Wilders Security Forums  

  #1  
December 27th, 2011, 07:01 PM
wearetheborg
Frequent Poster
Join Date: Nov 2009
Posts: 650
Truecrypt developer reliability?

Regarding:
http://www.privacylover.com/encrypti...-cia-honeypot/

Most of the points are non-issues; my only concern is the two-developer point:
Quote:
Closed source full disk encryption competitors like WinMagic, DriveCrypt (Securstar) and PGP Corporation have a full time team of software developers working on their products; creating such a product is not an easy feat, as any of them will tell you.

Meanwhile two unpaid Truecrypt developers manage to work on Linux, Mac and Windows versions, on 32 and 64 versions and support the next Windows 7 as soon as it has been released; at the same time, presumably, these two Truecrypt developers also hold full time jobs that pay them a salary to feed their families and cover their mortgages.

I thought they had more developers.

The source code compiled without any problem on linux.
__________________
Windows XP: SRP + LUA + No Autostarts for Users + On demand scanned new exe's + Sandboxie'd Firefox with NoScript.
Linux Hardening: AppArmor, SeLinux
Limited User Accounts: In a LUA, you have the supreme power; a process cannot monkey around critical system parts without your explicit permission.
  #2  
December 27th, 2011, 11:06 PM
chiraldude
Regular Poster
Join Date: Jul 2010
Posts: 117
Re: Truecrypt developer reliability?

I too have had an uneasy feeling about the secret identities of the developers. At first there was a plausible explanation: Many restrictive governments around the world depend on spying on citizens and quashing those who speak out against them. Encryption makes it harder to do this so the Truecrypt devs could have possibly been targets for assassination, kidnapping, torture, etc.
Does that apply today? TC website would continue to offer encryption even if the devs were killed so what would be the point?
Does any of this really matter? TC devs are not interested in development. No new features recently and none expected. I wouldn't be surprised if TC became obsolete in the next 2 years. New PC BIOS (UEFI) replacements are not TC friendly and there is no reason to expect a new TC version to fix this.
  #3  
December 28th, 2011, 09:01 AM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
TC devs are not interested in development.

Well, see the release timetable and you'll see the software being developed and new versions released.
__________________
avast! team member
  #4  
December 28th, 2011, 10:42 AM
chiraldude
Regular Poster
Join Date: Jul 2010
Posts: 117
Re: Truecrypt developer reliability?

Future development:
-Command line options for volume creation
-'Raw' CD/DVD volumes

History:
No important changes since V7.0 (July 2010)

Command line options and Raw CD volumes still not implemented.
Perhaps they are just really busy and don't have time to work on code?
I don't see any notes from developers apologizing for lack of activity. I only see a banner asking for money.
  #5  
December 28th, 2011, 11:28 AM
kareldjag
Frequent Poster
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 517
Re: Truecrypt developer reliability?

Hi,
There is much more food for backdoors with closed/proprietary sources and code.
There is a study of an old version done for the French government:
http://esec-lab.sogeti.com/post/2008...ecrypt-english

Regards
__________________
Independent vision of Security (Security? Yeah But Well: http://www.ouaismaisbon.ch/ )
Fight child crime: http://www.circamp.eu/ http://www.virtualglobaltaskforce.com/
  #6  
December 28th, 2011, 12:30 PM
PaulyDefran
Frequent Poster
Join Date: Dec 2011
Posts: 693
Re: Truecrypt developer reliability?

More features = more chance for problems. It works well as it is...I don't care if they don't do jack but keep up any security patches. It isn't an OS.

PD
  #7  
December 28th, 2011, 12:59 PM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
No important changes since V7.0 (July 2010)

The code is completely reliable and stable. They're just not adding further features.
I understand the opinions, but it just seems that some of them are becoming FUD, IMHO.
  #8  
December 28th, 2011, 03:40 PM
Palancar
Regular Poster
Join Date: Oct 2011
Posts: 104
Re: Truecrypt developer reliability?

Rubbish. TC is a solid product. I have compiled it many times and edited the source to add features that I wanted, which were not in the public binary.

