TrueCrypt possibly compromised/unsafe to use.

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
donfairplay
Posts: 143
Joined: Mon Oct 06, 2008 8:16 pm

TrueCrypt possibly compromised/unsafe to use.

Post by donfairplay » Wed May 28, 2014 8:52 pm

This is deserving of a new thread because TrueCrypt has been mentioned on this forum for a while.

The story is still developing, the newest version of TrueCrypt only decrypts, and it refers users to bitlocker. The private signing key of the program indicate it wasn't just a website hack, but like I said the story is still developing.

My personal, some may say irrational, fear about uploading encrypted file containers to a cloud just went up a nudge.

ArsTechnica:
http://arstechnica.com/security/2014/05 ... tly-warns/

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Wed May 28, 2014 9:02 pm

There is a lot of speculation including the possibility of a Lavabit style scenario.
Last edited by Ged on Wed May 28, 2014 9:08 pm, edited 1 time in total.

donfairplay
Posts: 143
Joined: Mon Oct 06, 2008 8:16 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by donfairplay » Wed May 28, 2014 9:06 pm

I suppose the Lavabit scenario would make sense.

Would TrueCrypt's founders really just hand over the cryptographic key? It would make sense to shut it down if it really got forced to, perhaps they don't have a legal defense fund.

Quickfoot
Posts: 999
Joined: Fri Jan 11, 2013 1:03 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Quickfoot » Wed May 28, 2014 9:07 pm

A lot of effort has gone into TrueCrypt over the years, I find it likely they would provide more information if there were specific known vulnerabilities. It seems likely they were ordered to make changes they weren't comfortable with and instead are shutting down.

Best course of action right now is to do nothing and see where the dust settles, the community will figure it out. It's possible there may be a fork and if not a better explanation will leak at some point.

In any case TrueCrypt is just as secure today as it was yesterday, no immediate need to make changes.

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Wed May 28, 2014 9:17 pm

Another strong possibility is a site compromise.

In any case TrueCrypt probably should be considered compromised until proven otherwise.

The suggestion to use BitLocker is not reasonable as it is closed source.

patrick
Posts: 1624
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: TrueCrypt possibly compromised/unsafe to use.

Post by patrick » Wed May 28, 2014 9:34 pm

donfairplay wrote:I suppose the Lavabit scenario would make sense.

Would TrueCrypt's founders really just hand over the cryptographic key? It would make sense to shut it down if it really got forced to, perhaps they don't have a legal defense fund.
Such a thing shouldn't happen. There's no reason they would need to have the keys used to encrypt users' files. They shouldn't have any key to hand over.

donfairplay
Posts: 143
Joined: Mon Oct 06, 2008 8:16 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by donfairplay » Wed May 28, 2014 9:50 pm

patrick wrote:
donfairplay wrote:I suppose the Lavabit scenario would make sense.

Would TrueCrypt's founders really just hand over the cryptographic key? It would make sense to shut it down if it really got forced to, perhaps they don't have a legal defense fund.
Such a thing shouldn't happen. There's no reason they would need to have the keys used to encrypt users' files. They shouldn't have any key to hand over.
Right a file container or w/e with its own key, TrueCrypt founders wouldn't have access to that.

I was just parroting info from near the bottom of the article: "Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers."

I don't understand it all. I'll leave it to the experts. :)

Quickfoot
Posts: 999
Joined: Fri Jan 11, 2013 1:03 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Quickfoot » Wed May 28, 2014 9:55 pm

Truecrypt signs the distributions with a crypto key, they could be forced to hand over that key to allow compromised binaries and source code to be signed. They also could be forced to put non trusted or backdoor code into truecrypt. Such an order would be issued by a secret court and they would not be allowed to discuss it.

Given such a scenario killing truecrypt makes sense.

XP reaching end of life doesn't make sense for a reason to kill truecrypt because there were open source virtual disk image software solutions based on gpg long before truecrypt existed (I was using it in 1998/1999), meaning there were already viable alternatives the predated truecrypt yet they still created it.

