On the one hand, it can promote the use of unrecoverable encryption, and give a powerful tool to the most dangerous elements of our global society. On the other hand, it can promote the use of recoverable encryption and other techniques, achieve all of the benefits, and help protect society from these criminals. Faced with this choice, there is only one responsible solution.
+++
Any more question???
Use your brains, everyone.
Nick P • May 30, 2014 11:51 PM
@ Skeptical
Forgot to respond to you before. I apologize as I've been extra busy this week. The points you brought up are true. The inside of a person's head can be complex. Even simplified, there's often a few potential reasons for a basic reaction. The overall process I described was simplified for readers. Becoming good at it in practice takes years of practice. Often more like 10-20 some would say. It's why I focused on "probability" of something as a result rather than "you can be sure."
packrat • May 31, 2014 2:30 AM
Question for Bruce. The Register says you told them that you "switched back to Symantec's PGPDisk" as a Truecrypt replacement (http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/). Is that true?
rufo guerreschi • May 31, 2014 3:29 AM
Main things people and IT people hopefully learned from TrueCrypt and OpenSSL events for building privacy tools for ordinary users:
- anonymous developers are an asset, but only if they are a minority and not maintainers or the lead developer
- free software is not a guarantee for adeguate levels of actual verification and therefore assurance of the application
- current tools very far from adequate for the uses many make of them. The problem is not spreading the toools or convince user to use them but to tell them not to and request from the market much much better
- the goal is to build trustless ("Trust no one" or "Zero Trust model") where you do not need to trust anyone or anything
Still to learn for most (although its there in post-Snowden revelation (Foxacid, Turbine, Italian Hacking Team):
- OS, hw and firmware vulnerabilities, which are likely extremely widespread and can likely be exploited and managed for million of devices for a very low marginal cost, by several advance threat actors, make so that automated-targeted surveillance very close in cost to mass passive surveillance.
Next step:
- OS, hw and firmware vulnerabilities can be assessed by a varied community or JV by complete openness and extreme simplicity and minimisation in end-user devices (or more reasonably at least one device/hw-platform) that is so extremely simple and completely verifiable in features, sw, and hw - complementing our ordinary mobile/PC computing - that a community of diverse shareholders actually can AND do extreme levels in ALL its sw, hw, firmware at endpoints and in its manufacturing process, ideally for under few tens of millions of $: User Verifiable Social Telematics
Nilson Vianna • May 31, 2014 6:59 AM
The Truecrypt went down in history as a success story of how an opensource and free tool can be as good as the commercial tools. I remember well a sentence that said posted 'it's so good it could be paid'. I believe that the donations were not enough to keep the effort to update the tool. Everyone needs money. But I think the replacement suggestions presented do not cover all the features of truecrypt, such as:
1 - Hidden volumes
2 - self executable in USB sticks
3 - several choices of algorithms
4 - 'encryption cascade' - Layered Encryption (recent feature, I guess).
honestly, I hope it's not the end of the story yet.
Success story??? • May 31, 2014 9:20 AM
Yes, "Truecrypt" is indeed one of the biggest success stories --- of the NSA!!
(bang head on table)
Ever been to Antarctica???
I have got some links for you.
They are pretty ... "cool."
http://reverseip.domaintools.com/search/?q=truecrypt.org
http://reversewhois.domaintools.com/truecrypt-foundation
http://whois.domaintools.com/truecrypt.mobi
http://whois.domaintools.com/true-crypt.org
http://whois.domaintools.com/truecrypt-foundation.org
http://whois.domaintools.com/truecrypt.com
The following one is the most interesting links...because it was only registered in 2013....again, IN ANTARCTICA !!!
http://whois.domaintools.com/true-crypt.com
You have all seen that the truecrypt website have been "excluded" from the Wayback Machine....right???
https://web.archive.org/web/20110128083118/http://www.truecrypt.org/
You do realize that usually the Wayback Machine gives the notice that a website has not been captured due to "robots.txt"? So why not in this case?
How much info do you need to stop believing this ridiculous truecrypt story? Truecrypt was designed to supply free high-quality encryption software to the masses - software which then could easily be cracked by the NSA, because they manufactured it themselves.
Now, with the audit, the NSA needed a way out of it. They try to make it appear that somebody pressured the "developers."
No suprise that Snowden didn't know about Truecrypt. There was no need for the program to be discussed in the NSA-slides, because it was an NSA operation all along.
Hurp • May 31, 2014 10:16 AM
No you fool! The Antarctica thing proves it: the NSA are just pawns and Zombie Hitler and his band of South Pole Nazi Holdouts have been behind TrueCrypt all along!
unimportant • May 31, 2014 10:29 AM
@Success story: The source code was available, and the distributed binaries could be verified against a self-compiled version. Nothing suspicous was found (during the entire lifetime of the TrueCrypt project).
Virmaline • May 31, 2014 10:48 AM
"At bottom, it is important to recognize that society has an important choice to make. On the one hand, it can promote the use of unrecoverable encryption, and give a powerful tool to the most dangerous elements of our global society. On the other hand, it can promote the use of recoverable encryption and other techniques, achieve all of the benefits, and help protect society from these criminals. Faced with this choice, there is only one responsible solution."
Ridiculous. If "law enforcement" gets a warrant to search my safe, it can use any skills it has available to it to get into the safe. I do not have help it by providing the combination, nor should I be limited to only purchasing safes that these snoops can get into. The "most dangerous elements of our global society" are the Orwellian spies and the thugs with badges who are their foot soldiers.
Success Story??? • May 31, 2014 11:27 AM
@unimportant
Well, can you point us to a comprehensive review/audit of the software which would support you claim that "Nothing suspicous was found (during the entire lifetime of the TrueCrypt project)."
I believe that nothing exists which comes close to a proper audit. This is exactly the reason why the "IsTrueCryptAuditedYet?" project was put in place in 2013.
I do hope that the members of the audit team won't abandon the project. The government fooled everybody for years. It's time for people to wake up and be less trusting. Use only open source encryption software if the whole process is transparent and truly open source, and watch out for obvious warnings signs (of which there were plenty, as far as "Truecrypt" is concerned).
In addition, Truecrypt was never "open source."
https://threatpost.com/audit-aims-to-put-concerns-over-dubious-truecrypt-license-to-rest/102715
It was obvious for years what was going on with "Truecrypt."
If any of the "believers" would like to try to register a website from an abandoned location in Antarctica, that would be great. Don't forget to let us know the reply from "Go Daddy."
If you don't like what I have to say, what about this:
Quote by Jake Williams, SANS Instructor and Principle at Rendition InfoSec:
“I’ve long suspected that a government was behind TrueCrypt . The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code.”
Czerno • May 31, 2014 12:07 PM
@Success Story??? :
“It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code.”
However, here : https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
Xavier de Carné de Carnavalet shows in detail how he - and you - could rebuild Windows binaries which match the official Truecrypt binary executable installer convincingly, with a very few differences fully expected and explained being timestamps, checksums and security certificates.
There may be weaknesses, or there may be backdoors in Truecrypt, but this reproducible build experiment by Carné shows that it suffices to audit the source (provided you trust the MS compilers, but those are independent from the Truecrypt team)
unimportant • May 31, 2014 12:09 PM
I've checked it myself (and I assume that several others also have).
The NSA has other means to present a believable cover. They would not necessarily seek anonymity because nothing bad can happen to them (like NSL, being defined a terrorist, or other systemic surprises).
Success Story??? • May 31, 2014 12:45 PM
@unimportant
I am not sure what exactly you mean when you say that The NSA has other means to present a believable cover."
Fact is - the US authorities were confronted with the following situation:
1. It proved politically impossible to force all creators/distributors of encryption software to implement a backdoor in their products (via law).
See a good overview about the history here:
2. However, government and/or government agencies were absolutely convinced that the only way to guarantee security is for the authorities to be able to read the content of encrypted communications. See the document from the US Department of Justice from 1998 quoted above:
https://web.archive.org/web/20040529211445/http://www.justice.gov/criminal/cybercrime/cryptfaq.htm
Note the conclusion:
"At bottom, it is important to recognize that society has an important choice to make. On the one hand, it can promote the use of unrecoverable encryption, and give a powerful tool to the most dangerous elements of our global society. On the other hand, it can promote the use of recoverable encryption and other techniques, achieve all of the benefits, and help protect society from these criminals. Faced with this choice, there is only one responsible solution."
