The Sudden Policy Change In Truecrypt Explained
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA."
Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:
"Alyssa Rowan @AlyssaRowan
@munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"
Sorry, who the fuck are you?
There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well have just posted a link to the reddit thread about this.
Fyi Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. So there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play
Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.
U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...
The message is clear what happened.
https://t.co/x1H2T6UtEv
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
According to this page - someone e-mailed a dev contact and claims they called it quits due to lack of interest
https://www.grc.com/misc/truec...
(Scroll to the bottom, the green box).
The only real "confirmation" we have is the info on the TrueCrypt page. It's over (no matter what the reason is), best to move on.
No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.
Some semi-random tweeter is reposted on some random blog? I don't think so.
It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?
No, no, you're not thinking; you're just being logical. --Niels Bohr
An anonymous coward in the last thread said that a known warrant canary was seen:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051
This is Slashdot. No one cares whether something is true or not as long as it is negative towards the government. Sad really, since it diminishes any sort of real discussion about actual concerns about the government rather than made up fantasy.
this is actually a link to an interesting article, not goatse. it's an editorial about how the most recent full version of true crypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.
still doesn't answer the question on if it's like lava bit. true crypt may be just as secure as it was last week, but maybe it's also been owned by NSA from day one.
I never use cloud resources. Too many users have been severely inconvenienced if not outright burned by cloud services that have been hacked, suppressed by some government, gone out of business, or gone down for several hours. I keep all my data where I can access it, either on my PC or on a removable hard drive that I store remotely from my PC but easily reached.
I encrypt my most sensitive data. No, I do not rely on some corporation's declaration: "Trust us. We are good. We will protect you." Instead, I use an OpenPGP application that has been reviewed by outside experts and that I have installed on my PC. The data on my removable hard drive are encrypted. Some of my PC files are also encrypted. My pass-phrase, without which my private key is useless for decryption, exists only in my head and in an envelope in my safe deposit box at a bank. My private key is on my PC in a non-standard location. If somehow someone else were to access my private key, I have a much greater problem than the compromise of my sensitive data.
See my http://www.rossde.com/PGP
I can't comprehend the conspiracy theories flying around about this.
[TrueCrypt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.
The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).
If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.
Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.
If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.
"Don't use this anymore. It's not maintained, and should therefore be considered insecure".
Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"
''TrueCrypt is not secure,'' official SourceForge page abruptly warns
You are so gonna get Dementia
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Haha. Frankly, usable crypto kits need security audits.
No, I think people are fine. It's governments and their poorly organized systems that cause things like this. Suggest you read "The Lucifer Effect". It's not just about prison guards. That same mentality has infiltrated the NSA and most other government offices.
The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.
There's nothing in TFA that hasn't been speculated in great detail already.
No explanation totally makes sense. Here's my working model of what happened (all speculation of course):
The project has been gradually disintegrating over the last few years -- developers leaving and not being replaced, remaining developers having less time to spend on the project for whatever reason, and the perceived reward for fixing increasingly difficult bugs is not enough to keep people interested. It's just not fun any more.
The to-do list has some really nasty bugs that are difficult to fix and could potentially compromise all TC containers. The remaining developers in the project have been grinding away at these bugs, but haven't made much progress for reasons outlined above. They realized that the project was going to fizzle out before they got anything fixed. A cursory look at the 7.2 code suggests that they had committed to some major rewriting of the code, and bit off more than they could chew.
At this point, what can they do? Reporting the vulnerabilities would be irresponsible since no fixes are forthcoming. Lives depend on some of the secrets their software keeps. Best to push people gently away from TC until the problems can be fixed, if ever, while keeping the details of the vulnerabilities as secret as possible, and giving people realistic expectations about the future of TC development (i.e. none).
They probably had a plan for creating a migration plan that actually made sense, but ran out of resources before finishing, and decided to go with what they had on hand. At this point they were probably down to one very part-time developer and maybe a few unreliable volunteers. ("Hey Jim, where's that page you were writing about Linux FDE? Jim? Hello? Anybody there?")
There was really no good way forward with the resources remaining, so they did the best they could.
Why didn't they find someone else to take over the project? I guess they tried, but couldn't find anyone in their immediate circle of trust who was willing and able. Perhaps they felt that expanding their circle of trust would jeopardize their anonymity.
On the other hand....
"WARNING: Using TrueCrypt is *not *secure *as ..."
I'm surprised there hasn't been a Kickstarter setup to re-implement TrueCrypt from the ground up.
What would be the dollar cost to hire a team of developers to do it?
The signing keys you dolt.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Link because why in the world do people use URL shorteners?
Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you. What makes your personal life so relevant?
So because my private life is utterly uninteresting, you suggest that I shouldn't care about giving up my human rights?
The right to privacy is a human right...
One might as well ask why you should care about fair trials or torture; if you're not a criminal then why should you care? After all, why should anybody want to torture a confession out of you?
This is not about being personally targeted or affected, it's about basic human rights.
Governments are made up of people. People are always the problem.
It is a sad truth. NSA / USA government will only drive innovation underground or out of the country.
Because nobody on Slashdot would intentionally visit a link to grc.com. If you want us to visit the land of raw sockets and falling skies, you're going to have to mask the destination.