There are several likely explanations:

1. Source code audits revealed problems too expensive (time wise) to fix
2. Governments are taking action to make truecrypt easier to break (it is a huge headache for them) via secret court orders.
3. They were compromised and it's a hoax
4. They are tired of maintaining truecrypt and would rather do something else
5. They think bitlocker meets the future needs of their users better than truecrypt

Any or all of the above could be true.

Quickfoot
Posts: 999
Joined: Fri Jan 11, 2013 1:03 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Quickfoot » Wed May 28, 2014 10:00 pm

Also XP reaching end of life resulting in the end of TrueCrypt is further unlikely because such decisions are usually made months to years in advance and are clearly communicated so users can transition to alternate products. I'm in charge of setting what platforms we support for my company and it takes us about 18 months to end support for a version of Internet Explorer, this is much larger.

If TrueCrypt had planned to end development at the end of XP they would have been talking about it for quite a while, this announcement surprised everyone meaning if it is true it was probably a decision that was hastily made.

User avatar
MossySF
Posts: 2308
Joined: Thu Apr 19, 2007 9:51 pm
Contact:

Re: TrueCrypt possibly compromised/unsafe to use.

Post by MossySF » Wed May 28, 2014 10:04 pm

patrick wrote: Such a thing shouldn't happen. There's no reason they would need to have the keys used to encrypt users' files. They shouldn't have any key to hand over.
They wouldn't have the keys to user data.

What they have is a key to sign the binaries so when you download them, you can verify it really is from the TrueCrypt project. So if a 3-letter agency gets a hold of that key, the 3LA could publish a compromised version as a valid TrueCrypt.

sunnyday
Posts: 1679
Joined: Sat Jul 16, 2011 8:48 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by sunnyday » Thu May 29, 2014 8:20 am

http://krebsonsecurity.com/2014/05/true ... ot-secure/
Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.
As far as migrating, should an encrypted partition using disk utility or bitlocker be used - http://truecrypt.sourceforge.net/OtherPlatforms.html

User avatar
BigFoot48
Posts: 2592
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: TrueCrypt possibly compromised/unsafe to use.

Post by BigFoot48 » Thu May 29, 2014 8:42 am

For now I'm sticking with version 7.1a until this announcement is clarified.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 12-time loser

User avatar
Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ice-9 » Thu May 29, 2014 9:59 am

I was sad to read this about TrueCrypt, but I'm pretty sure I feel comfortable taking my time coming up with an alternative. I'm not trying to keep the NSA or law enforcement out. My goal with TrueCrypt has simply been to keep any files on my computer with Soc. Sec. # or account numbers safely locked away in a container in my Dropbox folder.

Dropbox does have it's own encryption, and if the existence of the FileThis.com app is any indication, plenty of people put sensitive files in Dropbox without any additional encryption. So, even with TrueCrypt I'm at least taking that a step farther.

Hopefully another open source, cross-platform option will emerge before too long. A LifeHacker article listed four encryption options alongisde TrueCrypt, one of which is called GNU Privacy Guard and also appears to be cross-platform. I may try that out at some point, but if anyone has any experience using this on the various operating systems, I'd be interested in hearing how it compares to TrueCrypt.

astrohip
Posts: 441
Joined: Tue Dec 21, 2010 4:29 pm
Location: Houston TX

Re: TrueCrypt possibly compromised/unsafe to use.

Post by astrohip » Thu May 29, 2014 12:01 pm

Just to be clear, NOTHING they have, could have, or could turn over, will allow access to your TrueCrypts. As open source software, older versions have been scrubbed, and there is no back door.

I think very few of us have NSA type secrets. As ice-9 says, most of us just want to keep prying eyes off our files. In my case, using a laptop, I want to make sure if/when I lose it, that my private files remain private. No other reason for TrueCrypt.