So what were the US authorities supposed to do? Just do nothing and watch how "Open Source" encryption programs "take over" the market, because they are free and trustworthy, and where it won't be possible to force the creators to install backdoors like they exist in "Bitlocker"? (yes, Bitlocker is backdoored, which is well know in the law enforcement community)
Well, one possible and perfectly reasonable solution for the authorities could be: Take part in the "open source" community, offer the best program, and then dominate the market! Make a program which will be used all over the world, and which includes a very well concealed backdoor.
And that's exactly what they did. They used a cover which was barely credible, as it had the elements of an international, well funded organization with considerable funds, personnel, lawyers etc., but it worked for about 10 years.
In the future, we all should just be more careful, and, as I said before, should not ignore the obvious warning signs.
Czerno • May 31, 2014 12:56 PM
@Success Story??? : not saying it's impossible BUT at this point,
what you're asserting, that Truecrypt was a product of NSA or that it has incorporated a backdoor made for or known to the NSA (or any other unjnown party) - is pure speculation. Or, are you offering proof other than you're convinced it is so ?
Actually, the audit will if it's completed help us see which is which.
Should the audit find nothing hidden, I for one will start using Truecrypt in confidence (which I never used before, because of the doubts which had been floated about its trustworthiness, and the lack of an independent audit).
Hurp • May 31, 2014 1:10 PM
Ask yourself this simple question: if TC was made by a government organization, what exactly has that organization gained by ending the project in the fashion that they have?
Hint: nothing.
Mike the goat (horn equipped) • May 31, 2014 1:41 PM
Nick: regarding building a simple transparent FDE module from COTS hardware, I responded in last week's squid thread here - it has been a few days so not sure if you were still monitoring it for replies.
Success Story??? • May 31, 2014 2:30 PM
@Hurp
That depends what the alternative would have been. Shutting the project down in the brutal fashion we now witnessed might have just been the most convenient method. Continuing Truecrypt with the audit in full swing might just have been too risky. Now, where everybody has suddenly "vanished", nobody has to answer pesky questions any more, and the interest in the Truecrypt audit will also decrease (possibly). However, I do hope that the audit will continue with full force, as it needs to be established once and for all whether Truecrypt was trustworthy or not (in my view, even without the final result of the audit, it was definitely not trustworthy).
When the Truecrypt project started, it is possible that there was no similar "precedent." So the authorities could not have known how the whole thing would end. Sometimes, the authorities are "caught", as it was the case with "Stuxnet", but anyway, the world keeps on turning. For several years, Truecrypt did exactly what is was apparently designed to do: Used by millions of people all over the world, it dominated the "market" of open source encryption software - and ensured that the US authorities could still look at the contents, if needed.
Antarctic • May 31, 2014 3:02 PM
You really don't get the Antarctica thing?
I've done it many times: If I want to give a snarky "FU" to where I'm coming from, I list the country on a new account as Antarctica.
Success Story??? • May 31, 2014 5:02 PM
Bruce, everybody...look at this presentation, page 23:
http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf
Success Story??? • May 31, 2014 5:04 PM
Very sorry, I just saw that this had already been mentioned above!
Nilson Vianna • May 31, 2014 5:36 PM
as I said ... 'honestly, I hope it's not the end of the story yet.'
take a look at http://truecrypt.ch and https://twitter.com/TrueCryptNext
Arclight • May 31, 2014 5:42 PM
I've always thought that the "safe analogy" is a terrible model for comparing encryption and physical evidence disclosure. Being compelled to reveal an encryption key is much more like being forced by the state to show the police where you buried your documents in an area the size of Australia. Your cooperation in opening a safe only saves the state money and speeds up the process of collecting evidence that is already in hand.
Maybe our next generation of judges will start to understand this better.
Arclight
"If "law enforcement" gets a warrant to search my safe, it can use any skills it has available to it to get into the safe. I do not have help it by providing the combination, nor should I be limited to only purchasing safes that these snoops can get into."
TheBrazilian • June 1, 2014 3:36 AM
@Success Story???
Maybe that slide said -
"FBI unable to decrypt the hard drives of Brazilian banker Daniel Dantas, despite a two year brute force attempt, after Brazil failed for a year before that"
TheBrazilian • June 1, 2014 3:40 AM
...Or -
"Used by Edward Snowden, Laura Poitras, Glen Greenwald, and David Miranda, the last of which, isn't in jail in the UK for carrying classified government data"
Success Story??? • June 1, 2014 7:22 AM
@TheBrazialian
This slideshow, in which the page about Truecrypt was apparently "Removed at request of US Government" was created in 2010, according to the properties of the document, and it is also stored in an archive from 2010 at the website of this forensics company, therefore we can safely assume that it was actually written in 2010, long before Edward Snowden appeared on the scene.
http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf
Yes, the case of the Truecrypt files of the Brazilian banker Daniel Dantas is an interesting one. From the information I could find on the internet, the Brazilian authorities asked the FBI for help. The FBI then, according to the reports, used "a variety of dictionary-based attacks" and failed to encrypt the files.
http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/
The story then appears to have been reported first in Brazil.
So, assumed my theory is correct that Truecrypt is a product of the NSA (or another three-letter agency, I might add), do you seriously believe that the FBI would "blow the cover" of such an important, top-secret project just because another country asked them for help in order to convict a banker?
It should also be noted that Daniel Dantas was sentenced to ten years in prison in December 2008 even without the Truecrypt files.
https://en.wikipedia.org/wiki/Daniel_Dantas_%28entrepreneur%29
The stories about the FBI not able to decrypt the Truecrypt files then only started to appear in 2010.
http://www.itproportal.com/2010/06/28/truecrypt-beats-fbi-encryption-experts-money-laundering-case/
If an US government agency started a project with the aim of covertly distributing "free" high-quality encryption software to the masses, such an agency would never ever blow the cover for such an unimportant investigation.
I am sure that many, if not most of you are familiar with the details of the Enigma-story. The allies in WWII took extreme precautions in order not to reveal the secret - including the decades which followed after WWII.
Success Story??? • June 1, 2014 7:46 AM
Jake Williams, the IT security expert who was quoted by Forbes, saying that he "long suspected" that Truecrypt is the product of a government agency, is also on twitter - ask him how he came to this conclusion:
FUDpunisher • June 1, 2014 8:56 AM
@Success story???
This is true FUD.
Anyway, if it were correct, we'll know fron audit's outcome (this fall).
I'll bet no severe or unfixable bug will be found.
No reason for spreading doubts now.
Really, if TC would be a NSA trap, they would have to be much more smart: they would have indicated the backdoor to the audit team, saying it was a bug found just these days, fixed that and, after a successfully audit, prepare a new revised release with a NEW backdoor.
Everyone would be confident in TC developer team after an OK audit and will follow them.
Since audits are costly, it's unlikely that a new audit will be done soon and the new backdoor will be clouded by the good result of the previous.
On the contrary, that clumsy and unlikely "announcement" says that TC developers suffered form some big pressure, probably by government agencies, were forced to shut but did it giving a hint to all users: agencies are on us and force us to suggest the least trustable of all closed source softwares, so don't use anything after 7.1a.
TecMan • June 1, 2014 8:58 AM
Just two weeks ago, a Russian website published a detailed investigation into the people who were behind Truecrypt - easy to read with Google translator:
Hurp • June 1, 2014 10:01 AM
"If an US government agency started a project with the aim of covertly distributing "free" high-quality encryption software to the masses, such an agency would never ever blow the cover for such an unimportant investigation."
Fascinating then that they would risk 'blowing the cover' at any time by having the TC source code freely available. This is the one thing I like about your theory Success Story: if it's true then the agency in question must be run by a band of incompetent drunkards who love to do things that make no sense.
Virmaline • June 1, 2014 10:07 AM
"If an US government agency started a project with the aim of covertly distributing "free" high-quality encryption software to the masses, such an agency would never ever blow the cover for such an unimportant investigation."
They wouldn't blow it for any investigation. That's why we could be sure our secrets were pretty much safe with them. I'm still using TrueCrypt 7.0a. If it was the government behind it, I'm sure it wouldn't want that fact to come out even now. If it's the government that doesn't want me to use it, even better.
