TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

Discussion in 'privacy technology' started by Palancar, May 28, 2014.

  1. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I've been thinking about this. As to the question of the license, at this point - really - who cares? Who's going to call you on it? The people that have never exposed themselves? If it comes to this, the license is the last thing that anybody will be concerned with.

    Another thing...if the TC site were to come back up: would you trust it?
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Update frequency is not a guide to how secure this type of application may be, especially if the app is already feature complete. IMO, Chrome and Firefox among others have poisoned people's thinking, convincing them that constant change is a measure of progress. AFAIC, the adage "if it isn't broke, don't fix it" applies, especially to encryption software. As for Windows 8, maybe there's a reason that they haven't supported it.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I also thought about this and it seems a reasonable explanation... up to a certain point. And this point is: why would someone, after working more than 10 years on a project, put up a page that discredits that very project by saying that it contains bugs and that you should switch to another solution? Even more, why wouldn't he leave all the pages/forums/downloads in place, and just say that he won't work on it any more?

    That might have something to do with the extremely outdated tools that were required for compiling it.
     
  4. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Yeah, regardless of what's going on and why- I know I'm not going to be using TrueCrypt now. Maybe that's the REAL conspiracy, to get people to untrust a secure thing! (I'm joking). I don't see why they'd stop developing their privacy/security based thing in this age where such things are wanted more than ever- I just can't see them just suddenly not wanting to continue development now.

    The developers being unknown isn't helping them now either- could something have happened to one of them where continuing the project would be impossible? Could one of them be jailed for something unrelated? I mean, even if this is all actually in the end for very mundane reasons, to not even consider something more went on, I don't know.

    edit

    Basically, leaving people in the dark leaves them to assume the worst.
     
    Last edited: May 29, 2014
  5. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    Okay here's my post on this.

    Ars lists some of the main theories:
    Bombshell TrueCrypt advisory: Backdoor? Hack? Hoax? None of the above?

    Security expert Bruce Schneier collected some good links too (and there's good discussion in comments):
    TrueCrypt WTF

    Bottom line is, I was sure this was a hijacking when I first saw that page. It's so amateur and of course the logic presented makes no sense. Not to mention the push for Bitlocker? From the TrueCrypt guys? Too weird.

    However, now it's seeming more and more legit. At least, not the actions of hijackers. It's still too weird for me to rule out any nefarious behavior. Sure, it's not like Lavabit in the sense that the devs don't have any secrets of potential targets to give up...but at the same time they're creating crypto that is super easy to use, and that the FBI can't get through. Is it really so hard to believe they were found (possibly through their being in contact with the audit project?), and basically given "an offer they couldn't refuse"?

    Here's what we know:
    (https://news.ycombinator.com/item?id=7812133)

    The source code changes are what stick out most to me. The U.S. => United States is the kind of tiny innocuous thing that someone with their mouth gagged could use as a nice little tipoff for the security/privacy community that they know would be paying attention. Or on the other hand, as one commenter suggested:

    But also, the removal of the most consequential parts of the license...making it TrueCrypt License version 3.1...

    I read one suggestion that the changes basically remove the parts that were preventing it from being OSI and FSF approved. What I'm not clear on is if this license version 3.1 applies to the whole project, or just this neutered Version 7.2 of the software.

    Does anyone know? Has each new license version superseded the ones before it, and been the effective license for all versions of the software prior to it?

    If that's the case, then it would seem this is breaking the chains and opening the project to be taken up by others. Let's just say if this is all real, I sure hope that's the case.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798

    If you were trying to eliminate an encryption program that you couldn't break, isn't that exactly how you would do it? Try to discredit it and create doubt, hoping people will migrate to less secure options? Everything there fits that pattern, the pattern that's laid out in one of Snowden's releases. If no other information that can be confirmed as coming from the developers becomes available, that's the assumption that I would make. I'd consider the previous versions trustworthy, those from before the SourceForge hack but nothing afterwards.
     
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Continuing that crowdsourced audit would really help at this point...
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That may be deliberate as well. See https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
    It has been demonstrated that compilers can be compromised to insert specific code whenever specific conditions are met.

    This does open up another possibility. It's possible that they've found their compiling equipment has been compromised all along.
     
  9. BeardyFace

    BeardyFace Registered Member

    Joined:
    May 29, 2014
    Posts:
    80
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    http://arstechnica.com/security/201...dvisory-backdoor-hack-hoax-none-of-the-above/
     
  11. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    Very sad to conclude that given the amount of time the TC website has been abandoned; and given the authentic signature on Version 7.2; and given the new capability to decrypt partitions - to enable users to more easily stop using TC - I think that TC is gone.

    Good-bye old friend. Thank you for being there for my privacy.

    My guess is that the notice on the TC site was in fact a message composed by the TC developers following a decision, made under duress, to abandon their, and our, beloved TC. It is significant that prior to this the TC site included a notice of future plans that stated the devs planned to make TC compatible with Windows 8.1. One forum poster had also received a message from the developers stating that they were working on same. So to abandon TC based on an explanation that TC is no longer necessary after the end of support for Windows XP, and no other explanation really doesn't fit the mold of logic.

