TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

Discussion in 'privacy technology' started by Palancar, May 28, 2014.

  1. _Owl_

    _Owl_ Registered Member

    Joined:
    Jun 19, 2014
    Posts:
    8
    Hi all.
    I just registered because I think there are a few theories circulating that could be excluded.

    TC was a CIA honeypot.
    If it was, why should the CIA suddenly make people suspicious with this latest move?
    Doesn't make any sense.

    Now let's put ourselves into the position of a developer.

    The NSA knows your identity and you are threatened to cooperate.
    What would a real collaborator do?
    He would release the next version and would not make people suspicious by posting these things.

    What would you do, to warn people?
    Is it enough to post on security blogs or forums? No, because you can't prove who you are.
    The only real option you have, is to send a message through the TC webpage.

    The message:

    If you are the developer and you discover a security flaw in Win XP, what would you do?
    You would warn about XP. But you would mention the other Win and the Linux version is unaffected and can be used further.

    If the flaw affects all Windows versions, you would warn about Win, but again mention that Linux is ok, wouldn't you?

    So we can conclude from the message already, that the problem is NOT Windows related!
    No matter what the text says, it's the only logical conclusion.

    But a problem stays: how can you, if you put yourself into the shoes of the devs, warn the public - warning them is not allowed, it must be legally watertight.

    HOW could you warn and WHEN would you do it?

    I would exaggerate my recommendation so much that really everyone is rubbing his eyes. "Use MS Bitlocker."
    In the same sentence, they even mentioned that a product of Win was not secure, without any technical useful explanation, but then they recommend MS in the same sentence. That's brilliantly obvious!

    Only if the hidden warning is so extreme that it contradicts every reason why people use your software! You just recommend a most obvious contradiction to everything why TC is being used.


    And WHEN would you send the warning?
    The best moment would be BEFORE the first insecure version is about to be released.


    The job for the project, to check the TC code, maybe just got much easier:
    If I were Green, I would now concentrate on analyzing the differences between 7.2 and 7.1a first.

    That could be the third big hint, packed into this one sentence.

    So this sentence contains at least 4 warnings:

    1. If TC was from the beginning a CIA honeypot, this warning would not exist. TC would still be a perfect honeypot, until the flaws are discovered. No need to blow it up previously. The developers are unknown anyway.

    2. Win is not the problem.

    3. Do not trust the software from now on. Check the differences between 7.2 and previous versions!

    4. The acronym n...s...a... in the warning.


    And why did the devs not simply stop developing TC instead of releasing an insecure version?
    Since the NSA knows you, and you have broken several licenses, you have a huge potential legal problem. It could mean to ruin you financially and get you into jail.
    But if you are collaborative and release a version, that helps us...
    Being blackmailed you agree to collaborate.
    And if you could find a solution to warn the public in the right moment, the damage to users would be minimal...

    My 2 ct.
     
  2. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    I never noticed warning #4. Good catch!
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    You left out one scenario, that the versions after XP are the problem. Their linking it to XP support suggests this.
    The rest of your assessment makes sense.
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi
    I've explained the acronym here https://www.wilderssecurity.com/thre...ment-or-was-hacked.364391/page-7#post-2378401
    And of course this theory makes sense if we take into consideration the history of the three-letter agency, its implication in cryptography research and corruption (remember Dual_EC_DRBG), and what is already known (http://rt.com/usa/158460-cia-director-metadata-kill-people/ ) and still to be discovered...
    I doubt that the rest of the audit will help in pointing out the real truth behind the TrueCrypt dilemma.
    So after the basketball go Spurs, the soccer go France!

    Rgds
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    What's ridiculous is thinking those things assure your safety. That's just a few settings that allow you to customize things the way you want them. It's also misguided to believe that just because something is open source that it must be safe. People just assume that "somebody" would have found it by now if something shady was going on... but the problem is everyone assumes that and nobody actually audits it to verify it. Or at least there are so few people that do and too much code to go through. Just look at OpenSSL... there were vulnerabilities found recently that everyone was oblivious to for 10 years. The same may be found when TrueCrypt is thoroughly audited. It takes a lot of time, money and resources to do this stuff. And even then, a very clever person can still hide something in a way that could elude those prying/auditing eyes. So we'd be naive to think the same doesn't hold true for Firefox.

    In other news... Mozilla recently partnered with the New York Times & Washington Post. Teaming up with major media news outlets (the ministry of propaganda), is yet another sketchy looking maneuver. Ever since that former N.S.A. crypto-breaker joined the Mozilla team I've been looking for signs of shadiness, and it's all happening even faster and less subtly than I imagined.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    That's because you can't lock down any version since XP. You simply cannot do it or you lose the functionality to even use your computer & connect to the net. You must make those concessions... more & more of them with each passing version. On XP it most certainly takes a lot of tweaking and trimming to get it tight, but it's possible. I have only 9 services running right now, and 2 of them are Comodo & Sandboxie. Those 2 things & Shadow Defender are my only 3 startup items. I don't use IE, have no .NET FW, no Flash, no Java, no PDF. Every "critical" update I see is pretty much irrelevant to me, but I apply them anyway. So I don't exactly feel too paranoid that its EOL has passed. I still feel much more secure than I would on any version since... and most certainly have more privacy.
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    you make some interesting points i admit, about openssl i don't think anyone had any interest in going through openssl thoroughly, that's why it wasn't found for 10 years, unlike TC which is going through a thorough audit, i reckon the guys going through it take it very seriously since they themselves are TC users and wouldn't want their nor the people's privacy jeopardized, about mozilla partnering with new york times and washington post i honestly have no idea what to say on that, maybe some thoughts on this would be appreciated
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Plenty of people had interest, and incentive to comb through openssl, since it was an integral part of the OpenVPN community. Yet everyone remained oblivious for 10 years. The problem, again, is that it takes a lot of time, effort and money to do thorough audits. I remember seeing the figure they were trying to raise to audit TrueCrypt, and they didn't meet it. They've got like 30 grand and are trying to do the best they can with it. 30 grand split between God knows how many people, and God knows how long it will take them all to really go through it with a fine-tooth comb. They'd basically be doing it largely on charity. And that's why it's not often done, or at least done thoroughly. And people just assume: "oh, it's open source, SOMEBODY would have found something by now"... severely flawed logic. And these days more than ever.

    Not to mention more and more of these former pioneers/people of integrity are being infiltrated and brought over to the dark side these days by being offered a comfortable lifestyle. It beats combing through code for a pittance, and a thankless job, as you generally only hear from people when they're complaining. Half of them don't trust you and question your integrity, and the other half whine about features/bugs. It's no wonder so many turn rogue, or at least pack up tent.
     
  12. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    This is kind of misleading. It's not as if these were Heartbleed kind of bugs. The one that I assume you're referring to, mentioned here. As the dev mentions, he can't rule out that someone could come up with a creative way to exploit the bug, but he can't really think of one. And with a 1.0.1 server, I wouldn't say you can even really call it a "threat", as the attacks need man-in-the-middle position against the victim and non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected.

    So the moral is, not all bugs are created equal (not by a long shot), and if one goes unnoticed for 10 years, it's not going to be that big of a deal. Heartbleed was 2 years (which is still obviously way too long) but it was an anomaly (and we're talking 1/5th of the timeframe.)


    What? Where is your source for that?

    The official IndieGoGo page lists $25k as the goal, and $46,420 raised (nearly twice the goal amount). And that's just one source. Throw in the other funding venues, and as Ars Technica reported, around $80,000 was raised in total.

    https://www.indiegogo.com/projects/the-truecrypt-audit/
    http://arstechnica.com/security/201...s-no-evidence-of-backdoors-or-malicious-code/

    What in the heck are you talking about?
     
    Last edited: Jun 22, 2014
  13. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    IF your data really is so sensitive that it requires encryption - The last thing you should do is even HAVE a NIC in the computer .
    What on Earth makes people believe you can 'trust' micr0$0fts IP-stack ?

    On-topic :
    I'm also starting to believe it's a 'warrant-canary' - Even mentioning closed-source third-party encryption was against rules on the TC-forum, wasn't it ?
    And now they recommend it?? Something just doesn't smell right about that.
    And I really don't care what some dude on the internets claims he has talked with some other dude on the internets, claiming to be a TC-developer, about .


    Obviously, because it wouldn't be 'TrueCrypt' .
    Christ, the Debian-fundamentalists have really messed things up - There is NOTHING in the TC-license that prevents you from using the source-code of TC to compile a version that you call something else .
     
    Last edited: Jun 22, 2014
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well maybe it was a dated article, but the person (a Mr. Green, if I recall... could be wrong) claimed he had 30K to do it. The article was linked from this very place (Wilders), so I was led astray by someone else in here and just assumed they were providing good info. One can never do that, obviously.

    That one thing hardly invalidates my entire argument though, as you make it seem: "What in the heck are you talking about?" Very common tactic there though. That's why I try not to be wrong about 1 single, minor detail when I post. But in this case I didn't do my due diligence and trusted someone else's intel. A lesson learned/remembered.
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Not "bugs" per se, no, but gaping holes just waiting to be exploited that people were completely oblivious to. And quite possibly put there by design by someone that'd infiltrated the project.

    Speaking of the recent FF/N.S.A. connection... OpenVPN had a very similar situation semi-recently. A former N.S.A. employee joined their team starting with version 2.2.2. And because of this a lot of people wouldn't upgrade from v 2.2.1, including me for a while. But now it's like there's nowhere to run/hide, because all versions now are untrustworthy, old and new. Even GnuTLS was recently found to be vulnerable, which I always considered the best crypto engine, and hoped OpenVPN would move in that direction in the future. But now it's just like there's nothing left... And IMO it's because "the man" has infiltrated all of these ventures and broken them by design, cleverly hiding backdoors/holes that they know independent/private/small teams of software developers don't have the time or resources to comb through thoroughly and find.
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Agreed there. I keep nothing sensitive on any machine connected to the internet... I don't care what OS it's running (even non-MS). But heck, these days supposedly they have the means to grab data from machines that aren't connected to the net, and possibly even turned off entirely. So is it even worth our effort at all to bother trying? Or do we have to deploy my code/runes methodology mentioned above to ensure end to end encryption by word of mouth & pen & paper only?

    But still, even if it's just watching Youtube videos on paint drying I still want it to be as private as possible... just because I feel I'm entitled to it. Even if I have nothing worthwhile to hide. So I'm still gonna make it as difficult on them as possible.
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Zactly, and well said. And even if there WERE legal reasons/TOS not to develop forks/continue development of property rights, I say screw it. These shysters are breaking the law themselves, even pissing on the constitution by infringing upon our rights. Sometimes you have to fight fire with fire, or you get burnt with no hope of retaliation. In the true spirit of pirates let's take XP and legacy versions of apps (before they went bad), upgrade them and carry the torch from there, and distribute them over the web for people to have. We're being left with no other choice than to just bend over and accept that privacy & anonymity are things of the past. And I'm personally not ready to give in like that and hand them the KY.
     
  18. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I only asked it that way because you said it so matter-of-factly, and basically used it as the sole support for your whole claim about audits. I wasn't suggesting it "invalidates your argument", which is really nothing more than "full audits are tough and expensive and therefore don't happen very often"? I mean that's not exactly a huge epiphany.

    Contradicting this was the whole point of my comment. You were basically making a sweeping claim, implying that serious security flaws were going unnoticed for a decade. And I was just pointing out that that is a gross overstatement, basically to the point of being just plain false.

    Do you have even circumstantial evidence to support this?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I don't think that "joined their team" is accurate here. A suspicious company made major contributions to the code. But everything was in public, and the changes were carefully reviewed. Right?
     
  20. wilder7500

    wilder7500 Registered Member

    Joined:
    Dec 30, 2013
    Posts:
    67
    Location:
    USA
    Could someone post SHA-256 for a version of truecrypt-7.1a-setup-x64 that was downloaded before the shutdown? This is the 64bit linux version.
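Checking a downloaded installer against a published SHA-256, as an added example that is not part of this thread and not TrueCrypt's own tooling. The real 7.1a digest is not on this page, so the script carries an obviously labelled placeholder for it and instead demonstrates the check on a small constructed file whose SHA-256 is known (the digest of the bytes "abc"). Everything else (function names, the chunked reading, the constant-time comparison) is this example's own choice.

```python
import hashlib
import hmac
import tempfile

# Placeholder only: the published SHA-256 of truecrypt-7.1a-setup-x64 is not on
# this page. Replace with a value recorded from a source you trust.
EXPECTED_SHA256_PLACEHOLDER = "<paste published sha256 hex digest here>"

# Known SHA-256 of the constructed sample content b"abc" (FIPS 180 test vector).
KNOWN_ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading 1 MiB at a time so that a
    large installer or disk image never has to be held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """True if the file's SHA-256 equals expected_hex (case-insensitive).

    Raises ValueError for an expected value that is not 64 hex characters,
    which usually means a truncated copy-paste rather than a bad download.
    hmac.compare_digest keeps the comparison constant-time; for a local
    file check that is a habit rather than a requirement, but it costs nothing.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected digest must be 64 hex characters")
    actual = sha256_file(path)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def write_constructed_file(data):
    """Write constructed sample bytes to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(data)
        return tmp.name


def demo():
    """Run the check on a constructed file and return the outcomes as a dict."""
    path = write_constructed_file(b"abc")
    # Flip one hex character to stand in for a digest from a tampered download.
    tampered = "0" + KNOWN_ABC_SHA256[1:] if KNOWN_ABC_SHA256[0] != "0" else "1" + KNOWN_ABC_SHA256[1:]
    return {
        "digest": sha256_file(path),
        "matches_known": verify_download(path, KNOWN_ABC_SHA256),
        "matches_tampered": verify_download(path, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A digest from another forum member only proves that your bytes equal that member's bytes, not that either copy matches what the developers released; compare against a value recorded from the original distribution site before the shutdown, and keep the check separate from the download channel so that a substituted installer and a substituted hash cannot arrive together.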
     
  21. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,168
    hi
    but is it True Crypt v 7.2 or 7.1?
    thanks
     
  22. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
  23. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,168
    hi
    will you continue to use true crypt 7.1a?

    thanks
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,168
     
  25. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Maybe it's just me, but frankly : I find it highly suspicious that someone commits a change 15 minutes before the end of a year ..
    You know, when all normal people are more or less drunk and partying ?
     