FUDpunisher • June 1, 2014 10:25 AM
@TecMan
Interesting reading, but the name of David Tesarik as one of the authors is known since ten years ago (look at Wikipedia page on TC).
I guess that the authors are cryptography professionals (TC is a very polished and efficient software and documentation is good) and this is likely the reason they kept their anonimity for ten years: you could be fired if you create a free sw that is better than the competitor product your company sells!
Another hypothesis is they are privacy zealots that belongs or cooperate with some LEAs and in this case in even more understandable they want to stay anonymous.
It could be that they have been uncovered these months, after the start of the audit (they had contacts with audit team), and blackmailed by some government to abruptly shut their work.
This could explain the strange timing of the announcement and the unlikely way they did it.
Greg • June 1, 2014 10:38 AM
If the NSA or any other government agency created TrueCrypt, why wouldn't they just put a face on the project? Having such secretive authors has done nothing to promote the software's adoption and has only given fuel to conspiracy theorists. Given that it is fairly predictable people would respond this way, why wouldn't they just hire an actor to claim authorship.
unimportant • June 1, 2014 1:45 PM
@FUDpunisher: The authors were presumably not cryptographers. Otherwise, they would have composed their initial encryption scheme with E(SectorNumber) during the time when there was no disk encryption standard available. However, they appeared extraordinary cautious, smart and extremly responsible (exempt their final recommendation). Perhaps they had help by cryptographer(s) later on.
Chuck • June 1, 2014 2:32 PM
just as a side note:
cryptsetup aka luks, the de facto standard (also disk) encryption framework on Linux also supports, Truecrypt containers for more than a year
http://code.google.com/p/cryptsetup/wiki/Cryptsetup160
AFAIS, an attack vector would have to be quite elaborate, if Truecrypt itself is an agency setup, since it would mean to re-implement the attack vector in a separate instance as cryptsetup. (an attack vector independent from the actual container definition could still be possible, e.g., in the wrapping code)
DB • June 1, 2014 5:40 PM
@ TecMan, FUDpunisher
Interesting read about the author on that Russian site and on wikipedia.
My takeaway from this is that likely TrueCrypt has only one main primary author, who lives in the Czech Republic. And since it is much less likely that the NSA strongarms people there as much as here, that he's just gotten tired of it and wants to stop programming it, doesn't trust the community to continue his "artwork masterpiece" like code, and decided to tell people you might as well use that other encryption software by the same company that writes your OS anyway! This is me applying Occam's Razor. Grand conspiracy theories are always possible, but sorry, not always the simplest and most likely explanation.
Nick P • June 1, 2014 6:46 PM
@ Greg
Hardly. The opportunity to use a presumably strong, convenient, open source, and free encryption tool led many to adopt it. As potential problems were found, they were usually addressed by the authors. Later came claims Fed's couldn't crack it. This got it adopted even more. If anything, their MO can get results for a government wanting to create a trap program. Not that I think that's what happened.
A face might help a bit in adoption, but that face would have to lie well if it was rigged. And for a long time.
gant • June 1, 2014 7:19 PM
What if the Truecrypt-Team knows or suspects the security issue within Truecrypt?
Call it, fix it?
Apparently, the responsible thing to do is: to keep quiet about it and to end truecrypt (and maybe start something new)!
Just think what happens if they would fix the weakness! A weakness so significant that it would enable an attacker to break a TC container's encryption in reasonable time. Anyone would now know how to crack the containers created until the fix was released.
gant • June 1, 2014 7:22 PM
(I meant: it is responsible to keep quiet about details on the weakness, while telling people that a weakness exists.)
Christer Weinigel • June 1, 2014 7:55 PM
I tend to ramble on a bit. But the gist of my rather lengthy post was that by just observing what truecrypt does we should be able to make sure that truecrypt does what it's supposed to do. Most of the ciphertext on disk has a one-to-one correspondence to plaintext so an independent implementation of the specification should be able to verify that there is nothing wrong with teh data. It should be possible to do that even without a code review.
But I realised that I did forget one important thing: if the random number generator in truecrypt is compromised that is something that can not be verify by just looking at the on disk data and it is something could completely break the security of truecrypt.
For example, if the random number generator only produces 2**80 bits of entropy, that would probably allow an organisation like NSA to brute force the key while keeping out most other organisations. To see if that is the case code review is required.
And even that won't be enough, in theory NSA could have planted a trojan in Windows or maybe even in the BIOS which notices when truecrypt is used to create an encrypted volume and patches the random numbers on the fly to reduce the entropy.
If that is the case, the on disk format, the encryption algorithms and even the implementation of truecrypt could be perfectly sound and truecrypt as a whole could still be broken.
gord • June 1, 2014 8:36 PM
| Operation Dropcrypt
| Problems:-
a/ TLAs can't access huge amounts of encrypted data that has been run through easily available, easy to use, strong encryption.
b/ They need to access this data from everyone in large scale total surveillance.
c/ Vast cracking resources are being strained by the workload due to the extent of investigations in the pipeline because the encryption package is in common use.
d/ Construction of parallel cracking systems to double current capacity will cost 500million US$ which is better spent elsewhere.
| Proposal:
Track down developers of said encryption software, offer huge buyout, with pre-constructed cover story of "compromise" or "warrant canary" to preserve the developer reputations. Developers get rich overnight. Casual users scared away from using the software, though determined users will continue to use previous versions.
| Expected Outcome:
Developers accept the deal, forcing new casual users to use weakened, compromised or methods with easy TLA access via legal or illegal means. Determined or skilled adversaries continue to prove difficult to surveil, but expenditure reductions make the operation a success.
| Maximum Cost:
5 million US$
| Timeframe: URGENT
Must be completed before security audit announces the encryption package is secure and can be trusted because if this is announced in mainstream press the problem will be magnified and utilised by many more than the current users.
--
Please discuss the above fictional scenario.
Thoth • June 1, 2014 9:36 PM
@gord
Would it not be logical for tyrannical governments to outlaw the use of encryption from society and the only allowed encryption is the government's "People's Cryptography Cipher" which is an escrow cipher made by the most government and anyone caught using any other cipher would be publicly prosecuted and possibly executed and the user's family to be blacklisted for a few generations from government benefits ? Any academics trying to reverse engineer or proof the insecurity of the "People's Cryptography CIpher" would also be accused and face the punishment equivalent to treason. Imagine the rules of North Korea and East Germany being revived and spread to a larger population.
Trying to subvert the population's cryptography by politely asking, using backdoors quietly or trying to buyout is too soft for a government whom seek to extinguish the people's rights.
Instead of asking people to vote for parties to be elected, why not just set yourself up as the eternal leader (North Korea) and have the full command of the military and civilian system and random executions and fear mongering as the daily norm.
unimportant • June 2, 2014 2:22 AM
@Thoth: People need the believe that they are free in order to be optimally creative and productive. Lesson from thousands of years of ruling: If freedom is required to guarantee exponential growth of technological evolution, then give the people the illusion of freedom.
DB • June 2, 2014 2:51 AM
Well there is the old saying, "The truth will set you free." :)
Mr. Pragma • June 2, 2014 3:42 AM
unimportant
Very smartly put!
And that also explains "democracy" which maybe (I don't know, I'm no historian) was meant honestly when it began in Europe and usa. Today, however, it's not really important what or whom people vote for; they virtually always end up with a "central united parties" government, sometimes in one colour, sometimes in another. It's not (at least not anymore) about "we the people set the rules and chose the rulers" but about "we the people are ruled by some faceless organisation that, to keep the theater going on, offers seemingly different versions of itself to chose from".
The north korean leader is, in fact, very useful to the powers to be in that he creates and supports the impression that "evil leaders" are about *full and direct control*. Consequently "our" leaders are not "evil leaders" because we enjoy quite a lot of some kind of freedom.
This, however, could also be arrogance; the arrogance of someone not caring as long he a) has de facto control over the *system* (as opposed to everyone everyday life) and b) can extract whatever his major interest is.
Looking at the last decades strongly suggests that that major interest is money, which is a smart choice insofar as money again helps to create and keep more power. Looking at the evolution in virtually all western countries one factor strikes the eye: The richer get ever more rich while the rest gets poorer.
Someone here who is always blindly defending the usa system (and in fact even his nick would be a typical choice for someone in psyop) said something about IP theft costing the us economy some 300 bln$ per year. This is actually closely related to my point here.
Over vast periods of its history in virtually every system the majority of people worked physically, the economy was largely based on goods, and money was closely linked to some physical goods like gold.
This has changed dramatically in a quite short period of time -- in the western imperium that is.
There increasingly many people work in the services sector, an increasingly large part of the economies are linked to quite few huge corporations, and, probably most importantly, the very term "value" has shifted, first to not physical goods related currencies, and later to basically fictitious units - at the same time the term "value" in its more general meanings has changed, too. A products value is more and more to do with intangible and sometimes even nonsensical factors like coolness, brandname, and the like.
And the workload has shifted. The more tangible and physical some work is the more of it is "outsourced" to poorer countries while the richer countries are more and more into services (often also provided from people from poorer countries) and in the last decades into know-how.
When the usa is complaining about billions in losses in IP then that's the lamenting of an arrogant, lazy, rich king whose income is more and more based on owning rights and largely abstracted knowledge and who lets other people elsewhere get "dirty hands" from actually working.
Now the funny part is that, of course, that king will finally be -- and already is -- acting the same way towards his own people. While those, of course, do not like that (-> occupy) they have been led into a rather helpless situation against an opponent who holds pretty much all aces. An experience many people in many countries can tell about ...
Will that king tolerate encryption? Well, why not. Given that some conditions are met, most importantly the one that he and his courtlings, obedient players, and enforcers have the best encryption systems of all; to be able to listen in to the common people is desirable but not necessary because there after all many other ways to subdue them again if needed at all.
Of course, the kings plans will finally be spoiled and he will finally come to an unpleasant end (as we are beginning to see now).
anon • June 2, 2014 3:49 AM
funny recent changes to bitlocker
http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf
unimportant • June 2, 2014 4:12 AM
@DB: good one ;) But "none are more hopelessly enslaved than those who falsely believe they are free." (Johann Wolfgang von Goethe)
lol • June 2, 2014 5:15 AM
There was a java app for crypto awhile back, that had opencl support. I had seen it and didnt download it at the time, it had just been updated. I decided to go back and download it and it was gone. If you look around there are many privacy related projects that have vanished,tons of them. I had been using the SEEKS search a few months ago there were 3-5 instances of it running they all vanished along with the wiki's and any use full info.
Maybe the TrueCrypt dev figured out hardware was back doored and it no longer mattered
Chris • June 2, 2014 9:23 AM
@Mr.Pragma
Very well said!
I guess all money belongs to the King after all.
@anon
Thanks will have a read
//Chris
erlehmann • June 2, 2014 10:16 AM
The first letters of Using TrueCrypt is not secure as it may contain unfixed security issues are uti nsa im cu se – which is latin for If I wish to use the NSA … coincidence?
Nick P • June 2, 2014 11:08 AM
@ goth
NSA will not appreciate you leaking their internal BULLRUN operations. :P
Nick P • June 2, 2014 11:23 AM
@ anon
Thanks for the info on Bitlocker. Goes to show Neils was worth the money in adding the Elephant Diffuser. Also goes to show Bitlocker isn't worth the money as they like *less* protection.
Business Guy • June 2, 2014 1:34 PM
Very interesting new articles at Forbes, which includes a short interview with security expert Jake Williams, who was already mentioned above, and who does not trust Truecrypt.
http://www.forbes.com/sites/jameslyne/2014/06/02/truecrypt-is-back-but-should-it-be/
Quote by Jake Williams:
"Given the history of software crypto flaws, it seems probable that if TrueCrypt has a flaw, it would be in the implementation of the random number generator. However, it is equally plausible that the AES implementation itself is broken in some arcane manner that mere mortals wouldn’t be able to detect with a cursory review of the code. The TrueCrypt program asked users to move a mouse around the screen randomly to seed its random number generator. This has the appearance of security, but if the seed is used as input to a broken pseudo-random number generator (or ignored altogether), then it is anything but secure. This is precisely why TrueCrypt should be audited for cryptographic security before it is continues to be used by anyone that values his or her data security.
When it comes to the audit, there are two components that need to be examined – source code and binary code . Due to the difficulty of the build process, the overwhelming majority of Windows users used pre-built binary packages rather than building from source. The difficulty of the build process led to a problem with verifiable builds. It is possible that the source code itself contains no noticeable flaws while the binary code distributed does. One of the goals of the TrueCrypt audit was to create a verifiable build process (http://istruecryptauditedyet.com) so that what you see in the source is what you get in the pre-built package.
Think this sounds paranoid? There’s really no reason to take down links to all old versions of the TrueCrypt packages and code on the truecrypt.org website. But that’s what happened. The only versions currently available for download are the current release. This may be a (poorly executed) attempt to discourage study of older versions. While an audit of the last release would be interesting, my spider sense says that an audit of an earlier version is probably more fruitful."
DaveK • June 2, 2014 1:41 PM
If Jake Williams doesn't know or understand that the binary has been verified to be a true build of the source, he's really way out of date.
FUDpunisher • June 2, 2014 4:59 PM
@DaveK
Well said.
There is a lot of people that are uninformed both about TC and about the audit and they show to have no "spider sense"!
BTW, it's not just the old versions disappeared from truecrypt.org website but THE WHOLE SITE is suddenly vanished (recommendations, forum etc.), which is an abnormal behaviour from authors, if they were on their own accord.
Stressing just the disappearance of old versions links is a very bad argument.
GMan • June 2, 2014 8:51 PM
All of this just a week after my inquiry about possibly using TC for classified work.
To those folks who doesn't know, there is a nice Linux implementation of TrueCrypt -- tcplay
https://wiki.archlinux.org/index.php/Tcplay
tcplay is a free, fully featured and stable TrueCrypt implementation including multiple keyfiles and cipher cascades.
BTW, there is also an interesting note in tcplay project's readme:
https://github.com/bwalex/tc-play
(scroll down)
===== Bugs in the TrueCrypt documentation =====
The TrueCrypt documentation is pretty bad and does not really represent the actual on-disk format nor the encryption/decryption process.
Some notable differences between actual implementation and documentation:
PBKDF using RIPEMD160 only uses 2000 iterations if the volume isn't a system volume.
The keyfile pool is not XOR'ed with the passphrase but modulo-256 summed.
Every field except the minimum version field of the volume header are in big endian.
Some volume header fields (creation time of volume and header) are missing in the documentation.
All two-way cipher cascades are the wrong way round in the documentation, but all three-way cipher cascades are correct.
--------------------------------------------------------------------
If we speak about the backdoors, even if there is nothing obvious found in TrueCrypt, there can be backdoors in the OS/HW that definitely are not obvious. In such case I'd suggest not to use any proprietary software / OS;
To get completely paranoid, I'd suggest moving to a completely Free, Open Source SW/_hardware_(!), as an example see how Richard Stallman does his computing: https://stallman.org/stallman-computing.html
Gerard van Vooren • June 3, 2014 4:17 AM
@ Arno
"If we speak about the backdoors, even if there is nothing obvious found in TrueCrypt, there can be backdoors in the OS/HW that definitely are not obvious. In such case I'd suggest not to use any proprietary software / OS;
To get completely paranoid, I'd suggest moving to a completely Free, Open Source SW/_hardware_(!), as an example see how Richard Stallman does his computing: https://stallman.org/stallman-computing.html"
Free / Open Source helps with avoiding deliberately built-in backdoors. It doesn't prevent you from bad programming practices and unsafe programming languages.
Talking about GNU / Linux, from a security POV it is just too bloated. If you want to see good C and a good architecture, look at Plan-9. You will notice the difference right on.
I haven't look at the TC code, but the Auditors have mentioned that the code is badly written. Badly written code is what brought us Heartbleed in the first place.
If you really want better security, I would recommend another ideology, the one from Dijkstra, Hoare and Wirth.
MyRapture • June 3, 2014 10:15 AM
1. compairsons with lavabit
comparisons with lavabit are mislead IMHO. lavabit, for bad reasons, was in possession of countless private keys from their users and hence was legally forced to turn them over. applebaum wrote a compelling article on this.
the authors of truecrypt don't have anything interesting in their direct possession (from the thugs' perspective)! and thus they cannot be legal****ed into submission. since their product enables people worldwide to enforce their rights it has been correctly identified as the most serious threat by the enemy in oval and other "offices" around the world. it's journalists, Schneier's and drug dealers first choice.