It will be interesting to see where this story goes... quickfoot listed some likely scenarios.
"Happiness is not about doing, it’s about being." - R Branson

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Mudpuppy » Thu May 29, 2014 12:02 pm

If we're going to partake in rampant speculation, I'm going to throw the idea of a dead-man's switch out there. Think about it. If you are the creator of something that is vital to the personal security of many people, you would not want that to fall into the wrong hands if you were injured, killed, incapacitated, or detained. You might be particularly concerned about the last item in that list. In this context, it might make sense to set up a script to self-destruct the project if you are unable to access the Internet for a specific period of time.

astrohip
Posts: 441
Joined: Tue Dec 21, 2010 4:29 pm
Location: Houston TX

Re: TrueCrypt possibly compromised/unsafe to use.

Post by astrohip » Thu May 29, 2014 12:21 pm

Mudpuppy wrote:If we're going to partake in rampant speculation, I'm going to throw the idea of a dead-man's switch out there. Think about it. If you are the creator of something that is vital to the personal security of many people, you would not want that to fall into the wrong hands if you were injured, killed, incapacitated, or detained. You might be particularly concerned about the last item in that list. In this context, it might make sense to set up a script to self-destruct the project if you are unable to access the Internet for a specific period of time.
Again, this is open source software. It has been looked at by people who live & breathe this kinda thing. There are no backdoors, no hidden traps. That's part of the appeal of TrueCrypt.
"Happiness is not about doing, it’s about being." - R Branson

User avatar
telemark
Posts: 2319
Joined: Sat Aug 11, 2012 6:35 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by telemark » Thu May 29, 2014 12:29 pm

astrohip wrote:Just to be clear, NOTHING they have, could have, or could turn over, will allow access to your TrueCrypts. As open source software, older versions have been scrubbed, and there is no back door.
That's not really an answerable question at this point. The program's authors claim a problem exists. If you don't believe them, why did you trust them before? They could prove their point by revealing the vulnerability, but it would be irresponsible to do that without giving users some warning first.

Need I point out that OpenSSL is also open source?

User avatar
rob
Posts: 2985
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: TrueCrypt possibly compromised/unsafe to use.

Post by rob » Thu May 29, 2014 12:38 pm

astrohip wrote:I think very few of us have NSA type secrets. As ice-9 says, most of us just want to keep prying eyes off our files. In my case, using a laptop, I want to make sure if/when I lose it, that my private files remain private. No other reason for TrueCrypt.
I see this a lot and it's misguided..... Technology does not know who is exploiting the hole... "bad" and "good" guys however you define them have the same ability with any hole. Pretending that the hole will remain secret in only "good guy" hands is deluded.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien

User avatar
magellan
Posts: 3469
Joined: Fri Mar 09, 2007 4:12 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by magellan » Thu May 29, 2014 12:44 pm

Mudpuppy wrote:If we're going to partake in rampant speculation, I'm going to throw the idea of a dead-man's switch out there.
A dead man's switch could also be an indirect signal that the creators have been gagged. There was talk with Lavabit about whether shutting down the service was itself a violation of the gag order. With a dead man's switch, no action is required to send the signal that the technology is compromised.

Interesting stuff. However this turns out, I'll bet this incident and related theories will be woven into plot lines of TV dramas this fall.

Jim

UnclePennybags
Posts: 54
Joined: Fri May 09, 2014 10:50 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by UnclePennybags » Thu May 29, 2014 1:57 pm

astrohip wrote:Again, this is open source software. It has been looked at by people who live & breathe this kinda thing. There are no backdoors, no hidden traps. That's part of the appeal of TrueCrypt.
I live and breathe this sort of thing and it is simply untrue. There was recently a group hired (via an independant kickstarter) to perform a detailed audit of the code to ensure that there were no such vulnerabilities, but they had not completed their work. There have been many bugs found in open source code that led to security vulnerabilities that had gone undetected for a very long time.

richard
Posts: 7961
Joined: Tue Feb 20, 2007 3:38 pm
Contact:

Re: TrueCrypt possibly compromised/unsafe to use.

