Slashdot Mirror


The Sudden Policy Change In Truecrypt Explained

X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?

283 of 475 comments

  1. That's not proof! by Threni · · Score: 5, Insightful

    You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:

    "Alyssa Rowan @AlyssaRowan
    @munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"

    Sorry, who the fuck are you?

    1. Re:That's not proof! by mmell · · Score: 1, Interesting

      Wow, they implemented the canary on their website? That by itself is major league cool!

      I am however very sorry to hear that TrueCrypt may be going away. I personally use LUKS (being a Linux user), but this is still bad news for end users in the computing community.

    2. Re:That's not proof! by arglebargle_xiv · · Score: 1

      "Alyssa Rowan @AlyssaRowan @munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"

      Sorry, who the fuck are you?

      If it's the real Alyssa Rowan tweeting that then it's a pretty reliable source.

    3. Re:That's not proof! by jbmartin6 · · Score: 1

      Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    4. Re:That's not proof! by arglebargle_xiv · · Score: 5, Interesting

      Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

      It's someone who has been active in the crypto/security community for awhile now. Personal details are pretty scarce (i.e. it could be a front for the NSA for all anyone knows), but the persona has been active in crypto. If you want something to Google on try "alyssa rowan cryptography".

    5. Re:That's not proof! by rogoshen1 · · Score: 1

      clearly the name is an anagram that you aren't Robert Langdon enough to suss out.

    6. Re:That's not proof! by Anonymous Coward · · Score: 2, Informative

      Just an old, jaded reverser who hung around in a few places with a few people. I didn't always use my real name. /akr

    7. Re:That's not proof! by fnj · · Score: 3, Informative

      very sorry to hear that TrueCrypt may be going away

      Ya think? Really? You are hereby awarded the prize for most spectacular understatement of the obvious. Sorry, I do not intend to be mean; it just hit my funny bone; peace, man. It's somewhat akin to stating that the US "may be entering a period of decline" or saying in 2004 the space shuttle program "may be winding down".

      OTOH, seriously, the project may have gone deader than a doornail overnight, but use of 7.1a is still just as viable as it was before the stunning suicide note. It has passed the independent stage 1 security audit with thumbs up, and if you don't already have a copy it's not hard to find out there. Pretty sure in the long run somebody will pick up the pieces and carry on. The HQ for the next project will clearly have to be located some place other than the inheritor of the Nazi Germany/Soviet Russia mantle of most despicable police state.

      LUKS is very good, but until someone works out a way to do hidden containers, it's not even close to a replacement for the most critical feature of TrueCrypt.

    8. Re:That's not proof! by Threni · · Score: 4, Informative

      Already there, dude.

      http://truecrypt.ch/

      Switzerland!

    9. Re:That's not proof! by philip.paradis · · Score: 3, Informative

      LUKS is very good, but until someone works out a way to do hidden containers, it's not even close to a replacement for the most critical feature of TrueCrypt.

      Hidden containers are less useful than you might imagine in practice for a variety of reasons. Some of these points are relevant. I don't have any use for hidden containers, although I do use LUKS on a large number of systems.

      --
      Write failed: Broken pipe
    10. Re:That's not proof! by fnj · · Score: 3, Insightful

      It's a good step, no doubt about it, although given recent caving of Swiss entities to US bullying I do not feel as ebullient as I want to.

    11. Re:That's not proof! by AmiMoJo · · Score: 1

      Considering all the hints that the TC developers put on their web site and in the new license agreement it seems that if she is trying to claim it is innocent she must be an NSA persona. Everything she ever worked on must now be questioned and re-examined, every statement she made re-evaluated on the assumption that it is malicious.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:That's not proof! by ColaMan · · Score: 2

      Or we could just, like, not bother.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    13. Re:That's not proof! by blueg3 · · Score: 1

      It's someone who has been active in the crypto/security community for awhile now.

      So are all the other people in that Twitter conversation, most of whom are more than a little bit skeptical of a completely unsubstantiated claim like this. All of the claimed elements of the "canary" are odd changes in the source code that were commented on long before they were "revealed" as parts of the canary. One of them is a change to source that post-dates the claimed 2004 date the canary was established.

    14. Re:That's not proof! by Anonymous Coward · · Score: 1

      With respect, that is the opposite of what I said. I think the changes were made under duress, based on what I've seen (==what you've seen) and a note I saved about duress markers from a chat I had with a dev about a decade ago when the TrueCrypt fork was in its infancy (pre-TrueCrypt Foundation). [I doubt an NSA shill would raise so many concerns about them, let alone ask someone from there to step down from a co-chair position in a cryptographic research forum! :)]

      But I would honestly prefer it if you didn't take my lone statement at face-value: I have no proof to give you. Reach your own conclusions based on the evidence available to you. (Would it actually change your response? Having thought about it some more, I don't think it actually would.)

      We shouldn't take software at face-value either - the identity of the TrueCrypt devs isn't widely known, and not taking it at face value is why TrueCrypt 7.1a's code is being audited, and that's a hugely positive step all round! - and we should also audit code that we _do_ know the developers of, because as recent high-profile bugs have shown (Heartbleed; goto fail; GnuTLS), there has not been nearly enough auditing in general of security-sensitive projects, and we need more. Much more. Really good auditing can catch bugs, whether they are caused by mistake or malice, no matter who they came from. Please, go help with that if you can. e.g. GnuPG or LibreSSL could use more eyes.

      By the way - having noticed the ElGamal encryption subkey on the TC site seems new (was it expired? I didn't think it was) but the 1024-bit DSA key signing it (and TrueCrypt 7.2) matched the old one, hence the same overall PGP keyid - I'm a little worried that in 2014 we still have security-critical software that's probably a target of nation-state adversaries signed using 1024-bit (!!) DSA keys! I think that is insufficient - probably crackable, given the threat model. So I'd wonder whoever @truecrypt.org could decrypt messages sent to the old, authentic 2048-bit ElGamal encryption subkey - but it seems truecrypt.org isn't even accepting email anymore, so we may never know. :-(

      Well, no matter what the cause, the TrueCrypt Foundation is definitively toast, and "7.2" isn't useful. A good fork would be great, if it's by trusted people, openly-auditable, deterministically built (à la Tor?), and based on 7.1a with updates. That would be a positive outcome overall. I think (left over from the old, far more cursory audit I did) TrueCrypt 7.1a is probably solid, except by any means that any other otherwise-secure FDE could be crackable: to very briefly summarise known practical attacks: rooted boxes/evil maids/keyloggers; crap passwords; available keyfiles; coldboot attacks; $5 wrenches (with apologies to xkcd). The current audit seems to broadly concur, for the moment.

      I'd like to see BitLocker, dm-crypt, and everything else audited too. It can't hurt. But triage your attention and focus on what matters to you. /akr

    15. Re:That's not proof! by viperidaenz · · Score: 1

      Alyssa Milano's cousin?

    16. Re:That's not proof! by Kiwikwi · · Score: 1

      Hidden containers are less useful than you might imagine in practice for a variety of reasons. Some of these points are relevant.

      None of those points are relevant, except maybe "it's difficult to get right".

      The first third of the thread, people are either not talking about hidden containers or don't know what a hidden container is, and instead go on about various steganographic methods of hiding the use of encryption. (E.g. "LUKS header, by design, is visible header."... that goes for TrueCrypt as well, and has nothing to do with hidden containers.)

      In the middle third of the thread, they're discussing variations of "it's hard!" and "you can't protect the outer container" (though TrueCrypt does just that).

      In the last third of the thread, random people are musing about their little pet-ideas and other off-topic tangents.

      There are good arguments for not adding hidden containers to LUKS, most importantly the fact that nobody's stepping up to implement it, but no real arguments against hidden containers.

    17. Re:That's not proof! by socceroos · · Score: 1

      You just echoed the sentiment of 99% of the population - "Sorry, mate, I can't be bothered...". It saddens me. =/

    18. Re:That's not proof! by ihtoit · · Score: 1

      I have one.

      If you've attracted the attention of the security services (and if you haven't I'm VERY disappointed in you!), they'll be looking for encryption. If they see a hard drive with only half its capacity in use yet the system reads full, they'll be wondering what's in the hidden container. Assuming you're not about to give them the key to your cat porn collection, they're gonna assume it's something much more insidious.

      Security 101: if it's not meant to be on a network, don't store it on a network. If you want to hide something, don't hide it where you're gonna glance at it - encrypted/hidden partitions are going to do nothing but raise suspicions. There are good situations to have secure partitions, for example in medium to large business networks where onion security is easily implemented, those without proper credentials are not going to be able to access data in readable form. Period. There's no reason for the mail room to have access to financial data, but they might need the mail database. Secure them both, pass out credentials on a need to know basis. If you want to hide data from outside parties, don't put it in an obvious place like a Truecrypt container (hidden or not) on your fucking laptop.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    19. Re:That's not proof! by ihtoit · · Score: 1

      Alyssa Rowan is a pretty senior figure in the CFRG (Crypto Forum Research Group) which offers advice and technical assistance to IETF and other bodies in matters crypto. They recently (through December 2013) had a bit of a set-to in attempting to remove a co-chair based on the suspicion that he worked for the NSA. This attempt failed when the (unsurprisingly balanced) decision was made in January not to remove him.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    20. Re:That's not proof! by Kiwikwi · · Score: 1

      If they see a hard drive with only half its capacity in use yet the system reads full, they'll be wondering what's in the hidden container.

      They won't see a hard drive that reads full, because they will only have the password to the outer container, and the hidden container will hence not be protected... writes to the outer container will simply overwrite the contents of the inner container, making it impossible to tell that it was ever there.

      Whoever the Truecrypt developers are, they're not idiots.

    21. Re:That's not proof! by philip.paradis · · Score: 1

      Please accept my apologies for the delayed reply. You appear to be lacking firsthand experience with interactions involving certain law enforcement agencies and persons who are subject to device examination. The first step will be production of a bit for bit copy of the digital media in question, followed by a quick analysis of the disk image. In many cases, said analysis will rapidly identify media regions which are likely to represent "hidden containers", and interesting interactions between the owner of the device and law enforcement personnel will commence shortly thereafter.

      This may disappoint you, but it speaks directly to my original statement regarding the utility of hidden containers. The link included in my prior post was mostly intended to spur further thought, in the hopes that you would consider (at a minimum) the scenario I've just described. Given my apparent failure to spark that trail of reasoning, I elected to provide a more direct example in this post. Cheers.

      --
      Write failed: Broken pipe
    22. Re:That's not proof! by Kiwikwi · · Score: 1

      Please accept my apologies for the delayed reply. You appear to be lacking firsthand experience with interactions involving certain law enforcement agencies and persons who are subject to device examination. The first step will be production of a bit for bit copy of the digital media in question, followed by a quick analysis of the disk image. In many cases, said analysis will rapidly identify media regions which are likely to represent "hidden containers", and interesting interactions between the owner of the device and law enforcement personnel will commence shortly thereafter.

      I may not have first-hand experience with police overreach, but then I have first-hand experience with cryptography, and therefore I know that an analysis of a TrueCrypt-encrypted disk will determine the presence of the outer, encrypted container. The hidden container, on the other hand, is mathematically indistinguishable from encrypted empty space, and there is no way to determine if a hidden container is present unless you 1) have the secret second key (which we assume you don't), 2) can brute-force the key (which you can't), 3) can learn about it from side channel attacks (of which several are known, but for which countermeasures exist) or 4) exploit bugs in the TrueCrypt software (of which none are known).
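      The mechanism Kiwikwi describes here and in the earlier reply about outer writes overwriting the inner container, as an added toy model that is not TrueCrypt's code: a random-filled container holding an outer and a hidden volume, each with its own password-encrypted header. The sector layout, the SHA-256 counter-mode stand-in cipher and every name in it are assumptions for illustration; it shows that the hidden region is statistically indistinguishable from never-written space in the raw image, and that an outer write made without hidden-volume protection silently destroys the hidden data.

```python
import hashlib
import math
import os
import struct

BLOCK = 512                             # sector size of the toy container
NBLOCKS = 64                            # 32 KiB image: tiny, but the layout is the point
MAGIC = b"TOYC"                         # known plaintext proving a header decrypted
OUTER_HDR, HIDDEN_HDR = 0, NBLOCKS - 1  # assumed header sectors (toy layout)
HDR_LEN = 4 + 8 + 32                    # MAGIC + (start, length) + 32-byte volume key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stand-in for a real mode such as AES-XTS."""
    blocks = range((length + 31) // 32)
    out = b"".join(hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest() for i in blocks)
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def derive_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte, the first thing a raw-image analysis computes."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class Container:
    """Fresh containers are random-filled, so unused space and ciphertext look alike."""

    def __init__(self) -> None:
        self.buf = bytearray(os.urandom(BLOCK * NBLOCKS))

    def create_volume(self, password: bytes, header_sector: int, start: int, length: int) -> None:
        """Encrypt a header (sector range + fresh volume key) under `password`."""
        salt, volkey = os.urandom(32), os.urandom(32)
        plain = MAGIC + struct.pack(">II", start, length) + volkey
        ct = xor_crypt(derive_key(password, salt), b"hdr", plain)
        off = header_sector * BLOCK
        self.buf[off:off + 32] = salt
        self.buf[off + 32:off + 32 + HDR_LEN] = ct  # rest of the sector stays random

    def open(self, password: bytes):
        """Try the outer header, then the hidden one; return (kind, start, length, key) or None."""
        for kind, sector in (("outer", OUTER_HDR), ("hidden", HIDDEN_HDR)):
            off = sector * BLOCK
            salt = bytes(self.buf[off:off + 32])
            ct = bytes(self.buf[off + 32:off + 32 + HDR_LEN])
            plain = xor_crypt(derive_key(password, salt), b"hdr", ct)
            if plain[:4] == MAGIC:
                start, length = struct.unpack(">II", plain[4:12])
                return kind, start, length, plain[12:]
        return None

    def write(self, vol, sector: int, data: bytes, protect=None) -> None:
        """Write one sector of volume `vol`. Without `protect` (the hidden volume's own
        descriptor, which needs its password) an outer write silently destroys hidden data."""
        _, start, length, key = vol
        if not 0 <= sector < length:
            raise ValueError("sector outside volume")
        abs_sector = start + sector
        if protect is not None:
            _, hstart, hlen, _ = protect
            if hstart <= abs_sector < hstart + hlen:
                raise PermissionError("write would overwrite the hidden volume")
        off = abs_sector * BLOCK
        self.buf[off:off + BLOCK] = xor_crypt(key, struct.pack(">Q", abs_sector), data.ljust(BLOCK, b"\0"))

    def read(self, vol, sector: int) -> bytes:
        _, start, _, key = vol
        off = (start + sector) * BLOCK
        return xor_crypt(key, struct.pack(">Q", start + sector), bytes(self.buf[off:off + BLOCK]))

def demo() -> dict:
    """Outer volume in sectors 1..62, hidden volume inside it at 40..61 (constructed layout)."""
    c = Container()
    c.create_volume(b"outer-pass", OUTER_HDR, 1, NBLOCKS - 2)
    c.create_volume(b"hidden-pass", HIDDEN_HDR, 40, 22)
    outer, hidden = c.open(b"outer-pass"), c.open(b"hidden-pass")
    c.write(hidden, 0, b"secret notes")  # lands in absolute sector 40
    res = {"wrong_password_opens_nothing": c.open(b"guess") is None, "kinds": (outer[0], hidden[0])}
    # Raw-image view: hidden data versus never-written outer free space.
    res["entropy_hidden"] = entropy_bits(bytes(c.buf[40 * BLOCK:50 * BLOCK]))
    res["entropy_free"] = entropy_bits(bytes(c.buf[10 * BLOCK:20 * BLOCK]))
    res["hidden_intact"] = c.read(hidden, 0).rstrip(b"\0") == b"secret notes"
    # Outer sector 39 is absolute sector 40, i.e. hidden sector 0.
    try:
        c.write(outer, 39, b"more photos", protect=hidden)
        res["protected_write_refused"] = False
    except PermissionError:
        res["protected_write_refused"] = True
    c.write(outer, 39, b"more photos")  # unprotected: clobbers the hidden data silently
    res["hidden_after_clobber"] = c.read(hidden, 0).rstrip(b"\0") == b"secret notes"
    return res
```

Both entropy figures come out close to 8 bits per byte, which is the whole point: nothing in the image itself tells the examiner whether sector 40 holds ciphertext or was simply never written.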

    23. Re:That's not proof! by philip.paradis · · Score: 1

      You're still entirely missing the point, so please allow me to clear it up for you. In the scenario we're discussing, specifically the utility of hidden containers with respect to plausible deniability, the police already have access to the outer container. Either the key decryption passphrase was directly conveyed to them, or they had the device owner unlock the outer container to facilitate spot inspection of the device and the device owner complied given his belief that he will be protected by hidden containers. At this point, the device is confiscated. If the outer passphrase was not supplied, it matters little at this point, because the volume is unlocked and mounted. The outer container key will be extracted shortly thereafter as a result by any one of numerous means.

      The police now proceed to inspect the digital media in question. In many cases, said analysis will rapidly identify media regions which are likely to represent "hidden containers", and interesting interactions between the owner of the device and law enforcement personnel will commence shortly thereafter.

      What part of this is unclear? Perhaps you should explain the nature of your experience with cryptography, preferably with emphasis on practical applications pertinent to this conversation.

      --
      Write failed: Broken pipe
  2. Speculation by borcharc · · Score: 5, Insightful

    There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well have just posted a link to a reddit thread about this.

    1. Re: Speculation by Anonymous+Psychopath · · Score: 1

      That's probably where they got this anyway.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:Speculation by Anonymous Coward · · Score: 2, Insightful

      Ever since actual news stopped mattering and what everyone cares about is clicks (read as money).

    3. Re:Speculation by Anonymous Coward · · Score: 5, Insightful

      We do not need concrete information.
      When a major encryption project like this closes shop, without any explanation, duress should be assumed.
      The current climate requires it.

    4. Re: Speculation by Anonymous Coward · · Score: 1

      Exactly. When people get all antsy about this stuff I have to wonder what the fuck they are encrypting to begin with that they feel isn't available already to any agency that wants it. Financial records? The NSA can access those at any time through any number of sources. Secret plans? About what? If you have secret plans that the government should be interested in, then I want them to find out about it - because unless you are planning terrorist activity, there is no reason to fear so much. It's mostly just folks who are paranoid and/or filled with delusions that they have any "secret" information to hide anyway. There is nothing an individual has on their computers that requires such measures, and if you don't want something public, you don't send it out over the Internet period, encrypted or not.

    5. Re:Speculation by jopsen · · Score: 2, Insightful

      There is no concrete information that the NSA or a national security letter was involved.

      Before Snowden we used to say the same thing about the NSA messing with encryption standards bodies, or the NSA conducting widespread warrantless surveillance of everybody.

      We used to think people weren't subjected to secret trials in the US. That's no longer the case; we now know for a fact that the US doesn't honor basic human rights, not for its citizens or anybody else.

      Do we really need more proof? This isn't the worst thing the NSA have attempted yet.

    6. Re:Speculation by aaaaaaargh! · · Score: 5, Funny

      That's exactly what I thought first. But then it came to my mind that Bitlocker is much more secure than Truecrypt, because it has been developed and carefully audited by a corporation with a proven track record in cyber security. That fact makes it practically 100% certain that the developers of Truecrypt just thought "nah, fuck it, we now have Bitlocker, which uses military-grade encryption against all kinds of criminals and cyber-threats, and there are minor to medium potential problems with our code, so we just throw in the towel and give up all the work on Truecrypt."

      That's obvious, right?

    7. Re: Speculation by Anonymous Coward · · Score: 3, Insightful

      It's not necessarily the NSA you always want to protect things from. What if your laptop gets stolen, would you want the thieves to be able to look through the contents?

    8. Re: Speculation by Anonymous Coward · · Score: 1

      I'm comfortable that some random prick pinching my machine from a pub won't be able to access (or even identify) my old TrueCrypt files, thanks. Come to that, since the reason to swipe my machine would be to either use it or sell it, I'm comfortable they wouldn't even bother. Same goes if I had my stuff in FileVault or BitLocker, or anything.

    9. Re:Speculation by Anonymous Coward · · Score: 1

      It must be sad living in a world of such heightened paranoia.

    10. Re:Speculation by Aighearach · · Score: 4, Interesting

      Not really, when the project used an incompatible license all along and while marginally "open source," they were clearly taking a hostile stance towards other FLOSS projects, as nobody could integrate their work with anything else.

      In that context their explanation makes perfect sense; they didn't do it for love of FLOSS, they did it because there were no other portable options that included support for all Windows versions. Without XP, that ceases being true.

      As a supporter of Free Software that reasoning might sound lame to me, but it is very consistent. And if their whole point was to provide an option for windows users, then recommending bitlocker is actually consistent. Having different values doesn't imply he's lying about his.

      As far as canaries go, you have to have the live bird before going into the mine, and then have the dead bird. In this case there was no live bird in advance, and there is a dead bird afterwards. Not only have we not been warned by a canary, nobody actually even claims to have seen one, dead or alive.

      The name of the person who registered a non-profit and for-profit for TrueCrypt in the US was David Morgan. That person has already verified the posted information from an email address @truecrypt, so this other person not known to be associated with TrueCrypt should be ignored.

    11. Re:Speculation by sysrammer · · Score: 4, Insightful

      It must be sad living in a world of such heightened paranoia.

      ...sez the AC.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    12. Re:Speculation by lsllll · · Score: 5, Funny

      Amen brother! I switched to Bitlocker a while ago and never even looked back at LUKS or TrueCrypt. The problem I had, though, was that I run only Linux on my machine. No worries. I installed VirtualBox, created a VM and installed Windows on it. That way I could make /home/lsllll as a private share available in the VM and have Bitlocker go at it. That is the ONLY reason why I run Windows. God praise the Bitlocker developers. They saved me from the NSA.

      --
      Is that a roll of dimes in your pocket or are you happy to see me?
    13. Re:Speculation by fustakrakich · · Score: 1

      When did we start linking to random blogs for speculation presented as fact?

      Are we supposed to believe regular mass media is any better, or even different? Since we are allowing abusive authority to prevail with no oversight, we have to assume the worst about it. Reddit is every bit as credible as the Times and the Post, which are essentially government institutions.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:Speculation by dcollins117 · · Score: 4, Insightful

      What are you doing with your computer that BitLocker doesn't count as safe?

      That's none of your concern. That being said, you're kinda missing the point of privacy. The use of encryption in no way implies that you are doing anything wrong. Just the opposite - you've taken steps to ensure your data is not accessed by an unauthorized person. So in fact, you're doing something right.

    15. Re:Speculation by Anonymous Coward · · Score: 1

      It is not a matter of being FLOSS friendly, but to recommend a black box made by someone with the track record of Microsoft. It is not a canary, it's what people resort to when they have to send a message that something is wrong. If somebody comes up and says it's a canary, well, his call. IIRC indirect disclosure using a canary technique is equivalent to disclosure, if you get the NSA at the door. If you discredit him and because of that you assume that everything is ok, you make a leap of faith. Your call.

    16. Re:Speculation by dcollins117 · · Score: 1

      Upon reflection, I think I probably misinterpreted your initial point, and then went off on a weird tangent. I'd retract my post if I could.

    17. Re:Speculation by YukariHirai · · Score: 1

      Which is all well and good... except for the facts that A) the NSA doesn't seem to be constrained by what is legal or not, and B) whistleblower protections aren't doing people who blow the whistle on this sort of level a whole lot of good.

    18. Re:Speculation by The+Snowman · · Score: 1

      Which is all well and good... except for the facts that A) the NSA doesn't seem to be constrained by what is legal or not, and B) whistleblower protections aren't doing people who blow the whistle on this sort of level a whole lot of good.

      Don't forget that the GP's 1st amendment comment assumes TrueCrypt was developed by U.S. citizens. Being that the domain was registered in Antarctica and the developers are rumored to be European, that could be another blow: the NSA then has full authority under U.S. law to do whatever they want to the project.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
    19. Re:Speculation by shutdown+-p+now · · Score: 1

      As far as canaries go, you have to have the live bird before going into the mine, and then have the dead bird. In this case there was no live bird in advance, and there is dead bird afterwards.

      The canary in this case is the specific changes that were made to the code (specifically, the subtle wording of some of the comments) - or so it is claimed.

    20. Re: Speculation by jelIomizer · · Score: 3, Insightful

      Secret plans? About what? If you have secret plans that the government should be interested in, then I want them to find out about it - because unless you are planning terrorist activity, there is no reason to fear so much.

      Wow. Did you seriously just use "Nothing to hide, nothing to fear"... seriously? Are you retarded, or do I have to point out that hundreds of millions of people were abused and/or murdered by governments--including the US government--throughout history? If you knew, then why do you seem so confident that people who want to keep their plans secret must be doing something immoral? History just isn't on your side, fool.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    21. Re:Speculation by jelIomizer · · Score: 1

      The more people that use encryption, the more people that can provide cover for those who do things the government doesn't like (Which isn't necessarily immoral!) and prevent those people from being abused. If very few use encryption, those who do use encryption may be singled out and harassed.

      So, how about caring about someone other than yourself? Perhaps you should also start caring about the constitution, fundamental liberties, and the ability to know what the software on your computer is doing?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    22. Re:Speculation by jelIomizer · · Score: 1

      And to suggest that the government can just get all this information elsewhere is just absurd.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    23. Re: Speculation by Euler · · Score: 4, Insightful

      Ah, yes... "If you aren't doing anything wrong, then what do you have to worry about"
      Except there are plenty of cases of persecution if you happen to be:
        - Gay,
        - A former member of the communist party,
        - Union organizer,
        - Whistle blower,
        - Protester, objector, not in line with corporate America,
        - Catholic, Jewish, Japanese, or anything else not favorable at the time...
      None of these people are terrorists, but clearly lost their liberties, reputation, or assets when they were "outed"

    24. Re:Speculation by Euler · · Score: 1

      There isn't any way they can give us confidence that they are playing nice either. This is what happens when you violate the trust of the US people and the rest of the world. People used to believe that the US Constitution was the fire-block that was stopping this same nonsense that you would expect from China or other authoritarian governments with no protection of human rights. Now it's official, there is no difference.

      US corporations have lost major credibility in the world technology market: "We promise this time we won't put secret back doors in our products that we won't tell you about because our government forced us to and we couldn't tell you. We promise this won't happen anymore."

    25. Re:Speculation by Anonymous Coward · · Score: 1

      > Did you forget what site you're on?

      According to our collected metadata, you're new here.

    26. Re:Speculation by epyT-R · · Score: 1

      There are plenty of the faux intellectual type liberals here, more than enough to offset the smaller but very vocal libertarian contingent. There are few if any neocons here.

    27. Re: Speculation by epyT-R · · Score: 1

      Unless the bitlocker master keys leak (or are bruteforced in the future)..

    28. Re:Speculation by tlhIngan · · Score: 1

      We do not need concrete information.
      When a major encryption project like this closes shop, without any explanation, duress should be assumed.
      The current climate requires it.

      The problem is, it doesn't make sense.

      First of all, Lavabit is a bad example because they used one encryption key for everything - hence the FBI's request for all users' email because it's impossible to isolate just one mailbox. That was a Lavabit fault (one would reasonably have assumed there was no master key involved).

      TrueCrypt though doesn't have a "master key" - there is no one key that when disclosed will unlock every TrueCrypt volume out there. (At least, that's what the preliminary audit reports say).

      And given the nature of TrueCrypt, it would be a challenge to implement such a backdoor - the audit verified that it's possible to recreate the binaries from the source.

      And there's no real update in over 2 years. An NSL that forces them to implement something that sends the master key to the NSA would be known - it's not like people won't diff the source code or build and compare to see if there were holes.

      And the audit itself didn't reveal anything big or major.

      A more likely reason cropped up when someone claiming to be a TrueCrypt developer stepped up and claimed boredom as the reason. Basically the developers were burned out and didn't want to do it anymore. Perhaps some of the minor flaws in the audit would be too boring to fix, for example.

      So why the announcement? Because unsupported it IS less secure - eventually more holes and vulnerabilities will turn up and it might be fatal. Better to get everyone off it rather than believing their data is secure against unknown future attacks.

      And other people are trying to resurrect/fork it, trying to get all the legal ducks in a row to meet the requirements of the license.

    29. Re:Speculation by epyT-R · · Score: 1

      Well, if second hand computer shops and unethical civilians can crack bitlocker, then it isn't very useful at all as it implies there are master keys in the wild.

    30. Re: Speculation by gsslay · · Score: 1

      If you have secret plans that the government should be interested in, then I want them to find out about it - because unless you are planning terrorist activity, there is no reason to fear so much.

      I really hope you're not giving us the "if you have nothing to hide then you have nothing to fear" line? Because that one has always been bullshit.

      You are totally clueless to what "the government should be interested in", and have even less of an idea on what "the government is interested in".

    31. Re:Speculation by gsslay · · Score: 1

      The point is that some people's machines may have sensitive information on them. Just because you personally can't think of any doesn't mean there are none. Maybe commercial secrets. Maybe juicy blackmail material. Maybe they live in an oppressive regime and are writing a book the government doesn't care for. Or maybe they've just got a sexual orientation that the religious police don't find acceptable, and any evidence of that would be fatal. Withdrawal of things like Truecrypt hurts these people too. It's not all about self-interest.

      Do you trust all governments, and all future governments, to never use their backdoor into that for any other purpose, other than all the good, wholesome things they say they need it for? You know, the holy trinity of "war against terrorism", "national security" and "protecting the children". You really think that "protecting economic interests" never, ever, features? Really?

    32. Re:Speculation by TheCarp · · Score: 1

      I was thinking that myself as I typed a response to a previous comment but, I canceled it because I realized something... few other scenarios make sense.

      If their signing keys were compromised, they could issue revocations, they could announce it. They would be foolish not to. If they just wanted to end the project, why such an off the wall announcement? Why release a decrypt only version?

      These actions together make no sense unless they have some reason that they cannot talk about. There are not a lot of reasons that I can think of that they would be unable to disclose some information, like their real reason for stopping or what real vulnerabilities may or may not be out there.

      It is really hard to find much else that fits here. Maybe not an NSL but some sort of government action with a gag order attached. What else could they not talk about unless it involved their own misdeeds? However, if they had backdoored Truecrypt in some way (and no, passing a security audit doesn't mean they didn't do it)... why release a decrypt-only now? Why not just end the project and call it a good run? It doesn't add up, criminals don't clean up the messes they leave behind, not when it doesn't actually cover their tracks in any way.

      No this stinks and there are not too many reasons I can think of for it to smell like that. Not proof but, I think suspicion is warranted. I have seen a lot of projects end a lot of different ways, from pissy developer infighting to lack of funds to life issues taking over. This doesn't look like any of them. This isn't how long running projects usually end.

      And that is the whole point of the Canary: by its most sudden and peculiar death, you know it's time for people to begin walking calmly to the exits of the mine shaft.

      --
      "I opened my eyes, and everything went dark again"
    33. Re:Speculation by neghvar1 · · Score: 1

      Of course there is no concrete evidence. If there was, those involved with Truecrypt would have been arrested and charged with violating 18 U.S.C. 2709(c) of the USA Patriot Act.

    34. Re: Speculation by spacepimp · · Score: 1

      So we have an anonymous coward who is whining about other people feeling they have something to hide. You realize what a fool you look like by posting this comment as AC?

    35. Re:Speculation by Unordained · · Score: 1

      And other people are trying to resurrect/fork it, trying to get all the legal ducks in a row to meet the requirements of the license.

      I've been curious how the original anonymous developers would be able to enforce the terms of their previous license ... even if they had some means of proving in court that they really were who they claimed to be, and had the right to sue, they would lose their anonymity in the process, which is of some value to them.

      The anonymity of the developers is a double-edged sword, in this kind of product. It temporarily makes it harder for intelligence agencies (or organized crime) to put pressure on them, but long-term, is it worthwhile? Either their identities will be found out and used against them, or their continued anonymity will be used against the project by at least casting doubt on the trustworthiness of the project. Ownership of crypto keys (software signing keys) is a pretty good stand-in for identity, except that our laws don't have the same respect for them as for other cases of identity-theft -- they're "just data", to be handed over, and possibly abused.

      (Doubting the usefulness of anonymity in no way endorses the likes of Microsoft, and their line that having an established identity entrains reputation, and the desire to protect said reputation in turn guarantees trustable software. At least with TC we have source, and a hopefully independent audit, and that's perhaps the most important piece in the end.)

    36. Re:Speculation by plover · · Score: 1

      So why the announcement? Because unsupported it IS less secure - eventually more holes and vulnerabilities will turn up and it might be fatal. Better to get everyone off it rather than believing their data is secure against unknown future attacks.

      The problem is they didn't say it that way, instead they claimed it had unfixed security issues. Which is weird, because the audit has demonstrated the opposite.

      However, I think we should all read what they wrote a bit more literally: "Warning: Using TrueCrypt is not secure." The key word we're all overlooking in all this paranoia is "using". TrueCrypt itself may be just fine as is, but according to Snowden's documents, virtually every single computing platform is susceptible to some form of software or hardware hacking that allows the NSA access. Keyloggers built into keyboards, motherboards, USB cables, hubs; the ability to wirelessly transmit logs up to 8 miles away; BIOS that allows remote control; routers with subverted access commands - it doesn't matter how secure the software is if the attackers already own the platform itself.

      --
      John
    37. Re:Speculation by Aighearach · · Score: 1

      Claimed by who? Claimed by people outside the project. The main claim is from twitter from a person who hasn't talked to them since 2004, and is going by memory, and hasn't even clarified if they gave specific changes that would happen; though clearly not if it wasn't written down and that much time passed.

    38. Re:Speculation by MrNaz · · Score: 1

      It must be comforting, living in a world of such naivete. At least, it will be until you wake up and realize where you are.

      --
      I hate printers.
    39. Re:Speculation by ihtoit · · Score: 1

      The difference between blogs and mass media:

      The Chilcott Report, if it were posted on a blog, would be posted in its entirety. As it is, it is but a claim right now that it exists; we know a fuckload of public money was diverted and spent on the inquiry, and absent proof to the contrary, claims in MSM that the report implicates former Prime Minister Anthony Blair in war crimes, is itself grounds to issue a warrant for his arrest - at which point full public disclosure is an inevitability as it becomes evidence in a criminal trial. My question on that, is just who exactly originated that claim and have they actually read the Chilcott Report?

      Blogs: are generally prepared to furnish evidence to claims made.
      MSM: reports what Government tells them to, evidenced or not.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    40. Re:Speculation by lovejw2 · · Score: 1

      So it's Schrodinger's Canary?

  3. Re:Nonsence by Anonymous Coward · · Score: 1

    He is not making extraordinary claims, so reputation is irrelevant.

  4. tc-play is a reimplementation of Truecrypt by Anonymous Coward · · Score: 5, Informative

    Fyi Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. So there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play

    Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.

    1. Re:tc-play is a reimplementation of Truecrypt by ysth · · Score: 4, Informative

      You are behind the times.

      The binary build was duplicated from the source.
      The source has been audited.

    2. Re:tc-play is a reimplementation of Truecrypt by davydagger · · Score: 4, Insightful

      There is actually a code audit underway, and so far they've found nothing.

      the concept of anonymity means nothing, because we live in an age where reputation can be bought.

      all that matters is if the source code can be inspected, and if the source code matches the binaries.

      who actually makes it does not matter as long as it's audited properly.

      stop with the FUD.

    3. Re:tc-play is a reimplementation of Truecrypt by ysth · · Score: 3, Informative

      The audit of the source is complete. The next phase of the audit is cryptanalysis.

    4. Re:tc-play is a reimplementation of Truecrypt by ysth · · Score: 1

      I agree with your first part, but then you go off on a tangent ("By distributing the code...") that seems inapplicable??

    5. Re:tc-play is a reimplementation of Truecrypt by Atomic+Fro · · Score: 1

      Open source or not, you can't trust anything even with code audits:
      Dennis Ritchie's back door

      --

      ==================
      Hippie Logger Jock
      ==================
    6. Re:tc-play is a reimplementation of Truecrypt by HuguesT · · Score: 1

      Yes you can, if you can reproduce the binary from an audited compiler, which is exactly what has been done in the case of TrueCrypt. BTW this is Ken Thompson's backdoor, not DMR's.

    7. Re:tc-play is a reimplementation of Truecrypt by fnj · · Score: 1

      Yeah, right. And as a matter of fact I have no evidence that I am not the only sentient being actually alive on earth. In fact, is the earth even real? Everything I can possibly ever know or guess comes to me from my five senses, and there is no proof and cannot possibly ever be any proof that my five senses are connected to anything real.

      In fact, how do I really know even *I* am sentient? Because I have self-awareness? What is that, anyway? What is self? Man, this must be a really far out acid trip.

      You have to draw the line of doubt and second-guessing SOMEWHERE.

    8. Re:tc-play is a reimplementation of Truecrypt by philip.paradis · · Score: 1

      Why not just link to the original work instead of some blog entry? Reflections on Trusting Trust

      --
      Write failed: Broken pipe
    9. Re:tc-play is a reimplementation of Truecrypt by kbg · · Score: 1

      The binary on Windows is compiled from a Microsoft compiler which most likely has NSA code which creates a backdoor in the TrueCrypt binary.

    10. Re:tc-play is a reimplementation of Truecrypt by sconeu · · Score: 1

      I would suspect that VC 1.52 predates NSA backdoor-isms.

      The source is being audited.
      The binaries have been proven to be generated from the source.

      The only backdoor I can see is a Thompson style compiler attack.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    11. Re:tc-play is a reimplementation of Truecrypt by T.E.D. · · Score: 1

      Don't forget to audit the compilers too. And the compiler's compilers...

    12. Re:tc-play is a reimplementation of Truecrypt by Reziac · · Score: 1

      I was just reading the bit on GRC.com, that exchange with 'David' and a couple things struck me:

      'David' sounds like mainland Chinese in his use of English.

      The NSA is not the only such agency in the world.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    13. Re:tc-play is a reimplementation of Truecrypt by ihtoit · · Score: 1

      here's a line:
      -----
      We are all figments of a deranged imagination.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  5. Who to believe? by Anonymous Coward · · Score: 1

    There is also "confirmation" that the developers are simply tired of the project and don't want anyone else to work on it:
    https://www.grc.com/misc/truecrypt/truecrypt.htm
    Who do we believe?

    1. Re:Who to believe? by Aighearach · · Score: 1

      I say we believe david@truecrypt

      https://twitter.com/stevebarnh...

    2. Re:Who to believe? by Jane+Q.+Public · · Score: 1

      There is also "confirmation" that the developers are simply tired of the project and don't want anyone else to work on it:
      https://www.grc.com/misc/truec...

      Gibson is generally a reliable source. He was very much right back in the day when he built the "Shields Up!" site and everybody else called him paranoid.

      And his explanation also makes sense: they did change the license, and they did take the time and trouble to build 7.2 before the "sudden" announcement on their page.

      Why would they want to kill the project? Who knows? People sometimes do perverse things.

      But if that were actually their intent, they won't succeed. The group doing the audit said that if it passes, they plan to offer a fork build and continue the project.

    3. Re:Who to believe? by Shawndeisi · · Score: 1

      You have to look at everything as one big picture:

      1) You can't legally talk about being the subject of an NSL, or you probably do time in a PMITA prison.
      2) The developers would really like to fight the NSL, but would really not like to do time in a PMITA prison
      3) An NSL presumably cannot coerce you to keep doing what you're doing, only to not tell people that you were subject to one.

      Therefore, it would seem prudent to tip everyone off in a covert way (e.g. replacing instances of "U.S." with "United States", reuploading your same signing keys, saying "not secure as", etc.) but have an overt reason to stop use of the product. It's a very fine line they're walking, and they risked a lot by doing what they did if they were subject to an NSL. In their shoes, I would also say that I lost interest after walking as close to the line as possible. They're gagged and already have at least some chance of having their lives ruined for the actions that they did take. It's not like they can say "Yep, I was NSL'd"

    4. Re:Who to believe? by fnj · · Score: 1

      Has anyone in this group checked their postal mail lately? Any registered letters in there with NSLs inside? Where does it stop?

    5. Re:Who to believe? by Aighearach · · Score: 1

      No, look up the law for National Security Letters. There are only civil penalties. And indeed, it is from the wrong branch of government to have anything else attached. They can sue you for an unlimited amount of money, they cannot imprison you. That threat is connected to traditional process that involves the Courts.

  6. What else? by NotInHere · · Score: 1

    It has to be an NSL. What should be the other explanation? The truecrypt accounts hacked? I don't think so.
    However, it is too early for a story "The Sudden Policy Change In Truecrypt Explained". There is no proof of this speculation yet.

    1. Re:What else? by rahvin112 · · Score: 5, Informative

      The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.

    2. Re:What else? by rahvin112 · · Score: 1

      They are anonymous, what do you expect them to conduct interviews? Doesn't fit the facts my ass, it's the most logical assumption.

    3. Re:What else? by dcollins117 · · Score: 3, Insightful

      The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.

      Fine. The simplest way to do that is to put a clear and unambiguous message on their webpage stating that development is frozen at version 7.1a, and the project will no longer be maintained. Instead they gave no explanations, but a very bizarre set of statements that raise more questions than they answer.

      This has the flavor of a practical joke or an unstable mind. Certainly not someone you would trust to protect your data.

      It's a shame. I really liked the application.

    4. Re:What else? by thegarbz · · Score: 1

      Occam's Razor works both ways. You're correct. The project is closed, Occam's Razor would say that the developers didn't want any part of it.

      It would also say that the normal way to go about it is writing a post on their home page detailing how they are pulling out because they are bored and to wish everyone a good day and thank the community blah blah blah. Instead they have quit in an amazing dramatic way leaving a community confused with no information and recommending to abandon the use of Open Source software in favor of commercial alternatives. They gutted their webpage, no guides, no information, not even any kind of branding indicating what TrueCrypt was.

      For such an exit the simplest explanation is that it was left under extreme duress or they were hacked, though the latter would have been resolved by now.

    5. Re:What else? by radarskiy · · Score: 1

      The counter-example is Flappy Birds.

    6. Re:What else? by Euler · · Score: 1

      The whole misdirection to Bitlocker is probably a sarcastic joke pointing to a company far more likely to adhere to NSLs. Bitlocker isn't even provided on Home editions of Windows, so it really isn't such an obvious alternative. Their directions literally go through steps to change the Windows product key. I would assume to do this legally you pay Microsoft, is that correct? So you are telling me that TrueCrypt as a free alternative for home users isn't still worth developing by someone?

    7. Re:What else? by epyT-R · · Score: 1

      Then why change the site? The old site was reasonably well written and organized. It would've been easier to post an update to that. Instead we get this bizarre layout with broken English and a half-assed release. It's far more likely that the half-assed release was just the payloader to distribute the canary changes.

    8. Re:What else? by david_thornley · · Score: 1

      On the other hand, anybody concerned with security has to account for the possibility that the project was shut down by the US government. It would be unsafe not to.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  7. It is all pretty obvious by hsmith · · Score: 2, Interesting

    U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...

    The message is clear what happened.

    1. Re:It is all pretty obvious by Jane+Q.+Public · · Score: 1

      U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...

      The "no encryption on OS X" is clearly FUD. The picture did not show encryption, but the instructions clearly tell you to select an encryption scheme.

      There are real questions about this... no need to go off into la-la land.

    2. Re:It is all pretty obvious by Anonymous Coward · · Score: 1

      The U.S. -> United States is an automatic VS change that occurred with an update. Take off your tinfoil hat for a moment.

    3. Re:It is all pretty obvious by loosescrews · · Score: 1

      Do you have a source for that? I Googled it and I didn't find anything.

    4. Re:It is all pretty obvious by epyT-R · · Score: 1

      What does the first change prove?

  8. Re: people ruin everything by Anonymous Coward · · Score: 2, Informative

    https://t.co/x1H2T6UtEv

  9. Bottom Line by msobkow · · Score: 1, Insightful

    The bottom line is that TrueCrypt was too good for "the man" to tolerate.

    You will be spied upon.

    You will be surveilled.

    You will be monitored.

    Refusing to let the government rape your data is going to be called "terrorism", and leave you locked up.

    Sickening, isn't it? George Orwell was only wrong about the year...

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Bottom Line by msobkow · · Score: 1

      A fifty year old eighth grader?

      Bwahahahhahahaha!

      And you didn't even come up with a cliche, so you're one to talk! :P :P :P

      --
      I do not fail; I succeed at finding out what does not work.
  10. TC developer used hidden message!!! by Anonymous Coward · · Score: 4, Interesting

    "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

    1. Re:TC developer used hidden message!!! by ysth · · Score: 2

      Yes, it seems pretty clear to me that this is a warrant canary.

      It may still be that they triggered it (or let it self-trigger via inaction) out of lack of desire to continue the project.

      In any case, the presumed goal of the canary - making sure that no one trusts any future TrueCrypt version released via the normal channel - has certainly been successful.
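      A worked illustration of the canary idea discussed above, added here as an example and not code from any commenter or from TrueCrypt: a checker that declares a published canary dead when an expected statement is absent, has drifted in wording (a dropped "not" inverts the meaning, which is why exact text matters), or is older than an agreed interval. The statements, dates and canary texts are constructed for the example.

```python
"""Warrant-canary freshness and wording check (added example; all data constructed)."""
import difflib
import re
from datetime import date, timedelta

# Statements a project promises to republish verbatim on every canary update.
# Constructed for this example; they are not TrueCrypt's wording.
EXPECTED_STATEMENTS = (
    "We have not received any National Security Letters.",
    "We have not been asked to modify our source code or binaries.",
    "We have not been compelled to hand over our signing keys.",
)
MAX_AGE_DAYS = 90            # a canary older than this is treated as dead
CHECK_DATE = date(2014, 5, 28)  # constructed "today" for the demo below

_DATE_RE = re.compile(r"^Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", re.MULTILINE)


def parse_canary(text):
    """Return (publication date or None, list of non-empty statement lines)."""
    m = _DATE_RE.search(text)
    published = date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None
    lines = [ln.strip() for ln in text.splitlines()]
    statements = [ln for ln in lines if ln and not ln.startswith("Date:")]
    return published, statements


def check_canary(text, today, expected=EXPECTED_STATEMENTS, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings; an empty list means the canary is alive and unchanged.

    Each of the following yields one finding: no date, a stale or future date,
    a statement that is absent, or a statement whose wording merely drifted.
    Drift is detected with a similarity match so a near-copy is reported as
    'altered' rather than silently passing or being mistaken for 'missing'.
    """
    published, statements = parse_canary(text)
    findings = []
    if published is None:
        findings.append("no publication date found")
    elif published > today:
        findings.append(f"publication date {published} is in the future")
    elif today - published > timedelta(days=max_age_days):
        age = (today - published).days
        findings.append(f"stale: published {published}, {age} days ago")
    for want in expected:
        if want in statements:          # exact text present: this statement is fine
            continue
        close = difflib.get_close_matches(want, statements, n=1, cutoff=0.8)
        if close:
            findings.append(f"altered wording: expected {want!r}, found {close[0]!r}")
        else:
            findings.append(f"missing statement: {want!r}")
    return findings


# Constructed sample canaries: one healthy, one that has been tripped.
HEALTHY = """\
Project status canary
Date: 2014-05-01
We have not received any National Security Letters.
We have not been asked to modify our source code or binaries.
We have not been compelled to hand over our signing keys.
"""

TRIPPED = """\
Project status canary
Date: 2014-01-15
We have received National Security Letters.
We have not been compelled to hand over our signing keys.
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("tripped", TRIPPED)):
        findings = check_canary(text, CHECK_DATE)
        print(f"{name}: {'alive' if not findings else 'DEAD'}")
        for f in findings:
            print("  -", f)
```

The tripped sample produces three findings (stale date, altered wording of the first statement, second statement missing); the healthy one produces none.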

    2. Re:TC developer used hidden message!!! by Threni · · Score: 1

      But the website says not to trust the previous (7.1a - the proper one) version, and to use 7.2 to decrypt only (stupid, because you can do that with 7.1a). The project will be forked and released by some other people. Do you trust them? Why? Or distrust them? Why? What's your criteria either way? Surely you trust the source code, and the audits thereof.

    3. Re:TC developer used hidden message!!! by Jane+Q.+Public · · Score: 5, Insightful

      WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

      But this raises many questions.

      (1) If Truecrypt were secure in the first place, a National Security Letter would have been of no use: the developers would be no more help de-crypting something than anyone else. So in the usual context, an NSL has no point whatever.

      (2) A demand for other records, say about the developers, would also not invalidate the CODE of Truecrypt in any way.

      So that only leaves a couple of possibilities as legitimate reason for a canary: (3) Possible coercion by the government to somehow weaken their crypto.

      (4) Discovery of some prior "backdoor" that had somehow been inserted in the past.

      (5) Maybe some of the developers wanted to remain strictly anonymous and so any overtures made by the government at all created panic.

      Since the people doing the security audit have announced that it will continue, if it turned out to be (4) it will be discovered soon. Which it seems to me leaves only (3) and (5) as any kind of government "threats" that make any sense.

      Any other ideas?

    4. Re:TC developer used hidden message!!! by Shawndeisi · · Score: 5, Insightful

      I would guess that they were NSL'd for their signing keys; that would make it less secure in the future so the correct option is to burn the brand now. Reports said that both signing keys signed the new (crippled/canaried) executable, and that the keys had been re-uploaded with the same content on sourceforge. Their legit URL points to their sourceforge site. Instances of "U.S." in their source code were replaced with "United States".

      It looks to me like they went through a lot of trouble to burn the brand down before any damage could be done with the NSA's new-found signing keys. It's a very, very bad sign that this happened to TrueCrypt. Good on them for being brave enough to inform us, despite the real risks they faced in doing so. If this project is forked, we can only hope the new maintainers are brave enough to do the same when the NSA goes after them. It also raises the question: how much other infrastructure has been compromised while the maintainers have stood silently by?

    5. Re:TC developer used hidden message!!! by Jane+Q.+Public · · Score: 2

      I would guess that they were NSL'd for their signing keys; that would make it less secure in the future so the correct option is to burn the brand now.

      I know that it sometimes doesn't mean much given today's Federal government, but an NSL would not cover this eventuality. An NSL only gives the government authority to grab information without a warrant that would otherwise be grabbable with a warrant.

      Their signing keys do not qualify. There is no law in this country authorizing the seizure of this kind of information. It is a "trade secret", nothing else. The ONLY thing the government could want signing keys for is nefarious purposes.

    6. Re:TC developer used hidden message!!! by Shawndeisi · · Score: 2

      I'm sure some contorted logic could qualify; subject X is using software Y, and we need to fool subject X into downloading our software Z... I agree with your initial sentiment though: "sometimes doesn't mean much given today's Federal government".

    7. Re:TC developer used hidden message!!! by fnj · · Score: 2

      Mod up. This is exactly the explanation. There can be no doubt whatsoever. No proof, but no doubt. You can interpret the whole message of the suicide note to be the following, in the form of a veiled suggestion of course:

      "We were NSL'ed and would face the vengeance of the grandaddy of all police states if we said that here, or if we told you in plain language to just keep using 7.1a as acquired cleanly before this thuggery, or henceforward compiled from source which you can convince yourself is a clean copy of 7.1a."

      The proof that 7.1a remains effective is that the NSL was launched.

    8. Re:TC developer used hidden message!!! by timothy · · Score: 1

      Your own line, or a running gag?

      That would be the basis of a funny T-shirt design to sell at security conventions, or for speakers to weave casually into their talks about crypto ;)

      Maybe under a nice image of Washington crossing the Delaware, or a Jefferson Wheel ...

      --
      jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
    9. Re:TC developer used hidden message!!! by westlake · · Score: 2

      The most interesting thing is that there are 2073 line additions and 10163 line deletions

      7.2 is a one-way - decryption only - file recovery tool.

    10. Re:TC developer used hidden message!!! by AHuxley · · Score: 2

      The gov gets the server, the staff to step away with a NSL and the ability to become the 'staff'.
      At first you just get the build ability. Then a safe, expected build with the surrounding jargon and skill set is tried.
      If the community did not notice the change to the staff or build or site then a project can be turned.
      The new tame staff are slowly rolled out to the wider community with a full 'crypto' history on the web to be found.
      If the community did not notice then a project can be altered to ensure the user gets full crypto but so do a few govs around the world and their friends have keys.
      It's just building on the classic hardware and software methods the US and UK gov used in the 1940-80's - the NSL is a tool to get in, then the work starts on the project.
      The NSL is just the first outer step. It shows the gov who will turn, who will turn but get a message 'out'. All the NSL might be about is a server, logs and all related access to every part of the project.
      Then the offers start: Work with the gov, walk away but approve all changes/staff, walk away or .....
      The NSL got the results of providing a way in, no outside changes if done right and over time the 'new' staff can shape the project in many different ways.
      From just a honey trap to find/chat up/turn the helpers and experts who are hard to find but would be attracted to some types of projects.
      To give a past, faces on ongoing staff that can be used for decades but need a turned project to build that lifestyle as they start out.
      Later a project may get a classic trap/back door with extra keys for gov decryption or not - the staff go on building great code but provide decades of introductions to a wider community allowing 100% gov run front crypto efforts.
      Why risk a back door in an existing project when in a few years you have a 100% gov crypto front with the blessing and 100% support of an older trusted project? Over time the older project gets more limited. People are attracted to the 'new' 100% gov crypto front project.
      It can all start with a chat over a log under a NSL with results around people or the existing code or the next gen of code or a side project.
      The interesting aspect is the wider public is now talking about the topics.

      --
      Domestic spying is now "Benign Information Gathering"
    11. Re:TC developer used hidden message!!! by AHuxley · · Score: 1

      The "signing keys for is nefarious purposes" usually come with a set of people. The NSL lets the gov sit down and make offers before that middle class, trust fund or wealthy extended family security cleared legal team finds their way to the interview.

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:TC developer used hidden message!!! by LordKronos · · Score: 1

      So let's say this is what happened. What would stop them from revoking the old keys and generating new ones?

      So the NSA compelled you to hand over your old keys. Now you've generated new one. Gee, if only the NSA had some way to compel you to hand over those new signing keys, too.

      I seriously can't believe you didn't think that one through

    13. Re:TC developer used hidden message!!! by Jason+Levine · · Score: 4, Interesting

      Let's assume that the government would be breaking the law by NSLing the signing keys. (As opposed to the law being so mucked up that such an action is entirely legal.)

      1) What lawyer is going to be able to fight this battle against the US Government and win? Let me narrow that list down a bit. What lawyer that the TrueCrypt developers would hire would be able to fight this battle against the US Government and win?

      2) Would the TrueCrypt developers even be allowed to see a trial or would they be arrested on "unrelated" charges and sent to prison? Or worse. (There is plenty that a power hungry governmental agency can do to someone that says "no" to them that makes "being arrested on unrelated charges" preferable.)

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    14. Re:TC developer used hidden message!!! by ultranova · · Score: 1

      If Truecrypt were secure in the first place, a National Security Letter would have been of no use: the developers would be no more help decrypting something than anyone else. So in the usual context, an NSL has no point whatever.

      TrueCrypt version n is secure. Version n + 1 stores your key in a location known to the NSA.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    15. Re:TC developer used hidden message!!! by michelcolman · · Score: 1

      I would assume that, if the NSA had a back door in TrueCrypt, it would be in their best interest for people to keep using it. So in that case, they definitely would not want to have it taken down.

      On the other hand, maybe someone discovered the back door, wanted to remove it, was told by the NSA not to, and then decided the project should be scrapped.

      The most likely explanation, though, was that the NSA did not have a back door and therefore sent a letter to have it taken down.

    16. Re:TC developer used hidden message!!! by ray-auch · · Score: 3, Insightful

      Frankly, useless crypto kits backdoored entire time are.

      FTFY

    17. Re:TC developer used hidden message!!! by Anonymous Coward · · Score: 1

      I dunno. Maybe the same reason you're posting AC?

    18. Re:TC developer used hidden message!!! by Wootery · · Score: 1

      As if Yoda wasn't cryptic enough already.

    19. Re:TC developer used hidden message!!! by tlhIngan · · Score: 1

      I would guess that they were NSL'd for their signing keys; that would make it less secure in the future so the correct option is to burn the brand now. Reports said that both signing keys signed the new (crippled/canaried) executable, and that the keys had been re-uploaded with the same content on sourceforge. Their legit URL points to their sourceforge site. Instances of "U.S." in their source code were replaced with "United States".

      It looks to me like they went through a lot of trouble to burn the brand down before any damage could be done with the NSA's new-found signing keys. It's a very, very bad sign that this happened to TrueCrypt. Good on them for being brave enough to inform us, despite the real risks they faced in doing so. If this project is forked, we can only hope the new maintainers are brave enough to do the same when the NSA goes after them. It also raises the question: how much other infrastructure has been compromised while the maintainers have stood silently by?

      The problem is, corrupted binaries would be found out really easily.

      First of all, we know you can produce the exact same binaries of TrueCrypt from the source code. The audit proved that.

      With that, if you have a set of binaries, signed or not, you should be able to reproduce that binary with the source code. If you can't, it means the binary you have was not built from the source code you have.

      I.e., that binary is not trustworthy - do not use it.

      But if you can repro the binary from source, it means the source and binary match, which means if there is something inside the binary, it would be in the source. Which means all you need to do is diff the source code from the previous version.

      Thus making the whole signing key thing completely pointless and a red herring as you can bet TrueCrypt binaries and source will be cross verified by many people to begin with.

      The only way to get around this is if the compilers are compromised in the classic attack.

      Binaries reproducible via source code is important, it's why the TrueCrypt audit did it as the first thing. Once you have that, it can be re-verified easily and continually, proving the binaries and source correlate. From there, you can diff the sources to verify backdoors.

      And all a user has to do is wait a few days after release when all the people much smarter do their analysis.

    20. Re:TC developer used hidden message!!! by RockDoctor · · Score: 1

      A NSL only gives the government authority to grab information without a warrant that would otherwise be grabbable with a warrant.

      I see the relevance of that, if NSLs are in the least bit relevant.

      Do you know (e.g., any previous public statement by Truecrypt developer(s) ) that NSLs are in the slightest bit relevant? It's a very common error of logic on Slashdot for most commentators to make the incorrect assumption that everyone in the world is an American Citizen living in America. And who is therefore subject to pressure from an NSL. Which sounds very silly to me, being a non-American, not resident in America and not likely to travel via or to America in the foreseeable future.

      There is a faint rumour that the Truecrypt developer(s) are at least partly based in Eastern Europe. Where the subtlety of the previous security regimes is ... "legendary" is a good word. The arrival of an NSL is more likely to be accompanied by a sympathetic hand written note (or tape recorder with self-igniting tape) saying "The fucking Yankees know who you are. Kill it. Now. Or we'll let them have you, and then your friends."

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    21. Re:TC developer used hidden message!!! by LordKronos · · Score: 1

      Wow, again. I can't believe you didn't think this through. Generate a new key to sign each release? You've just totally missed the point of what a signing key is supposed to be for. You might as well just use an MD5 checksum, because that's all the per-release key is good for. What you've proposed is the equivalent of saying "I'm worried someone might forge my signature, so instead I'm going to sign my name differently every time, and then nobody can ever forge it". By changing it every time, nobody can authenticate that a signature was really YOUR signature. When the NSA comes along and says "oh hey, we're the Truecrypt guys, honest, and here's our latest release with our brand new signature", you have no way to know it's really the NSA.

  11. still speculation by tero · · Score: 4, Informative

    According to this page - someone e-mailed a dev contact and claims they called it quits due to lack of interest

    https://www.grc.com/misc/truec...

    (Scroll to the bottom, the green box).

    The only real "confirmation" we have is the info on the TrueCrypt page. It's over (no matter what the reason is), best to move on.

    1. Re:still speculation by MouseTheLuckyDog · · Score: 2, Funny

      Right, because everything that Steve Gibson does is completely accurate. Right?

    2. Re:still speculation by nurb432 · · Score: 1

      I tend to agree, we will never really know why. Even if someone comes up and clearly says 'hey i was with the team and we did it due to xyz', since the team was anonymous how can you be sure he's with the team, and even if he was, if he's telling the truth?

      No matter what the reason, or even if there is a legit reason the game is over and it really doesn't matter why, other than curiosity. The code ( or group ) can no longer be trusted, and who knows how far back this breach goes.

      Time to move on to something else and not look back. And do it *today*..

      --
      ---- Booth was a patriot ----
    3. Re:still speculation by tero · · Score: 1

      It's just his page, read the actual quote I referenced, it's nothing to do with Steve Gibson - he is just quoting two people on twitter.

      Bottom line - we have no evidence of warrant canary or "dev rage quit".

      Also: https://twitter.com/0xabad1dea...

      Personally I'm more inclined to believe the devs calling it than any NSA scheme, but again.

      No. Evidence.

    4. Re:still speculation by AmiMoJo · · Score: 1

      Problem is that there's nothing else for Windows. BitLocker can't be trusted, FreeOTFE is dead too... All we can do is hope that the last good version of TrueCrypt remains secure for a long time yet, or that someone forks it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:still speculation by Ken_g6 · · Score: 1

      Actually it could be both. TFA doesn't say "warrant canary"; it says "duress canary". Duress could be anything from NSA to Russian Mob to simply getting sick of working on the project.

      Furthermore, if the "duress canary" was set up right, inaction would cause it to appear. So it would be the default result of a "rage quit". And maybe they were too sick of the project to bother with anything better.

      --
      (T>t && O(n)--) == sqrt(666)
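The "inaction makes it appear" property described above is a dead-man's-switch style canary: a dated statement that must be renewed, so silence is itself the signal. This is an added example, not code from the thread or from TrueCrypt; the canary text format, the required statement wording and the validity window are all assumptions, and signature checking of the published statement is assumed to happen before this logic runs.

```python
"""Dead-man's-switch canary checker (added example; format and wording are assumed)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample canary. A real one would be a signed statement published
# by the maintainers; verifying that signature is out of scope here.
SAMPLE_CANARY = """\
Project status statement (constructed example)
As of: 2014-05-01
Next statement due within: 90 days
We have not received any compelled request for signing keys.
We have not been asked to insert any weakness into released code.
"""

# Statements a monitor expects to see verbatim in every renewal (assumed wording).
REQUIRED_STATEMENTS = (
    "We have not received any compelled request for signing keys.",
    "We have not been asked to insert any weakness into released code.",
)


@dataclass
class CanaryStatus:
    state: str    # "alive", "stale", "withdrawn" or "malformed"
    reason: str


def parse_canary(text):
    """Return (as_of_date, max_age_days, set_of_lines); raise ValueError if fields are missing."""
    as_of = None
    max_age = None
    lines = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("As of:"):
            as_of = date.fromisoformat(line.split(":", 1)[1].strip())
        elif line.startswith("Next statement due within:"):
            max_age = int(line.split(":", 1)[1].split()[0])
        elif line:
            lines.add(line)
    if as_of is None or max_age is None:
        raise ValueError("canary lacks a date or a validity window")
    return as_of, max_age, lines


def check_canary(text, today):
    """Classify the canary as observed on `today`.

    The important case is "stale": nobody had to publish anything for the
    canary to trigger, only to stop renewing it.
    """
    if text is None:
        return CanaryStatus("withdrawn", "no canary published")
    try:
        as_of, max_age, lines = parse_canary(text)
    except ValueError as exc:
        return CanaryStatus("malformed", str(exc))
    if as_of > today:
        return CanaryStatus("malformed", "statement is dated in the future")
    missing = [s for s in REQUIRED_STATEMENTS if s not in lines]
    if missing:
        # A renewed statement that quietly drops a line is a deliberate signal.
        return CanaryStatus("withdrawn", "statement dropped: " + missing[0])
    age_days = (today - as_of).days
    if age_days > max_age:
        return CanaryStatus("stale", f"last statement is {age_days} days old, limit {max_age}")
    return CanaryStatus("alive", f"{max_age - age_days} days until renewal is due")


if __name__ == "__main__":
    for seen_on in (date(2014, 5, 20), date(2014, 9, 1)):
        status = check_canary(SAMPLE_CANARY, seen_on)
        print(seen_on, status.state, "-", status.reason)
```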
    6. Re:still speculation by tero · · Score: 5, Interesting

      Two guys - working over a decade without funding etc.

      Ennead was 29 in 2005 (http://www.wolfmanzbytes.com/windows/70-truecrypt-encryption.html) and they obviously developed it in their free time.

      Fast forward from that to today and you've got a couple of middle-aged devs, probably with more demanding careers and perhaps even families and maybe with young kids.

      They started it as a Windows project, when Windows was...a completely different beast than it is today.

      It's no wonder TrueCrypt didn't get very many (any?) releases in the past couple of years.

      It's certainly a very interesting way to exit stage.

    7. Re:still speculation by BitZtream · · Score: 2, Interesting

      Reality check: TrueCrypt for Windows could never be trusted, even if you aren't knowledgeable enough to understand that.

      TrueCrypt was nothing more than a block device driver for Windows, it was a kernel module. Any other kernel module or the kernel itself could hook into the chain between TrueCrypt and the rest of the system and read the clear text data.

      Because of the reality of working with Windows, TrueCrypt is no more trustworthy than BitLocker on Windows. They don't need to back door the BitLocker system itself, they can just bypass it OR TrueCrypt.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:still speculation by AmiMoJo · · Score: 5, Insightful

      TrueCrypt never claimed to protect you from a compromised system. The point of it was offline security. Once unmounted the contents of an encrypted container are inaccessible to anyone without the key.

      Once you understand what TrueCrypt is for you can see why it is so valuable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  12. Re:Nonsence by PPH · · Score: 1

    Back door != Keys

    The TC devs hold no keys, but could conceivably build a back door into future versions. Or perhaps there already is one, or a weakness overlooked. It's also possible that the NSA has known about the TC devs for some time, has possibly been leaning on one or more of them and this has only recently become evident to the entire team.

    --
    Have gnu, will travel.
  13. The project needs to be given away... by Karmashock · · Score: 1

    Literally give the source code and rights to continue development to anyone and everyone.

    A new project will pick it up and continue development without breaking the law. And at that point it's unlikely the NSA will be able to do anything to it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:The project needs to be given away... by Karmashock · · Score: 1

      I don't see how it could... and even if it did... just leak it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    2. Re:The project needs to be given away... by Jane+Q.+Public · · Score: 1

      Literally give the source code and rights to continue development to anyone and everyone.

      It's already underway. The auditors said they plan to fork the Truecrypt codebase if it passes the audit. Possibly even if it doesn't but any issues are fixable.

  14. I Voted This Submission Down by NotSanguine · · Score: 5, Interesting

    No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.

    Some semi-random tweeter is reposted on some random blog? I don't think so.

    It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    1. Re:I Voted This Submission Down by NotSanguine · · Score: 3, Insightful

      The reference to a "canary" is suspect, as it isn't discussed what that canary was.

      The canary is the fact that the "explanation" of the EOL of XP is inconsistent with the stated goals and roadmap for the product as of recently.

      If they'd wanted people to believe they'd gotten tired of the product, they'd have said "We're tired of working on this, we've changed our licensing terms, and releasing the code to everyone for future development."

      If you can't say why you're taking the product down, you have two alternatives: either say nothing, fueling suspicion, or lie so poorly that everyone's suspicions are raised even higher.

      The government can compel you to neither confirm nor deny any secret orders from any secret courts. (This also ought to be intolerable in a free society, but we're well past that tipping point.) What it cannot do is require that you be a sufficiently good liar that anyone believes your explanation. They can't charge you for not mentioning the secret court's secret letter because to do so would expose said letter's existence, which is precisely what the government wants hidden in the first place. Warrant canaries are a legal catch-22 of the government's own making.

      Yes, it's suspicious. Yes, the suggestions make little or no sense to anyone with technical knowledge.

      As I said, the report might be accurate.

      However, extraordinary claims require extraordinary evidence. I see no evidence. At all. It's all supposition and guesswork. Present me with actual evidence, and I can be convinced. Until then, it's all noise and hand waving, IMHO.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    2. Re:I Voted This Submission Down by NotSanguine · · Score: 2

      Don't worry man, you obviously don't need secure volume protection from anyone more hostile than the guy next door.

      This is not an extraordinary claim. It is the most plausible explanation. This is simply someone posting their observation to bring a little light to people with their heads too buried in the sand to realize.

      For the rest of us, an NSL was pretty obvious from the start. And a good reason to toss the last version and move on to something else.

      My requirements are irrelevant. And, as I've said twice now (I guess reading comprehension isn't required for ACs?), the claim about an NSL or some other sort of government involvement is certainly possible. However, I'm not going to go off half-cocked without actual, verifiable information.

      You'll note that I most certainly did not say "Oh, everything is perfectly fine. Nothing to see here. Go on about your business, citizen."

      Given the product involved and the current environment, some paranoia is certainly justified. And just because some of us (me included) are paranoid, doesn't mean that "they" aren't out to get us.

      All that said, if by some freak occurrence you actually read what I wrote, I merely pointed out that the claims made on the site linked to by TFS were unsubstantiated by any real evidence.

      [Rant]Why is it that some people have such a hard time understanding simple English on an English language website? Sheesh![/Rant]

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    3. Re:I Voted This Submission Down by fustakrakich · · Score: 1

      When it comes to authority, the mere suspicion of abuse should be sufficient to start an investigation. People in power must always be treated as suspect in an adversarial manner. In other words, always treat those with power as a hostile witness. History is full of events that justify action against them.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:I Voted This Submission Down by NotSanguine · · Score: 1

      When it comes to authority, the mere suspicion of abuse should be sufficient to start an investigation. People in power must always be treated as suspect in an adversarial manner. In other words, always treat those with power as a hostile witness. History is full of events that justify action against them.

      An excellent point. I'd love to find out what really happened. I suppose I could write my congressman. That always works. :( :( :(

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    5. Re:I Voted This Submission Down by fustakrakich · · Score: 1

      Getting anything from a congress person requires a subpoena at least. They only get away with this crap because the population is so submissive.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:I Voted This Submission Down by NotSanguine · · Score: 1

      Getting anything from a congress person requires a subpoena at least. They only get away with this crap because the population is so submissive.

      Do you actually have a suggestion? Or are you just tilting at windmills?

      Perhaps we should buy a US Attorney. I've got a jar full of silver change. A pretty big one too.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    7. Re:I Voted This Submission Down by fustakrakich · · Score: 1

      Do you actually have a suggestion?

      No, only observation..

      Wait, yes, stop reelecting crooks.

      --
      “He’s not deformed, he’s just drunk!”
    8. Re:I Voted This Submission Down by Prune · · Score: 2

      In fact, Alyssa Rowan (quoted in TFA and a known persona in the crypto community) detailed the canary in the previous ./ article, posting as an AC: http://it.slashdot.org/comment...

      --
      "Politicians and diapers must be changed often, and for the same reason."
    9. Re:I Voted This Submission Down by Prune · · Score: 1

      Sheesh, what's with people offering opinion on /. without having done a modicum of research? The canary was posted already on http://it.slashdot.org/comment... (it's pretty obvious the AC referenced is Alyssa Rowan from TFA, a known persona in the crypto community).

      --
      "Politicians and diapers must be changed often, and for the same reason."
    10. Re:I Voted This Submission Down by NotSanguine · · Score: 2

      In fact, Alyssa Rowan (quoted in TFA and a known persona in the crypto community) detailed the canary in the previous ./ article, posting as an AC: http://it.slashdot.org/comment...

      Mayhap it is, and mayhap it isn't. Either way, TrueCrypt is dead. Anything else, without documentary evidence (and that means independently verifiable evidence, not mysterious tweets and AC posts) is just speculation, IMHO. Feel free to disagree with me, I don't mind.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    11. Re:I Voted This Submission Down by NotSanguine · · Score: 1

      (it's pretty obvious the AC referenced is Alyssa Rowan from TFA, a known persona in the crypto community).

      Really? And you have documentary evidence supporting this contention? What is your evidence based upon? Did you see this "person" type the message? Did you view /.'s logs and trace back the IP address used by that particular AC and confirm that it is the "persona" (you can't even confirm who "Alyssa Rowan" is, let alone whether or not that was the person who posted that comment as AC.) you think it is.

      You have no documentary evidence. Therefore your assertions are also just opinion. Sigh.

      Okay. I'll say it a fourth time. Maybe it's true and maybe it isn't. We don't know for sure. Anything else is speculation.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    12. Re:I Voted This Submission Down by Kalriath · · Score: 1

      How is some giant government conspiracy the most plausible explanation? I bet you believe that commercial jetliners spray mind control chemicals when they take off as... fuck it, I'm off to go buy more shares in a tin foil manufacturer.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    13. Re:I Voted This Submission Down by Bucky24 · · Score: 1

      That can be difficult when we don't get to choose the choices we make.

      --
      All the world's a CPU, and all the men and women merely AI agents
    14. Re:I Voted This Submission Down by fustakrakich · · Score: 1

      Yes, we do. Every person on the ballot was chosen by the voters.

      --
      “He’s not deformed, he’s just drunk!”
  15. AC in last thread mentioned a warranty canary by Anonymous Coward · · Score: 5, Informative

    An anonymous coward in the last thread said that a known warrant canary was seen:

    http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051

    1. Re:AC in last thread mentioned a warranty canary by GrumpySteen · · Score: 1

      And you can trust everything an AC says, right?

      BTW, you owe me $500 for that bet you made with me the last time you were blackout drunk. You probably don't remember it, but you can trust me. I would never make shit up.

    2. Re:AC in last thread mentioned a warranty canary by CmdrTamale · · Score: 1

      A canary that is *widely* known is kind of dangerous to know, if you know what we mean.

      There is No Simple Alternative.
      --
      I didn't really want to moderate anyway.

  16. Re:The FBI is mostly entirely comprised of Mormons by wordsnyc · · Score: 1

    Yeah, absurdly non-true today. OTOH, Hoover did prefer Mormons in his inner circle, and the FBI agents I had occasion to meet in the 60s & 70s definitely came across as uptight and straitlaced Mormon types. Fun Fact: in the 60s, FBI agents helpfully drove AMC/Rambler sedans as undercover cars and used sturdy but crappy Beseler Topcon 35 mm cameras.

    --
    Sent from the iPad I found in your car.
  17. Speculation by Anonymous Coward · · Score: 3, Insightful

    This is Slashdot. No one cares whether something is true or not as long as it is negative towards the government. Sad really, since it diminishes any sort of real discussion about actual concerns about the government rather than made up fantasy.

  18. It has to be true! by MouseTheLuckyDog · · Score: 1

    Not only has this mercurial and virtually unknown Alyssa Rowan spotted a canary, but so has PeeWee Herman! He just tweeted.

  19. Re: people ruin everything by Noah+Haders · · Score: 5, Interesting

    this is actually a link to an interesting article, not goatse. it's an editorial about how the most recent full version of true crypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.

    still doesn't answer the question on if it's like lava bit. true crypt may be just as secure as it was last week, but maybe it's also been owned by NSA from day one.

  20. If It Is Private, Keep It Private by DERoss · · Score: 2, Insightful

    I never use cloud resources. Too many users have been severely inconvenienced if not outright burned by cloud services that have been hacked, suppressed by some government, gone out of business, or gone down for several hours. I keep all my data where I can access it, either on my PC or on a removable hard drive that I store remotely from my PC but easily reached.

    I encrypt my most sensitive data. No, I do not rely on some corporation's declaration: "Trust us. We are good. We will protect you." Instead, I use an OpenPGP application that has been reviewed by outside experts and that I have installed on my PC. The data on my removable hard drive are encrypted. Some of my PC files are also encrypted. My pass-phrase, without which my private key is useless for decryption, exists only in my head and in an envelope in my safe deposit box at a bank. My private key is on my PC in a non-standard location. If somehow someone else were to access my private key, I have a much greater problem than the compromise of my sensitive data.

    See my http://www.rossde.com/PGP

    1. Re:If It Is Private, Keep It Private by SuperTechnoNerd · · Score: 2
      Interesting:

      envelope in my safe deposit box at a bank

      That the government can legally get a search warrant for.
      However, the one in your head is protected by the 5th amendment.

      Think about it.

    2. Re:If It Is Private, Keep It Private by epyT-R · · Score: 1

      So would less ad hominem and more critical thinking. If people of your sort hadn't elected the past two administrations into power, we wouldn't have this problem in the first place.

    3. Re:If It Is Private, Keep It Private by dave420 · · Score: 1

      That was not an ad-hominem, as it was pertinent to the discussion. If he'd said he was wrong because his trousers were green, you'd have a point. I'm not entirely surprised a racist misogynist like yourself has difficulty using these concepts accurately, as you clearly prefer to operate outside of logic, in order to preserve your twisted world-view.

  21. Ars Scholae Palatinae by westlake · · Score: 5, Informative
    There is nothing I think worth adding to "Marlor's" post to Ars:

    I can't comprehend the conspiracy theories flying around about this.

    [TrueCrypt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.

    The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).

    If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.

    Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.

    If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.

    "Don't use this anymore. It's not maintained, and should therefore be considered insecure".

    Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"

    "TrueCrypt is not secure," official SourceForge page abruptly warns

    [Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]

    1. Re:Ars Scholae Palatinae by duke_cheetah2003 · · Score: 2

      This all makes sense to me, until you add in a few strange parts:

      1) Why did they nuke all previous versions of the software? The disclaimer is there. There was no need to nuke the old versions.
      2) Why neuter v7.2 so it can't encrypt? Heck, why even release a neutered version? The disclaimer is there. If I was ending my work on a project, I wouldn't end it on 'here's a broken version, and I erased all the good versions.'
      3) Why the unprofessional webpage, with screen shots? Screen shots take time to get, so if they spent time on this, why not spend a few extra minutes to make the page look nice as well?
      4) Why nuke the TC forum on SourceForge? That makes ZERO sense.. I can't even begin to guess why ANYONE wanted the forum obliterated.

      I personally don't know what to make of TrueCrypt's state... There's a lot of conflicting information and it's proving very hard to decide which parts are true and which are fabrications or speculations.

      FWIW, I'm inclined to buy into the devs threw in the towel because they're just sick of dealing with it. But even that isn't a sure thing in my mind, it's just highest probability. Sick of it explains the abruptness of the site's change, as well. Doesn't really explain the other anomalies though.

      But a close second is that the devs were somehow coerced into removing their product from public availability. I'm not sure to what end, because obviously there's mirrors of the software, and already lots of talk about forking or developing something to do the same thing. TrueCrypt is currently the ONLY cross platform encryption solution that works so delightfully transparently on entire devices, or on file containers. TrueCrypt is also still the only crypto package with the built in 'plausible deniability' feature of hidden volumes. Yeah I know it's been shown to be fairly easy to prove the existence of a hidden volume, but you have to know to look and how to look. These features do make it uniquely positioned in the crypto software sphere.

    2. Re:Ars Scholae Palatinae by epyT-R · · Score: 1

      Considering the current political and social climate is ruled by politicians that clueless fucktards like this 'marlor' voted for, it's best practice to assume an NSL compromise.

  22. Re:people ruin everything by MrL0G1C · · Score: 2

    You are so gonna get Dementia

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  23. TC developer used hidden message!!! by Anonymous Coward · · Score: 5, Funny

    Haha. Frankly, usable crypto kits need security audits.

  24. COUNTERMEASURE by Anonymous Coward · · Score: 1

    Take

    1.) small Atmel/ATMega CPU
    2.) LCD display
    3.) a small keyboard (26 keys suffice) suitable for said CPU
    4.) three 1.2V rechargeable batteries
    5.) symmetric cipher of your choice that fits into 4K of RAM. E.g. 3DES, GOST,...

    Then implement
    A) ENIGMA/SIGABA-style cipher machine on said hardware using said ciphers
    B) Publish PCBs and source code via strongly anon means, sign using gpg if needed.

    This machine can be used via ANY crap comms channel from NSAbook to NSAdroid phones. Or POTS, CB radio, shortwave links. Machine should in later releases not be bigger than a cigarette box. Carry it everywhere.

    1. Re:COUNTERMEASURE by plover · · Score: 1

      The Mooltipass http://hackaday.io/project/86-... meets almost all of your requirements. You'll have to supply your own code mods.

      --
      John
  25. Re:people ruin everything by tmosley · · Score: 5, Insightful

    No, I think people are fine. It's governments and their poorly organized systems that cause things like this. Suggest you read "The Lucifer Effect". It's not just about prison guards. That same mentality has infiltrated the NSA and most other government offices.

  26. Any *good* recommendations? by Anonymous Coward · · Score: 1

    DiskCryptor seems fine, but doesn't seem like it supports mounting a virtual hard disk (correct me if I'm wrong); only actual full disk encryption.

    1. Re:Any *good* recommendations? by Hypotensive · · Score: 1

      Since with loopback you can make any file into a virtual block device, there's no reason you can't use LUKS/cryptsetup with files.

  27. More speculation by Lost+Race · · Score: 3, Interesting

    There's nothing in TFA that hasn't been speculated in great detail already.

    No explanation totally makes sense. Here's my working model of what happened (all speculation of course):

    The project has been gradually disintegrating over the last few years -- developers leaving and not being replaced, remaining developers having less time to spend on the project for whatever reason, and the perceived reward for fixing increasingly difficult bugs is not enough to keep people interested. It's just not fun any more.

    The to-do list has some really nasty bugs that are difficult to fix and could potentially compromise all TC containers. The remaining developers in the project have been grinding away at these bugs, but haven't made much progress for reasons outlined above. They realized that the project was going to fizzle out before they got anything fixed. A cursory look at the 7.2 code suggests that they had committed to some major rewriting of the code, and bit off more than they could chew.

    At this point, what can they do? Reporting the vulnerabilities would be irresponsible since no fixes are forthcoming. Lives depend on some of the secrets their software keeps. Best to push people gently away from TC until the problems can be fixed, if ever, while keeping the details of the vulnerabilities as secret as possible, and giving people realistic expectations about the future of TC development (i.e. none).

    They probably had a plan for creating a migration plan that actually made sense, but ran out of resources before finishing, and decided to go with what they had on hand. At this point they were probably down to one very part-time developer and maybe a few unreliable volunteers. ("Hey Jim, where's that page you were writing about Linux FDE? Jim? Hello? Anybody there?")

    There was really no good way forward with the resources remaining, so they did the best they could.

    Why didn't they find someone else to take over the project? I guess they tried, but couldn't find anyone in their immediate circle of trust who was willing and able. Perhaps they felt that expanding their circle of trust would jeopardize their anonymity.

    On the other hand....

    "WARNING: Using TrueCrypt is *not *secure *as ..."

    1. Re:More speculation by Anonymous Coward · · Score: 1

      Eh... if what you said is true, why don't they just say they will shut it down due to lack of interest and state that people should just find alternatives because of the bugs, etc., etc.? It's not like they have a reputation to uphold, given they're anonymous. What's the point of an ambiguous warning without much explanation? If they care enough, like you suggested, they should care enough to give a good and simple explanation.

      Btw, are you a govie shill? Just checking.

  28. Re:people ruin everything by hackus · · Score: 1

    I would rather get dementia than tell lies and live like it is OK with what's going on in this country.

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
  29. Continued development by ArchieBunker · · Score: 1

    If the last current build is secure why should we need continued development? The tool is out there and it works. I don't see that as a problem.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Continued development by fnj · · Score: 1

      In the long run at a minimum there needs to be security patch maintenance. Buffer overflow discoveries, etc.

    2. Re:Continued development by myowntrueself · · Score: 1

      If the last current build is secure why should we need continued development? The tool is out there and it works. I don't see that as a problem.

      Possibly some service pack for Windows will make TrueCrypt stop working on that platform. This could easily be engineered and 'requested' in an NSL to MS.

      For Linux, less likely but perhaps some changes to the kernel could do it, less likely to be from an NSL though.

      --
      In the free world the media isn't government run; the government is media run.
  30. Where is the Kickstarter to re-implement it? by swb · · Score: 3, Interesting

    I'm surprised there hasn't been a Kickstarter set up to re-implement TrueCrypt from the ground up.

    What would be the dollar cost to hire a team of developers to do it?

    1. Re:Where is the Kickstarter to re-implement it? by fnj · · Score: 1

      How do you propose that donations work when the thugs come down on Visa, Mastercard and PayPal to stop payments?

      I'm actually serious. This is a matter that does need to be dealt with in general.

    2. Re:Where is the Kickstarter to re-implement it? by swb · · Score: 4, Interesting

      I think it would be great for the EFF and the ACLU to sponsor it. It would immediately cause problems for someone to get ham-handed about it.

    3. Re:Where is the Kickstarter to re-implement it? by epyT-R · · Score: 1

      Yes. It would be started by the NSA and use a few bought developers as a honey pot to draw 'open participation.' Who would know?

    4. Re:Where is the Kickstarter to re-implement it? by westlake · · Score: 2

      I'm surprised there hasn't been a Kickstarter set up to re-implement TrueCrypt from the ground up. What would be the dollar cost to hire a team of developers to do it?

      We know the cost of the audit:

      Since September 2013, a handful of cryptographers have been discussing new problems and alternatives to the popular security application. By February 2014, the Open Crypto Audit Project---a new organization based in North Carolina that seeks formal 501(c)3 non-profit status---raised around $80,000 toward this goal on various online fundraising sites.

      TrueCrypt audit finds "no evidence of backdoors" or malicious code.

      It's reasonable to assume that any attempt to resurrect TrueCrypt would fail without an independent audit on the same scale.

      We don't know the size of the TrueCrypt team or the man-hours invested in its development, but we do know it took ten calendar years to take TrueCrypt to version 7.1,

    5. Re:Where is the Kickstarter to re-implement it? by Charliemopps · · Score: 1

      I'm surprised there hasn't been a Kickstarter set up to re-implement TrueCrypt from the ground up.

      What would be the dollar cost to hire a team of developers to do it?

      Hundreds of thousands at least. This stuff doesn't seem expensive until you actually get started. I once had a very small project that did nothing more than produce a single line of (rather clever) SQL code. It only took the developer 10min to write but all the testing, meetings, etc... involved made the project hit $25k pretty quickly.

  31. Re:Nonsence by TechyImmigrant · · Score: 2

    The signing keys you dolt.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  32. So... by ledow · · Score: 1

    Ignoring the rumour-based article with zero facts:

    What we really need then is a distributed, peer-to-peer, anonymised source-control system.

    Publish a hash and that hash corresponds to a certain "official" branch of the code and can't be retracted. Do it right and any fork can publish their hash and maintain their own branch even if the original project goes under. Source-code verification - that's no harder than today, but you could set up code verification of, say, the most popular hash the same way you do TrueCrypt audits.

    However, before that, we really need a bunch of people to be pushing out patches to TC and be shown to still be developing it, anonymous or not. I don't particularly care about TC being taken down - to me that just proves its usefulness and effectiveness, if that's true. What I care about is, whether the project died or was taken down, we need people to develop on it - and at least start adding UEFI etc. support.
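    One concrete form of the "publish a hash that corresponds to a certain official branch" idea above, as an added example (not the poster's code, and not TrueCrypt's or git's own): a content-addressed snapshot of a source tree, computed the way git names blob and tree objects (SHA-1 over "type size\0payload"), so a single published hash pins one exact state of the code and any silently modified checkout fails to match. The sample tree is constructed here with placeholder files; it is not TrueCrypt's source.

```python
"""
Content-addressed snapshot of a source tree, computed the way git names
blobs and trees (SHA-1 over "type size\0payload"), so that one published
hash pins one exact state of the code.  Added example; not code from
TrueCrypt, git, or the poster.  Regular files and directories only
(symlinks and submodules are not handled).
"""
import hashlib
import os
import tempfile


def git_blob_id(data: bytes) -> str:
    """Object id git would assign to a file with exactly these bytes."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def git_tree_id(directory: str) -> str:
    """Object id git would assign to this directory's tree object.

    Each entry is "<mode> <name>\\0<20-byte sha>"; entries are sorted by
    name with directory names compared as if they ended in "/", and a
    directory entry embeds the recursively computed tree id.
    """
    entries = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isdir(path):
            mode, sort_key = b"40000", name + "/"
            oid = git_tree_id(path)
        else:
            with open(path, "rb") as fh:
                oid = git_blob_id(fh.read())
            mode = b"100755" if os.access(path, os.X_OK) else b"100644"
            sort_key = name
        record = mode + b" " + name.encode("utf-8") + b"\0" + bytes.fromhex(oid)
        entries.append((sort_key, record))
    entries.sort(key=lambda entry: entry[0])
    body = b"".join(record for _, record in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def verify_tree(directory: str, pinned_tree_id: str) -> bool:
    """True iff the checkout on disk matches the published (pinned) tree id."""
    return git_tree_id(directory) == pinned_tree_id.lower()


# --- constructed sample tree, standing in for a checkout of some project ---

SAMPLE_FILES = {  # constructed placeholder content, not TrueCrypt's sources
    "README": b"constructed sample project\n",
    "src/volume.c": b"int mount_volume(void) { return 0; }\n",
    "src/crypto/aes.c": b"/* placeholder */\n",
}


def make_sample_tree() -> str:
    """Write the constructed files into a fresh temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="pinned-src-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def make_empty_tree() -> str:
    """An empty directory, whose tree id is git's well-known empty-tree id."""
    return tempfile.mkdtemp(prefix="empty-src-")


def tamper_sample_tree(root: str) -> None:
    """Append one byte to one source file, as a silent modification would."""
    with open(os.path.join(root, "src", "volume.c"), "ab") as fh:
        fh.write(b"\n")


if __name__ == "__main__":
    root = make_sample_tree()
    pinned = git_tree_id(root)  # the value a project would publish
    print("pinned tree id:", pinned)
    print("fresh checkout matches:", verify_tree(root, pinned))
    tamper_sample_tree(root)
    print("after tampering matches:", verify_tree(root, pinned))
```

    Because the id is derived only from file names, modes and contents, two people with the same checkout compute the same value without trusting each other or any server, which is what lets a fork publish its own id and keep its branch verifiable after the original project is gone. The id pins a snapshot; it says nothing about who produced it, so a release still needs a signature (or an audit) on top of the pinned hash.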

  33. Re: people ruin everything by Anonymous Coward · · Score: 5, Informative

    Link because why in the world do people use URL shorteners?

  34. Maybe the developers took a paying job... by bhlowe · · Score: 1

    Or the devs were encouraged to take a paid vacation from coding... Courtesy of the NSA or Microsoft. My guess the link to www.truecrypt.org/donations/ was not often visited.

  35. Re: people ruin everything by jopsen · · Score: 5, Insightful

    Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you. What makes your personal life so relevant?

    So because my private life is utterly uninteresting, you suggest that I shouldn't care about giving up my human rights?

    The right to privacy is a human right...

    One might as well ask why you should care about fair trials or torture: if you're not a criminal, then why should you care? After all, why should anybody want to torture a confession out of you?
    This is not about being personally targeted or affected, it's about basic human rights.

  36. Re:people ruin everything by Fjandr · · Score: 3, Informative

    Governments are made up of people. People are always the problem.

  37. Re: people ruin everything by Anonymous Coward · · Score: 1

    Quite naive... if information is captured for any one purpose, nothing prevents it from being used for more nefarious purposes down the road.

    Tomorrow's world could be a theocracy or meglaburo or kleptocracy or plutarchy... you never know, and the people who seize power will abuse it. Hey, just look at Putin, who came up through the ranks of the KGB when Boris tried to make him a puppet governor.

    Heck... look at our own history and the government oppression (at various points) of Indians, Blacks, Japanese, suffragettes, pot smokers, birth control advocates, civil rights leaders, and people who just wanted a drink.

    If the government was just dragnetting me, that would be one thing; instead, they have laid the infrastructure for an evil regime, and the damage it can do far outweighs any potential good it might bring.

    The sovereignty of the people has been trampled by a rogue internal force.

  38. Sad by beefoot · · Score: 2

    It is a sad truth. NSA / USA government will only drive innovation underground or out of the country.

  39. Re:people ruin everything by fustakrakich · · Score: 1

    No, I think people are fine. It's governments and their poorly organized systems that cause things like this.

    That's a fascinating concept. Are governments and their poorly organized systems comprised of something other than people? Aliens from another universe perhaps?

    --
    “He’s not deformed, he’s just drunk!”
  40. Steve Gibson by Anonymous Coward · · Score: 4, Insightful

    Because nobody on Slashdot would intentionally visit a link to grc.com. If you want us to visit the land of raw sockets and falling skies, you're going to have to mask the destination.

    1. Re: Steve Gibson by bill_mcgonigle · · Score: 4, Funny

      If you ever tried listening to one of his podcasts you could make some informed comments. I dare you to go listen to the two recent ones on certificate revocation protocols and not come away better informed. But an informed commenter on Slashdot? My goodness that would be like the bad old days.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re: Steve Gibson by MouseTheLuckyDog · · Score: 3, Funny

      Yep. They are right up there with Lucy's podcasts on how to kick a football.

    3. Re:Steve Gibson by duke_cheetah2003 · · Score: 4, Interesting

      Steve has made some mistakes in the past and over-hyped some things, but all in all, the man means well and is genuinely interested in the welfare of computer users. If you write him off just because he's made a few poor judgments in the past, well, that's your loss. He does have generally useful information and it's presented in a non-nerdy fashion so any bonehead can make sense of it. Usually.

    4. Re:Steve Gibson by hubie · · Score: 1

      What is his track record? Whether one chooses to write him off depends upon how often he has cried wolf before, and the details of his mistakes (were they due to fundamental lack of understanding of a technical topic, or something more benign?). It has been many, many years since I've gone to his web site, and I do not doubt that he cares about computer security in general, but (back then, at least) I recall his site being very self-promotional in the sense that he'd warn you of the security issues you (may) have, and sell you a solution. That might be what the parent comment was referring to.

    5. Re:Steve Gibson by cant_get_a_good_nick · · Score: 1

      The raw sockets deal - Windows added raw sockets, or more simply said the ability to manipulate Internet packets at a very low level. Mr Gibson acted as if the entire Internet was about to collapse. In theory it was a bit easier to make fake packets and try to mess with other computers, in practice malware that is embedded in the kernel could already do this, and the bad machines could only mess with poorly configured machines anyway. If you know networking, fake packets don't help TCP that much anyway, mostly fun to mess with UDP. There is a lot of damage you can do without raw sockets.

      The knock against Steve on this wasn't so much the initial panic about raw sockets, but that he stuck to his guns once people explained how this wasn't a big deal. Either he Just Didn't Get It, or he wanted to fearmonger, or both. He sounded a bit chicken little here, and never really seemed to get why he was wrong.

      Winders XP: Steve hates 8, fine, we all do. But instead of going to 7, for a long time he wanted to stick with XP. His reasoning: I don't go to any bad websites, I have a firewall, etc. This is shortsighted. Malware advertising on random ad networks is a big deal now; can Steve vet EVERY ad that he sees on the net? Can he vet that every website he visits has never been pwned and had malware inserted? Can he vet that every machine on his LAN is clean? The worst thing is that he keeps talking about how he runs XP over and over on his podcast. He kind of implies "this is safe for me to do" but never really says "nobody else in their right mind should do this".

      Assembly: for a long time he was crazy about assembly, kind of showing how cool he was by using it. I learned assembly/machine code from a book when I was in 7th grade or so. I think it's cool in theory to write some assembly code now. In practice I'd never use it for a real app. Why not? Partially because of time; most libraries and tools are for C or other higher-than-assembly-level languages - you'd need to reinvent a lot of wheels and hope you did them right. And partially for static checking tools, which would have a much harder time with assembly checks.

      Mr Gibson's podcast has some good factual info, but his opinions are occasionally off and sometimes even dangerous. It's like the story of the broken watch - a broken watch is right twice a day, but you'd need another watch to tell you when. Steve's right a lot of times, but you need to know enough already to know when he's not right, and when he's not right RUN.

    6. Re:Steve Gibson by duke_cheetah2003 · · Score: 1

      Well, off the top of my head, I know there was the raw sockets in Windows thing. My brain wants to say something about documents and Microsoft embedding something in them, or something like that, the memory of this is a bit foggy. It was a long time ago. It was also rather silly.

      I do find it a little goofy he's still pushing Spinrite so much. It's not that it's a bad piece of software; many a year ago, it was pretty darn useful... today though, using this thing is probably an epic waste of time with current drive technology.

      That's all I can recall that is questionable about the guy. I think he's published a lot of useful utilities over the years and seems to be interested in spreading useful information. I certainly have no problem with him. I think others bash on him a little too hard over a few mistakes / overhype.

    7. Re:Steve Gibson by MrNiceguy_KS · · Score: 1

      Steve has made some mistakes in the past and over-hyped some things...

      Kind of interesting, since the linked article is basically the exact opposite of over-hype. I think the really relevant point is this:

      TrueCrypt's formal code audit will continue as planned. Then the code will be forked, the product's license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won't allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.

      If we assume that the TrueCrypt announcement is an NSL warrant canary, then the question is "Why now?" "Why?" is a stupid question - of course the government would like a backdoor into TrueCrypt. But why the NSL now?

      Option A is that, since the TC developers are anonymous, their identities have only recently been discovered by the government agencies that issued the warrant. I'll admit this is possible, but it seems unlikely.

      Option B: Version 7.1a of TrueCrypt has a flaw that is known to government agencies, but has not yet been discovered by the community. The government is worried that the ongoing code audit will discover and remove this flaw, and they issued an NSL requiring that if the flaw is discovered, the updated version include a government-approved backdoor. TC devs made the warrant canary announcement rather than agree to comply.

      Option C: At some point after the release of Version 7.1a, the TrueCrypt devs received an NSL requiring a backdoor in the next released version. The TC dev team technically complied by not releasing a new version, since there were no known weaknesses in 7.1a. The code audit has uncovered a flaw and informed the dev team, leading the dev team to shut down the project and invoke the warrant canary.

      It will be interesting to see what happens with the code audit. Hopefully the audit team had the foresight to set up a warrant canary themselves. At any rate, Steve Gibson does have a point - the code is out there, and the audit will continue. TrueCrypt will be forked, and work will continue.

      --
      Redundancy is good And also good.
  41. Re:The explanation. by Gibgezr · · Score: 1

    The Judean People's Front crack suicide squad would like a word with you.

  42. Re:Nonsence by cheater512 · · Score: 1

    Correct, they have no keys.

    However 7.2 doesn't encrypt at all. Does that not qualify?
    If they got a valid legal letter saying they must release a version that can be read by law enforcement then they have complied.

  43. Re: people ruin everything by Nehmo · · Score: 2

    ...

    Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you...they care about financial and military strategic advantage. You are not relevant to either.

    That reasoning fails on two points.

    • The government is frequently not logical. For example, many people naively assumed that although there were anti-pot laws, the state would never expend the resources to attack a little ol' nobody like themselves. Thus, they concluded they were safe. Some people who had that attitude are now growing grey behind walls.
    • Sometimes the motivation to attack somebody is the financial concerns of particular people in the government working under tangled rules. Because of the way funding laws are arranged, particular people in the government may get money if they prey on a particular nobody. So there really isn't a valid reason to target that someone. They just happen to be in the cross-hairs, and someone is getting paid to pull the trigger.

    You don't have to be truly important or truly threatening for the state to persecute you. Indeed, if we could rely on the state always being correct in whom they attack, we wouldn't need individual rights.

    --
    (||) Nehmo (||)
  44. Old code still available by mysidia · · Score: 4, Informative

    It appears grc has created a page where the last final version of TrueCrypt and all source code can be downloaded.

    My hope would be that someone will fork the project and continue development for Linux, and Windows XP/2003, at least, AND preferably work on newer versions of Windows.

    Bitlocker is REALLY not good enough, for most users won't have access to it -- since it is only in the ENTERPRISE version of Windows 7; in particular, Windows 7 Standard and Professional do not have the feature.

    1. Re:Old code still available by OhPlz · · Score: 1

      Windows 7 Ultimate has it as well.

    2. Re:Old code still available by mysidia · · Score: 1

      Windows 7 Ultimate has it as well.

      So it does, but at $240 a pop, and unlike Enterprise, Ultimate is not restricted to volume license customers; however, Ultimate is 'for enthusiasts' and actually more expensive per unit than Enterprise.

      Most home users either have the $60 Home Premium edition, OR perhaps they got Pro bundled with their $500 PC, and the retail upgrade edition is $300... in other words, it's cheaper to go buy Ultimate OEM bundled with a $1 piece of hardware.

      The value proposition of 'switch to Bitlocker' is nothing like "Download truecrypt to use for free with your Windows XP system".

    3. Re:Old code still available by petermgreen · · Score: 1

      Bitlocker is REALLY not good enough, for most users won't have access to it -- since it is only in the ENTERPRISE version of Windows 7; in particular, Windows 7 Standard and Professional do not have the feature.

      It's also in the ultimate edition.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    4. Re:Old code still available by v1 · · Score: 2

      I don't understand the confidence in bitlocker. If you assume TC got NSL'd, how would MS react in the same situation? Do you honestly believe that MS hasn't already been handed several NSL's over the years? And it's not open source, anything could be in there, including a back door. If you're paranoid about security, a closed-source product run by a big company based in the USA is the last place you'd be looking for a security product.

      I don't think an NSL can (legally) require you to actively DO anything besides turn over property or information (in addition to the obligatory gag). If MS put a back door in bitlocker, the NSL could demand the keys. I don't think they'd be legally able to either demand such a back door be put in, or be left in, though. But then again, this is MS and they'd have good reason to think twice about trying to drag an NSL through the legal mud. An NSL with "it would be nice if you would..." followed by vague suggestions of consequences could be enough to get more out of them than is legally required.

      This isn't just to bash MS. Mac OS X is no different. Most of it is closed-source, and there's no chance of them releasing the source to their security API. There are already known back doors. If you have a fat wallet and a badge you can buy software to read the entire contents of an unlocked keychain on a mac, without knowing the user's password. Same for getting around a password-locked or disabled iPhone. This is just the stuff we know about. You have to assume there's more with any company that has to comply with the insane national security laws of late.

      What it ALL boils down to is that you simply cannot trust any company (or group, or individual) that operates in the jurisdiction of a government that has "secret laws". If I could add one amendment to our constitution, that'd be it. Three words. No Secret Laws.

      --
      I work for the Department of Redundancy Department.
    5. Re:Old code still available by dave420 · · Score: 2

      Don't assume just because something is open source that it doesn't have backdoors. That is terrible logic.

    6. Re:Old code still available by ray-auch · · Score: 1

      It's in Pro edition as of Windows 8.

    7. Re:Old code still available by v1 · · Score: 1

      Don't assume just because something is open source that it doesn't have backdoors. That is terrible logic.

      I never spoke in such absolutes. It's been shown with great regularity however that open source products have far fewer security holes in them. The common phrase used is "many eyes make for shallow bugs". This is of course NOT always the case. The recent heartbleed bug is a good example of how a bug can remain hiding in plain sight for a long time. In instances like that, it's not a case of the code not getting audited, it's a case of the code being so old that it's expected to be bug-free simply due to the number of years it's been auditable.

      But I'll take open-source security over closed-source any day. Back doors are very hard to disguise in open source. The best you can do is what the NSA did recently with getting those weak crypto methods put into a standard. And look how fast that got noticed. Or put in an exploitable bug (like heartbleed) that wasn't obvious, that didn't necessarily just give access away, but that made breaking it much easier to do. The real beauty of heartbleed is that attacks didn't get logged. Someone could beat on your server for weeks if necessary to get lucky and fish out something useful, and all the while nothing would show up in the logs. And if you found you'd been hacked, you'd have nothing useful (from the initial compromise anyway) to help you.

      --
      I work for the Department of Redundancy Department.
  45. Re:Nonsence by gweihir · · Score: 1

    Dead wrong. They hold the release signing keys.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  46. Re: people ruin everything by symbolset · · Score: 4, Interesting

    The former CEO of USWest was sent to prison based on secret NSA data that could not be independently confirmed - or even discussed. That this happened shortly after he refused to cooperate with illegal NSA data collection is completely coincidental.

    --
    Help stamp out iliturcy.
  47. Their code, their rules by jphamlore · · Score: 1

    For those complaining that the TrueCrypt developers did not release the code under some other license such as the GPL: Their code, their rules. Given that some want to fork the code, obviously there is some expertise that was poured into the code that is not easily replicable. If they don't want to give away their expertise for free, it's their right.

  48. Re:Nonsence by fnj · · Score: 3, Insightful

    Mod parent up. Grandparent AC is a moron. It's the signing keys, not some nonexistent master decrypt key.

    If the thugs have the signing keys, they could, a couple of months from now, themselves bring out a new "improved" (but completely compromised) 7.3 masquerading as an improved, updated, security-patched TrueCrypt.

  49. Re:Nonsence by fnj · · Score: 1

    Pssst, the keys they have are the SIGNING keys, not some nonexistent master decrypt key.

  50. Re:Nonsence by The+Snowman · · Score: 1

    7.2 is a different matter, that's a much more recent version and it's probably technically possible that it's been compromised.

    lolwut? Version 7.2 cannot encrypt anymore. I would say that is "compromised" even if the TrueCrypt developers did it themselves.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  51. Re:No by fnj · · Score: 1

    It is pretty much agreed that the devs just got tired of doing the work and decided they wanted to get on with their lives and do other things. That has been much more "confirmed" than an NSL...

    Bullshit, idiot. If that were the case, they just would have publicly turned over development to whoever would like to take it over. They certainly wouldn't have set off bombs to destroy the source code repo and all trace of it in the Archive's Wayback Machine.

  52. Re:Nonsence by AHuxley · · Score: 1

    Yes, the NSL gets them a/the trusted build server and web connections and allows the gov to become the 'project' with their own tame/turned staff over time.
    Over time the next tame builds have the classic trapdoor/key/backdoor. The application still looks the same, all the sites look the same, no 3rd party can get to your data, just one extra entity will have a way in too. The new feature over the life of a project after an NSL is the control of the site, server, code, staff and later an extra US/UK gov key is built in over an expected update cycle.

    --
    Domestic spying is now "Benign Information Gathering"
  53. Re:Nonsence by cheater512 · · Score: 1

    That is what I meant when I said they had no keys.

  54. Interesting... by Kythe · · Score: 3, Insightful

    ...that everyone seems to assume the Truecrypt developer(s) were in the U.S.

    --

    Kythe
    1. Re:Interesting... by Shatrat · · Score: 1

      If they were in the UK, France, or Israel their local cloak and dagger types would be just as likely to try and sneak something into the binaries. The NSA have plenty of contemporaries.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  55. Re:Nonsence by TechyImmigrant · · Score: 1

    With FIPS140-2 4.9.2, SP800-90 10.3, limiting the block size of AES to 128 bits, limiting the rounds of AES to 10, while misdirecting people to think key size was the important thing, along with effectively blocking progress on DNS security, IP security and other security tracks, the NSA has shown itself able to limit security and put backdoors out there which persist in the wild for many years before discovery.

    We should not think they couldn't slip a back door into Truecrypt without being caught. It just requires some crypto knowledge they have which we don't, and they employ more cryptographers than the private sector and universities do.

    The recent string of results against DLP in prime power fields is an example of knowledge they may well have had before we did. What else is there that they are leaving the public at risk by keeping it a secret?

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  56. Re:people ruin everything by Rob+the+Bold · · Score: 2

    I would rather get dementia than tell lies and live like it is OK with what's going on in this country.

    If 'dementia' means what I think it means, you can actually do both.

    --
    I am not a crackpot.
  57. Re: people ruin everything by bmo · · Score: 4, Informative

    My point wasn't that privacy is not important. My point is that YOU are not important...and I'm right. You're not.

    Which is entirely beside the point.

    You are irrelevant to The Man until you become a "problem" and all this data gathering is for instant dossiers on people who become a "problem." To nail the head that sticks up.

    Privacy is a human right because without it people are unable to effect change - they remain powerless. There is nobody on the planet without a skeleton in the closet, and exposing that skeleton is what this is all really about. It's national-level Borking, to remove any kind of power from people who would oppose a police-state.

    That's why.

    You, sir, are a short-sighted douchebag and, through your apathy, an enemy to everyone on this planet.

    Ta Ta.

    --
    BMO

  58. Re:Nonsence by philip.paradis · · Score: 1

    The TC devs hold no keys

    They hold signing keys. Are you aware of the purpose of those keys?

    --
    Write failed: Broken pipe
  59. Re:Nonsence by philip.paradis · · Score: 1

    Although you have acknowledged the existence of signing keys, you have still failed to express understanding of the utility of those keys.

    --
    Write failed: Broken pipe
  60. Re: people ruin everything by WyldPhyr · · Score: 1

    As well as food, and ammunition

  61. NSA by countach · · Score: 1

    It doesn't seem likely that even the NSA could get a court order, when there doesn't actually exist any "master key" that would benefit them. This isn't like other cases where some central authority has the power to decrypt stuff if only they are willing to hand over the master key. Maybe I'm naive, but I don't think the court would order them to deliberately break the distributed code for the NSA's benefit.

  62. Re: people ruin everything by Xolvix · · Score: 5, Insightful

    Not only that, but the trolling poster also made the assumption that you're not important, which is bullshit for the simple reason that we're ALL important to the people who love and care about us. We're important to someone - I'm important to my wife for example, and soon I'll be important to my newborn. Just because I'm not a politician or celebrity and hence known to thousands/millions of people doesn't mean I'm not important. It's all about spheres of influence - some are larger than others, but they still all matter.

    If the trolling poster honestly believes with such passion that you aren't important, it stands to reason they probably don't feel they are important either. If they can't find at least one person in their life who considers them important in some way... then I find that truly sad for the AC.

  63. Please upmod parent. by hitchhacker · · Score: 2

    Trying to bring attention to this thread whether it turns out true or false.

    -metric

  64. Truecrypt - Based in the US? by Zelucifer · · Score: 3, Interesting

    Is there any proof that the contributors are even in the US and thus subject to a NSL? At least one of them seems to be from the Czech Republic (David Tesařík).

    --
    The corner of a round room
  65. Re: people ruin everything by Richy_T · · Score: 1, Insightful

    We need guns. Lots of guns.

  66. Is the truth even possible? by duke_cheetah2003 · · Score: 3, Interesting

    Given the anonymous nature of the TrueCrypt developers, would we even believe someone who claimed to be a dev and gave us an explanation?

    Not sure I would. I've read a lot of different articles and comments about this ordeal and I'm frankly not sure what to believe. I'm not sure if I'd believe someone if they said they were a dev.

    I know we'd all laugh if the NSA came out publicly and said "we had nothing to do with it."

  67. Re: people ruin everything by fractoid · · Score: 1

    I don't understand why they never just asked Tank for a tank.

    --
    Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  68. Re: people ruin everything by Noah+Haders · · Score: 1

    Just Google for Truecrypt Source 7.1a before the NSA whack it off Google.

    would NSA have to fill out the "right to be forgotten" form?

  69. Re:Retards by philip.paradis · · Score: 1

    Typically, the FBI or Secret Service send NSLs. It should be noted that such letters may be generated based on cooperation with other agencies, however.

    --
    Write failed: Broken pipe
  70. Re:people ruin everything by tmosley · · Score: 1

    Read the book. Bad organizations will inevitably turn good people bad, unless you are inoculated against the effect with knowledge.

  71. No master key by Todd+Knarr · · Score: 2

    Unlike with Lavabit, there's no single master key for TrueCrypt that can be gotten from the developers that'll decrypt any TC partition. The best the NSA could get is the ability to create their own signed binary package with their own modifications and have it appear as the official package on TC's site. The problem with that is that the TC code's open, so anybody can build from source and compare with the official build and see that they aren't the same. And any compromise of the source (e.g. weakening the cryptography) would be instantly revealed in the diffs. The whole NSL thing sounds dodgy, and doesn't quite fit. It seems more likely that, with Win7 and later moving to supporting only GPT disks, the TC developers found they can't add that support and decided to throw in the towel.

    In any case, the version of TC from before this change is still available and as far as anyone can tell is still secure. I'd be leery of switching to other encryption software that's known to be less secure until someone comes up with a definitive vulnerability in 0.71.

  72. Re: people ruin everything by houstonbofh · · Score: 2

    As well as food, and ammunition

    If you have ammunition, you can get food.

  73. Kennedy's words seem apt by MrKaos · · Score: 1

    "Those who make peaceful revolution impossible will make violent revolution inevitable." - John F. Kennedy

    --
    My ism, it's full of beliefs.
  74. Re: people ruin everything by pslytely+psycho · · Score: 1

    Weed, lots of weed.
    And good beer too.
    Any other intoxicant that floats your boat.

    Hey, what better reason to party than the Apocalypse?

    --
    Donald Trump, on a crusade to make Nixon look respectable
  75. Re:Nonsence by wonkey_monkey · · Score: 1

    Not likely. The NSA has tried and failed to break into truecrypt volumes in the past.

    Which you know for a fact, because if they had succeeded, they'd definitely tell us. Right?

    --
    systemd is Roko's Basilisk.
  76. Re: people ruin everything by Number42 · · Score: 1

    Don't forget to download some more RAM too, just in case.

  77. Re: people ruin everything by smylingsam · · Score: 1

    http://downloadmoreram.com/

    You're Welcome!

    P.S. OB sarcasm tag ^_^

  78. The solution by bl968 · · Score: 1

    The question is why should truecrypt or anyone else hold a master encryption key to your data. The software should generate a signing key on installation, and that key should be then used for signing. It could then be sent to the provider for them to store in case the original is lost. But truecrypt would not have a master key that automatically unlocks all of their customers data if subpoenaed by the government. Your key will unlock only your data and no one elses.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
  79. Re: people ruin everything by Tom · · Score: 3, Insightful

    It's 2014, not 1914.

    If you want to fight your government - the government that spends more money on the military than everyone else in the top 5 military spending countries combined - you don't need guns. You need stealth fighters, tanks and ICBMs.

    Good luck with your "honest people defending the country against the government" fantasy.

    --
    Assorted stuff I do sometimes: Lemuria.org
  80. Re:The explanation. by TheCarp · · Score: 1

    Splitters!

    (would slashdot make Brian Himself wait this long to his submit?)

    --
    "I opened my eyes, and everything went dark again"
  81. Re: people ruin everything by ZeRu · · Score: 1

    this is actually a link to an interesting article, not goatse.

    What a shame, I would actually applaud a webmaster willing to pay for an SSL certificate just to trick more people to see goatse

    --
    If you post as an AC, don't expect me to spend a mod point on you.
  82. Re: people ruin everything by MrKaos · · Score: 1

    Mod Parent up - very well said, totally insightful.

    --
    My ism, it's full of beliefs.
  83. Re: people ruin everything by Gavagai80 · · Score: 3, Insightful

    In fact, sufficiently large non-violent protests would bring down the government -- if it can work in non-democracies like Egypt and Tunisia, it would certainly work in the USA. Guns would just provide the government with an excuse for terrorism charges.

    --
    This space intentionally left blank
  84. Re: people ruin everything by DigiShaman · · Score: 1

    Right to bear nukes!?? Yeah, that would explain Fermi's paradox.

    --
    Life is not for the lazy.
  85. Re: people ruin everything by Richy_T · · Score: 1

    Actually, it's 2199. You just haven't unplugged yet.

  86. Re:people ruin everything by dark_requiem · · Score: 1

    A government's just a body of people. Usually, notably ungoverned.

  87. Re: people ruin everything by Anonymous Coward · · Score: 1

    It is sad how one bends facts so that they support what one is pre-disposed to believe. Nacchio challenged FISA and ended up not getting a big NSA contract (allegedly he was "punished", but even that is stated without any proof). He went to jail for "massive" insider trading (netting him and his cronies $3B!). However, I'm sure the NSA cooked it all up and deposited millions and millions of dollars into his and five other people's accounts without them knowing about it.

    It is even more sad that your outright lies get modded up so high.

  88. Rooftop Voting! Coming soon! by TrentTheThief · · Score: 1

    "As nightfall does not come all at once, neither does oppression. In both instances, there is a twilight when everything remains seemingly unchanged. And it is in such twilight that we all must be most aware of change in the air — however slight — lest we become unwitting victims of the darkness."

    This sure sounds like the scenario that Justice Douglas was talking about.

    Maybe it's about time to dig up the rifles?

  89. Re:Nonsence by dunkindave · · Score: 1

    I understand that if they acquired the signing keys they could sign their own package and, presuming the loss of the signing keys was not known, have people accept the new packages as legit. But can possession of the keys allow them to create a fake and apparently correctly signed version 7.1a? If so, then the reason for wanting the keys seems obvious to me, to create a fake version which they can send to targeted people/entities, either through a trojaned download site, or by playing man-in-the-middle and changing what is sent from a legitimate mirror. The target gets the fake version and it passes all the tests so uses it, and the government now has their backdoor in place.

    I haven't studied how packages are signed, and am too busy at the moment to go read up on it, so maybe I am just naive. (I am sure there are plenty of posters on Slashdot that will let me know if I am :).
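
    The two points raised above, that a stolen signing key lets an attacker sign a trojaned package that verifies cleanly (comment 89), and that an independent build from audited source compared against the official artifact would catch the substitution (comment 71), can be shown side by side. The following is an added example and is not TrueCrypt's code, nor a description of how TrueCrypt releases were actually signed: it uses a deliberately small textbook RSA key (hypothetical constants P, Q and E, no padding) so that it runs offline in plain Python, and the package contents are constructed stand-ins.

```python
import hashlib

# Hypothetical toy RSA key: small fixed primes, textbook RSA, no padding.
# This only illustrates what possession of a signing key lets you do; it is
# not a usable signature scheme and is not TrueCrypt's release signing.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private signing exponent (Python 3.8+)


def digest_int(data: bytes) -> int:
    """SHA-256 of the package, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """Whoever holds d can produce a valid signature on any bytes at all."""
    return pow(digest_int(data), d, N)


def verify(data: bytes, sig: int, e: int = E) -> bool:
    """Proves only that the signer held the key; says nothing about the code."""
    return pow(sig, e, N) == digest_int(data)


def matches_independent_build(downloaded: bytes, own_build: bytes) -> bool:
    """The check from comment 71: hash the artifact you built yourself from
    audited source and compare it with the hash of what you downloaded."""
    return hashlib.sha256(downloaded).digest() == hashlib.sha256(own_build).digest()


# Constructed package contents standing in for a release archive.
OFFICIAL_PKG = b"truecrypt-7.1a-source.tar.gz: (constructed contents)\n"
TROJANED_PKG = OFFICIAL_PKG + b"# constructed extra code slipped in by the attacker\n"


def assess(downloaded: bytes, sig: int, own_build: bytes) -> dict:
    """What each of the two checks says about a downloaded package."""
    return {
        "signature_valid": verify(downloaded, sig),
        "matches_own_build": matches_independent_build(downloaded, own_build),
    }


def scenario() -> dict:
    """Both cases from the thread, assuming the attacker has obtained D."""
    official_sig = sign(OFFICIAL_PKG)
    attacker_sig = sign(TROJANED_PKG, D)  # the stolen key signs the fake
    return {
        "official": assess(OFFICIAL_PKG, official_sig, OFFICIAL_PKG),
        "trojaned": assess(TROJANED_PKG, attacker_sig, OFFICIAL_PKG),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

    With the key stolen, the trojaned package passes the signature check exactly as the official one does; only the comparison against an independently built artifact tells them apart. That second check is only as good as the build's reproducibility: if the toolchain, timestamps or embedded paths make each build differ, a legitimate official binary will also fail it, so in practice it is the source diff plus a reproducible build that carries the weight, not the signature.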

  90. Re: people ruin everything by Tom · · Score: 2

    That was a foreign power attacking people at home.

    This would be the people rising up against their government.

    Two different scenarios. The US government doesn't have to eradicate americans to win, it just needs to stay put exactly where it is.

    --
    Assorted stuff I do sometimes: Lemuria.org
  91. Re:people ruin everything by plover · · Score: 1

    Governments are not just made of people. They are made of people, laws, and processes. A bad process (or law) encourages people who prosper by it to leave it unchanged. This means that people do the wrong thing in order to keep their jobs. A person who is only trying to do what they were hired to do may do something morally wrong because that's what they were told was correct. A really really bad set of processes in a secret organization can lead to secrecy for secrecy's sake, and that leads to what we saw here.

    --
    John
  92. Re: people ruin everything by Optali · · Score: 1

    Well, they will do whatever the PAYING 1% tells them to do ;)

    --
    -- 29A the number of the Beast
  93. Re: people ruin everything by Tom · · Score: 1

    Yeah, I definitely want my country to look more like theirs.

    --
    Assorted stuff I do sometimes: Lemuria.org
  94. Re: people ruin everything by Richy_T · · Score: 1

    Heh, game of thrones quote coming up...

    "In a room sit three great men, a king, a priest, and a rich man with his gold. Between them stands a sellsword, a little man of common birth and no great mind. Each of the great ones bids him slay the other two. 'Do it,' says the king, 'for I am your lawful ruler.' 'Do it,' says the priest, 'for I command you in the names of the gods.' 'Do it,' says the rich man, 'and all this gold shall be yours.' So tell me- who lives and who dies?"

    The US govt is just a bunch of men in suits. It's the loyalty and goodwill of those that serve under them that makes them anything more.

  95. Re: people ruin everything by Aaden42 · · Score: 1

    Where on earth did you get the idea that the 1% actually pays for government operations?

    http://www.cnsnews.com/news/ar...

  96. Re: people ruin everything by CmdrTamale · · Score: 1

    If you have ammunition, you can get food.

    Only if THERE IS FOOD.
    --
    The program isn't debugged until the last user is dead. Can I help you with your debugging? *cracks knuckles*

  97. Re: people ruin everything by jxander · · Score: 1

    If only there was a modern day precedent for the US military having a hard time dealing with some low tech insurgents.

    --
    This signature is false.
  98. Re:Nonsence by PPH · · Score: 1

    You mean app signing keys? If TC has been compromised by an insider, or may be in the future, that signature will mean nothing.

    --
    Have gnu, will travel.
  99. Re:people ruin everything by MrKaos · · Score: 1

    No, I think people are fine. It's governments and their poorly organized systems that cause things like this.

    That's a fascinating concept. Are governments and their poorly organized systems comprised of something other than people? Aliens from another universe perhaps?

    In a word, Processes. People are just the components; it's the processes and procedural rules that determine the behavior of the system - poorly organized or not.

    --
    My ism, it's full of beliefs.
  100. Re:people ruin everything by fustakrakich · · Score: 1

    Okay, then who or what created the laws and processes? I don't understand how you can separate any of that from people.

    --
    “He’s not deformed, he’s just drunk!”
  101. Re:people ruin everything by fustakrakich · · Score: 1

    People are just the components; it's the processes...

    Say whaaa? Were the processes created by aliens then? I find this very intriguing.

    --
    “He’s not deformed, he’s just drunk!”
  102. Re:people ruin everything by MrKaos · · Score: 1

    People are just the components; it's the processes...

    Say whaaa? Were the processes created by aliens then? I find this very intriguing.

    Stop being a fucking pedantic idiot. You asked:

    Are governments and their poorly organized systems comprised of something other than people?

    I answered processes. They're also comprised of legislation, mandates, buildings and chairs. All of these things were made by people; however, that is not what you asked. Under such ridiculous pedantry I could answer atoms, quarks and energy, which would give you an accurate answer, just not a particularly useful one based on a reasonable supposition of what is meant by 'what a government department is comprised of'.

    --
    My ism, it's full of beliefs.
  103. Re:people ruin everything by fustakrakich · · Score: 1

    ...that is not what you asked.

    It is precisely what I asked. And you people continue to pass the blame for our problems on some nonresistant ethereal entity called a "process". It's a bunch of hogwash. The problem is people, period. They create the government. They create the process. They are the process. And you're just spouting a bunch of gibberish like some preacher yelling that it's "God's will!". Save it for the believers.

    --
    “He’s not deformed, he’s just drunk!”
  104. Re:people ruin everything by MrKaos · · Score: 1
    You said: Are governments and their poorly organized systems comprised of something other than people?

    ...that is not what you asked.

    It is precisely what I asked.

    atoms, quarks and energy

    ...that is not what you asked.

    It is precisely what I asked.

    legislation, mandates, buildings and chairs, cars, carpet, leasing agreements, legal departments, policy review boards. Snakes and snails and puppy dogs tails

    And you people continue to pass the blame for our problems on some nonresistant ethereal entity called a "process". It's a bunch of hogwash.

    It's fairly obvious that you are one of "those people" who haven't held any position that was responsible for anything other than themselves. If you ever work hard enough to understand higher levels of an organization, either in the business or government world, you will understand that the reporting and functional processes are as real as the dumb look on your face when you look in the mirror. That "nonresistant ethereal entity" controls much of your life.

    Now go back to flipping burgers.

    The problem is people, period. They create the government. They create the process.

    True, but also outside the scope of your question as they don't "comprise governments poorly organized systems".

    They are the process.

    Duuuuuuuuuuuuuuuuuuuuuuuuh.

    It doesn't make the process any less of a component, it's just "something other than people".

    And you're just spouting a bunch of gibberish

    When a person is in a government organization they have effectively zero latitude to change it; they are a functional component that is either a tool that can be used or a problem that has to be solved, all the way up the management chain to the executive. And even the executive has to make a government department function according to the articles of law that enacted it. Even the one person left who can change it, government minister or congresscritter, *still* has to act within the legal functional requirements of the Department. This covers the entire scope of your question.

    A government department is a legal entity as much as a corporation is a legal entity as much as a person is a legal entity. If you choose to have a simpletons view of the world, that's fine. It won't change because you don't understand it.

    like some preacher yelling that it's "God's will!". Save it for the believers.

    Are you even vaguely serious? Have you ever read a piece of legislation longer than 10 pages in its entirety? The entire legal system is made up of words that can have you executed in some places. That's real; there is a legal process that dictates people to behave as functional components in an organization and act in a specific role.

    "...a system based on corrupt practice cannot be saved merely by tinkering with it"

    Look, I only answered your question because I thought your sig was fairly on the mark. However, even government departments form components of the "system" you are describing.

    Your mindset blames the people who need a job, not the people that can resolve the functional issues of government. By all respects you should get this, and I fucking truly regret trying to gently answer your question in a way that didn't make you look like a complete fucking idiot.

    From the moderation, it suggests that pretty much the rest of slashdot gets this, but I'll correct your grammar and answer it in the closed narrow way you need it answered:

    Are government's and their poorly organized systems, comprised of something other than people?

    Yes.

    --
    My ism, it's full of beliefs.
  105. Re:people ruin everything by fustakrakich · · Score: 1

    That certainly was a long winded piece of... baloney... How do you learn to be so helpless?

    --
    “He’s not deformed, he’s just drunk!”
  106. NSA by koan · · Score: 1

    The message on TrueCrypt's new website got me thinking:
            Using TrueCrypt is not secure as it may contain unfixed security issues

            Let's isolate the first letter of each word:
            (U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay (c)ontain (u)nfixed (s)ecurity (i)ssues

            Result?
            utinsaimcusi

            Let's spread that!
            uti nsa im cu si

            That is latin for
            "If I wish to use the NSA"

            Stay away from future Truecrypt releases. This is clearly a warning from the developers.

    --
    "If any question why we died, Tell them because our fathers lied."
  107. Re:Nonsence by philip.paradis · · Score: 1

    The concern isn't compromise of TC by an insider. The concern is forced conveyance of signing keys to an intelligence agency. Are you aware of the consequences of such a scenario? I suspect you're feigning ignorance at this point in an attempt to minimize perceived risk. Why would you do that?

    --
    Write failed: Broken pipe
  108. Re:people ruin everything by MrKaos · · Score: 1

    That certainly was a long winded piece of... baloney... How do you learn to be so helpless?

    Mainly from people like yourself who are so hopelessly inferior to the rest of the normal thinking population that I would need 3/4 of my brain removed to have double your wit. Obviously you are unable to explain whatever point you have to make, even when given an opportunity to do so. I can only gather that you are pointless. So back to 4chan, b/tard/.

    Now get the fuck off my lawn.

    --
    My ism, it's full of beliefs.
  109. Re:people ruin everything by fustakrakich · · Score: 1

    :-) I pity you, completely unable to break the circle. A good servant you are, blaming others for your own misfortunes, but still pitiful.

    --
    “He’s not deformed, he’s just drunk!”
  110. Re:people ruin everything by MrKaos · · Score: 1

    :-) I pity you, completely unable to break the circle. A good servant you are, blaming others for your own misfortunes, but still pitiful.

    Pity yourself, it's an excellent summary of what you are doing now :-)

    --
    My ism, it's full of beliefs.
  111. Re:Nonsence by philip.paradis · · Score: 1

    Why haven't you replied to my last question?

    --
    Write failed: Broken pipe