Slashdot Mirror

← Back to Stories (view on slashdot.org)

Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt

Posted by timothy on from the turning-a-ship-takes-a-while dept.

An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?

15 of 75 comments (clear)

  1. If it ain't broke? by Anonymous Coward · · Score: 5, Insightful

    Why not use it until you HAVE to find an alternative. I mean the audit of 7.1a is not even done yet.

    software != fruit

    1. Re:If it ain't broke? by Jane+Q.+Public · · Score: 3, Interesting

      OP is wrong anyway. The only thing that "melted down" was the original working group.

      The group currently doing the security audit announced their full intent to continue the project. So it hasn't "melted down" any more than MySQL did. Just somebody else taking the reins.

      (Just to clarify, I meant MariaDB. I don't count Oracle as "taking the reins". That was more like a stampede over a cliff.)

  2. AWS Email by darkain · · Score: 5, Informative

    13 hours ago, Amazon / AWS sent out the following email:

    Dear Amazon S3 Customer,

    Amazon S3 now supports server side encryption with customer-provided keys (SSE-C), a new encryption option for Amazon S3. When using SSE-C, Amazon S3 encrypts your objects with the custom encryption keys that you provide. Since Amazon S3 performs the encryption for you, you get the benefits of using your encryption keys without the cost of writing or executing your own encryption code.

    Until now, in order to use your own encryption keys, you needed to encrypt your data client-side prior to uploading them to Amazon S3. With SSE-C, you now have the option to securely store your data using keys that you manage, without having to build client-side encryption infrastructure.

    To use SSE-C, simply include your custom encryption key in your upload request, and Amazon S3 encrypts the object using that key and securely stores the encrypted data at rest. Similarly, to retrieve an encrypted object, provide your custom encryption key, and Amazon S3 decrypts the object as part of the retrieval. Amazon S3 doesn't store your encryption key anywhere; the key is immediately discarded after S3 completes your requests.

    You can learn how to use SSE-C today by visiting "Using SSE with Customer-provided Keys" in the Amazon S3 Developer Guide.

    Sincerely,
    The Amazon S3 Team

    1. Re:AWS Email by jcochran · · Score: 3, Insightful

      Gee. Send the data in the clear along with an encryption key so it's stored at the remote site in an encrypted form. There's no way that a NLS will allow for the interception and disclosure of the key is there?

      Frankly, that "solution" is a rather poor one at best and far too likely to give the customer a sense of security while in reality their data is totally accessible.

    2. Re:AWS Email by tehlinux · · Score: 2

      So, as the email said, just "encrypt your data client-side prior to uploading them to Amazon S3"

      --
      Most linux users don't know this, but the man pages were named after Chuck Norris. Chuck Norris fsck'ing hates noobs!
    3. Re:AWS Email by sasparillascott · · Score: 2

      The NSA thinks it makes sense.

    4. Re:AWS Email by Em+Adespoton · · Score: 5, Interesting

      With truecrypt images, you give them your public key and have authorized their private key to decrypt. With this situation, you send them cleartext data and a private key; they encrypt your private key against theirs, and then encrypt your data against your private key.

      So with the first setup, you've got a chain of reputation, segmentation of authority, and only encrypted data going over the wire. In the second setup, you've got no chain of reputation, only a partial segmentation of authority, credentials in memory on the public system, and cleartext on the wire.

      So this isn't about the data being decrypted as much as it is about the security of the data in transit, and the security of the credentials used to secure the data.

      Think of it this way: in both cases, in order to publish data the publisher needs access to the private key. In one case, that private key is held in private by the author. In the other case, it is held on a public system, and is accessible by anyone able to scrape memory or by anyone with access to the AWS corporate key.

  3. Why should one move from truecrypt 7.1a? by Anonymous Coward · · Score: 2, Insightful

    Truecrypt code remains available and currently available 7.1a online exactly matches ones I downloaded over past 2-3 years now and then. It is still good (tho the "7.2" version that was recently put out is crippled and should be ignored.)
    It can be obtained at https://www.grc.com/misc/truecrypt/truecrypt.htm
    and matches exactly the ones downloaded over time.

    The code is being formally reviewed (still) and is likely to be picked up by others. Unfortunately one does not make money
    sellig cryptodisk software (I tried when I published some back in 1979) but the capability is nevertheless useful,
    and using code for which sources are published is far safer than some commercial product, which could be
    surreptitiously broken and back-doored at commands of spy agencies whether the authors like it or not. With closed
    source programs you are stuck. Also one can use truecrypt on windows or linux; the replacement the authors seem
    to steer for is windows only.

