TrueCrypt Page Says It's Not Secure, All Development Stopped
from the uh... dept
Last fall, we noted that the popular disk encryption software TrueCrypt was undergoing a security audit, inspired by the Snowden revelations. At issue: TrueCrypt is open source and widely used and promoted (hell, Snowden himself apparently taught people how to use it), but no one really knew who was behind it -- raising all sorts of questions. A little over a month ago, we noted that the first phase of the audit didn't find any backdoors, but did note a few (mostly) minor vulnerabilities.However, a little while ago, TrueCrypt's SourceForge page suddenly announced that " WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" and furthermore: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: development, disk encryption, encryption, privacy, security, truecrypt
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Apparently Steve Gibson, the host of Security Now is talking to the people who have been doing the audit and they have been trying to reach people at Trucrypt.org.
There is also a new executable that LaPorte said you should NOT download under any circumstances.
The best advice is wait for a few days for things to shake out. One of the possible clues was the recommendation to use Microsoft's Bitlocker which is a closed source application. (Obviously)
[ link to this | view in thread ]
[ link to this | view in thread ]
See https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Occam's Razor suggests...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Occam's Razor suggests...
Anyone using TrueCrypt should stand pat for the time being until more is known. Do not use the binary on the website. If you feel the need to migrate, then decrypt using your existing version of the software and don't migrate to BitLocker.
[ link to this | view in thread ]
Another possibility?
Let's hope this isn't lavabit 2.0
[ link to this | view in thread ]
Re: Re:
Bitlocker is not known to be compromised, the repository may have been hacked, and prior visions might still be effective. Also note that to use Bitlocker will require many home users to upgrade their operating system. Something about this smells worse than a skunk.
[ link to this | view in thread ]
Might be another Lavabit scenario
http://forums.theregister.co.uk/forum/1/2014/05/28/truecrypt_hack/#c_2200085
Seems as good of a speculative explanation as any. Why would someone compromising the dev key warn people away from the binary? Better just to sign a compromised one and say nothing....
And if you are going to hack a site like TrueCrypt for notoriety, you'd put up the typical 'I OWNZ UR ASS' hacker boasts....
[ link to this | view in thread ]
Re: Another possibility?
[ link to this | view in thread ]
Trusted Systems
Is trust temporary, until you know you can't or shouldn't?
Or is trust permanent, until it is taken away?
How does one know who or what to trust anymore?
Personally, I will lend $20 to almost anyone I have some relationship with. I learn a lot in how they handle it. If I get it back, it speaks to character. If I don't get it back, it speaks to character. I tend to trust, until I have reason not to.
But with systems, how does one determine trust? I have given trust to deal with things like banking online, Skype communications, several email accounts, etc. All of them now have serious trust issues. To some degree, I just continue, but I am far from comfortable.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Might be another Lavabit scenario
Killing a service like Lavabit is relatively easy. Killing off open-source code is hard.
[ link to this | view in thread ]
Re: Might be another Lavabit scenario
[ link to this | view in thread ]
I would not care to speculate what is going on when we can only await the hard facts and then kill whoever is responsible.
[ link to this | view in thread ]
Re:
Sounds pretty suspicious to me ;)
[ link to this | view in thread ]
Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Might be another Lavabit scenario
So that doesn't make any sense.
[ link to this | view in thread ]
Re: MS Fool
[ link to this | view in thread ]
Re: Re: Might be another Lavabit scenario
Why? Because if it became public knowledge that TrueCrypt was ordered to shut down, the first question would be "why?". And if the answer to that is "because we can't crack it and we'd really like to" then that immediately calls into question EVERY cryptographic implementation, because we must reason that any which haven't been ordered to shut down are, in fact, already compromised.
And I don't think anybody wants to go there.
[ link to this | view in thread ]
Re: Re: Trusted Systems
I do. This is being posted from my Linux Machine. I run Windows as well, but only because I need, I mean need, my Flight Simulator.
This does not help if SSL is broken. This does not help if any encryption that gets used is broken. This does not help if Skype is broken, and do to the folks on the other end, other choices are not reasonable. This does not help if my VPN's encryption is broken. This does not help if Tor is broken.
I have, and share a Tails torrent, which is open source, Tor enabled, Linux based, used to be anonymous, used by Ed Snowden and Bruce Schneir, but just exactly when do I use it? Everytime I visit my bank? When I want to send an email? Those are both online, and not particularly in my control.