Attention to security details is outstanding. My computers literally never skip a beat because of anything TC related. It took a few years to get a grasp of understanding the "ins and outs" but it's an amazing learning experience. If you are up to the challenge I would suggest you grab the source and the few software tools needed to rip into it. You'll have some fun and learn some cool stuff.
  #9  
December 28th, 2011, 07:49 PM
wearetheborg
Frequent Poster
Join Date: Nov 2009
Posts: 650
Re: Truecrypt developer reliability?

So, you feel two developers are enough to create and support this product?
Why do other commercial encryption tools employ more developers then?
  #10  
December 29th, 2011, 05:24 AM
kupo
Frequent Poster
Join Date: Jan 2011
Posts: 920
Re: Truecrypt developer reliability?

It's not about the number of developers. I've seen many good reviews of Truecrypt and even heard of it in the news. You're using Sandboxie, right? It is developed by a single person, you know.
__________________
Do not feed the trolls!
  #11  
December 29th, 2011, 11:25 AM
wearetheborg
Frequent Poster
Join Date: Nov 2009
Posts: 650
Re: Truecrypt developer reliability?

Quote:
Originally Posted by skudo12
It's not about the number of developers. I've seen many good reviews of Truecrypt and even heard of it in the news. You're using Sandboxie, right? It is developed by a single person, you know.

Yup, but
1. It has a paid version.
2. The technical level of Sandboxie is way lower than that for Truecrypt.
Truecrypt requires competence for understanding various crypto protocols, correctly implementing them, cross platform support for Linux/Mac/Windows etc.
  #12  
December 29th, 2011, 12:20 PM
chiraldude
Regular Poster
Join Date: Jul 2010
Posts: 117
Re: Truecrypt developer reliability?

Truecrypt Foundation has chosen to speak of only two developers but, as with any complex coding project, many more people contribute than are credited. The paranoid among us may jump to the conclusion that the "two" developers and the secrecy that surrounds them leaves room for a great conspiracy theory.
I am still inclined to accept TC at face value (no back doors, etc).
It would be hard to believe that someone found evil code in TC but kept it quiet.
The OP makes a good point. TC compiles on LINUX without too much hassle. If someone is really serious about security, they will use LINUX. One reason for the devs not addressing some of the Windows issues is that they may have concluded that Windows cannot be completely trusted to host encryption of any form.

It really comes down to the Foundation's assertion that TC is developed by two mysterious people. This just doesn't sound right. It leaves so much to speculation.

Last edited by chiraldude : December 29th, 2011 at 12:25 PM.
  #13  
December 29th, 2011, 12:36 PM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
Truecrypt Foundation has chosen to speak of only two developers but, as with any complex coding project, many more people contribute than are credited. The paranoid among us may jump to the conclusion that the "two" developers and the secrecy that surrounds them leaves room for a great conspiracy theory.

Exactly.
It's a fully open code project. Anyone could check what is going on. If the company fails, maybe the code will survive as it is public.

Quote:
Originally Posted by chiraldude
I am still inclined to accept TC at face value (no back doors, etc).
It would be hard to believe that someone found evil code in TC but kept it quiet.

The code is public. You can compile the code and check, bit by bit, with the final code.

Quote:
Originally Posted by chiraldude
They may have concluded that Windows cannot be completely trusted to host encryption of any form.

Hmmm... The encryption is their part. If it fails, they fail, not Microsoft.
  #14  
December 29th, 2011, 02:10 PM
LockBox
Very Frequent Poster
Join Date: Nov 2004
Posts: 2,081
Re: Truecrypt developer reliability?

I'm fine with TC and just two developers. One thing I have wondered about is how it would be so hard to find out who they are. Have you ever set up a PayPal account? Their donations are through PayPal and they would need bank info and such. I understand TC is set up as a foundation, but a foundation still has public directors. PayPal will freeze your funds in a heartbeat if there are questions about identity, etc. So, that's the only thing I've ever wondered about. I love Truecrypt and use it every day.

We know the FBI doesn't have the ability to use any possible "backdoor." There are too many cases where they can't proceed because of encryption and TC was mentioned as the product used in a CP case in my own hometown. If it's backdoored, it's CIA or some other covert intelligence operation that would only use it in extreme cases.
  #15  
December 29th, 2011, 04:04 PM
Palancar
Regular Poster
Join Date: Oct 2011
Posts: 104
Re: Truecrypt developer reliability?

