Slashdot Mirror
The Sudden Policy Change In Truecrypt Explained
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA."
Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
If you want a project to survive, don't share it with people. People are scum, pure and simple.
You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:
"Alyssa Rowan @AlyssaRowan
@munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"
Sorry, who the fuck are you?
...isn't the very strange things happening enough proof?
BitLocker? You mean the closed source "encryption" software, made by Microsoft?
Sure, be my guess.
It is pretty much agreed that the devs just got tired of doing the work and decided they wanted to get on with their lives and do other things. That has been much more "confirmed" than an NSL...
There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well just posted a link to reddit thread about this.
Who the fuck are you, anon? If reputation is important to you, where's your fucking reputation?
He is not making extraordinary claims, so reputation is irrelevant.
Fyi Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. S there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play
Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.
There is also "confirmation" that the developers are simply tired of the project and don't want anyone else to work on it:
https://www.grc.com/misc/truecrypt/truecrypt.htm
Who do we believe?
That neuron must be feeling lonely by now, doesn't it?
It has to be an NSL. What should be the other explanation? The truecrypt accounts hacked? I don't think so.
However, it is too early for a story "The Sudden Policy Change In Truecrypt Explained". There is no proof of this speculation yet.
U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...
The message is clear what happened.
Nope, it's loaded with neurotransmitters, oh yeah.
http://webcache.googleusercont...
Because that is a lie.
The bottom line is that TrueCrypt was too good for "the man" to tolerate.
You will be spied upon.
You will be surveilled.
You will be monitored.
Refusing to let the government rape your data is going to be called "terrorism", and leave you locked up.
Sickening, isn't it? George Orwell was only wrong about the year...
I do not fail; I succeed at finding out what does not work.
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
According to this page - someone e-mailed a dev contact and claims they called it quits due to lack of interest
https://www.grc.com/misc/truec...
(Scroll to the bottom, the green box).
The only real "confirmation" we have is the info on the TrueCrypt page. It's over (no matter what the reason is), best to move on.
Back door != Keys
The TC devs hold no keys, but could conceivably build a back door into future versions. Or perhaps there already is one, or a weakness overlooked. Its also possible that the NSA has known about the TC devs for some time, has possibly been leaning on one or more of them and this has only recently become evident to the entire team.
Have gnu, will travel.
Literally give the source code and rights to continue development to anyone and everyone.
A new project will pick it up and continue development without breaking the law. And at that point its unlikely the NSA will be able to do anything to it.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.
Some semi-random tweeter is reposted on some random blog? I don't think so.
It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?
No, no, you're not thinking; you're just being logical. --Niels Bohr
Go with BL. What have you got to lose? Information, yours included, wants to be FREE! Set it FREE!
An anonymous coward in the last thread said that a known warrant canary was seen:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051
Yeah, absurdly non-true today. OTOH, Hoover did prefer Mormons in his inner circle, and the FBI agents I had occasion to meet in the 60s & 70s definitely came across as uptight and straitlaced Mormon types. Fun Fact: in the 60s, FBI agents helpfully drove AMC/Rambler sedans as undercover cars and used sturdy but crappy Beseler Topcon 35 mm cameras.
Sent from the iPad I found in your car.
This is Slashdot. No one cares whether something is true or not as long as it is negative towards the government. Sad really, since it diminishes any sort of real discussion about actual concerns about the government rather than made up fantasy.
Not only is this mercurial and virtually unknown Alyssa Rowan spotted a canaryu, but so has PeeWee Herman! He just tweeted.
Truecrypt.sourceforge.net doesn't host confidential data. Therefore receipt of a letter from the government seems not only irrelevant but implausible. On the other hand, if the site or source were hacked, that would be cause for posting an explicit notice--with no need for a canary system.
Maybe the NS Letter already prohibits what you envision.
I never use cloud resources. Too many users have been severely inconvenienced if not outright burned by cloud services that have been hacked, suppressed by some government, gone out of business, or gone down for several hours. I keep all my data where I can access it, either on my PC or on a removable hard drive that I store remotely from my PC but easily reached.