    Another thing that doesn't fit with the history of TC and the TC devs, is for them to state that the software is insecure but say nothing about why it is insecure. The net result of this is that no one knows which other software may be affected because no one knows what defect they are looking for. So the TC developers offer no help in finding safe security software for the future - the same developers who worked for years to help the public have secure privacy. Just doesn't fit. Unless they were restrained from revealing the problem.

    The message pointing to Bitlocker may be telling. Note that the TC site does not say that Bitlocker is secure. But the overall message may be that something is going on that prevents any encryption software from being absolutely secure in the future. Hence the pointer to Bitlocker. Given the possibly unfixable danger to future encryption software, users are protected to the extent possible with Bitlocker.

    I believe the devs either found a potential TC delivery flaw, or were ordered to adjust something allowing the possibility of a TC delivery flaw, to provide the capability for TC to be delivered in modified form (as per the NSA intercept program) to individuals designated by Govt.

    The good old days are gone. Sigh.

    To the TrueCrypt developers -- You will be sorely missed. So long. Many thanks and best wishes for your future journeys.

    Regards to all.

    __
     
  12. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    Let's not get too hasty...what are you talking about?
     
  13. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    The TC developers clearly cared about their users. Hence years of software development and maintenance for those users. But now they point the users to closed source Bitlocker. No way to really know whether or not it really is secure because of closed source. They also tell users that TC has unfixed security flaws but don't say what. So no way to tell whether other encryption software has the same flaw even if it is open source.

    Seems to me they are saying that open source is no longer important; and specific knowledge of the specific defect underlying the message on the TC site, "WARNING: Using TrueCrypt is not secure", will also not allow protection of users.

    Hence, a possible implicit message that something is going on that prevents any encryption software from being absolutely secure in the future.

    Sad shrug.

    __
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The fact that they specifically mentioned XP support as a factor leads me to a similar conclusion, that the problem isn't with TrueCrypt, rather it's the operating systems it's used on. I suspect that we'll find out soon enough, the hard way.
     
  15. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    That's not what the message says.

    "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

    This is basically a development way of saying "this is no longer supported or maintained, so it might be insecure. Use at your own risk."

    They said as much in the Ars article:

    "If I developed a piece of security software, and wanted to cease development, I'd make a similar statement. 'Don't use this anymore. It's not maintained, and should therefore be considered insecure.' Otherwise, if a vulnerability is discovered, everyone will scream: 'Fix it now! Nobody told us to stop using it!'"


    Okay yeah that doesn't follow at all. First of all, they didn't say there was a flaw. Second, the preliminary audit came up clean. Third, if there was a flaw, one would think it would have been found by now. And Daniel Dantas and at least one John Doe (probably more) are pretty sure TC is solid.

    Fourth, even if there was a flaw, that in no way suggests that the entire discipline of cryptography is essentially broken. We're talking about some developers walking away from a single project. As I said, let's not be too hasty.

    Fifth, open source will always be necessary for security. You would need serious fundamental breakthroughs in physics and our understanding of the universe before we can even begin to think about encryption being insecure in general.

    That really just doesn't make sense at all.
     
  16. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    @Randcal,

    There are two warning messages on the TC site; one at top and one at bottom.

    Top warning: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

    Bottom warning: "WARNING: Using TrueCrypt is not secure"

    Bottom warning isn't conditional; doesn't say "may" or "might". Says using TC is not secure.

    I freely admit that I was guessing. Nor did I mean to say or imply that the entire discipline of cryptography is essentially broken. To the contrary what we are dealing with is implementation of cryptography via software by users who cannot determine based on their own expertise whether the software, as delivered to them, constitutes a secure implementation of cryptography. Users also cannot determine whether, as per suggestion of noone_particular, an otherwise secure implementation of cryptography via software, has become insecure due to unfixable issues, or possible undetectable issues, that can be introduced into operating system software (constituting the environment for use of the cryptography software) without user knowledge.

    Perhaps there's nothing to worry about. Or perhaps we are entering into a time of "Heisenberg Uncertainty"-like uncertainty in security -- there can be no absolute certainty of security with complex software systems implemented via software delivered to, and not written by, users, and implemented in operating systems connected to internet.

    In my mind I'm pretty sure there's at least one "something just ain't right here".

    But you are certainly entitled to be free from concerns.

    Indeed most of us have always agreed that absolute certainty in security is not possible short of a guarded bomb shelter monitored at all times and not connected to internet. Even so average user is probably safe from expected attacks.

    Regards.

    __
     
    Last edited: May 29, 2014
  17. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    @Randcal,

    Okay sure, at the bottom of the page they have the exact same message, but with the second part left off. I'm not sure how that negates the top message. How does simply repeating the first part change anything?

    Well, that's pretty much what it sounded like you were saying:

    -"prevents any encryption software from being absolutely secure in the future"
    -"possibly unfixable danger to future encryption software"
    -"they are saying that open source is no longer important"

    You even repeated that exact same first sentence again in your second post.