Post by richard » Thu May 29, 2014 2:22 pm

TrueCrypt 7.1a is undergoing an independent security audit. So far, no real issues have been found. While this episode makes a lot of people uncomfortable, so far 7.1a appears to be ok.

Are there any good alternatives, especially open source audited by experts? BitLocker is widely feared to have a backdoor, so that doesn't seem the best alternative.

User avatar
BigFoot48
Posts: 2592
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: TrueCrypt possibly compromised/unsafe to use.

Post by BigFoot48 » Thu May 29, 2014 2:29 pm

I get a newsletter, Windows Secrets, and they recently had an article recommending the compression program 7-Zip as a file and folder encryption tool. http://windowssecrets.com/top-story/bet ... ndows-pcs/
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 12-time loser

Quickfoot
Posts: 999
Joined: Fri Jan 11, 2013 1:03 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Quickfoot » Thu May 29, 2014 2:48 pm

AxCrypt is good for individually encrypting files (it uses AES 256). For now if you are using TrueCrypt 7.1 just hang tight, there's no compelling reason to immediately dump it.

Another tool will pop up or someone will fork TrueCrypt and we'll wind up with OpenCrypt or something :)

111
Posts: 210
Joined: Sat Mar 03, 2012 5:20 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by 111 » Thu May 29, 2014 3:52 pm

I lean towards the theory that since the developers worked for donations over the last 10 years and probably got less than those who called for donations to perform an audit they decided it wasn't worth their time and effort anymore.

THY4373
Posts: 774
Joined: Thu Mar 22, 2012 3:17 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by THY4373 » Thu May 29, 2014 4:53 pm

astrohip wrote:As open source software, older versions have been scrubbed, and there is no back door.
This is not entirely true. There has been no independent completed systemic review of Truecrypt's code though there is an ongoing audit here: http://istruecryptauditedyet.com/ . The initial audit so far has found some vulnerabilities but nothing major and no indications of a back door but the the audit is ongoing. Also note that most Windows users use the binaries which may or may not reflect the open source code. There was one in-depth comparison of the binaries to source that did show that one version of the binaries was a good match to the source but that comparison has not been completed for all older versions. Bottom line I agree there is no major hurry to migrate and no indication that back level versions are "compromised" in some way.

cowboysFan
Posts: 290
Joined: Sat Jan 25, 2014 1:46 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by cowboysFan » Thu May 29, 2014 7:30 pm

rob wrote:
astrohip wrote:I think very few of us have NSA type secrets. As ice-9 says, most of us just want to keep prying eyes off our files. In my case, using a laptop, I want to make sure if/when I lose it, that my private files remain private. No other reason for TrueCrypt.
I see this a lot and it's misguided..... Technology does not know who is exploiting the hole... "bad" and "good" guys however you define them have the same ability with any hole. Pretending that the hole will remain secret in only "good guy" hands is deluded.
There seems to be an irrational obsession with computer security on this board. Take gmail for instance, an adversary could
1) hack into Google
2) hack into a CA and pretend to be Google in a MITM attack
3) Get a job at Google
4) Bribe/blackmail/intimidate someone who works at Google

Despite that, I can't think of any legitimate reason why gmail wouldn't provide sufficient security for 99.999% of home users.

User avatar
bogleblitz
Posts: 459
Joined: Mon Oct 01, 2012 2:51 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by bogleblitz » Thu May 29, 2014 8:00 pm

BigFoot48 wrote:I get a newsletter, Windows Secrets, and they recently had an article recommending the compression program 7-Zip as a file and folder encryption tool. http://windowssecrets.com/top-story/bet ... ndows-pcs/
I use 7-zip and encrypt. Free, opensource, easy to use.