I encrypt my most sensitive data. No, I do not rely on some corporation's declaration: "Trust us. We are good. We will protect you." Instead, I use an OpenPGP application that has been reviewed by outside experts and that I have installed on my PC. The data on my removable hard drive are encrypted. Some of my PC files are also encrypted. My pass-phrase, without which my private key is useless for decryption, exists only in my head and in an envelope in my safe deposit box at a bank. My private key is on my PC in a non-standard location. If somehow someone else were to access my private key, I have a much greater problem than the compromise of my sensitive data.
See my http://www.rossde.com/PGP
I can't comprehend the conspiracy theories flying around about this.
[TrueCyrpt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.
The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).
If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.
Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.
If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.
"Don't use this anymore. It's not maintained, and should therefore be considered insecure".
Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"
''TrueCrypt is not secure,'' official SourceForge page abruptly warns
[Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]
Haha. Frankly, usable crypto kits need security audits.
Take
1.) small Atmel/ATMega CPU
2.) LCD display
3.) a small keyboard (26 keys suffice) suitable for said CPU
4.) three 1.2V rechargeable batteries
5.) symmetric Cipher of your choice that fits into 4K of RAM. E.g. 3DES, GOST,...
Then implement
A) ENIGMA/SIGABA-style cipher machine on said hardware using said ciphers
B) Publish pcbs and source code via strongly anon means, sign using gpg if needed.
This machine can be used via ANY crap comms channel from NSAbook to NSAdroid phones. Or POTS, CB radio, shortwave links. Machine should in later releases not be bigger than a cigarette box. Carry it everywhere.
I thought that you need to be a USA citizen with a business. And IIRC the truecrypt guys are very secretive about their identities, so much that in the past people have speculated about who they actually are (kind of like with satoshi from bitcoin). Isn't it jumping too far from "random unknown people on the internet" to "USA citizens known by the NSA?" just to justify the recent website changes?
DiskCryptor seems fine, but doesn't seem like it supports mounting a virtual hard disk (correct me if I'm wrong); only actual full disk encryption.
There's no real anonymity on the internet. If they operate their own website for downloads, then the authorities just go after their host and registrar to find out who they are. If they instead use something like GitHub, they just go after GitHub.
Who knows. Maybe the leader of the project, whoever he or she may be, was from the US, and that's why an NSL was able to shut them down.
There's nothing in TFA that hasn't been speculated in great detail already.
No explanation totally makes sense. Here's my working model of what happened (all speculation of course):
The project has been gradually disintegrating over the last few years -- developers leaving and not being replaced, remaining developers having less time to spend on the project for whatever reason, and the perceived reward for fixing increasingly difficult bugs is not enough to keep people interested. It's just not fun any more.
The to-do list has some really nasty bugs that are difficult to fix and could potentially compromise all TC containers. The remaining developers in the project have been grinding away at these bugs, but haven't made much progress for reasons outlined above. They realized that the project was going to fizzle out before they got anything fixed. A cursory look at the 7.2 code suggests that they had committed to some major rewriting of the code, and bit off more than they could chew.
At this point, what can they do? Reporting the vulnerabilities would be irresponsible since no fixes are forthcoming. Lives depend on some of the secrets their software keeps. Best to push people gently away from TC until the problems can be fixed, if ever, while keeping the details of the vulnerabilities as secret as possible, and giving people realistic expectations about the future of TC development (i.e. none).
They probably had a plan for creating a migration plan that actually made sense, but ran out of resources before finishing, and decided to go with what they had on hand. At this point they were probably down to one very part-time developer and maybe a few unreliable volunteers. ("Hey Jim, where's that page you were writing about Linux FDE? Jim? Hello? Anybody there?")
There was really no good way forward with the resources remaining, so they did the best they could.
Why didn't they find someone else to take over the project? I guess they tried, but couldn't find anyone in their immediate circle of trust who was willing and able. Perhaps they felt that expanding their circle of trust would jeopardize their anonymity.
On the other hand....
"WARNING: Using TrueCrypt is *not *secure *as ..."
Not likely. The NSA has tried and failed to break into truecrypt volumes in the past. Now, whether or not they were giving it their all is up for speculation, but that was after the 7.1 version was released. So, it's unlikely that there was a backdoor or other weakness at that point.
7.2 is a different matter, that's a much more recent version and it's probably technically possible that it's been compromised.
If the last current build is secure why should we need continued development? The tool is out there and it works. I don't see that as a problem.
