Slashdot Mirror
The Sudden Policy Change In Truecrypt Explained
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA."
Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:
"Alyssa Rowan @AlyssaRowan
@munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"
Sorry, who the fuck are you?
There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well just posted a link to reddit thread about this.
Fyi Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. S there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play
Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.
No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.
Some semi-random tweeter is reposted on some random blog? I don't think so.
It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?
No, no, you're not thinking; you're just being logical. --Niels Bohr
An anonymous coward in the last thread said that a known warrant canary was seen:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051
this is actually a link to an interesting article, not goatse. it's an editorial about how the most recent full version of true crypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.
still doesn't answer the question on if it's like lava bit. true crypt may be just as secure as it was last week, but maybe it's also been owned by NSA from day one.
I can't comprehend the conspiracy theories flying around about this.
[TrueCyrpt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.
The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).
If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.
Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.
If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.
"Don't use this anymore. It's not maintained, and should therefore be considered insecure".
Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"
''TrueCrypt is not secure,'' official SourceForge page abruptly warns
[Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]
Haha. Frankly, usable crypto kits need security audits.
No, I think people are fine. It's governments and their poorly organized systems that cause things like this. Suggest you read "The Lucifer Effect". It's not just about prison guards. That same mentality has infiltrated the NSA and most other government offices.
The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it. .
Link because why in the world do people use URL shorteners?
Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you. What makes your personal life so relevant?
So because my private life is utterly uninteresting, you suggest that I shouldn't care about giving up my human rights?
The right to privacy is a human right...
One might as well ask, why you should care about fair trails or torture, if you're not a criminal then why should you care? After all why should anybody want to torture a confession out of you?
This is not about being personally targeted or affected, it's about basic human rights.
Two guys - working working over a decade without funding etc.
Ennead was 29 in 2005 (http://www.wolfmanzbytes.com/windows/70-truecrypt-encryption.html) and they obviously developed it on their freetime.
Fast forward from that to today and you got couple of middle-aged devs, probably with more demading careers and perhaps even families and maybe with young kids.
They started it as a Windows project, when Windows was...a completely different beast than it is today.
It's no wonder TrueCrypt didn't get very many (any?) releases in the past couple of years.
It's certainly a very interesting way to exit stage.
WARNING: Using TrueCrypt is notsecure as it may contain unfixed security issues
But this raises many questions.
(1) If Truecrypt were secure in the first place, a National Security Letter would have been of no use: the developers would be no more help de-crypting something than anyone else. So in the usual context, a NSL has no point whatever.
(2) A demand for other records, say about the developers, would also not invalidate the CODE of Truecrypt in any way.
So that only leaves a couple of possibilities as legitimate reason for a canary: (3) Possible coercion by the government to somehow weaken their crypto.
(4) Discovery of some prior "backdoor" that had somehow been inserted in the past.
(5) Maybe some of the developers wanted to remain strictly anonymous and so any overtures made by the government at all created panic.
Since the people doing the security audit have announced that it will continue, if it turned out to be (4) it will be discovered soon. Which it seems to me leaves only (3) and (5) as any kind of government "threats" that make any sense.
Any other ideas?
I would guess that they were NSL'd for their signing keys; that would make it less secure in the future so the correct option is to burn the brand now. Reports said that both signing keys signed the new (crippled/canaried) executable, and that the keys had been re-uploaded with the same content on sourceforge. Their legit URL points to their sourceforge site. Instances of "U.S." in their source code were replaced with "United States".
It looks to me like they went through a lot of trouble to burn the brand down before any damage could be done with the NSA's new-found signing keys. It's a very, very bad sign that this happened to TrueCrypt. Good on them for being brave enough to inform us, despite the real risks they faced in doing so. If this project is forked, we can only hope the new maintainers are brave enough to do the same when the NSA goes after them. It also raises the question: how much other infrastructure has been compromised while the maintainers have stood silently by?
Not only that, but the trolling poster also made the assumption that you're not important, which is bullshit for the simple reason that we're ALL important to the people who love and care about us. We're important to someone - I'm important to my wife for example, and soon I'll be important to my newborn. Just because I'm not a politician or celebrity and hence known to thousands/millions of people doesn't mean I'm not important. It's all about spheres of influence - some are larger than others, but they still all matter.
If the trolling poster honestly believes with such passion that you aren't important, it stands to reason they probably don't feel they are important either. If they can't find at least one person in their life who considers them important in some way... then I find that truly sad for the AC.
TrueCrypt never claimed to protect you from a compromised system. The point of it was offline security. Once unmounted the contents of an encrypted container are inaccessible to anyone without the key.
Once you understand what TrueCrypt is for you can see why it is so valuable.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC