Is this Truecrypt a CIA honeypot article bogus or any truth to it?

I suspect it is completely bogus as I have been looking up encryption for a while now and TC come up as a solid product.

http://www.privacylover.com/encrypt...oor-in-truecrypt-is-truecrypt-a-cia-honeypot/

Just curious what you guys who hang here have to say about it?

 

At least he admits he's just tossing mud against a wall to see what happens:

And apparently doesn't have much belief in his own hypotheses:

Those two statements tell me about all I need to know on how much weight I should give his ponderings.

 

The following isn't automatically directed at the writer in the link, but FYI.

What people should Always be alert to is, there have been, and will be, people who post misleading/wrong info on purpose to try and lead us astray.

Some people actually get paid to do this, and every day. They post on forums, write articles, appear to be on our side etc, but are Spooks and/or Spook puppets. And that's not including those in the mainstream media who are involved too

Imagine if based on that article, everyone dropped TC and started using backdoored stuff approved by the NSA etc Well that's just the kind of thing the Spooks want you to do of course !

 

Frank posts here at Wilders as box750. He's been a member here for almost two years and contributes good information.

 

I have various points to make here:

The article has a clear question mark on it: "Is Truecrypt a CIA honeypot?", this is not a clear affirmation of a fact and if someone takes it that way, then he made a mistake because it is not.

We are getting to a point where Truecrypt has become a religion and you can't question it and anyone doing so suddenly becomes an AntiChrist or a paid CIA puppet who wants to confuse everyone, etc, etc.

I think there are a number of question marks that Truecrypt has on its product and highlighting them does nothing but good to the community, looking the other way and never question if security is good enough is not the way to go.

The article makes these specific points:

1- Truecrypt developers identity hidden

2- Truecrypt developers working for free

3- Compiling Truecrypt source code increasingly difficult

4- Truecrypt license contains distribution restrictions

5- Truecrypt open source code has never been reviewed

6- Censorship at Truecrypt forums

If you want to debunk and discredit any of the points above then great but if instead you are going to go into the game of "the author is a tosser" or something like that, then off you go.

Some people take the questioning of security as a clear affirmation that something is not safe to use, but that is their own assumptions not the poster's who textually says on the conclusion " I still recommend Truecrypt, they are my second choice of full disk encryption software after DiskCryptor".

 

No, of course you meant no insinuations-- hence the title you chose for the article.

~ Removed Political References - Please see this Post for Guidance ~

 

I guess I would make the opposite point. If you were going to make a honeypot, you wouldn't appear to be so secretive. You would appear open and friendly and welcoming.

 

If it's a CIA honeypot then they are doing a good job at locking their own government counterparts out of drives encrypted with Truecrypt, as recently shown in the Brazilian case where the FBI could not decrypt such a drive. Moreover, the TC source code is there available for public review. It would be pretty hard to hide a backdoor -- someone would find it eventually.

 

Yes, I find this strange too. However, it makes sense when you think about all the problems Phil Zimmerman and others faced in the 90's. They probably don't reveal their identities because they don't want to have to deal with any legal issues (specifically US export restrictions).

Not a good point at all. Lots of open source developers work for free. Are you going to say that Linux or OpenOffice are done by the CIA? How about Apache?

What do you mean by this? If there's source code, it can be compiled.

Their licensing is weird, but I see no reason to believe that the CIA is responsible. I mean what would be the point?

How do you know this? TC has been around for years and you know that some cryptographers somewhere have gotten curious about it. I would be very surprised if no one has reviewed it.

The TC devs might just be ~ Snipped as per TOS ~. There are lots of ~ Snipped as per TOS ~ out there, but this doesn't mean they all work for the CIA.

Bottom line: I find it humorous how some people question TC (which is 100% open source with nothing to hide) yet somehow trust encryption software that is released in binary only format by a vendor. Vendors are much more likely to be strong armed by the CIA than private citizens working on a voluntary basis. It is well known that NSA sent out "auditors" to Silicon Valley in the 90's to make sure hardware and software crypto companies "complied" with their requests (i.e., put in a backdoor or you go out of business).

 

It intrigues me that Truecrypt is perhaps the first or only encryption software that claims/provides multi-layer encryption AES-Twofish-Serpent.

Has anyone conducted penetration testing or any independent research out there?

 

Also known as cascading. The crypto experts I have talked to question the value of cascading. It doesn't mean it's worthless, but it's probably overkill. And if there was a breakthrough in cryptography that could break, say, AES, then Serpent and Twofish would likely fall closely behind.

 

I like, use and recommend TrueCrypt, but I would never trust TrueCrypt under all conditions. It's good software and it serves my purposes well, but there's simply no justification for blind trust.

If we find out someday that various government agencies been able to crack TrueCrypt for years then I will not be particularly surprised or alarmed.

 

I'm in that school of thought.

[IN_GENERAL]

Basically, when cryptography fails, it most often does so at the implementation level -- not at the mathematical level; with that in mind, and understanding that more options leads to more complexity, it's counterproductive to make a non-problem even more of a non-problem (i.e., piling on the cryptography) while making a big problem even more of a big problem (i.e., clogging the implementation with said cryptography).

It's not that cascading decreases cryptography security; we have "proofs" that show quite the contrary. However, there is the potential for decreasing implementation security, which is a bigger problem. That's the argument's foundation.

It makes the most sense to look to history for the answer to this kind of question. The likelihood of an implementation fluke is, as I say, a stack of magnitudes greater than the likelihood of a practical attack on a secure block cipher, such as the AES. And, despite the seemingly conservative idea of cascading, "just in case," it's actually more conservative to design with the implementation in mind, since that's where you're most likely to spring a leak. Then again, I could keep on with a dozen ways to say the same thing; as you can see, this is near and dear to my heart.

[/IN_GENERAL]

 

Justin,

What do you make of Nicolas T. Courtois' XSL attack on AES? A few people have doubted the claims (Don Coppersmith and Prof. Moh are two people he mentions). But Courtois fires back and says neither understand the attack. He claims Moh is a good mathematician but understands nothing about cryptography. From his website, I note the following:

 

Since they first surfaced, I haven't heard much about these attacks. Although I'm not particularly worried about this attack, I'm always cautious when new attacks arise - even if they don't work as advertised. It's easier to mildly entertain them, rather than completely discount them. But, I don't let them influence my design decisions.