Only the State obtains its revenue by coercion. - Murray Rothbard
I'm surprised there hasn't been a Kickstarter setup to re-implement TrueCrypt from the ground up.
What would be the dollar cost to hire a team of developers to do it?
Let me tank you a lot
http://playgame02.blogspot.com
The new site was clearly designed by the Obamacare people.
The signing keys you dolt.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Ignoring the rumour-based article with zero facts:
What we really need then is a distributed, peer-to-peer, anonymised source-control system.
Publish a hash and that hash corresponds to a certain "official" branch of the code and can't be retracted. Do it right and any fork can publish their hash and maintain their own branch even if the original project goes under. Source-code verification - that's no harder than today, but you could set up code verification of, say, the most popular hash the same way you do TrueCrypt audits.
However, before that, we really need a bunch of people to be pushing out patches to TC and be shown to still be developing it, anonymous or not. I don't particularly care about TC being taken down - to me that just proves it's usefulness and effectiveness, if that's true. What I care about is, whether the project died or was taken down, we need people to develop on it - and at least start adding UEFI etc. support.
Or the devs were encouraged to take a paid vacation from coding... Courtesy of the NSA or Microsoft. My guess the link to www.truecrypt.org/donations/ was not often visited.
Or, it could be a NSA front, pretending to be a legitimate crypto developer, pretending to be a NSA front.
... pretending to be the People's Front of Judea?
It is a sad truth. NSA / USA government will only drive innovation underground or out of the country.
Because nobody on Slashdot would intentionally visit a link to grc.com. If you want us to visit the land of raw sockets and falling skies, you're going to have to mask the destination.
The Judean People's Front crack suicide squad would like a word with you.
All interesting developments in these areas are going to move offshore and become decentralized.
I don't believe that anyone considers the Streisand Effect when the government pushes to end fourth amendment protections.
I blame a two party system backed by lazy and uninformed people whose information is fed by the five corporations who now run the government.
RIPUSA
Correct, they have no keys.
However 7.2 doesn't encrypt at all. Does that not qualify?
If they got a valid legal letter saying they must release a version that can be read by law enforcement then they have complied.
It has come to this
It appears grc has created page where the last final version of TrueCrypt and all source code could be downloaded.
My hope would be that someone will fork the project and continue development for Linux, and Windows XP/2003, at least, AND preferably work on new Version of Windows.
Bitlocker is REALLY not good enough, for most users won't have access to it -- since it is only in the ENTERPRISE version of Windows 7; in particular... Windows 7 Standard and Professional do not have the feature.
As the page clearly states, this is not a genuine letter. It is a work of fiction, presented as such by its author, Steve Gibson.
Dead wrong. They hold the release signing keys.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is a hypothesis, not an explanation. Nowhere near an explanation.
Geez.
And this is why I read slashdot only once every few months now....
I think people should put a picture of a caged canary on their website's homepage. If they get an NSA letter, change it to a dead canary.
The truth is the developers of TrueCrypt all got high-paying jobs at Microsoft, where they get to work on bitlocker instead.
For those complaining that the TrueCrypt developers did not release the code under some other license such as the GPL: Their code, their rules. Given that some want to fork the code, obviously there is some expertise that was poured into the code that is not easily replicable. If they don't want to give away their expertise for free, it's their right.
We all know that if, as an individual, you are targeted by the filth that runs the USA, UK etc, nothing will protect you against their surveillance methods. They will break into your home, and modify your computers directly, if you are a high enough value target. Cameras, key-loggers, EMF sniffers etc will eliminate the usefulness of ANY encryption method.
We are NOT talking about these scenarios in this case. We ARE talking about FULL SURVEILLANCE NSA/GCHQ projects that seek to slurp up every piece of electronic information about every Human on the planet. And such obscene goals need very clear black propaganda psy-ops to increase their effectiveness.
Witness the FUD one sees constantly on sites like Slashdot encouraging people NOT to properly erase their files (by promoting fairytales of 'magic' methods used by forensic scientists to surface scan magnetic media). Truecrypt has been in the cross-hairs of the NSA and GCHQ for years.
One consequence of Snowden's revelations has been a massive reduction in the confidence ordinary people have in the so-called security products from major American tech companies. Microsoft, Oracle, Google, Apple and IBM fight amongst themselves to be the most useful to the NSA, and place back-doors in every one of their products. Truecrypt, which has NEVER been know to have been broken by any security agency, is an extraordinary thorn in the side of the NSA.
