Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

Discussion in 'privacy technology' started by popcorn, Oct 28, 2012.

Thread Status:
Not open for further replies.
  1. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Daniel Dantas' data is still secure, so if there is a BD, they are playing it to the hilt. :D

    PD
     
  3. Jim1cor13

    Jim1cor13 Registered Member

    Joined:
    Aug 4, 2012
    Posts:
    453
    Location:
    US
    Thanks popcorn :) My thoughts are fairly simple. I think some of the info regarding true crypt and the possibilities that exist have some merit in regards to potential back doors etc. I think few care to admit this is likely more the norm now than it was say even 5 - 10 years ago. I do not use truecrypt, so although I am aware of it, I have no idea all that is or has been stated about its developers is based upon fact or speculation.

    I think over the last few years it is likely that many softwares are in some way 'conforming' to some form of back door style tricks, including more common apps such as web browsers, etc. It does not take much digging to see there *could* be more going on within say browsers than just 'security' related constant updates like FF and Google Chrome have experienced, especially over the last 18 months or so. When a final version is released and then a new beta comes out within literally a few days, it gets to be lunacy and sometimes causes me to consider other things going on behind the scenes, and I will leave it at that, just personal opinion.

    On the other hand, such things as truecrypt speculation about their developers and all the possibilities going on with other softwares and even OS's could be nothing more than speculation that does little more than feed into paranoia. Without cold hard facts, all we can do is speculate, and in my mind, i find it likely possible that our "privacy" has been tossed out the window years ago.

    if one has nothing to hide, then most are not bothered by such a notion. Personally, I realize the bottom line is, if one is that concerned about true privacy online, then the only real solution is to stop using internet based applications and stop allowing internet connectivity on ones computer and avoid exposing it to such things.

    As far as truecrypt, which is not an online based app, one could say if the FBI were unable to crack an encrypted drive from a criminal banker, that alone is enough to, at the very least, doubt the accusations about any level of compromise regarding the use of such utility. So personally, I take what has been stated on the links as being at best pure speculation, even though there are legitimate questions as to their usage policy, etc., and some of the concerns appear valid, but unproven.

    Just my thoughts :)
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    and if people doubt it they might go for a different solution instead which might indeed contain a backdoor.
     
  5. Jim1cor13

    Jim1cor13 Registered Member

    Joined:
    Aug 4, 2012
    Posts:
    453
    Location:
    US
    Good point Cudni. One could look at it in just this way, by instilling doubt about what appears to be a solid encryption software such as truecrypt and one that is popular, in order to potentially search for a different solution that could take a user in a direction that would indeed end up with a compromised product. Good observation and very valid concern. :) There is no doubt a lot of tricks played today and sometimes competitors can play nasty and be very manipulative.
     
  6. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi all

    First off, I trust TC. I trust in the technology, my understanding of it anyways, combine this with the fact that the feebs cannot (apparently ;)) decrypt it and
    why wouldn't I ?
    Who's to say that the majority of systems aren't already backdoored o_O
    groups like the French based Vupen Security are getting rich because of the governments need for zero-day exploits and I'm sure governments have there own "friendly" developers in many companies.
    What raised my eyebrows is the ability to murk the waters of an open source project like TC, I cannot audit the code, I trust in others to do this, now if as the article implies these others are "very few" whom exactly are we trusting ?
    That been said I'm sticking with TC, like you say Jim1cor13 there's only one sure fire way to 100% guarantee you privacy online and thats stay offline...in the end you have to put your trust somewhere.
    I also agree with Cudni, the groups that would monitor every last one of us operate through instilling doubt and creating murky waters o_O
    my thoughts also :)
    popcorn
     
    Last edited: Oct 28, 2012
  7. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    This is an interesting question. Truecrypt is open source so lots of people have taken a look at the code. The question is, how many methodical code reviews have been conducted?
    I can look through the code but I am not a C++ or assembly expert let alone a crypto expert.
    To "prove" Truecrypt does not have a back door, someone would have to first create an independent windows driver designed to perform XTS encryption of a hard drive the same as Truecypt. Then encrypt many Terabytes using both and do a bit for bit comparison to see if Truecrypted data is identical. This takes a lot of work and I am not aware of any published study like this.
    That said, if Truecyrypt did have a back door, there would be cases where a three letter agency had gained access to encrypted data. I haven't heard of anything like this.
    If there were a back door, it would be used extremely rarely because if a backdoor became public knowledge, everyone would instantly stop using Truecrypt.
     