Again, the code is "tested" as solid.

Where you have no assurances is if you are running the publicly distributed binary. Doing your own private build from code removes doubts. Unlikely as it is, the public binary could be code + "whatever" and you can't detect that. I just mention this for those that freak over "backdoor" thoughts.

Tons of really major court trials mention locked TC drives where the Feds from many countries have spent a year or more trying to break the encryption. They ALWAYS fail to get in. These felony multi-national cases are in effect the "acid test" for TC's value -- my opinion.
  #16  
December 29th, 2011, 04:59 PM
chiraldude
Regular Poster
Join Date: Jul 2010
Posts: 117
Re: Truecrypt developer reliability?

Quote:
Originally Posted by Technical
The code is public. You can compile the code and check, bit by bit, with the final code.

You can't simply check the compiled code against the compiled Windows executable downloaded from TC website. Digitally signed, undocumented compiler options, etc...
Going through the code looking for flaws or cleverly obfuscated logic that makes some or all the data easy to decrypt is not a simple task.

Quote:
Originally Posted by Technical
Hmmm... The encryption is their part. If it fails, they fail, not Microsoft.

What leverage does TC have to force Microsoft to play nice with TC? If Windows refuses to encrypt some or all your data, how would you know? Who would you complain to?

Personally, if I had "life or death" secrets that needed encryption, I would use TC encryption but not on Windows. I would create a container using LINUX, copy the data from Windows then smash all the disks from the Windows system.
  #17  
December 30th, 2011, 06:52 AM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
Going through the code looking for flaws or cleverly obfuscated logic that makes some or all the data easy to decrypt is not a simple task.

Sure it is not for common users. But, at least, the possibility is there.

Quote:
Originally Posted by chiraldude
If Windows refuses to encrypt some or all your data, how would you know?

Windows does not have such power over the encryption tool. If it works, the encryption is done. If it fails, it's the tool's failure, not Microsoft's.

Quote:
Originally Posted by chiraldude
Personally, if I had "life or death" secrets that needed encryption, I would use TC encryption but not on Windows. I would create a container using LINUX, copy the data from Windows then smash all the disks from the Windows system.

The data encrypted will be exactly the same. The security level will be exactly the same. A container made by Linux or by Windows has exactly the same security level.
TC is multiplatform.
  #18  
December 30th, 2011, 07:44 AM
chiraldude
Regular Poster
Join Date: Jul 2010
Posts: 117
Re: Truecrypt developer reliability?

I would not be concerned about an encrypted container such as a flash drive. It's getting the data into the container that is not secure with Windows. How many copies of your secret data did Windows leave scattered around the operating system before moving it to the encrypted container?

With Windows, how sure are you that the System encryption is 100%? You would bet your life on it?
  #19  
December 30th, 2011, 12:34 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Truecrypt developer reliability?

If any of you take TC or any other program at "face value" and fully trust them and the people behind them, you're already failing at the game. As far as these two devs go, instinct tells me they have more to hide than the users of TC do. Instinct also tells me it has nothing to do with them being afraid of being targeted, but that they are working for/with someone and Paypal was told or is willing to play along. If Paypal is even being given real information that is.
  #20  
December 30th, 2011, 02:48 PM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
How many copies of your secret data did Windows leave scattered around the operating system before moving it to the encrypted container?

Sorry. I've twisted the point. I was thinking of an encrypted drive like mine (everything is encrypted on the fly).

Quote:
Originally Posted by chiraldude
With Windows, how sure are you that the System encryption is 100%? You would bet your life on it?

In a USB drive? No.
In a fully encrypted system, yes.
  #21  
January 1st, 2012, 08:01 AM
PaulyDefran
Frequent Poster
Join Date: Dec 2011
Posts: 693
Re: Truecrypt developer reliability?