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Thu May 29, 2014 8:26 pm

cowboysFan wrote: Despite that, I can't think of any legitimate reason why gmail wouldn't provide sufficient security for 99.999% of home users.
The history of gmail is not that great.

http://blog.cloudflare.com/post-mortem- ... google-app

People have had domains stolen as a result of using gmail for sensitive mail applications. I don't use it for anything important because of that history.

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by ddoubleu » Thu May 29, 2014 9:05 pm

Ged wrote:The suggestion to use BitLocker is not reasonable as it is closed source.
It's absurd to say it's not reasonable because it's closed source. Closed source does not make it less secure than open source, each has its pros and cons.

BitLocker on Windows 8 is NIAP-validated so it's approved to be used in U.S. Government systems, including Department of Defense, for encryption purposes.

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by ddoubleu » Thu May 29, 2014 9:09 pm

THY4373 wrote:
astrohip wrote:As open source software, older versions have been scrubbed, and there is no back door.
This is not entirely true. There has been no independent completed systemic review of Truecrypt's code though there is an ongoing audit here: http://istruecryptauditedyet.com/ . The initial audit so far has found some vulnerabilities but nothing major and no indications of a back door but the the audit is ongoing. Also note that most Windows users use the binaries which may or may not reflect the open source code. There was one in-depth comparison of the binaries to source that did show that one version of the binaries was a good match to the source but that comparison has not been completed for all older versions. Bottom line I agree there is no major hurry to migrate and no indication that back level versions are "compromised" in some way.
If my memory serves me correctly, the FBI tried for a year to break into a disk that was encrypted with TrueCrypt and were not able to get into it.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Mudpuppy » Thu May 29, 2014 11:17 pm

astrohip wrote:
Mudpuppy wrote:If we're going to partake in rampant speculation, I'm going to throw the idea of a dead-man's switch out there. Think about it. If you are the creator of something that is vital to the personal security of many people, you would not want that to fall into the wrong hands if you were injured, killed, incapacitated, or detained. You might be particularly concerned about the last item in that list. In this context, it might make sense to set up a script to self-destruct the project if you are unable to access the Internet for a specific period of time.
Again, this is open source software. It has been looked at by people who live & breathe this kinda thing. There are no backdoors, no hidden traps. That's part of the appeal of TrueCrypt.
Where did I say anything about a backdoor? Being concerned about a project falling into the wrong hands is not the same thing as being concerned about a backdoor existing in the project before it fell into the wrong hands. And once it falls into the wrong hands, all bets are off when it comes to whether or not it remains open source. Open source projects in security have gone closed source in the past without raising extreme alarm bells (such as Nessus). But an announcement such as this, heads off any such attempt at the pass.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Mudpuppy » Thu May 29, 2014 11:28 pm

magellan wrote:
Mudpuppy wrote:If we're going to partake in rampant speculation, I'm going to throw the idea of a dead-man's switch out there.
A dead man's switch could also be an indirect signal that the creators have been gagged. There was talk with Lavabit about whether shutting down the service was itself a violation of the gag order. With a dead man's switch, no action is required to send the signal that the technology is compromised.
Yeah, I was trying to explain that nuance to a co-worker today who couldn't understand why someone would go to the difficulty of setting up a dead-man's switch. When you have a project like TrueCrypt that spent so much time on plausible deniability when it came to hiding data with the software, it doesn't seem so far fetched to set up a dead-man's switch to have plausible deniability about nuking the project when under duress (or under the confines of a National Security Letter like Lavabit). I'm sure some lawyer would argue that the lack of action is of itself an action though.
111 wrote:I lean towards the theory that since the developers worked for donations over the last 10 years and probably got less than those who called for donations to perform an audit they decided it wasn't worth their time and effort anymore.
The audit was not paid for by the developers, but there is a possibility this was just the developers deciding they no longer wanted to work on the project. However, the custom in open source is to seek someone out to take over the project as the new lead developer, not nuking the project, although there's nothing binding anyone to custom.

