TrueCrypt - Current Thoughts??

Discussion in 'privacy technology' started by KookyMan, Aug 11, 2009.

Thread Status:
Not open for further replies.
  1. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Hey All,

    After doing some major reworking of my hardware, I've come to a difficult decision. TrueCrypt.

    I used to stand behind it 100%, back with v5.1a. Then, with the introduction of v6, the forums became a highly-controlled, nothing-negative-said, no-bugs-exist-unless-we-admit-they-exist, no-privacy environment (granted, it was a little privacy-less before then, but the elimination of private messaging on the forums added a whole new level to me). It's almost as though something major changed behind the scenes with TrueCrypt. Ever since, I've been resistant to upgrading, but I seem to see more and more sites and sources jumping on the 'TrueCrypt is Great, Use It' bandwagon.

    My question is, am I just being overly suspicious and not keeping up on a great piece of software, or do I have a legitimate concern, and are these people a bit late in jumping on the wagon of how great TC is?

    -- Addendum - I've just been directed to Fedora Project's page with a 'strong' warning against it due to the license. See: http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt

    I'm so NAL, but could a couple others lend their eyes to the License (Found here: http://www.truecrypt.org/legal/license ) and see if anything jumps out at you? Thanks
     
    Last edited: Aug 11, 2009
  2. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I use 6.2 and it has worked flawlessly. I don't frequent their message boards because I never had need to - I've never had a problem.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I still keep a copy of TC around, but I really prefer FreeOTFE. They are not the same, but in many ways they are. That said, I like the interface of FreeOTFE much better...
    http://www.freeotfe.org/
     
  4. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    I think TrueCrypt is released under an open licence, so there's nothing wrong with it.

    There are a lot of very, very strange people in the Linux community with odd ideas about software licences. If you want a laugh, listen to the Linux Action Show's review of Fedora and how these people think about software licences (the bit about the FSF (the Free Software Foundation) and the Amazon Kindle). The Fedora review comes a little later, but in short they've spent time taking out all Mono software and replacing it with exact clones, with the exact same bugs, while some parts of the OS don't work (the installer!), so I wouldn't take Fedora too seriously when they talk about licences.

    I think this is the mp3 -
    http://feedproxy.google.com/~r/TheLinuxActionShow/~5/jrOjWEStGKk/TheLinuxActionShowEP097.mp3
    http://www.jupiterbroadcasting.com/?p=1058

    Edit: they start talking about the Kindle and licencing at about the 16:48 minute mark. The FSF call the Kindle the Swindle loool
     
    Last edited: Aug 12, 2009
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
  6. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    A few items to consider...

    • TrueCrypt isn’t FIPS 140-2 validated.
    • “The domain name ‘truecrypt.org’ was originally registered to a false address ..., and was later concealed behind a Network Solutions private registration.”
    • Some who dare to make negative comments about the product find their forum accounts cancelled.
    • The developers are anonymous.
    See this thread for additional details.
     
  7. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden

    There is a reason that they are anonymous, and I think this is one of the reasons:

     
  8. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    Well as a user of TrueCrypt on both Linux and Windows I will comment.

    This thread (New Attacks on the AES - Wilders Security Forums) was interesting to read, once it went off topic to discuss TrueCrypt, especially the comments by Justin Troutman.

    I am a little concerned about the problems regarding the TrueCrypt forum. I have never had a need to register on the forum so have no personal experience in the matter. I am not going to stop using TrueCrypt because of it.

    It would be nice if TrueCrypt was FIPS 140-2 validated, but for my purposes it's just not important.

    Countermail's post regarding the possible reasoning for the anonymity of the authors and ‘truecrypt.org’ is acceptable to me.

    The FedoraProject "Forbidden items" entry did nothing for me. The "extremely poor license, which is not only non-free, but actively dangerous to end users who agree to it", with no reference or rationale for this statement, made my eyes roll. I did read the license; somehow I failed to get the same impression. Probably because I am not a lawyer. The links provided by iceni60 also reinforced my thinking.

    The Gentoo bug link provided by Gerard Morentzy provided much useful information. I am taking the same route as Gentoo: I will continue using TrueCrypt, as I see no real alternative, nor do I see any real problems.
     
  9. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Countermail, the material you quoted is historically interesting, but I don’t precisely see an explanation for why the TrueCrypt authors might wish to remain anonymous. Can you elaborate and be more specific? Are you saying that the authors, if they were known, might be subject to legal action from a prior employer and thus are ‘hiding’ to avoid the dispute?
     
  10. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Chrisretusn, I am curious: why don’t you see any of the plethora of other encryption solutions as a “real alternative” to TrueCrypt? Stated differently, what essential functionality/feature does TrueCrypt provide that one or more of the competitors lack?

    Thank you.
     
  11. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    TrueCrypt's steganographic features like hidden OS and hidden volumes.
     
  12. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Yes, something like that, "better be safe than sorry".

    I don't know any other stable open source freeware that has system partition encryption for Windows, but diskcryptor.net could be a future competitor.
     
  13. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    SafetyFirst, the plausible deniability feature of TrueCrypt is often cited. However, as discussed in this thread, “hidden volumes” may have their own implementation challenges. As Justin Troutman noted, “Information leakage is a real killer.”

    Beyond the plausible deniability feature (and the price) of TrueCrypt, are there other significant aspects of the tool that now distinguish it from the competition? (I’m just trying to understand its position in the mix of encryption offerings in the marketplace, which is related to KookyMan’s initial question asking for "current thoughts" on the tool.)
     
  14. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,672
    Location:
    Philippines
    The plethora of other encryption solutions? You're right, I don't see it. I use more than one operating system. TrueCrypt is the most convenient for me across 3 of the 4 platforms that I use. I do not need or want whole disk encryption; I use single file encryption when needed, but TrueCrypt's container style encryption more effectively meets my needs and is simple to implement.

    I am well aware of other solutions. In Linux I could use an encrypted file system such as ecryptfs or EncFS; however, TrueCrypt does one thing that the others do not: I can move my container files between the operating systems that TrueCrypt supports (Windows, Linux, Mac).
     
  15. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    I did some more homework, looking at Fedora's "Avoid this software" and read some mailing lists from other distributions as well.

    It appears one of the biggest issues is a clause in the license (still present in v2.7 of it) that effectively states that someone can still be sued for copyright infringement for distribution of the software. (IANAL.) That's why most of them avoid TC like a hot potato.

    From my reading, it appears that the whole issue is concern over lawsuits from distribution and/or packaging of the application as opposed to the actual use of it.

    FIPS-120 isn't important to me, I'm willing to 'trust' that they have it right. My chief concern has been the recent squashing of speech on the forums, as Justin had mentioned. I was actually involved with Justin in trying to get that resolved, and it was like talking to a brick wall.

    Something I have not seen, though, even in other threads, but will have to start vocalizing more, is that TrueCrypt isn't real FOSS. It's Open Source. It's Free, but it's gratis, not Free (as in freedom).

    The Lockdown on the forums (what I called shunning the community) is the single act that made me seriously reconsider whether I wanted to continue to use the software. I looked at FreeOTFE, and while I think it is definitely impressive, I am now needing the multi-OS compatibility of TrueCrypt. Looks like I'll just have to risk it for the time being (I already have TC containers.) Now if TC would make a TCExplorer variant, it would be excellent. (Yes, I know a third party did it, but that was compatible with v4.3 and I don't think was ever updated.)

    Thanks for the discussion all, and feel free to keep it up, I'm sure other people have to wrestle with this all the time.
     
  16. oldymin

    oldymin Registered Member

    Joined:
    Oct 31, 2008
    Posts:
    25
    Most people don't know that the owner of SecurStar, Wilfried Hafner, is a convicted criminal who was into making money from easy-to-"hack" party lines. The guy tries to uphold some "i'm a l33t hax0rz" image, but in reality the facts speak for themselves. There is more dirt to find about him, as he's not the developer of the DriveCrypt software, which was originally E4M by someone else who deserves the credit.

    Here at this link some more inside information, especially the fact that securstar company did not even exist while the software was free to use and modify as long as proper credits were given:

    http://www.pcreview.co.uk/forums/thread-1967957.php



    SecurStar also wrote malware, spread it, and then sold a product to protect against it. I leave it up to the public to form an opinion about that.

    Taken from: http://www.dialaphone.co.uk/blog/?p=2257
    (check section 5)
    (enough other sources who consider this modern extortion and wrote about it)

    "
    If you’ve noticed any suspiciously-besuited Germans hanging around your handset, casually commenting on how dreadful it would be if there was an accident and inquiring if you’d like to donate to their civic protection fund, don’t worry: it’s just security firm SecurStar GmbH trying to extort money. Ignore them. Everyone else did. A couple of years ago SecurStar issued a press release demonstrating how their PhoneCrypt technology could protect mobile phones from an SMS-delivered virus which can eavesdrop on any communications through that phone. An SMS-virus which SecurStar had themselves developed and announced in the same press release. Named “RexSpy”, SecurStar CEO Wilfried Hafner took care to mention how easy it was to develop and how any reasonably competent coder could make their own version. He then, presumably, left the code on a Nigerian internet cafe table and walked away while whistling casually.

    You may have noticed that the mobile world has not been brought to its knees by viral death. We would like to report that this is because SecurStar were beaten to death with 80s brick phones by an incensed crowd of mobile phone users, but will have to settle for imagining it.
    "
     
    Last edited: Aug 20, 2009
  17. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    Ok, good for us that he's not involved in TrueCrypt development...
     
  18. enrico

    enrico Registered Member

    Joined:
    Oct 15, 2009
    Posts:
    25
    Just ask yourself whether the US regime would ever accept the existence of anything like TrueCrypt if it did not have a backdoor. Folks, get real. We all are attacked by terrorist's terror terrorism attacks.

    If you really believe this, then I think you deserve to use it.

    This applies to quite a few software products. Exactly the same applies to CCleaner for example.
     
  19. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    What choice do they have? I don't know what country the TC developers are in, but how could the US government possibly control all crypto software from all countries?

    This type of software could come out of any country and be distributed by an almost unlimited number of channels. Killing or controlling a piece of software like this means killing the internet.

    I have more news for you. The cat is out of the bag with TrueCrypt. We already have the source code. Any group anywhere on the planet could theoretically continue development if it were needed.

    So, as I said before, the NSA long ago gave up on trying to control this stuff in any meaningful way. It's simply not possible anymore. The people that need to get real are those who don't understand the scope of the operation they're suggesting. I promise you if TrueCrypt were killed or compromised in some way, some other group would take it over.

    Another thing to consider is that the end user has to have some measure of competence to properly secure their computer. There are a number of avenues of attack even in the absence of being able to break TrueCrypt. Number 1 on that list is weak password choice. Number 2 is operating system leaks. Number 3 is internet-based attacks. Etc., etc.

    Edit: If you want to know just how ineffective governments can be at controlling the internet, look at The Pirate Bay. If you don't know what's happening, read up on it. It's like a game of whack-a-mole. They're trying everything, including the kitchen sink, to shut down this site, and these 4 guys who've already been sentenced to a year in prison are keeping the site running. They're completely rubbing it in the face of their government. Even if the courts manage to shut down their servers (which has happened numerous times), they're always up and running again within a day. And this site is extremely high profile. Imagine how difficult it would be if they were actually trying to hide.

    The internet is the only place on the planet where the inmates run the asylum. I love it.
     
    Last edited: Oct 15, 2009
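    The point in the post above about weak passphrases being attack number one can be shown concretely. The block below is an added example for this thread, not code from any of the posts or from TrueCrypt itself. It models a volume header as nothing more than salt || verifier, with the key derived by PBKDF2-HMAC-SHA512 and the verifier an HMAC over a known marker; the header layout, the 2000-iteration count, the "TRUE" marker and the five-word wordlist are all assumed toy choices and do not reproduce TrueCrypt's real format or parameters. What it keeps is the part that matters: whoever has a copy of the header can test passphrases offline at the speed of the key derivation, so a guessable passphrase makes the cipher irrelevant.

```python
"""Offline passphrase guessing against a simplified encrypted-volume header.

Added example; not code from the forum thread or from TrueCrypt. The header
format (salt || HMAC verifier), the iteration count and the verifier marker
are assumed, deliberately simplified choices.
"""
import hashlib
import hmac
import math
import os
from typing import Iterable, Iterator, Optional, Tuple

SALT_LEN = 16
ITERATIONS = 2000          # assumed; kept small so the demo runs in seconds
VERIFY_MAGIC = b"TRUE"     # known-plaintext check standing in for a header magic


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow key derivation: the only per-guess cost the attacker pays."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                               salt, iterations, dklen=64)


def make_header(passphrase: str, salt: Optional[bytes] = None) -> bytes:
    """Build salt || verifier, where verifier = HMAC-SHA256(key, VERIFY_MAGIC)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = derive_key(passphrase, salt)
    verifier = hmac.new(key, VERIFY_MAGIC, hashlib.sha256).digest()
    return salt + verifier


def check_passphrase(header: bytes, passphrase: str) -> bool:
    """What mount code does: derive the key, then test the known plaintext."""
    salt, verifier = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_key(passphrase, salt)
    candidate = hmac.new(key, VERIFY_MAGIC, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, verifier)


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Typical mangling rules: case variants plus common suffixes."""
    suffixes = ["", "1", "123", "!", "2009", "!1"]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def dictionary_attack(header: bytes, wordlist: Iterable[str],
                      max_guesses: int) -> Tuple[Optional[str], int]:
    """Return (recovered passphrase or None, number of guesses spent)."""
    tried = 0
    for guess in candidates(wordlist):
        if tried >= max_guesses:
            break
        tried += 1
        if check_passphrase(header, guess):
            return guess, tried
    return None, tried


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list."""
    return words * math.log2(dictionary_size)


def expected_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret of the given entropy."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second


if __name__ == "__main__":
    # Constructed wordlist; a real attacker uses millions of entries.
    wordlist = ["password", "letmein", "truecrypt", "michigan", "wilders"]
    weak = make_header("truecrypt123")
    strong = make_header("oxide plural banjo cutlery glacier")  # five random words
    print("weak  :", dictionary_attack(weak, wordlist, 500))
    print("strong:", dictionary_attack(strong, wordlist, 500))
    bits = passphrase_entropy_bits(5, 7776)  # 7776 = a Diceware-sized list
    years = expected_seconds(bits, 1e6) / 3.15e7
    print(f"{bits:.1f} bits; at 1e6 guesses/s about {years:.0f} years")
```

    The iteration count only scales the attacker's cost linearly, while every extra word in the passphrase multiplies it; that is why the post's ordering (passphrase first, then leaks, then network attacks) is the right one.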
  20. enrico

    enrico Registered Member

    Joined:
    Oct 15, 2009
    Posts:
    25
    I understand your ideas and am actually not paranoid.

    The discussion is a theoretical one anyway as we both lack information about the actual status.

    1. The US regime may have a backdoor we and other open-source programmers are just not aware of. Perhaps an encryption weakness we "experts" are all not aware of. This means that the regime can comfortably sit back and relax, watching us "encrypt" our Danish western movies. And be assured that they would not advertise such knowledge.

    2. I really don't know, but is there really that transparency in the open-source world? OK, the source code is accessible, but code can be twisted so badly that nobody can actually verify it, or only at the cost of a hell of a lot of time.

    The equation OSS = transparency is just not valid and a theoretical one. Besides, the real experts who would be capable of verifying code may have an agenda, or better-paid jobs which keep them too busy to verify.

    I never understood this idea of “We are safe with OSS because it can be verified and someone in the world, capable and skilled enough, will certainly …probably …perhaps …hopefully …desperately do so”.

    Hands up whoever has dug through the whole code of Firefox. :)

    And regarding the regime’s control of contents on the internet, ask yourself a simple question:

    How can it be that only very little, very fuzzy and shaky footage is circulating on the web for the 9/11 event?

    I mean, two big buildings collapse within 10 minutes and all the world is able to see are about 5 or so fuzzy flicks? No way. It happened in one of the biggest cities, with millions of people watching. Cameras available everywhere.

    So much for “contents control”. It is there and seems to be very effective.
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Sorry, Enrico. I don't accept a lot of what the government tells us in the USA, but your claim that there's just a few fuzzy and shaky pieces of footage from the twin towers collapse is so far off the mark. When the buildings fell, it was all on live television. Fuzzy, shaky footage?

    Sorry to respond to something so off-topic, but trying to make your arguments on-topic using falsehoods about something off-topic is simply wrong.
     
  22. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    DiskCryptor

    I have been using it for several months -- flawlessly -- on one of my laptops.

    DiskCryptor was the first open source (GPL) full disk encryption system for MS Windows that allowed the encryption of an entire PC's hard drive or individual partitions -- including the ability to encrypt the partition and disk on which the OS is installed.

    :thumb:
     
  23. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    WTF? How have I never heard of this before? :oops:

    But, then again, I did a search on this forum for the word DiskCryptor, and it was only mentioned in 8 previous threads. I guess TrueCrypt really benefits from having been first (and its massive user base).

    I hope DiskCryptor starts getting some publicity and peer review.
     
  24. Countermail

    Countermail Registered Member

    Joined:
    Aug 7, 2009
    Posts:
    169
    Location:
    Sweden
    I mentioned it earlier in this thread ;)
    "...but diskcryptor.net could be a future competitor..."
     
  25. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Good point. I wasn't here on August 13. I believe I was in a room with 4 padded walls that day. :'( I just looked at the first and last posts.

    I always thought TrueCrypt was the only open-source WDE product. Not only is that wrong, but they were actually beaten to the punch by DiskCryptor. I was wondering why the developers went back on their word about never releasing WDE. Now it's obvious.

    I'm planning to re-install my OS and re-encrypt. I might give DiskCryptor a try.
     