While sites like Slashdot attempt to confuse the sheeple about the reliability of Truecrypt, informed people know that Truecrypt simply implements known SECURE encryption algorithms, and allows these mathematically validated algorithms to be conveniently applied to user data, creating blocks of encoded data indistinguishable from random noise. A simple driver model allows the file system of Windows to 'see' into the encrypted block when a correct password is provided, but no encrypted version of the password is stored, so reverse table attacks (the common method of 'breaking' password protected encryption) are not useful.
Truecrypt is as trustworthy as it gets, because Truecrypt does almost nothing. And again, we are talking about useful against FULL SURVEILLANCE attacks, not useful against NSA programs against individuals, when all kinds of methods can be used to gain the password, or access to the data before encryption or after decryption.
The NSA doesn't expect to prevent tech-savvy people from removing themselves from the full-surveillance grid. That is an impossible goal. They want to ensure that the 99% never use, or think about using tools like Truecrypt. And then, they want the 99% to automatically demonise anyone from the 1% who does take their privacy seriously.
In a world where a monster like Bill Gates can deploy inBloom, Common Core and the Kinect2 in the same time frame, and spend billions propagandising for the acceptance of all three (inBloom has now been moved to the covert batch of NSA full surveillance projects, and gathers its data on American children by directly accessing the electronic databases of US schools), we should expect those in power to become every more emboldened, and ever more determined to inflict the worst police state methods against the population.
Mod parent up. Grandparent AC is a moron. It's the signing keys, not some nonexistant master decrypt key.
If the thugs have the signing keys, they could have a couple of months from now themselves brought out a new "improved" (but completely compromised) 7.3 masquerading as an improved, updated, security patched TrueCrypt.
Pssst, the keys they have are the SIGNING keys, not some nonexistant master decrypt key.
lolwut? Version 7.2 cannot encrypt anymore. I would say that is "compromised" even if the TrueCrypt developers did it themselves.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Yes the NSL gets them a/the trusted build server and web connections and allows the gov to become the 'project' with their own tame/turned staff over time.
Over time the next tame builds have the classic trapdoor/key/backdoor. The applications still looks the same, all the sites look the same, no 3rd party can get to your data just one extra entity will have a way in too. The new feature over the life of a project after a NSL is the control of the site, server, code, staff and later an extra US/UK gov key is built in over an expected update cycle.
Domestic spying is now "Benign Information Gathering"
It cracks me up to know how many people on this site detest the TEA Party, yet then express outrage at the federal government in situations like this. Are you ready to join the cause, or are you still hoping for change?
That is what I meant when I said they had no keys.
...that everyone seems to assume the Truecrypt developer(s) were in the U.S.
Kythe
With FIPS140-2 4.9.2, SP800-90 10.3, Limiting the block size of AES to 128 bits, limiting the rounds of AES to 10, while misdirecting people to think key size was the important thing, along with effectively blocking progress on DNS security, IP security and other security tracks, the NSA has shown itself able to limit security and put backdoors out there which persist in the wild for many years before discovery.
We should not think they couldn't slip a back door into Truecrypt without being caught. It just requires some crypto knowledge they have which we don't and they employ more cryptographers than the private sector and universities do.
The recent string of results against DLP in prime power fields is an example of knowledge they may well have known before we did. what else is there that they are leaving the public at risk by keeping it a secret?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
But I don't want to interrupt y'all misinformation carry on...idiots
The TC devs hold no keys, nothing to seize/request.
As others have noted, you've just handily demonstrated that you have absolutely no business commenting on issues like these. Failure to grasp the significance of signing keys in this context is breathtakingly stupid.
Write failed: Broken pipe
The TC devs hold no keys
They hold signing keys. Are you aware of the purpose of those keys?
Write failed: Broken pipe
The audit of TrueCrypt is complete and the anonymous authors of TrueCrypt is the n.....ack.....help.....choking...... ...... ......
nobody. Thank you for your cooperation.
Although you have acknowledged the existence of signing keys, you have still failed to express understanding of the utility of those keys.