Quote:
Originally Posted by dw426
If any of you take TC or any other program at "face value" and fully trust them and the people behind them, you're already failing at the game. As far as these two devs go, instinct tells me they have more to hide than the users of TC do. Instinct also tells me it has nothing to do with them being afraid of being targeted, but that they are working for/with someone and Paypal was told or is willing to play along. If Paypal is even being given real information that is.

And the 'powers that be' just let Brazilian bankers serve light sentences...to protect the secret that TC *does* have a backdoor...only to be used in cases like 'unTerrorism'...who rarely (if ever) use encryption?

Is this like the protection the FBI did with Nico Scarfo? Where they had a backdoor to PGP, but instead created 'MagicLantern' to keylog his passphrase instead?

Just having some fun, no harm. CryptoAG also proves your point to a degree...but the world has changed a lot since then. But I can't hand roll every piece of privacy/security software I use...I have to trust someone. I use dm-crypt/LUKS on Ubuntu...how do I know *that* is safe?

PD
  #22  
January 1st, 2012, 01:24 PM
dantz
Frequent Poster
Join Date: Jan 2007
Posts: 579
Re: Truecrypt developer reliability?

I have also wondered about the TC developers. TC is a pretty damn sophisticated program to come out of two silent and anonymous developers who've been doing all this incredible work for years without pay. Personally, I don't believe it. Other scenarios seem more likely.

The bottom line, of course, is that nothing is safe. Nations commit major resources to the encryption game and they play it at the very highest levels. You will never know their full capabilities. Whatever form of encryption you are using, the only sensible approach is to assume that it has been broken (and it probably has.)

If you have 'life or death' secrets that need encryption, your best bet is to get rid of them immediately.
  #23  
January 1st, 2012, 02:58 PM
PaulyDefran
Frequent Poster
Join Date: Dec 2011
Posts: 693
Re: Truecrypt developer reliability?

I just don't buy this outlook personally (but to each, their own). On the one hand we have the known decryption failures in the case of the Brazilian banker (TrueCrypt) and Nicodemo Scarfo (PGP), and a few more if I decided to look, probably. On the other hand, there is the 'oh you'll never know what's in the basement of Ft. Meade, it's all cracked' opinion. Fair enough, let's see:

Yemen ops house eavesdropped on by NSA, yet they don't even bother to reverse lookup who Yemen was talking to in the US. (9/11)

Nawaf Al-Hazmi is listed in the San Diego white pages. (9/11)

Both al-Hazmi and al-Mihdhar live with an FBI informant (9/11).

It took 10 years to find OBL.

Count me (as someone who has worked in .mil/.gov) as someone who thinks they are 'barely competent with a ton of cash'.

Wasn't Phil Zimmermann a one man op in the beginning? Wasn't Scramdisk a one or two man show (Shaun Hollingworth)? Imad Faiad with PGP 6.5.8 CKT? DiskCryptor?

PD
  #24  
January 2nd, 2012, 08:11 PM
caspian
Very Frequent Poster
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Re: Truecrypt developer reliability?

Quote:
Originally Posted by LockBox
We know the FBI doesn't have the ability to use any possible "backdoor." There are too many cases where they can't proceed because of encryption and TC was mentioned as the product used in a CP case in my own hometown. If it's backdoored, it's CIA or some other covert intelligence operation that would only use it in extreme cases.

Yeah I remember someone posted a link here about a teen from the U.K. who had some cp on his comp at an airport. His computer was encrypted with TC and they were trying to demand the pass phrase. So evidently the FBI can't crack it. And if the NSA or someone else can, they aren't telling. I would imagine that they would rather keep that option for extreme cases and lead people to think that it is uncrackable. But then again, maybe no one can crack it.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #25  
January 2nd, 2012, 08:35 PM
SplinterCell
Infrequent Poster
Join Date: Jan 2011
Location: Wisconsin
Posts: 45
Re: Truecrypt developer reliability?

Quote:
Originally Posted by chiraldude
...New PC BIOS (UEFI) replacements are not TC friendly and there is no reason to expect a new TC version to fix this.

I have a UEFI BIOS and TrueCrypt hasn't had any issues? What sort of unfriendliness should I be looking out for?

~Thanks
__________________
"The battle, sir, is not to the strong alone; it is to the vigilant, the active, the brave." -Patrick Henry
 