2. timing
why has this not happened before?
because people, even IT professionals, didn't give 2cents to security. ask any MtGox customer. only now it begins to dawn on people who the real enemy is and usage of crypto tools is prolly increasing at a pace like it never has before. the gov is not worried about fortune400's, they can always legally **** them into submission, enabled by a highly political supreme court which reminds me of a queen/king.
3. conclusion
so i think the government might have opted for something i'd call brute force - but not the 'brute force' cryptographers work with but rather the brute force known from schoolyard bullies and professional torturers (aka military employees (a fraction of them)).
remember: water boarding is considered fair game by the rogue nation's legal team while the president is considered to be above the constituion.
secret agencies commit ten thousands of law violations internationally every year (there is an official source for this that i couldn't find for a couple of years - a senator once asked).
i wouldn't be surprised if some eastern europeans with great coding skills were offered a free involuntary stay at a reclusive mental institutions with soundproof walls.
The Council of Europe's investigation into illegal transfers and secret detentions in Europe: a chronology
http://assembly.coe.int/ASP/APFeaturesManager/defaultArtSiteView.asp?ID=362
http://www.hrw.org/news/2007/06/07/council-europe-secret-cia-prisons-confirmed
4. downloading truecrypt
be careful when downloading truecrypt! don't download it from the NSA ^^
https://twitter.com/OpenCryptoAudit/status/472358613751963648
i do not know how trustworthy @opencryptoaudit is. maybe the resident guru can give his view?
I am aware that this URL has been posted before, but since the comment section is as long as Tolstoi's War & Peace I thought some redundancy won't hurt:
https://github.com/DrWhax/truecrypt-archive
drwhax goes by the same name on titter.
disclaimer: I cannot proove much of what i just wrote and do not claim these thoughts and accusations to be facts except this one:
obama you are spineless!
@myrapture
KnottWhittingley • June 3, 2014 12:16 PM
Re: Lavabit, it seems to me that either all the coverage I've seen misses a hugely important point, or I've missed a major point myself.
Ladar Levison did give the feds the private keys for the site, allowing them to decrypt all the old traffic on the site that they'd been capturing for however long.
He got in trouble for printing them out in a very small font, and handing them over on paper, but as I understand it they were still more or less readable---readable enough that even if they couldn't read some of the characters in the printout, NSA would have plenty of information about the keys to narrow a brute-force attack dramatically, and easily crack the missing parts.
Right?
So the NSA probably has all the old email that went through Lavabit, likely since it started, since it's exactly the kind of site they'd bulk-collect all the traffic from. (Using their "legal" authority to save any encrypted traffic just in case they need it and can ever decrypt it.)
What are the chances that a Lavabit user's old mail has not already been read by NSA? What are the chances that Snowden's Lavabit emails have not been read?
It seems to me that the latter is near zero, and the former is pretty low. If you used Lavabit---and especially if you ever knowingly or unknowingly had any communication with Snowden or anyone else who did---you are now thoroughly compromised, and they're reading your old Lavabit mail and anything else they can hack into by any of their dozens of means. (Including hardware and BIOS implants, and exploits at every level above that, which is pretty much anything.)
(A less hugely important point there is that Levison himself did completely cave and give away the store, betraying all of his users to the NSA by handing over the keys. He still got in serious hot water for token gestures of resistance.)
Do I have that right? (I'm not a security pro, just an interested amateur trying to connect dots in what's already public information.)
John Campbell • June 3, 2014 12:17 PM
What is 7.2 delivers the pass-phrase somewhere so that a previously snarfed dd copy of the disk image can be decrypted?
Yes, my paranoia goes to eleven... if not higher.
Bill Cox • June 3, 2014 1:12 PM
Comments from those in charge of truecrypt.ch may indicate they don't know what they're doing when it comes to cryptography. While I hope this is not the case, I'm forming a competing TrueCrypt fork just in case, http://GeekCrypt.net for now, and I hope to work with solid crypto coders to build a secure TrueCrypt fork.
Rocki • June 3, 2014 1:47 PM
http://truecrypt.org/robots.txt was modified on Mon, 02 Jun 2014 17:05:56 GMT.
Status: HTTP/1.1 200 OK
Date: Tue, 03 Jun 2014 18:45:03 GMT
Server: Apache
Last-Modified: Mon, 02 Jun 2014 17:05:56 GMT
ETag: "34101-26-4fadd6897fc46"
Accept-Ranges: bytes
Content-Length: 38
X-UA-Compatible: IE=Edge
Connection: close
Content-Type: text/plain
It returned http status code 410 "Gone" before...
Zonzo • June 3, 2014 4:27 PM
@Bill Cox:
Have you looked at the "Veracrypt" thing?
http://sourceforge.net/projects/veracrypt/
Looks like an unauthorized (and most probably license violating) fork (purportedly) designed primarily to harden the password hashing to make brute force attacks more difficult.
I would be interested if any of the coder types have run diffs against the Truecrypt 7.1a sources, or otherwise examined this code.
Jeremy Pyne • June 3, 2014 10:36 PM
It seams unlikely to me that this was due to some "potential backdoor" being found in the code review. The code review may be called off yes, but then again it may not. If it was all to save face for that sort of situation it would be unlikely to work. Even if a code review goes on a back burner it could still come out in the future that there were backdoors.
But there almost certainly weren't any. We can deduce this through simple logic. There have been to many legs cases where the authorities were unable to break true crypt volumes. And no more cases but big ones including ruling about self incrimination. I just seams like if the system was so flawed that there were known backdoors for feds then those recent cases would have played out entirely differently. And if there are unintentional/errors that may lead to vulnerabilities why go bat shit and try to hide them.
What seams infinitely more likely is that the dev team got sealed court orders demanding that they remove the product/source code and gag orders to boot. The "heres how to convert to windows encryption" is just icing on the cake to prove my point. You can't honestly tell me you expect a group who produces open source/cross platform software to pull it and provide instructions to only migrate away "windows" users, not mention of linux/osx at all witch they certainly use. Seams more like a "here use this one, we sware we don't have our fingers in their pie".
Steve Gibson (from GRC.com) has a few intelligent comments to make on the matter, and, apparently he is kind enough to run a mirror for the code and the hashes:
https://www.grc.com/misc/truecrypt/truecrypt.htm
Wael • June 4, 2014 3:31 AM
Slightly OT, but complimentary...
I think TrueCrypt alone isn't sufficient. It protects one third of the data states. States being, data at rest, data in transit, and data in use. TrueCrypt or similar encryption solutions are best used on Air-gapped devices. If the device isn't Air-gapped, then Data at rest could potentially mean the following:
"Rest assured that your data is resting somewhere else, possibly with someone who has the power to arrest you" :)
The possible exception is if one created the data on the same device, or transferred it using physical media...
Mike the goat • June 4, 2014 5:51 AM
Knott: yes, I believe that if you were a lavabit user you should assume that your correspondence is/was compromised.
Jeremy: absolutely - this is the same conclusion that I have reached, and several people I have discussed this issue have indicated "off the record" that this was the case. Some security 'experts' have loudly jumped up and down saying that the devs just got tired but this makes no sense. If the developers simply wanted to close down the project, they would a) make a statement that isn't as cryptic as the one currently on their SF site b) leave archives, forum etc. up for historical reasons c) not make one "final" release that was crippled, seemingly to force people to migrate their data. The latter makes little sense as there are mirrors everywhere. The only thing that disappoints me is that they didn't release their source into the public domain. If they were trash-canning the project (for example, to spite a secret order) then it wouldn't matter much anyway.
That said, looking at the TC source code quality - it probably isn't really suitable as either a base or as a reference. The developers of the 'next' FDE solution would do best to do a clean room reimplementation of it, taking only the on-disk format. A bit like what the tcplay developers did - which works brilliantly with dm-crypt on Linux.