Using Tails rather than punching the browser button is a tremendous inconvenience, as at the very least it requires two reboots, one to use it, and another to get back to normal. Is banking the break point? Or do I need a nefarious intent to invoke it? While I have nothing to hide, I have nothing I want seen.
[ link to this | view in thread ]
Re: Re: Re: Might be another Lavabit scenario
Again, theory, I want evidence. It could be that they found out that the NSA has some way to decrypt anything Trucrypt created without a backdoor, so they jumped ship. It could also be that the site was hacked as has been suggested. Or any number of other things.
One thing I can say is that I'm not plugging in my encrypted hard drive until I get more information.
[ link to this | view in thread ]
Re: Occam's Razor suggests...
They're anonymous and have never been identified. How will you know whether to trust what "they" say?
[ link to this | view in thread ]
Re: Re: MS Fool
[ link to this | view in thread ]
Re: Occam's Razor suggests...
..or was it the NSA? Hmmmm.
[ link to this | view in thread ]
Re: Another possibility?
New page layout hastily created, bullshit reason, an open source developer recommending a closed source product, "Microsoft", newly generated encryption key, pointing out 'compromised' despite a clean audit, then lastly migration to avoid a possible NSA compromised product.
If that does not scream out NSL then I don't know what does when naturally anyone who receives an NSL is forbidden from saying that they have.
[ link to this | view in thread ]
LUKS
Best of all, the Linux cryptsetup program supports both these and truecrypt. For windows you can use a program called FreeOTFE.
Unfortunately, while LUKS is the standard way to do full disk encryption in Linux it doesn't do the fancy pre boot stuff so it can't encrypt your main windows drive.
[ link to this | view in thread ]
National Security Letter
[ link to this | view in thread ]
Re: Re: MS Fool
[ link to this | view in thread ]
Re: Trusted Systems
Trust is always temporary and conditional. This has been true for all security systems going back as far as security systems have existed.
When you think about it, it's true in all of life as well.
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
I assume you are learning how to land too?
[ link to this | view in thread ]
Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
[ link to this | view in thread ]
So yeah, I think the team either fell on their swords or this is a clumsy attempt to undermine trust, and that both scenarios point towards older versions being trustworthy. I certainly won't be downloading newer versions, that's for double-dog sure.
[ link to this | view in thread ]
Re: Re: Trusted Systems
Is not a situation where someone is selling trust a bit different? Does not the seller need to exhibit some form of character to get that trust? Should not such trust, thus displayed, be able to be counted upon? Should there be a statute of limitations on such trust? I know, better not ask a banker, or an insurance company executive, or certain ebook providers, or gaming system manufacturers, etc.
I am not arguing that such trust exists. The government has failed our trust. Banks have failed our trust. Numerous other companies and individuals have failed our trust. There is a lot not to trust out there.
I am arguing that we should be able to count on some things. I am arguing that the government should not be in the business of conflating that trust. I am arguing that short of criminal behavior, we should be able to trust.
Look, I am a realist. I know we cannot fully trust our current understanding of physics, simply because we don't know it all yet, and current 'facts' may change. Yet I fully trust that if I jump up in the air, that part of physics that defines gravity will again earn my trust and hurtle me back to the ground. If that kind of trust can be developed in nature, what is so damn difficult about it for us humanoids?
I guess my question might better be expressed as how can we get to trust systems? Given what we now know.
[ link to this | view in thread ]
Re: Re: Re:
1. Truecrypt has received a Security Letter from an American or other agency (we don't know where they are) to build in a backdoor. They are not allowed to announce having received the letter, but they can simply rip out the encryption part of their software and make a general announcement like this one.
2. Were hacked but regained control. But why weren't they more specific in their warning, then?
[ link to this | view in thread ]
Re: Re: Re: Re:
3. the encryption itself may have been hacked or back doored due to it's reliance on windows code, particularly older functions traced back to Windows XP. Possibly the NSA knew and used it. Possibly hackers new it and used it. Possibly both.
No matter which answer you go with, the product is compromised, any data stored with this product should be considered at risk, and potentially that it has already been obtained illegally by third parties. It should also not be considered a good way to encode drives to cross the border, as an example.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Either way, it's not good for traditional cryptographic protection schema.
[ link to this | view in thread ]
Re: Re: Another possibility?
[ link to this | view in thread ]
TrueCrypt 7.1a
installation binaries, source, signing key and signatures plus PDF of iSec audit
torrent: https://dl.dropboxusercontent.com/u/1797250/TrueCrypt-7.1a.torrent
Seeding will continue for the forseeable future.
