Truecrypt developer reliability?

Discussion in 'privacy technology' started by wearetheborg, Dec 27, 2011.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Regd
    http://www.privacylover.com/encrypt...oor-in-truecrypt-is-truecrypt-a-cia-honeypot/

    Most of the points are non-issues; my only concern is the two-developer point. I thought they had more developers.

    The source code compiled without any problem on linux.
     
  2. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    I too have had an uneasy feeling about the secret identities of the developers. At first there was a plausible explanation: Many restrictive governments around the world depend on spying on citizens and quashing those who speak out against them. Encryption makes it harder to do this so the Truecrypt devs could have possibly been targets for assassination, kidnapping, torture, etc.
    Does that apply today? TC website would continue to offer encryption even if the devs were killed so what would be the point?
    Does any of this really matter? TC devs are not interested in development. No new features recently and none expected. I wouldn't be surprised if TC became obsolete in the next 2 years. New PC BIOS (UEFI) replacements are not TC friendly and there is no reason to expect a new TC version to fix this.
     
  3. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Well, see the release timetable and you'll see the software being developed and new versions released.
     
  4. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Future development:
    -Command line options for volume creation
    -'Raw' CD/DVD volumes

    History:
    No important changes since V7.0 (July 2010)

    Command line options and Raw CD volumes still not implemented.
    Perhaps they are just really busy and don't have time to work on code?
    I don't see any notes from developers apologizing for lack of activity. I only see a banner asking for money.
     
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  6. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    More features = more chance for problems. It works well as it is...I don't care if they don't do jack but keep up any security patches. It isn't an OS.

    PD
     
  7. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    The code is completely reliable and stable. They're just not adding further features.
    I understand the opinions, but it just seems some of them are becoming FUD imho.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Rubbish. TC is a solid product. I have compiled it many times and edited the source to add features that I wanted, which were not in the public binary.

    Attention to security details is outstanding. My computers literally never skip a beat because of anything TC related. It took a few years to get a grasp of understanding the "ins and outs" but it's an amazing learning experience. If you are up to the challenge I would suggest you grab the source and the few software tools needed to rip into it. You'll have some fun and learn some cool stuff.
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    So, you feel two developers are enough to create and support this product?
    Why do other commercial encryption tools employ more developers then?
     
  10. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    It's not about the number of developers. I've seen many good reviews of truecrypt and even heard it in the news. You're using sandboxie right? It is developed by a single person you know.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Yup, but
    1. It has a paid version.
    2. The technical level of sandboxie is way lower than that for truecrypt.
    Truecrypt requires competence for understanding various crypto protocols, correctly implementing them, cross platform support for linux/mac/windows etc.
     
  12. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Truecrypt Foundation has chosen to speak of only two developers but, as with any complex coding project, many more people contribute than are credited. The paranoid among us may jump to the conclusion that the "two" developers and the secrecy that surrounds them leaves room for a great conspiracy theory.
    I am still inclined to accept TC at face value (no back doors, etc).
    It would be hard to believe that someone found evil code in TC but kept it quiet.
    The OP makes a good point. TC compiles on LINUX without too much hassle. If someone is really serious about security, they will use LINUX. One reason for the devs not addressing some of the Windows issues is that they may have concluded that Windows cannot be completely trusted to host encryption of any form.

    It really comes down to the Foundation's assertion that TC is developed by two mysterious people. This just doesn't sound right. It leaves so much to speculation.
     
    Last edited: Dec 29, 2011
  13. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Exactly.
    It's a fully open code project. Anyone could check what is going on. If the company fails, maybe the code will survive as it is public ;)

    The code is public. You can compile the code and check, bit by bit, with the final code.

    Hmmm... The encryption is their part. If it fails, they fail, not Microsoft.
     
  14. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I'm fine with TC and just two developers. One thing I have wondered about is how it would be so hard to find out who they are. Have you ever set up a PayPal account? Their donations are through PayPal and they would need bank info and such. I understand TC is set up as a foundation, but a foundation still has public directors. PayPal will freeze your funds in a heartbeat if there are questions about identity, etc. So, that's the only thing I've ever wondered about. I love Truecrypt and use it every day.

    We know the FBI doesn't have the ability to use any possible "backdoor." There are too many cases where they can't proceed because of encryption and TC was mentioned as the product used in a CP case in my own hometown. If it's backdoored, it's CIA or some other covert intelligence operation that would only use it in extreme cases.
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Again, the code is "tested" as solid.

    Where you have no assurances is if you are running the publicly distributed binary. Doing your own private build from code removes doubts. Unlikely as it is, the public binary could be code + "whatever" and you can't detect that. I just mention this for those that freak over "backdoor" thoughts.

    Tons of really major court trials mention locked TC drives where the Feds from many countries have spent a year or more trying to break the encryption. They ALWAYS fail to get in. These felony multi-national cases are in effect the "acid test" for TC's value -- my opinion.
     
  16. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    You can't simply check the compiled code against the compiled Windows executable downloaded from TC website. Digitally signed, undocumented compiler options, etc...
    Going through the code looking for flaws or cleverly obfuscated logic that makes some or all the data easy to decrypt is not a simple task.

    What leverage does TC have to force Microsoft to play nice with TC? If Windows refuses to encrypt some or all your data, how would you know? Who would you complain to?

    Personally, if I had "life or death" secrets that needed encryption, I would use TC encryption but not on Windows. I would create a container using LINUX, copy the data from Windows then smash all the disks from the Windows system.
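    Palancar's "do your own build" advice and chiraldude's objection that the signed Windows download cannot simply be bit-compared with it point at the same check. Below is an added example, not code from this thread or from the TrueCrypt project: it masks the PE fields that a code signature changes (the CheckSum field, the security data-directory entry and the appended certificate table) and then reports which byte ranges still differ, which is where build timestamps, compiler options, or anything else would show up. All function names are mine, and the two "binaries" are constructed header-only stubs, not real executables.

```python
import struct

def strip_signature(data: bytes) -> bytes:
    """Neutralise the fields that legitimately differ between a signed vendor PE
    and an unsigned local build: CheckSum, security directory entry, certificate table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                     # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data directories
    sec_off = dir_off + 4 * 8                                 # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_off)
    buf = bytearray(data)
    buf[opt_off + 64:opt_off + 68] = b"\0" * 4                # CheckSum field
    buf[sec_off:sec_off + 8] = b"\0" * 8                      # security directory entry
    if cert_size:
        del buf[cert_off:cert_off + cert_size]                # Authenticode blob at file end
    return bytes(buf)

def diff_ranges(a: bytes, b: bytes):
    """(start, end) byte ranges where the buffers differ; each one needs explaining."""
    n = max(len(a), len(b))
    ranges, start = [], None
    for i in range(n + 1):                                    # i == n closes any open range
        same = i == n or (i < len(a) and i < len(b) and a[i] == b[i])
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    return ranges

def compare_builds(vendor: bytes, local: bytes):
    a, b = strip_signature(vendor), strip_signature(local)
    return a == b, diff_ranges(a, b)

def build_sample_pe(body: bytes, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32 (headers + one blob) for the demo; not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0)
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 64, 0xABCD0000 + len(cert))   # stand-in CheckSum
    struct.pack_into("<II", opt, 96 + 4 * 8, 312 + len(body) if cert else 0, len(cert))
    return dos + coff + bytes(opt) + body + cert

BODY = b"\xCC" * 32 + b"fake code section"
VENDOR = build_sample_pe(BODY, cert=b"FAKE-AUTHENTICODE-BLOB")   # signed download
LOCAL = build_sample_pe(BODY)                                    # own unsigned build
TAMPERED = build_sample_pe(BODY[:-1] + b"!", cert=b"FAKE-AUTHENTICODE-BLOB")
```

    An empty range list on real builds still requires the same compiler version and flags as the vendor used; a non-empty list is not proof of tampering, only the set of bytes a reviewer has to account for.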
     
  17. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Sure it is not for common users. But, at least, the possibility is there :)

    Windows does not have such power over the encryption tool. If it works, the encryption is done. If it fails, it's the tool's failure, not Microsoft's.

    The data encrypted will be exactly the same. The security level will be exactly the same. A container made on Linux or on Windows has exactly the same security level.
    TC is multiplatform.
     
  18. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    I would not be concerned about an encrypted container such as a flash drive. It's getting the data into the container that is not secure with Windows. How many copies of your secret data did Windows leave scattered around the operating system before moving it to the encrypted container?

    With Windows, how sure are you that the System encryption is 100%? You would bet your life on it?
     
  19. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If any of you take TC or any other program at "face value" and fully trust them and the people behind them, you're already failing at the game. As far as these two devs go, instinct tells me they have more to hide than the users of TC do. Instinct also tells me it has nothing to do with them being afraid of being targeted, but that they are working for/with someone and Paypal was told or is willing to play along. If Paypal is even being given real information that is.
     
  20. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Sorry. I've twisted the point. I was thinking of an encrypted drive like mine (everything is encrypted on the fly).

    On a USB drive? No.
    In a full encrypted system, yes.
     
  21. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    And the 'powers that be' just let Brazilian bankers serve light sentences...to protect the secret that TC *does* have a backdoor...only to be used in cases like 'unTerrorism'...who rarely (if ever) use encryption? :D

    Is this like the protection the FBI did with Nico Scarfo? Where they had a backdoor to PGP, but instead created 'MagicLantern' to keylog his passphrase instead? :D

    Just having some fun, no harm. CryptoAG also proves your point to a degree...but the world has changed a lot since then. But I can't hand roll every piece of privacy/security software I use...I have to trust someone. I use dm-crypt/LUKS on Ubuntu...how do I know *that* is safe?

    PD
     
  22. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I have also wondered about the TC developers. TC is a pretty damn sophisticated program to come out of two silent and anonymous developers who've been doing all this incredible work for years without pay. Personally, I don't believe it. Other scenarios seem more likely.

    The bottom line, of course, is that nothing is safe. Nations commit major resources to the encryption game and they play it at the very highest levels. You will never know their full capabilities. Whatever form of encryption you are using, the only sensible approach is to assume that it has been broken (and it probably has.)

    If you have 'life or death' secrets that need encryption, your best bet is to get rid of them immediately.
     
  23. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I just don't buy this outlook personally (but to each, their own). On the one hand we have the known decryption failures in the case of the Brazilian banker (TrueCrypt) and Nicodemo Scarfo (PGP), and a few more if I decided to look, probably. On the other hand, there is the 'oh you'll never know what's in the basement of Ft. Meade, it's all cracked' opinion. Fair enough, let's see:

    Yemen ops house eavesdropped on by NSA, yet they don't even bother to reverse lookup who Yemen was talking to in the US. (9/11)

    Nawaf Al-Hazmi is listed in the San Diego white pages. (9/11)

    Both al-Hazmi and al-Mihdhar live with an FBI informant (9/11).

    It took 10 years to find OBL.

    Count me (as someone who has worked in .mil/.gov) as someone who thinks they are 'barely competent with a ton of cash'.

    Wasn't Phil Zimmerman a one man op in the beginning? Wasn't Scramdisk a one or two man show (Shaun Hollingsworth)? Imad Faid with PGP 6.5.8 CKT? DiskCryptor?

    PD
     
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Yeah I remember someone posted a link here about a teen from the U.K. who had some cp on his comp at an airport. His computer was encrypted with TC and they were trying to demand the pass phrase. So evidently the FBI can't crack it. And if the NSA or someone else can, they aren't telling. I would imagine that they would rather keep that option for extreme cases and lead people to think that it is uncrackable. But then again, maybe no one can crack it.
     
  25. SplinterCell

    SplinterCell Registered Member

    Joined:
    Jan 5, 2011
    Posts:
    48
    Location:
    Wisconsin
    I have a UEFI BIOS and TrueCrypt hasn't had any issues? What sort of unfriendliness should I be looking out for?

    ~Thanks
     