...
Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you...they care about financial and military strategic advantage. You are not relevant to either.
That reasoning fails on two points.
You don't have to be truly important or truly threatening for the state to persecute you. Indeed, if we could rely on the state always being correct in whom they attack, we wouldn't need individual rights.
(||) Nehmo (||)
It appears grc has created a page where the last final version of TrueCrypt and all source code can be downloaded.
My hope would be that someone will fork the project and continue development for Linux, and Windows XP/2003, at least, AND preferably work on new Version of Windows.
Bitlocker is REALLY not good enough, for most users won't have access to it -- since it is only in the ENTERPRISE version of Windows 7; in particular... Windows 7 Standard and Professional do not have the feature.
The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.
Fine. The simplest way to do that is to put a clear and unambiguous message on their webpage stating that development is frozen at version 7.1a, and the project will no longer be maintained. Instead they gave no explanations, but a very bizarre set of statements that raise more questions than they answer.
This has the flavor of a practical joke or an unstable mind. Certainly not someone you would trust to protect your data.
It's a shame. I really liked the application.
The former CEO of USWest was sent to prison based on secret NSA data that could not be independently confirmed - or even discussed. That this happened shortly after he refused to cooperate with illegal NSA data collection is completely coincidental.
Help stamp out iliturcy.
Mod parent up. Grandparent AC is a moron. It's the signing keys, not some nonexistent master decrypt key.
If the thugs have the signing keys, they could have a couple of months from now themselves brought out a new "improved" (but completely compromised) 7.3 masquerading as an improved, updated, security patched TrueCrypt.
...that everyone seems to assume the Truecrypt developer(s) were in the U.S.
Kythe
I would rather get dementia than tell lies and live like it is OK with what's going on in this country.
If 'dementia' means what I think it means, you can actually do both.
I am not a crackpot.
My point wasn't that privacy is not important. My point is that YOU are not important...and I'm right. You're not.
Which is entirely beside the point.
You are irrelevant to The Man until you become a "problem" and all this data gathering is for instant dossiers on people who become a "problem." To nail the head that sticks up.
Privacy is a human right because without it people are unable to effect change - they remain powerless. There is nobody on the planet without a skeleton in the closet, and exposing that skeleton is what this is all really about. It's national-level Borking, to remove any kind of power from people who would oppose a police-state.
That's why.
You, sir, are a short-sighted douchebag and, through your apathy, an enemy to everyone on this planet.
Ta Ta.
--
BMO
Not only that, but the trolling poster also made the assumption that you're not important, which is bullshit for the simple reason that we're ALL important to the people who love and care about us. We're important to someone - I'm important to my wife for example, and soon I'll be important to my newborn. Just because I'm not a politician or celebrity and hence known to thousands/millions of people doesn't mean I'm not important. It's all about spheres of influence - some are larger than others, but they still all matter.
If the trolling poster honestly believes with such passion that you aren't important, it stands to reason they probably don't feel they are important either. If they can't find at least one person in their life who considers them important in some way... then I find that truly sad for the AC.
Trying to bring attention to this thread whether it turns out true or false.
-metric
Is there any proof that the contributors are even in the US and thus subject to a NSL? At least one of them seems to be from the Czech Republic (David Tesařík).
The corner of a round room
Given the anonymous nature of the TrueCrypt developers, would we even believe someone who claimed to be a dev and gave us an explanation?
Not sure I would. I've read a lot of different articles and comments about this ordeal and I'm frankly not sure what to believe. I'm not sure if I'd believe someone if they said they were a dev.
I know we'd all laugh if the NSA came out publicly and said "we had nothing to do with it."
Unlike with Lavabit, there's no single master key for TrueCrypt that can be gotten from the developers that'll decrypt any TC partition. The best the NSA could get is the ability to create their own signed binary package with their own modifications and have it appear as the official package on TC's site. The problem with that is that the TC code's open so anybody can build from source and compare with the official build and see that they aren't the same. And any compromise of the source (eg. weakening the cryptography) would be instantly revealed in the diffs. The whole NSL thing sounds dodgy, and doesn't quite fit. It seems more likely that, with Win7 and later moving to supporting only GPT disks, the TC developers found they can't add that support and decided to throw in the towel.
In any case, the version of TC from before this change is still available and as far as anyone can tell is still secure. I'd be leery of switching to other encryption software that's known to be less secure until someone comes up with a definitive vulnerability in 0.71.
As well as food, and ammunition
If you have ammunition, you can get food.
It's 2014, not 1914.
If you want to fight your government - the government that spends more money on the military than everyone else in the top 5 military spending countries combined - you don't need guns. You need stealth fighters, tanks and ICBMs.
Good luck with your "honest people defending the country against the government" fantasy.
Assorted stuff I do sometimes: Lemuria.org
In fact, sufficiently large non-violent protests would bring down the government -- if it can work in non-democracies like Egypt and Tunisia, it would certainly work in the USA. Guns would just provide the government with an excuse for terrorism charges.
This space intentionally left blank
That was a foreign power attacking people at home.
This would be the people rising up against their government.
Two different scenarios. The US government doesn't have to eradicate Americans to win, it just needs to stay put exactly where it is.
Assorted stuff I do sometimes: Lemuria.org