  4. Sorry, not gonna move to a MS solution by rolfwind · · Score: 2

    Yeah, sure, use bitlocker as sourceforge says.... because MS totally doesn't open backdoors for the NSA that makes goatse jealous. *snort*

    http://truecrypt.ch/

  5. More NSA sponsored anti-Truecrypt FUD by Anonymous Coward · · Score: 5, Interesting

    Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now. Truecrypt implements encryption in the ONLY way that makes sense- known state-of-the-art mathematical algorithms used against the simplest file system driver emulation, allowing encrypted data to simply exists in monolithic data blocks. No different from Ram Disk and zip-folder technologies, with an encryption front-end. A NIGHTMARE for the full surveillance programs of the NSA/GCHQ.

    Remember, Truecrypt is of no consequence for TARGETED victims of the security apparatus. If you are a true, named, subject of State surveillance, covert cameras, keyloggers, and other simple, cheap hardware solutions will be used to disable your attempts at encryption in the first place. The 'problem' with Truecrypt is that as its use spreads, large amounts of online data go 'DARK' for the security apparatus. The use of Truecrypt is like refusing to connect the NSA designed Kinect2 spy platform to your Xbox One console.

    But, you argue, even so the numbers of Truecrypt users were never going to be THAT significant? Well, while this is kind of true, the reaction to Snowden's revelations was an ever growing general concern about the visibility of private data. Sheeple were rightly learning to absolutely distrust all solutions from corporations- and pressure was growing to create more publicly friendly equivalents to systems like Truecrypt. To consider a parallel, take Ad-Block. Large numbers of people ONLY began using Ad-Block, because the online ad business, even on the largest web-sites, adopted the most abusive, anti-user practices imaginable. Of late, the most mainstream sites have all been responsible for using browser exploits to deliver illegal trojan code package to unsuspecting users. And when people complain, these disgusting companies all say "don't blame us, blame the ad-serving services we use".

    The consequence of the 'Wild West' of online ads is more people want to block the whole damned industry (and rightfully so). And the same now applies to encryption. More and more people want to fight back against the obscenity of the FULL SURVEILLANCE society. And the NSA wants these people to fight with 'weapons' the NSA has already ensured are useless.

    It does NOT matter that Truecrypt 'could' have minor, unusual 'vulnerabilities'. All software falls into that category. What matters is that Truecrypt protected files are the greatest pain-in-the-ass for the NSA. Do not let Slashdot's NSA sponsored content tell you otherwise.

    1. Re:More NSA sponsored anti-Truecrypt FUD by Anonymous Coward · · Score: 3, Funny

      The problem with Person of Interest is that after two seasons, it turned out to be true. How awkward. The writers handled it well, I have to admit.

  6. Re:And the problem is? by BitZtream · · Score: 4, Interesting

    If you're using AWS, your data is unencrypted on their end ANYWAY. Or at least, they have to hold the decryption keys in a way that lets them decrypt it, so its irrelevant to encrypt it unless you just enjoy wasting CPU cycles.

    The truecrypt container is only useful when transferring data between your end and the Amazon servers if you're not using an encrypted channel to start with for the transfer.

    Considering the situation with truecrypt, ... well, theres nothing really useful to discuss since the only thing known is they stopped maintaining it in a OMGDRAMA sort of way.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  7. Amazon's continued use is a good sign ... by perpenso · · Score: 3, Interesting

    Because there are probably known vulnerabilities actively being exploited by government agencies that they were told not to fix.

    The TrueCrypt project is not dead, it is open source. It merely has lost its original developers.

    An audit of the source code is underway. They are using the source for the last full featured create/read/write version released prior to the current read-only version. I believe they have confirmed the source matches the public binaries and that there are no backdoors. They are currently studying it for vulnerabilities and exploits. When they are finished this audited source code will provide that basis for continued work on the project.

    Amazon's continued use is a good sign. Perhaps Amazon and other interested commercial entities will support future work on the project. Much like various commercial entities support the majority of the work on the Linux kernel.

  8. Corporations have needed crypto too ... by perpenso · · Score: 2

    Was it needed in 1979?, only ones I could guess who needed that kind of cryptodisk software would have been governments at most?

    Corporations need it too. Especially larger ones. Keep in mind that the famous Enigma machines of WW2 were derived from commercial crypto hardware developed for the commercial market, so that corporate headquarters could have secure communications with regional offices, people negotiating contracts at remote locations, etc.

    A lot of espionage is industrial in nature.

  9. What is the alternative? by Tolvor · · Score: 3

    TrueCrypt was trusted because the source code is/was open source, the binaries could be checked, it used respected algorithms, and had few flaws. Yes, there was minor fixes that could be done to make it more secure, and there are methods to defeat the keys (Flash freezing the ram chips in the computer to preserve the stored keys is one). But TrueCrypt reigned supreme with the cost-reputation-cryptostrength score.

    Of course, according the (canary) Truecrypt homepage it recommends BitLocker by Microsoft, which few people take seriously. Microsoft recently peeked at its employees private hotmail account, and is known to include features in its OS to make NSA happy as well as copyright holders.

    What alternative is there to TrueCrypt?