  8. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    How would that 'prove' anything ??
    Even using the same password, hashing-algo etc etc the actual keys derived would still be different .. And therefore the random garbage would NOT be bit-identical .
    Besides, it wouldn't reveal that the password was never wiped from the keyboard-buffer . You can't see a backdoor in software by looking at your harddisk !

    The fact that the UK Big Brother felt a need to make it a 4-year jail-time criminal offense not to disclose your password/encryption-key speaks volumes IMO !
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    In the end, it is just another matter of trust. Do you trust program X with your data or not? Do you trust that it doesn't have a backdoor? Do you trust that it doesn't have an implementation bug in the encryption algorithm? Do you trust that it doesn't have a bug that will render your data unusable?
    There is no "100% certainty" when it comes to any program (especially the security related ones), so it becomes a question of how much do you trust a program and its maker. Even if the program is open source, even if you look for yourself inside the source code, heck, even if you write it yourself, there will always be a possibility that something will go wrong (i.e. a bug) and the end result is not what you expect.
     
  10. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Enigm
    Of course you would have to set the master keys to be identical.
    You could prove that Truecrypt was correctly implementing AES and that all the data was encrypted.

    A test like that would be good enough for me to trust an encrypted thumb drive to not have a backdoor.

    On a Windows system on the other hand, all sorts of tricks could be used to hide a copy of the password. So, no, not an exhaustive proof. Just a proof that one type of backdoor does not exist.
     
  11. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    From my knowledge, CIA station in Czech Republic has a hand in Truecrypt.

    I would strongly advise privacy lovers to use full disk encryption (FDE) with decoy OS, self-destruction mechanism (eg. password destruction, MBR/partition destroyer)and containers within FDE.
     
  12. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    From my knowledge, MI6 station in Luckenbach, Texas has a hand in Truecrypt - or was it the FSB station in Clayton, Alabama?

    Then you must only use hardware encryption? Because, self-destruction is a marketing trick with software encryption. Any attacker would image your hard drive and they have unlimited attempts with the image.

    No, now I remember, it was the Chinese MSS station in Affpuddle, UK. That's it. Truecrypt's busted!
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Has there ever been a single case where Truecrypt protected files were unlocked? Ever?

    How is software deleting a gimmick LockBox?
     
  14. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Truecrypt is fine - I'm sure you caught my sarcasm.

    'Deleting' isn't a marketing trick, "self-destruct after X number of attempts," is a marketing trick. A drive will be imaged by every forensics investigator and with software encryption they have unlimited attempts despite the fact the sofware claims "X number of times." With an image, every time is the first time. Not true, of course, with hardware encryption.

    `
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That bit wasn't really directed towards you, I'm just wondering if anyone has ever gotten through truecrypt publicly. Outside of, of course, known attacks like pulling they key from RAM.

    Ah, I see. Makes sense.

    I'd assume things change with hardware but, yeah, I can't imagine that's difficult to bypass with software at all.
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    When Anonymous leaked the HB Gary e-mails, one of those e-mails discussed how HB Gary got help from the NSA to break the TC container of a botnet operator.

    The e-mails didn't say how it was done, only that it was. So, it could have been as simple as a weak password, etc.
     
  17. JohnMatrix

    JohnMatrix Registered Member

    Joined:
    Apr 12, 2012
    Posts:
    48
    Location:
    Behind you
    I haven't seen any evidence that TC contains a backdoor. But I haven't seen evidence that denies it either. However, if the CIA manages to break a TC container there is very good chance they just use a keylogger, dictionary attack or a brute force attack for short passwords, i.e. "cracking" the container is not a confirmation that TC contains a backdoor.
     
