TrueCrypt Project Problems

by Anonymous Coward in security on 2014-05-30 (#3N8)
Finally, a story for resident conspiracy theorists that has truth behind it, an impact on the world, and may actually mean something.

TrueCrypt, the standout semi-open source multiplatform full-disk-encryption software package, has acted all squirrelly and more or less shut the project down, blaming it, somewhat hilariously, on the end of Microsoft's Windows XP support. All this while a paid (and long awaited) audit of TrueCrypt has been nearing completion.

Discussed at lots of places including lifehacker, Slashdot, SoylentNews, and reddit.

This is really troubling for lots of reasons. The audit was deemed necessary because TC's authorship and operation were shrouded in mystery (the two main developers are anonymous and go by the pseudonyms "ennead" and "syncon"). This doesn't help any in that regard. What happened? Loss of control of the domain? Website defacement? Warrant canary?

TrueCrypt: Is The Party Really Over? (Score: 1, Interesting)

by Anonymous Coward on 2014-05-30 11:22 (#1YX)

By: Anon | 05/2014

Fiction: Do you remember the scene near the end of the movie Scarface where the group of criminals conspired in an attempt to remove an individual speaking out against them before he spoke at the UN? (UN - IIRC)

Reality: Do you remember the individual who died just shortly prior to speaking out about pacemakers (and possibly other technology) and how they are vulnerable to hacker attacks?

Possibility: Sn0wd3n and/or others about to deliver a speech which mentions the useful tool TrueCrypt to a wider audience - TrueCrypt project dies.

I'm interested in the results of the complete TC code audit, but give this comparison some thought.

However, I was concerned about the project when releases ceased after 7.1a. There were steady releases up until that time and I'm curious if 7.1a was released as low hanging fruit with a backdoor and the site was allowed to operate for a few years before closing shop when the hunger for enough interesting people who downloaded/used TC was satisfied.

TrueCrypt WTF @ Bruce Schneier blog
https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

Also contains TC posts:
https://www.schneier.com/blog/archives/2014/05/friday_squid_bl_426.html

Re: TrueCrypt: Is The Party Really Over? (Score: 1, Informative)

by Anonymous Coward on 2014-05-30 12:43 (#1Z3)

Best comment there:

"sls • May 29, 2014 11:05 AM
"WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues"
Did nobody else pick up on this?"

Never used TrueCrypt (Score: 0)

by Anonymous Coward on 2014-05-30 12:28 (#1YZ)

But this is an interesting story...

I still wonder whether the philosophies of privacy versus power and the distribution of autonomy in society is workable or whether Animal Farm/1984/Brave New World scenarios are inevitable after any post-revolution period of time. TrueCrypt was a tool for those interested in securing some privacy for data? I can imagine many legitimate personal, political and business use cases, as well as, more nefarious intentions. Nonetheless, I hope that we can devise a system/laws that allow such tools to have an accessible, operational and audited presence in the Computer Age. Basically, I feel it is important that power (for privacy or anything else) be distributed and this is a basic principle of democracy. Many of the possible explanations for TrueCrypt's demise appear linked to the lack of enough money to justify continued development though, which begs the question of how an interested community could best fund key programs like OpenSSH, TrueCrypt, etc, and how they might handle key developers moving on?

Not Accurate to Say Warrant Canary? (Score: 0)

by Anonymous Coward on 2014-05-30 16:46 (#1Z9)

I think perhaps people are misapplying that term in this case (not Pipedot specifically, everywhere).

Isn't it supposed to be something noticeable by its absence, BEFORE a secret warrant turns up? At best what we have here is a warning or sad cry for help, after the fact. There should be a different catchy term for this. Maybe "dead canary".

Re: Not Accurate to Say Warrant Canary? (Score: 1, Insightful)

by Anonymous Coward on 2014-05-30 17:08 (#1ZA)

Isn't it supposed to be something noticeable by its absence, BEFORE a secret warrant turns up?
Not necessarily. I would define it as any sort of signal that a warrant was involved. Since they didn't have any scheme predefined, they may be doing the best they can. It is still entirely speculation, though.

Re: Not Accurate to Say Warrant Canary? (Score: 2, Interesting)

by billshooterofbul@pipedot.org on 2014-06-03 05:53 (#20E)

Some random twitter personality claims there was a secret predetermined warrant canary, which was activated recently. But it's so super secret that only a few people are in the know, and they can't tell us what it was for reasons unexplainable. Either they're afraid of a rubber hose style differential cryptanalysis, or they need to have their medication levels checked.

LUKS was a better alternative anyway (Score: 1)

by bryan@pipedot.org on 2014-05-30 22:42 (#1ZE)

LUKS encrypted file systems have been natively supported in most Linux distros for 5+ years. These encrypted file systems can be easily created on the command line or with a GUI tool like "gnome-disks". If you, for example, insert a thumb drive formatted as LUKS, the desktop environment pops up a password dialog to automatically mount the file system for you.

TrueCrypt mainly catered to Windows users. Also, the TrueCrypt license was incompatible with both the free-software and the Open Source Initiative philosophies.

Re: LUKS was a better alternative anyway (Score: 0)

by Anonymous Coward on 2014-05-30 23:22 (#1ZF)

TrueCrypt mainly catered to Windows users.
I would say it catered to multiplatform users just as much. With TC I could have files in containers on a NAS and still be able to use them from any machine. And while I like the OSI direction, featureset comes first.

Re: LUKS was a better alternative anyway (Score: 3, Informative)

by fnj@pipedot.org on 2014-05-31 06:40 (#1ZK)

What LUKS doesn't give you is HIDDEN, deniable containers.

Re: LUKS was a better alternative anyway (Score: 0)

by Anonymous Coward on 2014-06-01 12:19 (#1ZS)

From what I read, the alleged "plausible deniability" of "hidden" containers was pretty weak anyway.

Re: LUKS was a better alternative anyway (Score: 3, Insightful)

by fatphil@pipedot.org on 2014-06-01 23:05 (#202)

Any system which is designed to give you plausible deniability is guaranteed to give you no plausible deniability at all.

You show them one thing, they say "yeah, yeah, you're running something which permits you to have multiple views - now show us the other one", and get out a bigger wrench.

possible (Score: 3, Informative)

by tdk@pipedot.org on 2014-06-01 13:19 (#1ZV)

stlth is a project that supposedly gives you deniable containers on Linux. Hopefully it uses plain dm-crypt for inner containers because LUKS has a distinctive header. FreeOTFE can create inner containers on LUKS volumes, but only runs on Windows.
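The point made in the two comments above (LUKS volumes carry a recognisable header, so unlike a plain dm-crypt or TrueCrypt-style container they cannot pass for random data) can be checked directly. The following is an added example written for this thread, not code from any of the projects mentioned: it parses the LUKS1 on-disk header (magic, version, cipher, hash, payload offset, key size, UUID) and classifies anything without the magic as "no-header". The sample header and the sample headerless blob are constructed inline; the UUID and digest fields are placeholders, not values from a real volume.

```python
import struct

# LUKS1 phdr layout from the LUKS1 on-disk format specification, all big-endian:
#   0 magic[6]  6 version u16  8 cipher-name[32]  40 cipher-mode[32]  72 hash-spec[32]
# 104 payload-offset u32 (512-byte sectors)  108 key-bytes u32  112 mk-digest[20]
# 132 mk-digest-salt[32]  164 mk-digest-iter u32  168 uuid[40]  (key slots follow at 208)
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"
LUKS1_HDR_LEN = struct.calcsize(LUKS1_FMT)  # 208 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def identify_volume(data: bytes) -> dict:
    """Classify the leading bytes of a block device or container file.

    Returns a dict whose "format" key is "luks1" (with parsed fields),
    "luks<N>" for other LUKS versions, or "no-header" when the LUKS magic is
    absent. Plain dm-crypt volumes and TrueCrypt containers fall into the last
    bucket: their first sector is indistinguishable from random bytes here.
    """
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return {"format": "no-header"}
    version = struct.unpack(">H", data[6:8])[0]
    if version != 1:
        return {"format": f"luks{version}", "version": version}
    if len(data) < LUKS1_HDR_LEN:
        return {"format": "luks1", "truncated": True}
    (_, _, cname, cmode, hspec, payload, keybytes,
     _, _, iters, uuid) = struct.unpack(LUKS1_FMT, data[:LUKS1_HDR_LEN])
    return {
        "format": "luks1",
        "cipher": f"{_cstr(cname)}-{_cstr(cmode)}",
        "hash": _cstr(hspec),
        "payload_offset_sectors": payload,
        "key_bytes": keybytes,
        "mk_digest_iterations": iters,
        "uuid": _cstr(uuid),
    }


def identify_file(path: str) -> dict:
    """Read just enough of a file or device to classify it."""
    with open(path, "rb") as fh:
        return identify_volume(fh.read(LUKS1_HDR_LEN))


def build_sample_luks1_header() -> bytes:
    """Constructed sample header (not from a real volume); field values mimic
    a typical aes-xts-plain64 / sha256 LUKS1 volume. Digest, salt and UUID are
    placeholders."""
    return struct.pack(
        LUKS1_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
        4096, 64, b"\x00" * 20, b"\x00" * 32, 1000,
        b"00000000-0000-0000-0000-placeholder0",
    )


# Constructed stand-in for the first sector of a plain dm-crypt or TrueCrypt
# container: deterministic, header-less bytes that carry no recognisable magic.
SAMPLE_HEADERLESS = bytes((i * 37 + 11) & 0xFF for i in range(512))


if __name__ == "__main__":
    print("constructed LUKS1 header ->", identify_volume(build_sample_luks1_header()))
    print("header-less blob         ->", identify_volume(SAMPLE_HEADERLESS))
```

Run against a real device with `identify_file("/dev/sdX")` (read access required); a LUKS volume reports its cipher and UUID in clear, which is exactly what makes the container non-deniable, whereas a plain dm-crypt or TrueCrypt container yields "no-header" because nothing on disk identifies it.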

Huh, Flawed After All? (Score: 1, Informative)

by Anonymous Coward on 2014-05-31 02:11 (#1ZH)

http://soylentnews.org/article.pl?sid=14/05/30/1318243

German dude says there's a vulnerability.

Still hardly a reason to dump rather than fix the project...

Re: Huh, Flawed After All? (Score: 0)

by Anonymous Coward on 2014-05-31 03:11 (#1ZJ)

I haven't seen anything to substantiate that claim. He can speculate all he likes, but I won't believe it until there are a lot more details.

Linux? Switch to tc-play (Score: 1, Informative)

by Anonymous Coward on 2014-06-01 12:25 (#1ZT)

This is an alternative, compatible implementation of truecrypt. I'm surprised it is not more widely known and supported.

https://github.com/bwalex/tc-play

Also, cryptsetup-LUKS can now mount truecrypt containers.