111
Posts: 210
Joined: Sat Mar 03, 2012 5:20 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by 111 » Fri May 30, 2014 12:54 am

Mudpuppy wrote:The audit was not paid for by the developers, but there is a possibility this was just the developers deciding they no longer wanted to work on the project. However, the custom in open source is to seek someone out to take over the project as the new lead developer, not nuking the project, although there's nothing binding anyone to custom.
Right, the audit was paid for via (I believe) an Indiegogo campaign and another at some other site I never heard of. It looked like they about $65,000 had been pledged toward the audit when I checked. My point was that IF over the past 10 years had only received say $6,000 in donations (made up # since AFAIK nobody knows) and then some random guys get $65,000 donated within a few months to do the audit I could see that that might really piss them off and make them just abandon the project.

Tanelorn
Posts: 1546
Joined: Thu May 01, 2014 9:35 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Tanelorn » Fri May 30, 2014 7:59 am

ddoubleu wrote:
Ged wrote:The suggestion to use BitLocker is not reasonable as it is closed source.
It's absurd to say it's not reasonable because it's closed source. Closed source does not make it less secure than open source, each has its pros and cons.

BitLocker on Windows 8 is NIAP-validated so it's approved to be used in U.S. Government systems, including Department of Defense, for encryption purposes.
If you think the US government hasn't pressured Microsoft to back door all their security software, you haven't been reading much of the news lately. When they're threatening tiny little providers of secure email like Lavabit, you can bet they've compromised everyone bigger already. The end game seems to be to strong-arm all US-based encryption providers and of course any foreign providers fall under the NSA's original mandate to legally hack.

This is why open source is really the only thing you can consider trusting, and even then there are many unintentional subtle security holes, evidence that the NSA has hired people to work on open source products to deliberately sabotage them, etc.

User avatar
Ice-9
Posts: 1326
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ice-9 » Fri May 30, 2014 9:35 am

A little Googling brought me to a few TrueCrypt alternatives that I plan to look into later. In case this list is helpful to anyone else...

* Gnu PG - cross-platform (Mac, Windows, Linux), command line with front ends for Mac and PC, with many possible front-ends for Linux of which KGPG seemed to get good reviews
https://www.gnupg.org/

* Encryption Wizard tool the Air Force Research Laboratory offers to staff and also makes public
http://www.spi.dod.mil/ewizard_down.htm

* pay for BestCrypt, cross-platform
https://www.jetico.com/products/persona ... encryption

* Tails distro in April replaced TrueCrypt with this option (wonder if they had a heads-up on TrueCrypt's plans?)
https://tails.boum.org/blueprint/replace_truecrypt/

* Look through the options on this list
http://alternativeto.net/software/truecrypt/

THY4373
Posts: 774
Joined: Thu Mar 22, 2012 3:17 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by THY4373 » Fri May 30, 2014 12:53 pm

ddoubleu wrote:
THY4373 wrote:
astrohip wrote:As open source software, older versions have been scrubbed, and there is no back door.
This is not entirely true. There has been no independent completed systemic review of Truecrypt's code though there is an ongoing audit here: http://istruecryptauditedyet.com/ . The initial audit so far has found some vulnerabilities but nothing major and no indications of a back door but the the audit is ongoing. Also note that most Windows users use the binaries which may or may not reflect the open source code. There was one in-depth comparison of the binaries to source that did show that one version of the binaries was a good match to the source but that comparison has not been completed for all older versions. Bottom line I agree there is no major hurry to migrate and no indication that back level versions are "compromised" in some way.
If my memory serves me correctly, the FBI tried for a year to break into a disk that was encrypted with TrueCrypt and were not able to get into it.
You are correct but that doesn't mean they cannot do it this year or they cannot do it for the "right" case (I suspect they may have good reasons not to reveal their true capabilities for "lesser" cases). I wasn't arguing TrueCrypt is insecure on the contrary I don't think it is for 99.99% of the folks using it here including me (if one is worried about state level actors then that is another whole can of worms). I was just pointing out that there has been no complete audit of the code. Just because something is open source doesn't mean folks have reviewed the code. Plus most users of Truecrypt are not installing from source but rather the provided binaries which introduced a further complication.

