Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

[popcorn]

Hi all

playing devils advocate here
I know this is an older article but would like to here the forums thoughts...

http://www.privacylover.com/encrypti...-cia-honeypot/

Popcorn

EDIT - again been devils advocate, from the same article(updated)....https://tails.boum.org/doc/encryptio...acy/truecrypt/

[PaulyDefran]

Daniel Dantas' data is still secure, so if there is a BD, they are playing it to the hilt.

PD

[Jim1cor13]

Thanks popcorn My thoughts are fairly simple. I think some of the info regarding true crypt and the possibilities that exist have some merit in regards to potential back doors etc. I think few care to admit this is likely more the norm now than it was say even 5 - 10 years ago. I do not use truecrypt, so although I am aware of it, I have no idea all that is or has been stated about its developers is based upon fact or speculation.

I think over the last few years it is likely that many softwares are in some way 'conforming' to some form of back door style tricks, including more common apps such as web browsers, etc. It does not take much digging to see there *could* be more going on within say browsers than just 'security' related constant updates like FF and Google Chrome have experienced, especially over the last 18 months or so. When a final version is released and then a new beta comes out within literally a few days, it gets to be lunacy and sometimes causes me to consider other things going on behind the scenes, and I will leave it at that, just personal opinion.

On the other hand, such things as truecrypt speculation about their developers and all the possibilities going on with other softwares and even OS's could be nothing more than speculation that does little more than feed into paranoia. Without cold hard facts, all we can do is speculate, and in my mind, i find it likely possible that our "privacy" has been tossed out the window years ago.

if one has nothing to hide, then most are not bothered by such a notion. Personally, I realize the bottom line is, if one is that concerned about true privacy online, then the only real solution is to stop using internet based applications and stop allowing internet connectivity on ones computer and avoid exposing it to such things.

As far as truecrypt, which is not an online based app, one could say if the FBI were unable to crack an encrypted drive from a criminal banker, that alone is enough to, at the very least, doubt the accusations about any level of compromise regarding the use of such utility. So personally, I take what has been stated on the links as being at best pure speculation, even though there are legitimate questions as to their usage policy, etc., and some of the concerns appear valid, but unproven.

Just my thoughts

[Cudni]

and if people doubt it they might go for a different solution instead which might indeed contain a backdoor.

[Jim1cor13]

Good point Cudni. One could look at it in just this way, by instilling doubt about what appears to be a solid encryption software such as truecrypt and one that is popular, in order to potentially search for a different solution that could take a user in a direction that would indeed end up with a compromised product. Good observation and very valid concern. There is no doubt a lot of tricks played today and sometimes competitors can play nasty and be very manipulative.

[popcorn]

Hi all

First off, I trust TC. I trust in the technology, my understanding of it anyways, combine this with the fact that the feebs cannot (apparently ) decrypt it and
why wouldn't I ?
Who's to say that the majority of systems aren't already backdoored
groups like the French based Vupen Security are getting rich because of the governments need for zero-day exploits and I'm sure governments have there own "friendly" developers in many companies.
What raised my eyebrows is the ability to murk the waters of an open source project like TC, I cannot audit the code, I trust in others to do this, now if as the article implies these others are "very few" whom exactly are we trusting ?
That been said I'm sticking with TC, like you say Jim1cor13 there's only one sure fire way to 100% guarantee you privacy online and thats stay offline...in the end you have to put your trust somewhere.
I also agree with Cudni, the groups that would monitor every last one of us operate through instilling doubt and creating murky waters
my thoughts also
popcorn

[chiraldude]

This is an interesting question. Truecrypt is open source so lots of people have taken a look at the code. The question is, how many methodical code reviews have been conducted?
I can look through the code but I am not a C++ or assembly expert let alone a crypto expert.
To "prove" Truecrypt does not have a back door, someone would have to first create an independent windows driver designed to perform XTS encryption of a hard drive the same as Truecypt. Then encrypt many Terabytes using both and do a bit for bit comparison to see if Truecrypted data is identical. This takes a lot of work and I am not aware of any published study like this.
That said, if Truecyrypt did have a back door, there would be cases where a three letter agency had gained access to encrypted data. I haven't heard of anything like this.
If there were a back door, it would be used extremely rarely because if a backdoor became public knowledge, everyone would instantly stop using Truecrypt.

[Enigm]

Quote:

Originally Posted by chiraldude

To "prove" Truecrypt does not have a back door, someone would have to first create an independent windows driver designed to perform XTS encryption of a hard drive the same as Truecypt. Then encrypt many Terabytes using both and do a bit for bit comparison to see if Truecrypted data is identical. This takes a lot of work and I am not aware of any published study like this.