I am not sure what a government agency would gain from asking TC to a) cease operations, b) cripple their software, or c) backdoor their software. Given everyone knows how to use 'diff' both b and c would be easily detected, and option 'a' appears to achieve very little given that people still have working copies of TC installed and 7.1a source and binary are mirrored all over the 'net. I can only surmise that the idea is to create fear and uncertainty, and perhaps convince people to move their data out of TC containers and into something else. As everyone already knows - I was quite an outspoken critic of Truecrypt - not just because of the code quality, but the secretive organizational structure, how it operated and was funded, etc.... it all basically stunk and triggered my crypto-spidey-sense. But putting that aside, having TC gone; esp. on the cusp of the audit, isn't a 'good thing' for anyone.
Wael: I agree with you wholeheartedly there! Anyone who thinks that a FDE solution solves all their problems is deluding themselves. Unfortunately, we; and I say we to mean all privacy loving users of technology - have got really big problems with 'trust' and the tech of today. Basically, we have absolutely no way to validate *anything*. I don't know the answer or the solution to this problem, but I predict that this elephant is going to move from the corner of the room to center stage before too long.
Clive Robinson • June 4, 2014 6:26 AM
@ Wael,
Yes TCs replacment only protecting the "lazy" data at rest would be the starting point.
However whilst adding some low level additions for data in transit would be fairly trivial it becomes problematic, not just because there is not a clear industry API you would use to bring the low level additions into somebody elses comms application, but also due to the side channels from the processing of data from plain text to cipher text and back.
Thus whilst I might be keen to see TC's replacment do file compresion/archive and encryption for secure communication/backup, I would not be happy if it encoraged people to break the "air gap" they should be using when processing sensitive data in any way, especialy when supposadly secure comms have been shown to suffer from timing attacks for over a decade [1].
The issue of processing data securely has developed a "Holy Grail" feeling about it. Until recent times the assumption was that at best you would only be able to do a small subset of operations without going back to plain text, and even those problematicaly.
Thus the idea generaly followed was to place the crypto between the CPU and main memory, on the incorrect assumption that once inside the CPU chip it was not possible for an attacker to get at the data.
However cache timing side channel attacks on AES [2] in the majority of CPUs made it obvious that such a simple crypto measure was very far from sufficient (the likes of the NSA had known about timing attacks since well before DES). Further as some secure FPGA designs showed getting at the actual KeyMat was possible. Unfortunatly KeyMat handeling issues are not seen as Sexy-Research, thus there is not much in the way of open communiry papers on it and those with practical knowledge are usuall prevented legaly from talking about it.
The simple fact is even if we do get efficient ways to process data whilst encrypted, the chances are practical implementations will in some way leak via side channels information about both the processing and the data.
Rohobojo • June 4, 2014 12:25 PM
If it were planned, they would have said something in advance to warn users. They did not. If they grew tired or bored, why not just say so? If TrueCrypt was no longer going to be supported, why not just say so? Why tell people to stop using TrueCrypt, then tell them to use Bitlocker which cannot be trusted? This was so abrupt and poorly worded that it shouldn't be a surprise people have grown paranoid. Based on appearances alone, it looks as if the development team for TrueCrypt either rabbited because a government agency was breathing down their necks, or they had something to hide, and thus fear, from the audit. The third option, the only other one that fits what we've seen with our own two eyes, is that this is a case of "I'm taking my ball and going home!" which is something that can happen with an emotionally disturbed person. Deleting everything is a strong indication of this being the case. Maybe someone over there didn't feel appreciated enough, that they were being taken for granted, that people should be donating money to them and aren't, that nobody understands them... who knows. Those are the three most likely possibilities IMHO.
Chris • June 4, 2014 1:59 PM
Another (unpopular) theory is that the anonymous Developers managing TrueCrypt were actually part (or on behalf) of NSA... wouldn't this be the biggest joke on the us if TrueCrypt turned out to be a plant...
Seriously though, for anyone who easily dismisses this theory I would ask why the developers remained anonymous and why they abruptly ended the project in the middle of an external audit?
Hopefully this mystery will be put to rest some day...
omnichad • June 4, 2014 4:14 PM
To anyone making a big deal about ONDREJ TESARIK being listed in the incorporation, it will get you nowhere.
http://nvsos.gov/sosentitysearch/CorpDetails.aspx?lx8nvq=djRu2RWGpIESdKlMBbSrDw%253d%253d
Ondrej Tesarik is a registered agent via InCorp Services, Inc, and not actually involved with the Truecrypt group at all. Incorp provides registered agent services to corporations, allowing those like Truecrypt to reveal only this name in public.
At least we can still trust in the math… 1+1=0
Wael • June 4, 2014 9:58 PM
@Mike the goat,
Basically, we have absolutely no way to validate *anything*. I don't know the answer or the solution to this problem, but I predict that this elephant is going to move from the corner of the room to center stage before too longUnless one builds everything from scratch, one cannot have full trust in the device. One has to be the root of trust of one's self. Otherwise the problem of trust is a formidable one. I don't believe voting systems can totally solve this problem of trust either, because they can be gamed as well -- one way or another.
Dirk Praet • June 5, 2014 6:04 AM
@mcderp
Bitlocker is fine for Win FDE unless your adversary is a government. If it is then you wouldn't be using proprietary windows software anyways, so TC is fully redundant and should die
No. One of the fine things about TrueCrypt was that it was cross-platform. Believe it or not, there's a lot of people out there that work on more than one OS.
Clive Robinson • June 5, 2014 7:59 AM
@ Dirk Praet,
Long time no hear, I trust you've been well and enjoying life.
One or two of the "usuall suspects" here have been wondering where you have been. Now all we need is RobertT to pop up :-)
Mike the goat (horn equipped) • June 5, 2014 8:16 AM
Wael: I agree. My interim solution is to store my secure material on ancient hardware (SPARC) that should be old enough to either predate government interest in IT surveillance or, and more reliably I guess - given its vintage, they wouldn't be able to "silently" compromise such hardware in the way that they can now with nanometer scale tech. The other thing we have in our favor is the political situation back when my SPARC was minted was much different and hopefully interest in COTS hw - particularly obscure stuff likely destined for academia - was not quite as intense. Of course, I am making assumptions and playing the numbers so to speak.
But this isn't a viable long term solution - and using modern hardware in a Faraday cage completely disconnected from the world isn't really an option either.
I - like many - regularly think about this very problem and how we can mitigate it. Obviously the solution lies in building a "verifiable" computer. Unfortunately such a computer is going to be slow by design. That said, look at what Mac did - a nice little GUI and multitasking (well, with AUX - I believe System simply was task switching) and all done on a Motorola 68k.
Mike the goat (horn equipped) • June 5, 2014 8:32 AM
Nick&Clive: I found this page recently, which details an attempt to shoehorn an 80386 into a development board. Thought it would interest y'all.
Dirk Praet • June 5, 2014 9:34 AM
@ Clive
Thanks for the concern, Clive, but I am doing quite allright indeed.
I have been taking some time off to pursue other things like learning Japanese and getting my body back in shape through intense cross-fitness. "Mens sana in corpore sano" and that sort of stuff. The former is going quite well, whereas the latter has been yielding quite some spectacular results too. Never thought I'd be able to deadlift 400 lbs. and do 21 pull-ups in 30 seconds at my age.
@ Mike the goat, @ Wael
What I would like is some sort of Raspberry Pi with all verified components. Would make for an interesting open source hardware project, I think.
Wael • June 5, 2014 10:04 AM
@Dirk Praet,
Glad to find you are well. Was wondering what happened to you...
Nick P • June 5, 2014 1:27 PM
@ Wael
It's an unsolvable problem in the absolute case. It's just a matter of where one draws the lines. For software, it's fairly straightforward and I've already got enough work covering that (for "correctness," anyway). For hardware, another matter entirely as I'm still working on that.
@ Dirk Praet
DIIIRK!!! What's up dude!
Good to see you again. Glad you're getting your mind and body into even better shape. That you have years on me and are pulling that much weight gives me less excuse to be dodging the gym. ;) Hope things keep working out for you.
@ Mike the goat
Yes the past shows us that quite usable (and still inspectable) chips can be built. The fab model doesn't help there as RobertT showed us one type can be hidden in another without a chance of optical or electrical inspection finding it. That leaves much older tech, like discrete logic chips. (Pauses) Darnit, same problem! (Sighs) My latest itch on that is to create an architecture portable to many older chips, write emulators for it, and then make a board with nothing but old CPU's/DSP's emulating various chips for that architecture. Is the situation really bad if I'm considering extreme nonsense like that?