greensky
Posts: 118
Joined: Tue Aug 05, 2008 9:55 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by greensky » Fri May 30, 2014 1:47 pm

Looks like the project was shut down because the developers lost interest in the project.

http://www.engadget.com/2014/05/30/true ... t-stopped/

EDIT: It looks like it may have been taken down by a letter from the NSA after all: http://yro-beta.slashdot.org/story/14/0 ... -explained

Honestly from how this happened I would tend to believe it was the NSA/US Government.
Last edited by greensky on Sun Jun 01, 2014 10:34 pm, edited 2 times in total.

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Fri May 30, 2014 2:15 pm

ddoubleu wrote:
Ged wrote:The suggestion to use BitLocker is not reasonable as it is closed source.
It's absurd to say it's not reasonable because it's closed source. Closed source does not make it less secure than open source, each has its pros and cons.
http://mashable.com/2013/09/11/fbi-micr ... -backdoor/

User avatar
LadyGeek
Site Admin
Posts: 48650
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: TrueCrypt possibly compromised/unsafe to use.

Post by LadyGeek » Fri May 30, 2014 3:05 pm

As a reminder, politics (government pressure) and conspiracy theory (NSA is cracking into everything) are off-topic.

Please stay on-topic, which is to stick to the facts.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Quickfoot
Posts: 999
Joined: Fri Jan 11, 2013 1:03 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Quickfoot » Fri May 30, 2014 3:10 pm

People looking for an open alternative to TrueCrypt should consider DiskCryptor, available at https://diskcryptor.net/wiki/Main_Page [link fixed by admin LadyGeek]
It's absurd to say it's not reasonable because it's closed source. Closed source does not make it less secure than open source, each has its pros and cons.
It's actually not absurd, encryption is incredibly hard to properly implement and closed source implementations can not be audited for security vulnerabilities or even to make sure they are using the ciphers and techniques they claim to be. It is VERY common for closed source cryptography software to be insecurely implemented.

People that care the most about security tend to stay away from closed source solutions because of the inability to audit the product. Open source products also tend to have longer lives and greater availability because if the primary maintainer loses interest someone else will pick the project up.

Closed source security / encryption software has no advantages derived from being closed source.

hoopy
Posts: 108
Joined: Sat Jul 06, 2013 6:26 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by hoopy » Sun Jun 01, 2014 12:12 pm

There have been reports that Bruce Schneier has switched to Symantec's PGPDisk.
http://www.theregister.co.uk/2014/05/29 ... t_analysis

I'm uncomfortable with using a closed-source product like this though.

I intend to continue using Truecrypt for now, until more information becomes available, or until another viable, trustworthy open-source alternative comes along.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Mudpuppy » Sun Jun 01, 2014 12:42 pm

I use dm-crypt with LUKS, but that's a decidedly Linux sort of solution that won't help a majority of Bogleheads. There was only one tool to support dm-crypt on Windows, and it hasn't been developed since 2010. I suppose one could keep a Linux live CD/USB or a Linux virtual machine around just for accessing encrypted data on Windows, but that's probably a bit more work than most wish to do. Since I have Linux machines available pretty much everywhere I go, it works well for me.

User avatar
telemark
Posts: 2319
Joined: Sat Aug 11, 2012 6:35 am

Re: TrueCrypt possibly compromised/unsafe to use.

Post by telemark » Sun Jun 01, 2014 5:31 pm

hoopy wrote:There have been reports that Bruce Schneier has switched to Symantec's PGPDisk.
http://www.theregister.co.uk/2014/05/29 ... t_analysis

I'm uncomfortable with using a closed-source product like this though.