Write failed: Broken pipe
It doesn't seem likely that even the NSA could get a court order, when there doesn't actually exist any "master key" that would benefit them. This isn't like other cases where some central authority has the power to decrypt stuff if only they are willing to hand over the master key. Maybe I'm naive, but I don't think the court would order them to deliberately break the distributed code for the NSA's benefit.
why re-implement it.. just import the code into github and become the new maintainer... have fun with that..
You retards. The NSA does not send national security letters.
Trying to bring attention to this thread whether it turns out true or false.
-metric
Is there any proof that the contributors are even in the US and thus subject to a NSL? At least one of them seems to be from the Czech Republic (David Tesaík).
The corner of a round room
Given the anonymous nature of the TrueCrypt developers, would we even believe someone who claimed to be a dev and gave us an explanation?
Not sure I would. I've read a lot of different articles and comments about this ordeal and I'm frankly not sure what to believe. I'm not sure if I'd believe someone if they said they were a dev.
I know we'd all laugh if the NSA came out publicly and said "we had nothing to do with it."
Hire some proper fucking editors, please.
Re what else is there that they are leaving the public at risk by keeping it a secret? ... that inner core of 'new' friends of friends now owns the project.
Think of classic home network traffic and DES like 'home' isp protections still in use.
Some very low quality efforts floating around many nations networking telco systems.
Long term and short term the idea might be catch and release, a vast cadre of informants and people who have to vouch for 'new' friends of friends.
Projects are started, friendships formed, trust built. Over years that project gains trust and is built in free, open or commercial products.
People move onto other projects, work, study
The consumer crypto landscape will be like Engima or what embassies used in the 1950-80's - back to plain text everytime, in realtime.
We know the software and hardware past, we have a tiny view global data grab of the present.
Domestic spying is now "Benign Information Gathering"
Oh, hell yeah! I see a way to scoop some easy money from the NSA! Do a kickstarter to re-implement TC, then just wait for them to show up to offer you money to put in a backdoor. If you make the code messy as a plate of spaghetti, their backdoor could easily wind up in some dead code.
Unlike with Lavabit, there's no single master key for TrueCrypt that can be gotten from the developers that'll decrypt any TC partition. The best the NSA could get is the ability to create their own signed binary package with their own modifications and have it appear as the official package on TC's site. The problem with that is that the TC code's open so anybody can build from source and compare with the official build and see that they aren't the same. And any compromise of the source (eg. weakening the cryptography) would be instantly revealed in the diffs. The whole NSL thing sounds dodgy, and doesn't quite fit. It seems more likely that, with Win7 and later moving to supporting only GPT disks, the TC developers found they can't add that support and decided to throw in the towel.
In any case, the version of TC from before this change is still available and as far as anyone can tell is still secure. I'd be leery of switching to other encryption software that's known to be less secure until someone comes up with a definitive vulnerability in 0.71.
"Those who make peaceful revolution impossible will make violent revolution inevitable." - John F. Kennedy
My ism, it's full of beliefs.
Not likely. The NSA has tried and failed to break into truecrypt volumes in the past.
Which you know for a fact, because if they had succeeded, they'd definitely tell us. Right?
systemd is Roko's Basilisk.
I think that the Audit itself (or the result) made NSA pull the plug, or the authors refused to oblige in the Lavabit style. Till now, the truecrypt project was quite a border matter, but with auditing it may take attention of commercial sphere and thus became a threat. I wonder if there is any crypto software without a backdoor or a serious vulnerability problem. For example PGP at my work pc uses a "password" which changes once in three months without recrypting the content, and when you take the machine to the it department, they decrypt it without need of knowing this password.
The question is why should truecrypt or anyone else hold a master encryption key to your data. The software should generate a signing key on installation, and that key should be then used for signing. It could then be sent to the provider for them to store in case the original is lost. But truecrypt would not have a master key that automatically unlocks all of their customers data if subpoenaed by the government. Your key will unlock only your data and no one elses.
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
Splitters!
(would slashdot make Brian Himself wait this long to his submit?)
"I opened my eyes, and everything went dark again"
I am usually one of those "conspiracy theorist" with the foil hat. But the fact is, most of us under that label, are very focussed on gathering evidence and scrutinizing it. Observe.
I have heard that Aliens are actually controlling the world governments, but I have not seen enough evidence to convince me of that.
I have seen enough evidence to convince me that Snowden is actually a spy working for Mr. Obama.
