Truecrypt Audit Phase II ?????

Discussion in 'privacy technology' started by Bill S, Oct 20, 2014.

  1. Bill S

    Bill S Registered Member

    Joined:
    Oct 20, 2014
    Posts:
    2
    On Steve Gibson's blog, https://www.grc.com/misc/truecrypt/truecrypt.htm, he indicates that “We should know much more about a trustworthy TrueCrypt in the late summer of 2014.” It is now officially fall and I cannot find any information on how phase II is progressing even after doing a variety of searches with Google using several different search terms. The latest entry on the “official” audit page, http://istruecryptauditedyet.com/, dated April 14, 2014 indicates that phase I is complete and that “Phase II begins on the formal cryptanalysis.” That was over six months ago.

    Has there been any news on how the audit is progressing?

    You would think someone would have time to post at least a couple of lines even if it isn’t complete to keep the people who donated funds for the audit informed.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Ummm, that's months old :eek:
     
  4. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    118
    TrueCrypt audit status - unknown
    The 2 announced TrueCrypt successors (TCNext and Ciphershed) - all quiet, nothing released.

    It's a strange situation. The last version of TrueCrypt was downloaded 4 million times, and there was once an active user forum. Now there is just silence.

    Where did everyone go? LOL
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Don't forget VeraCrypt, which someone urgently reminded me of.
     
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I guess the publication of any information before they've completed is dangerous, because people at risk could take the wrong call.

    However, I see nothing wrong with publishing updates of planned dates and so on.

    So yeah, this is very worrying. It'll be quite a while before successors can take up the reins; I'm not surprised they haven't released anything so far, and I'd be suspicious of quality if they had.
     
  7. Tadoussac

    Tadoussac Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    118
    J_L

    You're right, I forgot to add VeraCrypt to the mix. However, consider the following:

    (1) VeraCrypt claims to be more secure than TC (more iterations during RIPEMD160 and SHA-2 encryption). This may be true, but the entire encryption / decryption process has not been independently reviewed.

    (2) On its own page, VeraCrypt claims that its latest version (released September 4) has approx 18,000 downloads.

    I don't wish to judge the effectiveness of VeraCrypt, nor can I. However, the download data hints that VeraCrypt has not been widely adopted by the millions of TrueCrypt users. My wild guess is that a very large % are still using TC on a "wait and see" basis.
     
  8. Bill S

    Bill S Registered Member

    Joined:
    Oct 20, 2014
    Posts:
    2
    I was not aware of there actually being some forks until after I started this thread. Since then I have downloaded VeraCrypt and installed it. What I found in using it is that it looks very similar to TrueCrypt. I guess that is not all that surprising since it is a fork of TrueCrypt, but to my mind it makes the TrueCrypt audit even more important. I know the author of VeraCrypt indicates that he looked at the source code and found there were no problems or back doors and that he actually altered the code a bit to improve the security, but the foundation of it is still TrueCrypt. The bottom line is that until we know how safe and secure TrueCrypt is, we have no way of knowing if the starting point for the forks is safe and secure. If the audit finds a weakness in TrueCrypt, I would bet that all the forks will have it as well.

    I agree with deBoetie that I can see no reason for not publishing timelines and providing some indication of progress. The fact that it is taking so long certainly gives the appearance of the auditors doing a detailed analysis, but it is just that, the “appearance”. For all anyone knows they could do nothing for many months and then do a quick once-over in two weeks' time and say it took many months. Who is auditing the auditors?

    In the end, for the average user who is not versed in cryptography and programming, using any encryption program is based on faith, and ever since the authors of TrueCrypt cast doubts on their work my faith has been shaken for all encryption programs.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    What's really happening is impossible to say. I have to wonder if the auditors are being coerced or silenced. Possible scenario: if the audit found a fatal flaw, would the government use an NSL or another country's equivalent to prevent its revelation as a national security issue, so that only they could use it?
     
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    It is all very, very suspicious: the developers announcing they are abandoning the project in the middle of the audit, and now, 6 months after phase 2 was supposed to have begun, not a word about it.
    Everything is very suspicious; you no longer know whose opinion to trust on anything.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Without hearing from the developers in a verifiable way, we can't know if they did abandon TrueCrypt or if they're even alive. IMO, this whole thing stinks of deception, coercion, and creating doubt among users. I'm not a TC user but if I was, I'd stay with the last known good version. I still think that there's nothing wrong with TC itself, but that something was found to be very wrong with Windows.
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I am on your "page". I will defend TC to the end until I know something different. Windows on the other hand is another story - no proof, just an educated guess.
     
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    No direct proof but plenty more than enough circumstantial evidence.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Agreed on pretty much all counts. It reeks of them being coerced, as you said, to abandon the project by a 3 letter agency they hinted at, not even subtly. And the way they said it made it sound like they can't guarantee your safety anymore because XP is no longer supported, and they trust no MS OS since, more so than an indictment of their own product. They don't really recommend BitLocker, but rather just say you may as well just use them because it doesn't matter anyhow post XP.

    It's something I've suspected for a long time now and this has only confirmed it all the more. And I don't even trust any of these auditors... I don't know them or anything about them.

    Until I personally see people's volumes being decrypted before my very eyes I'm not going anywhere. Currently using v7.1, and suspect I will continue to for a long time.
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Maybe there'll be no absolute way to confirm TC's security, but I personally hope the auditors are still doing their job well and that they're genuine.
    Some will laugh at me as too optimistic, but there simply aren't many alternatives.

    DiskCryptor doesn't support container usage, VHD mount is not convenient at all, and it doesn't even support Linux.
    BestCrypt is paid and I don't know how secure it is.
    VeraCrypt is almost the same as TC and has a serious performance issue.
    EncFS with Dokan: EncFS is proved to be not robust (though I'm looking forward to an update) and Dokan is almost abandoned software.
    BitLocker? My Windows doesn't support it, and anyway it doesn't support Linux.

    Yeah, TC is the best until a serious vulnerability is discovered.
     
  17. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    87
    Weren't they paid for it? I'd find it very bad if they don't finish the Audit.
     