I intend to continue using Truecrypt for now, until more information becomes available, or until another viable, trustworthy open-source alternative comes along.
I'm unable to find any statements on Bruce Schneier's blog that indicate a recent switch. In the story they reference he was using PGPDisk in 2007, and that could very well be what he uses now.


User avatar
LadyGeek
Site Admin
Posts: 48650
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: TrueCrypt possibly compromised/unsafe to use.

Post by LadyGeek » Sun Jun 01, 2014 6:34 pm

^^^ Thanks, that's what I was waiting for - Steve Gibson's take on this whole thing. As I thought, just wait for things to settle out.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Sun Jun 01, 2014 8:22 pm

The evidence for the Lavabit scenario seems to be increasing.

http://yro.slashdot.org/story/14/06/01/ ... -explained

Sic transit gloria mundi

User avatar
BigFoot48
Posts: 2592
Joined: Tue Feb 20, 2007 10:47 am
Location: Arizona

Re: TrueCrypt possibly compromised/unsafe to use.

Post by BigFoot48 » Tue Jun 03, 2014 5:28 pm

I saw this highlighting of the message that started all this on Reddit:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 12-time loser

User avatar
LadyGeek
Site Admin
Posts: 48650
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia
Contact:

Re: TrueCrypt possibly compromised/unsafe to use.

Post by LadyGeek » Tue Jun 03, 2014 6:18 pm

According to GRC's Steve Gibson:
TrueCrypt.ch: A just launched, Swiss-based, possible new home for TrueCrypt. Follow these folks on Twitter: @TrueCryptNext. Given the deliberate continuing licensing encumbrance of the registered TrueCrypt trademark, it seems more likely that the current TrueCrypt code will be forked and subsequently renamed. In other words . . . for legal reasons it appears that what TrueCrypt becomes will not be called “TrueCrypt.”
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

ddoubleu
Posts: 27
Joined: Sun Mar 02, 2014 6:17 pm

Re: TrueCrypt possibly compromised/unsafe to use.

Post by ddoubleu » Tue Jun 03, 2014 6:42 pm

Quickfoot wrote:
It's absurd to say it's not reasonable because it's closed source. Closed source does not make it less secure than open source, each has its pros and cons.
It's actually not absurd, encryption is incredibly hard to properly implement and closed source implementations can not be audited for security vulnerabilities or even to make sure they are using the ciphers and techniques they claim to be. It is VERY common for closed source cryptography software to be insecurely implemented.

People that care the most about security tend to stay away from closed source solutions because of the inability to audit the product. Open source products also tend to have longer lives and greater availability because if the primary maintainer loses interest someone else will pick the project up.

Closed source security / encryption software has no advantages derived from being closed source.
This is false. Closed source software can be audited, that is the purpose of Common Criteria. Glancing at NIAP's (U.S. entity of Common Criteria) compliant product list for full disk encryption, I see products from Check Point, McAfee, and Mobile Armor (since bought out by Trend Micro).

The problem with NIAP/CC validation is that it costs the vendors a lot of money to go through the process, but those vendors do it as a selling point especially to be able to use it in government. The U.S. Department of Defense requires all IA (ex. encryption products, firewalls) and IA-enabled products (ex. operating systems) to be NIAP validated *and* for the cryptographic modules to be NIST FIPS 140-2 compliant to be allowed to operate on a DoD network.

Show me one open source product that has done either.

User avatar
Ged
Posts: 3616
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: TrueCrypt possibly compromised/unsafe to use.

Post by Ged » Tue Jun 03, 2014 7:01 pm

Show me one open source product that has done either.
There are quite a few actually. Including some versions of Red Hat Linux.

http://www.redhat.com/solutions/industr ... tions.html

The problem with closed source is you don't know if what you have is what has been audited.

Post Reply