I am not convinced the WTC was taken down by explosives on every floor, but I am convinced it was an inside job of sorts.
This case is no different. Yes I know the New World Order is doing everything they can to seize control of communications and the Internet (Net neutrality), but I need to see some more evidence than just the theory. It's a little, but not enough.
Alyssa Rowan is an anagram for "also warns ya"
I can't comprehend the conspiracy theories flying around about this.
However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.
You're in denial about how bad things have gotten in the USA. "Conspiracy theory" doesn't imply untrue anymore. We know that the NSA is conspiring against us, it's just a matter of how. It's completely reasonable to assume security agencies are involved, despite your attempt to mock everyone who thinks so by equating it with an assumption of "reptiles".
You mean the People's Front of Judea. Or is it the Popular Front?
...in a word why I won't go anywhere near such open source projects when no-one is in charge, the maintenance and governance processes are as clear as mud and when the key players are anonymous.
BitLocker has proved secure enough but if NSA cane sniffing, at least I know who I'm dealing with
"As nightfall does not come all at once, neither does oppression. In both instances, there is a twilight when everything remains seemingly unchanged. And it is in such twilight that we all must be most aware of change in the air — however slight — lest we become unwitting victims of the darkness."
This sure sounds like the scenario that Justice Douglas was talking about.
Maybe it's about time to dig up the rifles?
Is this authoritative?
https://www.grc.com/misc/truecrypt/truecrypt.htm
Are these hashes correct?
https://defuse.ca/truecrypt-7.1a-hashes.htm
I understand that if they acquired the signing keys they could sign their own package and, presuming the loss of the signing keys was not known, have people accept the new packages as legit. But can possession of the keys allow them to create a fake and apparently correctly signed version 7.1a? If so, then the reason for wanting the keys seems obvious to me, to create a fake version which they can send to targeted people/entities, either through a trojaned download site, or by playing man-in-the-middle and changing what is sent from a legitimate mirror. The target gets the fake version and it passes all the tests so uses it, and the government now has their backdoor in place.
:).
I haven't studied how packages are signed, and am too busy at the moment to go read up on it, so maybe I am just naive. (I am sure there are plenty of posters on Slashdot that will let me know if I am
I would still say that the conclusion is speculative. There's also another possibility that nobody (that I've seen at least) has brought up. The TrueCrypt authors attempt to be anonymous, which could mean a number of things, such as they are government spies, demand the upmost privacy, or possibly they are affiliated with organized crime, as well as others (aliens maybe?). It seems odd that they would voluntarily want anonymity, as most of the security field is obsessed with getting their name out there because it bolsters their career. I'd like to throw my personal speculation into the ring, which is the organized crime angle. What better way to provide security for sketchy people doing sketchy things than to release a totally free and readily distributed public facing program that provides strong encryption. You get a number of advantages by doing this, the two primary being: ease of access and non-attribution. It could be the whole effort was really bankrolled and promoted by organized crime in order to provide tools that will in the end save them money and reduce their risk. This is also my opinion on the genesis of Bitcoin. It all goes towards solving some of the unique problems they have. Just my $.02, so please feel free to flame away :)
I have downloads of older versions of TrueCrypt that I have been using for years. Since some of these could potentially be pre-NSA versions, would they be safe, or has TrueCrypt given over their algorithms used for all versions?
You mean app signing keys? If TC has been compromised by an insider, or may be in the future, that signature will mean nothing.
Have gnu, will travel.
The message on TrueCrypt's new website got me thinking:
Using TrueCrypt is not secure as it may contain unfixed security issues
Let's isolate the first letter of each word:
(U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay (c)ontain (u)nfixed (s)ecurity (i)ssues
Result?
utinsaimcusi
Let's spread that!
uti nsa im cu si
That is latin for
"If I wish to use the NSA"
Stay away from future Truecrypt releases. This is clearly a warning from the developers.
"If any question why we died, Tell them because our fathers lied."
The concern isn't compromise of TC by an insider. The concern is forced conveyance of signing keys to an intelligence agency. Are you aware of the consequences of such a scenario? I suspect you're feigning ignorance at this point in an attempt to minimize perceived risk. Why would you do that?
Write failed: Broken pipe
Why haven't you replied to my last question?
Write failed: Broken pipe