How would that 'prove' anything ??
Even using the same password, hashing-algo etc etc the actual keys derived would still be different .. And therefore the random garbage would NOT be bit-identical .
Besides, it wouldn't reveal that the password was never wiped from the keyboard-buffer . You can't see a backdoor in software by looking at your harddisk !

The fact that the UK Big Brother felt a need to make it a 4-year jail-time criminal offense not to disclose your password/encryption-key speaks volumes IMO !

[Nebulus]

In the end, it is just another matter of trust. Do you trust program X with your data or not? Do you trust that it doesn't have a backdoor? Do you trust that it doesn't have an implementation bug in the encryption algorithm? Do you trust that it doesn't have a bug that will render your data unusable?
There is no "100% certainty" when it comes to any program (especially the security related ones), so it becomes a question of how much do you trust a program and its maker. Even if the program is open source, even if you look for yourself inside the source code, heck, even if you write it yourself, there will always be a possibility that something will go wrong (i.e. a bug) and the end result is not what you expect.

[chiraldude]

Enigm
Of course you would have to set the master keys to be identical.
You could prove that Truecrypt was correctly implementing AES and that all the data was encrypted.

A test like that would be good enough for me to trust an encrypted thumb drive to not have a backdoor.

On a Windows system on the other hand, all sorts of tricks could be used to hide a copy of the password. So, no, not an exhaustive proof. Just a proof that one type of backdoor does not exist.

[redcell]

From my knowledge, CIA station in Czech Republic has a hand in Truecrypt.

I would strongly advise privacy lovers to use full disk encryption (FDE) with decoy OS, self-destruction mechanism (eg. password destruction, MBR/partition destroyer)and containers within FDE.

[LockBox]

Quote:

Originally Posted by redcell

From my knowledge, CIA station in Czech Republic has a hand in Truecrypt.

I would strongly advise privacy lovers to use full disk encryption (FDE) with decoy OS, self-destruction mechanism (eg. password destruction, MBR/partition destroyer)and containers within FDE.

From my knowledge, MI6 station in Luckenbach, Texas has a hand in Truecrypt - or was it the FSB station in Clayton, Alabama?

Then you must only use hardware encryption? Because, self-destruction is a marketing trick with software encryption. Any attacker would image your hard drive and they have unlimited attempts with the image.

No, now I remember, it was the Chinese MSS station in Affpuddle, UK. That's it. Truecrypt's busted!

[Hungry Man]

Has there ever been a single case where Truecrypt protected files were unlocked? Ever?

How is software deleting a gimmick LockBox?

[LockBox]

Quote:

Originally Posted by Hungry Man

Has there ever been a single case where Truecrypt protected files were unlocked? Ever?

How is software deleting a gimmick LockBox?

Truecrypt is fine - I'm sure you caught my sarcasm.

'Deleting' isn't a marketing trick, "self-destruct after X number of attempts," is a marketing trick. A drive will be imaged by every forensics investigator and with software encryption they have unlimited attempts despite the fact the sofware claims "X number of times." With an image, every time is the first time. Not true, of course, with hardware encryption.

`

[Hungry Man]

That bit wasn't really directed towards you, I'm just wondering if anyone has ever gotten through truecrypt publicly. Outside of, of course, known attacks like pulling they key from RAM.

Quote:

asm.

'Deleting' isn't a marketing trick, "self-destruct after X number of attempts," is a marketing trick. A drive will be imaged by every forensics investigator and with software encryption they have unlimited attempts despite the fact the sofware claims "X number of times." With an image, every time is the first time. Not true, of course, with hardware encryption.

Ah, I see. Makes sense.

I'd assume things change with hardware but, yeah, I can't imagine that's difficult to bypass with software at all.

[chronomatic]

Quote:

Originally Posted by Hungry Man

That bit wasn't really directed towards you, I'm just wondering if anyone has ever gotten through truecrypt publicly. Outside of, of course, known attacks like pulling they key from RAM.

When Anonymous leaked the HB Gary e-mails, one of those e-mails discussed how HB Gary got help from the NSA to break the TC container of a botnet operator.

The e-mails didn't say how it was done, only that it was. So, it could have been as simple as a weak password, etc.

[JohnMatrix]

I haven't seen any evidence that TC contains a backdoor. But I haven't seen evidence that denies it either. However, if the CIA manages to break a TC container there is very good chance they just use a keylogger, dictionary attack or a brute force attack for short passwords, i.e. "cracking" the container is not a confirmation that TC contains a backdoor.