Re 386 link
It's certainly interesting from a board hacker perspective. Might have useful information. Might interest in these old things is to create a board from modern components that integrates with them. We leverage COTS stuff where using it doesn't present trust issues. The very programmable stuff, esp CPU, is from old servers. They have to integrate on same board. The link seemed to be a guy trying to shoehorn a chip into a board totally not designed for it. I'm sort of doing the opposite, although I see myself running into similar issues if I try. I had no idea the 386 was so complicated to get into a board, though.
name.withheld.for.obvious.reasons • June 5, 2014 5:00 PM
@ Dirk, Nick, Clive, Wael, RobertT, Buck, Mike the Goat
Looks like it is just a few short of a team...I intend to release previously proprietary designs (my company) in open source form. One issue is liability, software licensing under a GPL, Gnu, or Stallman framework is different than in hardware. This I believe is the first component of a "true" open hardware effort that focuses on integrity and traceability.
Each of you has identified various components, devices, and sub-systems that would be part of a deliberate architecture that can be openly developed and can be robust against deliberate attempts at subversion. I will continue to advocate for simple, scalar, and performance based designs that do not sacrafice the robustness that everyone here has reecognised as problematic. It seems to fall to groups like these, and is the perfect test bed, for just such an effort. Formalizing an arrangement (logistics) is the second component to such an effort. I don't think the current FOSS funding and mission is sufficient to be useful or productive, The focus resembles a "forest for the trees" problem. Parallel to the HW licensing issue is a certification process that can be drafted that serves the mission of producing a piece of hardware that doesn't get labeled 'CE'.
@ Dirk
I too share with many the return of another thoughtful and deliberate thinker back to the realm--I'd sensed a disturbance in the force...
By the way, two of my vax's have returned from mothballs and will be joining the enclave in the faraday lab.
Dantz • June 5, 2014 5:24 PM
@bae24d3fff
Some of us are at Wilders (wilderssecurity)
Dan/Dantz
Wael • June 5, 2014 11:46 PM
@ Mike the goat (horn equipped),
store my secure material on ancient hardware (SPARC) that should be old enough to either predate government interest in IT surveillance...Yes, good approach given the information we have and the scarcity of viable alternate solutions... However, IT surveillance, I believe, was not missing in the relatively early days. Remember Clifford Stoll's "The Cuckoo's Egg"? It probably predates your SPARC station...
Obviously the solution lies in building a "verifiable" computer.Verifiable by whom? That's the question.
Wael • June 6, 2014 12:02 AM
@ name.withheld.for.obvious.reasons,
Re: Open source HW:
What sort of designs are they?
@name.withheld.for.obvious.reasons • June 6, 2014 7:07 AM
@Wael
Arduinos.
Open hardware will progress even slower than Linux on the deskop.
Somebody • June 6, 2014 7:13 AM
To all those demanding that we all dump Windows and use Linux and open source.
Good news. Debian had a REDUCED ENTROPY Random number generator for TWO YEARS
https://www.schneier.com/blog/archives/2008/05/random_number_b.html
And debian has more EYES on it than TrueCrypt has.
So much for many eyes approach and open source being a much better alternative, I always found this many eyes claim to be pure BS.
Siphon_Soul • June 6, 2014 5:20 PM
The question here is: presuming there is an outside player who has the goal of undermining TC security, is the outside player able to do this retroactively? Has a vulnerability been discovered that allows outside player to decrypt files made with earlier versions of TC, or is the outside player aiming to undermine future versions.
So:
a) Genuine message, volumes made with all or some of previous versions are at risk
b) Genuine message, volumes made (or opened) with future versions are at risk, but not current (7.1a) and earlier
c) False message, the software works as intended, which is why OP wants less people using it.
These possibilities take into account security problems that stem from the OS, not from TC code itself.
So where do you place your bets?
Globo • June 6, 2014 6:10 PM
I am the NSA and have the problem that I cannot read TC files. What am I going to do? I tell my partner Microsoft to make Windows detect when TC is running. Windows then extracts the keys and encrypts them and siphons them out home - together with the unique ID of the hard drive on which the TC volume was created. Problem solved. For Linux I add the same functionality myself, I mean, for what do I have my exploits? What I want to say: the developers are sooo true when they state that TC is not secure, cannot be, given zero endpoint protection.
Wael • June 7, 2014 1:48 AM
@name.withheld.for.obvious.reasons,
RE: Arduino...
Oh, man! AVR 8-bit? Been a long time since I messed with those! They were good for crypto stuff -- 3DES. I hear some hackers used them (the AVR) on an extender card to simulate smart cards on Satellite receivers. They got free channels ;)
So what would be the difference between the Arduino and something like this: http://www.atmel.com/tools/stk500.aspx ? Open Source Hardware would not describe the internals of the micro-controller, would it?
Sorko • June 7, 2014 3:43 AM
What about a fork of truecrypt, already freely available?
Wael • June 7, 2014 3:52 AM
@ Mike the goat,
When are you "horn equipped"?
Mike the goat • June 7, 2014 4:56 AM
NWFOR: I like the idea of a team. Perhaps we can call ourselves "Ocean's seven"; then again, maybe it will be "Ocean's six" assuming that one of us has to be Ocean and that Ocean is presumably not included in the count. *mind blown* ;-) Seriously though, nwfor - you know my feelings about this and I'd do whatever I could to facilitate such an 'open hardware' movement.
Somebody: you're right and I agree with you in up to a point. Sure, open source projects can indeed have vulnerabilities -- nobody is downplaying that. I believe that FOSS projects, when run in an open, transparent and sensible manner (and the latter has to include having source code management procedures and importantly asking the opinion of and forwarding any modifications made by the maintainers to the actual source package's author; as well as more stringent auditing on security/crypto code) are more likely to be safer than closed source projects. I expect that we have had several such massive fails with, say Windows, and we haven't heard anything about it or they have been quietly fixed in the next release.
Dirk: good to see you back!
Wael: when I am posting from my smartphone. Yeah, I know you were expecting something more interesting :-).
Bill Cox • June 7, 2014 5:27 AM
@Zonzo
Yes, I've looked into VeraCrypt, and exchanged a couple of emails with the author, inviting him to work with the TC fork where I'm participating (now called CipherShed.org). The author sounds like a decent low-level coder, and has some ideas for supporting UEFI drivers, so we could drop the code requiring a Microsoft compiler from 1991. The RealCrypt fork seems clean to me, and I think that project provides a decent template for what has to be done to conform to the TrueCrypt 3.0 license.
Those of us participating at CipherShed.org still want to merge with the truecrypt.ch effort, but their forum is down, and there's been little communication... Hopefully it will all work out.
Mike the goat • June 7, 2014 7:07 AM
Bill: What worries me is that the massive number of forks that are springing up may work to further fragment and reduce confidence in the truecrypt code. I haven't seen anyone yet turn around and say, "yes - we like everything that TC has done, but it has significant systemic issues that can't easily be resolved by hacking the existing code base" and then work to make a fresh implementation that attempts to address the deficiencies in TC whilst maintaining the on-disk format for backwards compatibility. I don't believe any group has done this yet.
Wael • June 7, 2014 10:48 AM
@MIke the goat,
when I am posting from my smartphone. Yeah, I know you were expecting something more interesting :-).I guessed it's a flag of some sort, just didn't know what state it indicates :)
Mike the goat • June 7, 2014 11:20 AM
Wael: now you know, please don't use it against us.
Wael • June 7, 2014 3:04 PM
@MIke the goat,
please don't use it against us.It'll cost you a hoof, a horn, and a tail.
Mike the goat • June 7, 2014 6:49 PM
Wael: I am afraid that our god would not be too happy with all this talk of removing (quite necessary, I might add) appendages from his brethren. :-). Glad to see you and Dirk are back commenting. I haven't seen either of you around for a few days - but it may just be my early onset senility.