    All I'm saying is that (1) you claimed "They also tell users that TC has unfixed security flaws". And that is untrue (unless you can point to some other place where they claimed this.) And (2) your continued suggestion that they have knowledge of some revolutionary breakthrough that will essentially render all future encryption inherently insecure (a) is a non sequitur (that is, it is a conclusion that does not follow from its premise), and (b) incredibly unlikely, to say the least.

    Regards.
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'll admit that I'm guessing as well. I'm sure it's not necessary for me to say that I'm more distrusting and suspicious than most here either. Barring more verifiable information from the developers, we might not get a clear answer. One thing is clear though. Total warfare has been declared on privacy in all forms and every possible attack vector is being used to compromise it. Just about all of the effective attacks against strong encryption have not been direct. They've scraped data from memory, found or created vulnerabilities in the operating systems, etc. An encryption expert who posts here occasionally made the observation that complexity is the enemy of good implementation for encryption. More features, more ciphers, etc equal more chances for errors in implementation and vulnerabilities as a result. IMO, this should equally apply to the OS that the encryption runs on. The more complex it is and the more integrated the different services become, the greater the chance that vulnerabilities can be concealed. Given revelations regarding the NSA backdooring equipment and Microsoft admitting to their "assistance" with Vista and newer operating systems, I consider that sufficient warning to avoid them.
     
  19. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    @noone_particular,
    That's all fair enough. I can't say I disagree with skepticism and even distrust of major corporations touting closed-source security (in my opinion that's basically an oxymoron. You ever see the quote from cryptography expert Bruce Schneier at the bottom of the KeePass website?)

    I'm just saying that seeing a few developers possibly walking away from a single project and then concluding "Wow, they probably know something that means all future encryption will be inherently insecure, and therefore having security products be open source is basically not necessary and it doesn't matter if something is closed-source and has a backdoor, because everything can be cracked anyway"...is quite a leap.
     
  20. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    Believe whatever you wish. The TC devs have said that TC is not secure. You interpret that to mean that it might be secure. This even though the developers say that "Using TrueCrypt is not secure". You claim the second warning is merely shortening the first warning. I'll take the TC developers at their word, and not at yours.

    I never claimed or suggested (as you claim) that the second warning negates the first (now that's a true non sequitur for you). There's nothing inconsistent in the two warnings. Perhaps you fail to understand there are two warnings, as I said in the first place.

    I never claimed or suggested some "revolutionary breakthrough". The "non sequitur" is your misinterpretation. I agree that your statements are non sequitur based on what I actually wrote.

    Enough with the arguing already. Believe whatever you wish.

    __
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Randcal
    Normally I would agree. The way that the site changed, the total lack of usable information, and the references to Bitlocker and XP support just don't point to someone walking away. IMO, this looks too much like Lavabit again. Hopefully we will find out. I wish the developer had set up a dead drop somewhere.
     
  22. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
  23. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    List of TrueCrypt encryption alternatives
    By Martin Brinkmann on May 29, 2014 in Security - Last Update: May 29, 2014
    If you open the TrueCrypt website right now you are redirected to a page right now stating that TrueCrypt is not secure and recommending that you switch to Microsoft's BitLocker.


    It is not clear why the message is displayed on the page, and rumors range from a sad goodbye message by the TrueCrypt authors to a hack or NSA intervention.

    As far as facts are concerned, we know the following: The new TrueCrypt 7.2 version has a valid signature that was used to sign older versions as well which may either mean that a key was stolen from a developer, or that a developer used the key to sign the new version.

    The new version uploaded to the site appears to be free of malicious code but displays warnings about TrueCrypt being insecure. While that is the case, it is highly suggested to avoid it at any cost.


    So what can you as a TrueCrypt user do right now?

    If you are running an older version and not version 7.2 you could wait for things to unfold. It is probably the easiest option right now, and unless you are in a situation where you need to be sure that the encryption used is not vulnerable to attacks, waiting a couple of days for official statements or additional information is probably the best course of action.

    If you do not want to wait for whatever reason, you may switch to a different encryption program.

    First thing you may want to do is decrypt the hard drive. This is only possible for the system partition and not for other partitions or hard drives.

    1. The device should be mounted already considering that it is the system partition.
    2. Right-click on it in the TrueCrypt interface and select Decrypt from the context menu.
    3. Follow the wizard to decrypt the drive so that it is no longer encrypted.

    What can you do if you have encrypted a non-system partition?

    Unfortunately, not a lot. The only feasible solution that I'm aware of is to mount the drive on the system and copy the files stored on it to another hard drive.

    This works only if you have enough free storage space on other hard drives available for the operation. TrueCrypt does not support the decryption of non-system partitions, and there does not seem to be another way around this limitation.

    TrueCrypt alternatives



    Sorry, I didn't post the rest as they involve pictures and frankly I find posting them on this site a PITA.

    The original article and links are here:

    http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/
     
  24. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
  25. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    Speaking of "leaps", you left out just a few things.

    Nevertheless, you are certainly entitled to believe, based on your obviously keen powers of observation, that the only thing going on is "seeing a few developers possibly walking away from a single project", regardless of what the TC developers wrote, and regardless of what numerous others have written, here and elsewhere.

    __
     