[chiraldude]

If a backdoor existed, how long could the NSA keep it quiet?
I agree with JohnMatrix. Three letter agencies would get more value for the money by developing tools for capturing your password as you enter it.
Cameras, keyloggers, spyware, EM capture, etc...

[Techwiz]

I have seen nothing to suggest Truecrypt is backdoored; however, I would never leave personal/private/sensitive data on a networked computer even if it was encrypted. If they can not gain access to the device physically or remotely then it doesn't matter whether the product has a back door or not. I will say this much though, anyone that goes snooping for my external drives .... the nearest hospital isn't nearly close enough.

Also, I don't think the NSA is going to have a difficult time stealing information from Windows users. Not only is it the most popular OS, but Microsoft as allegedly already been caught in bed with the NSA in the past. Once someone has physical access to your system it really doesn't matter what security/privacy software you install. To put it a simple way, if you lock the fox in the hen house ... what good are the locks?

[mant]

Quote:

Originally Posted by Techwiz

Also, I don't think the NSA is going to have a difficult time stealing information from Windows users. Not only is it the most popular OS, but Microsoft as allegedly already been caught in bed with the NSA in the past. Once someone has physical access to your system it really doesn't matter what security/privacy software you install. To put it a simple way, if you lock the fox in the hen house ... what good are the locks?

More. See FCC sticker on all devices gadgets and keyboards.

Even on the Wireless Router clearly states: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

That's it! If you mess with the NSA and suddenly your wireless device explode like a pieces of cake, it's because accepting negative interference from the space satellite.

[Frank the Perv]

Quote:

Originally Posted by LockBox

From my knowledge, MI6 station in Luckenbach, Texas has a hand in Truecrypt - or was it the FSB station in Clayton, Alabama?

Then you must only use hardware encryption? Because, self-destruction is a marketing trick with software encryption. Any attacker would image your hard drive and they have unlimited attempts with the image.

No, now I remember, it was the Chinese MSS station in Affpuddle, UK. That's it. Truecrypt's busted!

LOL.... exactly.

Having just a little bit of knowledge about the US Intelligence Community -- the CIA station in the Czech Republic would not have participated as rumored. The stations have a different purpose. The CNA & CNE guys would be at a location in the US.

For a minority opinion on this… I wish the CIA, NSA and others would more actively do those types of operations. They seem to be in ‘react mode’ rather than having proactive applications such as this one discussed.

The Chinese seem to be very good at putting bugs and backdoors deeply buried in software code. The US seems to be mired in bureaucracy and indecision about these things. But now USCYBERCOM is examining the possibilities carefully.

With the proliferation of violent extremist organizations (VEOs) in the world, more steps are needed to find and fix these folks.

I’m rooting for the defenders of the people to more actively develop policies and programs to find, fix and target bad guys.

Go get ‘em.

[chronomatic]

Quote:

Originally Posted by Frank the Perv

For a minority opinion on this… I wish the CIA, NSA and others would more actively do those types of operations.

They've been doing these sorts of ops for a long time already. Backdoored crypto machines is how Reagan knew Gadaffi was behind the Berlin disco bombings in the 80's. It's also how the US knew who bombed the Lockerbee plane.

Here's a list of some NSA ops: http://cryptome.org/nsa-sabotage.htm

[PaulyDefran]

CryptoAG!

PD

[SourMilk]

TrueCrypt is open source and anyone can check out the programming deciding for themselves if it has a back door.

As for myself, I'm strapping on my aluminum foil helmet and using xor with 5 seconds of white noise for my key. I keep the key on a USB stick which is hidden in a neighbor's back forty. I believe it is brute force proof but not rubber hose proof .

SourMilk out

[kareldjag]

A few years ago Sogeti has audited TrueCrypt 6 for the French gvt and no backdoor was discovered
http://esec-lab.sogeti.com/post/2008...ecrypt-english

Hard drive encryption is one of the most effective anti-forensic solution
http://g1.globo.com/English/noticia/...el-dantas.html
Now why most western countries have adapted the law to mitigate this evidence dead end if the most widely used encryption software was backddored by US security agencies?
http://www.out-law.com/page-8515
Of course in some coutries this might become much more persuasive
http://imgs.xkcd.com/comics/security.png

Attacks are possible on TrueCrypt, but this is here only an extension of the the original question and toppic.
PS. this morning my cat ( http://www.wilderssecurity.com/attac...1&d=1298338621 ) was watching what is going on my laptop...i guess that he was RFID backdoored by the CIA in order to see if i am a member of ANONYMOUS or if i was selling an IE vulnerability to Vupen...

Rgds