Wael • June 7, 2014 7:40 PM
@Mike the goat,
I haven't seen either of you around for a few days - but it may just be my early onset senility.What do you mean? We chatted twice in the past two days! Cut back on the dose, bud… I wouldn’t worry too much about Pan, some TLA caught him forking TrueCrypt, and asked him for the password. He claimed he forgot it. They gave him some " Memory Enhancers" — rubber hose crap didn’t work well on him. Some say he committed suicide (shot himself 14 times in the head), and some say he had a mild allergic reaction to it…
Mike the goat • June 9, 2014 9:50 AM
Wael: forgive me, satyrs aren't exactly known for their short term memory. I assume those links are of beer labels? Interesting... :)
Bill Cox • June 9, 2014 5:18 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@Mike the goat:
What worries me is that the massive number of forks that are springing up may
work to further fragment and reduce confidence in the truecrypt code.
SFAIK, there are only two efforts to revive TrueCrypt: truecrypt.ch, and CipherShed.org.
At CipherShed.org, a primary goal is to merge efforts with truecrypt.ch, so hopefully
there will be only 1 fork. Two others are VeraCrypt and RealCrypt, but those are existing
projects, not new forks.
Last week, compul, srg, frank, PID0, and others did an incredible job moving CipherShed
forward. I ran what has become the CipherShed project like a dictator for maybe 24 hours,
and then gave away all control over the domains, web sites, email list, github repository,
and social media accounts to those who seem genuinely interested and talented at such
things. I am gaining confidence rapidly in the CipherShed team, and look forward to being
part of it. I firmly believe CipherShed will save TrueCrypt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iEYEARECAAYFAlOWMkAACgkQOWoeo052SL7qTQCeJxo4VdJVJSxwecPTkYecqM7u
8UcAnR9YsqqcPYxCU6LeWeGMmABEEuJd
=kOW7
-----END PGP SIGNATURE-----
Wael • June 9, 2014 10:09 PM
@ Mike the goat,
forgive me, satyrs aren't exactly known for their short term memory.Bleat, bleat...
I assume those links are of beer labels? Interesting... :)
I honestly don't know :)
A small board with SATA power and data on each side such that it sits inline between disk and controller.I guess customizing a self encrypting drive (SED) is not to be trusted either.
Mike the goat • June 11, 2014 8:08 AM
Wael: the problem is - nobody and nothing can be trusted. I am going to have to start living in a freaking Faraday cage. Okay, scratch that - I will need to go into one of those anechoic chambers. You know, they say that you go slowly mad if you spend too long in such an environ. I guess it is an acoustic take on the Ganzfield effect.
Bill: I hope my little article on your project was okay.
Wael • June 11, 2014 9:09 AM
@Mike the goat,
I believe I Ganzfielded one or twice...
You can live like Edward Abbey. No Faraday cage needed. All is needed is appreciation of solitude...
Nick P • June 11, 2014 10:26 AM
@ Mike the goat
Where did you get the cage from? Did you verify the material? Did you verify the testing equipment free of subversion? And does your cage deal with bugs outside common frequency ranges or using techniques such as ultrasound or infrasound?
Unfortuntely, the rabbit hole doesn't stop at Faraday cages.
Bill Cox • June 11, 2014 7:27 PM
Here's my new theory about what happened to TrueCrypt:
These guys released their best version ever, 7.1a, in February 2012. They had a party, said goodbye, and moved on with their lives. Everyone assumed that since it's open source, some new guys would come along to take over the project. Instead, for two years, there were no security updates, and no credible fork. TrueCrypt was languishing. One of the developers decided to force the world to take action. He pulled that amazing stunt, complete with recommending everyone use Microsoft BitLocker. Now he's kicking back with a beer and watching the world go nuts. It's like kicking an ant hill.
Nick P • June 11, 2014 10:40 PM
@ Bill Cox
It's possible. One of the reasons I always guarded my I.P. (and how it was extended) is I worked hard to ensure its quality and security. The last thing I want is someone taking it over, re-architecting it, etc to some great negative effect. Then, it might come back on my professional reputation or me personally somehow. Let's just call that "the wisdom of crowds." I try to avoid it. ;)
Wael • June 11, 2014 11:29 PM
@Nick P,
One of the reasons I always guarded my I.P. (and how it was extended) is I worked hard to ensure its quality and security.How have you guarded it by sharing it with us? Perhaps the fact you shared on this blog is the method, like @ Dr. Kevorkian did? It's a double edged sword, I do remember some of our discussions that ended up in academic papers, for example here
@AC2,
Not to worry, the next version will use a planchette, much faster and more secure...Whats the status? :)
@Nick P,
The last thing I want is someone taking it over, re-architecting it, etc to some great negative effect."Re-architecting" implies there was an "architecture" to start with :)
Nick P • June 12, 2014 12:11 AM
@ Wael
"How have you guarded it by sharing it with us?"
Some is still secret, some is semi-shared, and some is fully shared. Even the fully shared I.P. is typically at design level minus some implementation details. Any derivative product is a *knock-off* of a high level description of my own work. What it's not is *my* product, which might retain it's unique advantages or legacy.
Not sharing any actual high assurance products also has legal and extra-legal advantages in the Cover Your A** area of INFOSEC work. Especially in the United States.
Mike the goat (horn equipped) • June 13, 2014 1:06 PM
Nick: exactly - you could write an RFC or spec document for a technology and we could both end up with wildly different approaches to comply.
somerandomguy • June 19, 2014 4:32 AM
Just throwing my 2cents in...
If you're into stylography check this out:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
"as it MAY" = doubt, uncertainty, inconsistence
Why would the master of this here masterpiece have any doubt about his code untill now?(and not earlier on?). Theres been so much time to look over it again and again and again. Having to panic just now in my mind triggers an image of someone having been invaded/altered in his/her life/work/etc.
As someone above me said, there is no need for the developer to point out security flaws, as all the previous updates have been done silently, patching up holes, without catching too much attention, so why give up NOW?(notice how the order in which events occure here is very VERY important).
NSA can't stop people from using TrueCrypt, or remove it manually from everybody's computer, BUT THEY CAN MAKE YOU BELIVE SOMETHING, SO YOU CAN REMOVE IT YOURSELF.
Keep using TrueCrypt friends, NSA can suck it.
Sam • June 19, 2014 12:34 PM
I'm just wondering if this is the reverse of the NSA conspiracy theory - i.e. the NSA paid off the TrueCrypt developers to add a vulnerability, but now the Open Crypto Audit has published its report saying that it's a largely solid piece of software, the devs are ducking and running :)
Where's my tinfoil hat gone...
I never realized until now that the authors of Truecrypt are anonymous? Why?
Nick P • July 10, 2014 3:48 PM
@ TC
If you wanted to put me in prison or kill me, would it help to have my name, place of business, and home address? Anonymity has its benefits for people who build things that attract the attention of aggressive people.
Gorgo • July 28, 2014 11:59 PM
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
This message is entirely legible if one reads from the perspective of the authors. They, after all, already know why they abandoned TrueCrypt, and they apparently feel no need to address that point.
Therefore, they only instrumentally address future users -- two years, five years, ten years down the road. From that perspective, it's quite reasonable to say TC "may contain unfixed security issues." A couple of years from now, it very well might.
The sentence doesn't imply that TC currently contains mysterious unfixed errors. The authors are simply writing to posterity.
The final message is "Using TrueCrypt is not secure." Again, this is just accurate from the perspective of the needs of the audience that the authors are imagining. If TC is not being developed, then when Joe Blow stumbles on it in 2018, this warning will be entirely true and accurate. Who would use an encryption tool that hasn't been updated in five years?
It's like parking your trusty, well-made car in an alley, walking away forever, and leaving a sign advising that it might have mechanical problems that make it unsafe to drive. Of course it might: you know you're never coming back, and you have no idea how long it will sit there, rusting into obsolescence.
Providing a means for folks to decrypt their data and thereby safeguard it against the ravages of time is, again, prudent and even obvious best practice.
Finally, is it not possible that BitLocker is actually good enough? That seems to have been the conclusion right here in 2006:
https://www.schneier.com/blog/archives/2006/05/bitlocker.html
My guess is that the authors simply made TC as good as it could be made under XP, then found themselves absorbed in other priorities and let it go. The closing message is just due diligence from that perspective.
Just my two quatloos!
Vincent • October 31, 2014 1:14 PM
Here is my analysis of the implications of Truecrypt's demise. I wrote it just over 3 weeks after the initial news about this incident broke.
Subscribe to comments on this entry
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.
Leave a comment