  18. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    If a backdoor existed, how long could the NSA keep it quiet?
    I agree with JohnMatrix. Three letter agencies would get more value for the money by developing tools for capturing your password as you enter it.
    Cameras, keyloggers, spyware, EM capture, etc...
     
  19. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    I have seen nothing to suggest Truecrypt is backdoored; however, I would never leave personal/private/sensitive data on a networked computer even if it was encrypted. If they can not gain access to the device physically or remotely then it doesn't matter whether the product has a back door or not. I will say this much though, anyone that goes snooping for my external drives .... the nearest hospital isn't nearly close enough.

    Also, I don't think the NSA is going to have a difficult time stealing information from Windows users. Not only is it the most popular OS, but Microsoft as allegedly already been caught in bed with the NSA in the past. Once someone has physical access to your system it really doesn't matter what security/privacy software you install. To put it a simple way, if you lock the fox in the hen house ... what good are the locks?
     
  20. mant

    mant Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    73
    Location:
    DIY

    More. See FCC sticker on all devices gadgets and keyboards.

    Even on the Wireless Router clearly states: This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

    That's it! If you mess with the NSA and suddenly your wireless device explode like a pieces of cake, it's because accepting negative interference from the space satellite.





    :doubt:
     
  21. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA

    LOL.... exactly.

    Having just a little bit of knowledge about the US Intelligence Community -- the CIA station in the Czech Republic would not have participated as rumored. The stations have a different purpose. The CNA & CNE guys would be at a location in the US.

    For a minority opinion on this… I wish the CIA, NSA and others would more actively do those types of operations. They seem to be in ‘react mode’ rather than having proactive applications such as this one discussed.

    The Chinese seem to be very good at putting bugs and backdoors deeply buried in software code. The US seems to be mired in bureaucracy and indecision about these things. But now USCYBERCOM is examining the possibilities carefully.

    With the proliferation of violent extremist organizations (VEOs) in the world, more steps are needed to find and fix these folks.

    I’m rooting for the defenders of the people to more actively develop policies and programs to find, fix and target bad guys.

    Go get ‘em.
     
  22. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    They've been doing these sorts of ops for a long time already. Backdoored crypto machines is how Reagan knew Gadaffi was behind the Berlin disco bombings in the 80's. It's also how the US knew who bombed the Lockerbee plane.

    Here's a list of some NSA ops: http://cryptome.org/nsa-sabotage.htm
     
  23. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    CryptoAG! :D

    PD
     
  24. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    TrueCrypt is open source and anyone can check out the programming deciding for themselves if it has a back door.

    As for myself, I'm strapping on my aluminum foil helmet and using xor with 5 seconds of white noise for my key. I keep the key on a USB stick which is hidden in a neighbor's back forty. I believe it is brute force proof but not rubber hose proof o_O .

    SourMilk out
     
  25. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    A few years ago Sogeti has audited TrueCrypt 6 for the French gvt and no backdoor was discovered
    http://esec-lab.sogeti.com/post/2008/12/08/46-cspn-truecrypt-english

    Hard drive encryption is one of the most effective anti-forensic solution
    http://g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html
    Now why most western countries have adapted the law to mitigate this evidence dead end if the most widely used encryption software was backddored by US security agencies?
    http://www.out-law.com/page-8515
    Of course in some coutries this might become much more persuasive
    http://imgs.xkcd.com/comics/security.png

    Attacks are possible on TrueCrypt, but this is here only an extension of the the original question and toppic.
    PS. this morning my cat ( https://www.wilderssecurity.com/attachment.php?attachmentid=225305&stc=1&d=1298338621 ) was watching what is going on my laptop...i guess that he was RFID backdoored by the CIA in order to see if i am a member of ANONYMOUS or if i was selling an IE vulnerability to Vupen... :)

    Rgds
     
Loading...
Thread Status:
Not open for further replies.