[ link to this | view in thread ]
Re: Re: Re: Re: Might be another Lavabit scenario
[ link to this | view in thread ]
Re: National Security Letter
Had he only wanted to quit then why say Truecrypt is insecure?
If he believes Truecrypt is insecure then why not state the faults?
Had Truecrypt really been insecure then why do all on-going audits say that no serious flaw has been found?
Clearly much more is going on here than meets the eye.
[ link to this | view in thread ]
Re: Re: Trusted Systems
Heartbleed.
[ link to this | view in thread ]
What Do You Seek
Risk Assessment 101:
- Who are you hiding data from? The government, your wife or your mom?
- How much of your data really needs to be encrypted? It'll be a small subset of all the bytes you own. In which case you can probably concoct your own disguise for it.
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Another possibility?
But otherwise, yeah, I'd rather have that happen than have a totally compromised host.
[ link to this | view in thread ]
Re: Re: Might be another Lavabit scenario
[ link to this | view in thread ]
Why a Three Letter Agency must be involved
TLA = Three Letter Agency
TPLA = Three Plus Letter Agency
* This is nothing but a hoax
* This is nothing but a defacement
If that were the case, then the authors would come out and say so.
The newly released code containing the "hoax" was signed with the authentic signing key.
So a hoax seems unlikely.
If this is a hoax or defacement, then someone went to an awful lot of work to build a new software release -- and obtain the capability to sign it!
If someone had obtained the secret signing keys, then there are lot more valuable things that could be done with them than a mere hoax / defacement.
* Mabye the authors just want to retire from long work on this program
Then why not just come out and say so?
Why not pass the torch to others to continue to work?
Why use the excuse of discontinuing it because of discontinued support for Windows XP, which is so lame of an excuse as to be unbelievable. (Hint: not to be believed.)
* A security vulnerability was discovered
* The program was hacked by the NSA, Chinese, Aliens, etc
* A weakness was discovered in the encryption
If this were the case, then why wouldn't the authors just come out and say so? The only reason would be if they were constrained from saying so by a secret order from a secret court under the authority of a secret interpretation of a secret law, or something like that.
Consider that the newly released program, authentic according to its digital signature, has the warnings embedded. So the warnings must be genuine. Yet the same release with the warnings also removes the encryption capability the retains the decryption capability. This would imply that the author's motives are to allow you continue to decrypt previously encrypted data, and would imply that the authors believe it currently is and will continue to be secure -- but that *encryption* will not continue to be secure in the future.
* Maybe the authors merely lost control of their credentials, signing key, etc.
The same arguments apply.
* Why wouldn't authors just say so?
* Why then release a new version with warnings, and removing future encryption capability, but keeping decryption capability?
This argument would imply that the authors still care about your security but were merely hacked or lost control of their key. If the authors continue to care about your security, then why suggest switching to BitLocker which is (a) closed source, (b) cannot be analyzed for vulnerabilities or back doors, and (c) is from Microsoft.
* This situatiion is nothing like LavaBit's poor choice of response strategy
Nobody is arguing that it is similar. I am only arguing that the authors forced to compromise *future* security, and not disclose this, had no other choice but to find a way to get people to stop using the program.
My conclusion.
The only thing that seems to fit all of the facts is that a TLA/TPLA ordered them to hand over their digital signing keys and keep this fact a secret.
* This would mean that the authors have lost control of their keys
* The authors may have been forced to suggest switching to BitLocker, also for the benefit of TLAs/TPLAs.
* The authors cannot disclose this fact
* The TLAs/TPLAs want to make new insecure releases, that are digitally signed as authentic -- even if only intended for release to selected parties.
* The authors still care about your security
* The authors still control their website and can still make new software releases
* The authors are not forbidden from abandoning the project or saying that it is now insecure
* The authors know that the past security of the program is not compromised, only the future security
* Therefore authors remove encryption but retian decryption capability, and then fall on their sword to protect everyone. Similar motives to Lavabit response, but not similar in other ways.
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
Now distribution of the fix, on the other hand . . .
. . . that may take some time. But not necessarily for software systems (like OSes and some applications) that have an automatic self-update capability.
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Why a Three Letter Agency must be involved
That sounds like something a TLA would do.
GitHub source code comparison:
https://github.com/warewolf/truecrypt/compare/master...7.2
[ link to this | view in thread ]
Re: Re: Re: Re: Trusted Systems
After disclosure.
[ link to this | view in thread ]
Re: Why a Three Letter Agency must be involved
* But the authors gave a reason to stop using TrueCrypt -- because of the removal of Windows XP support
TrueCrypt is (was) a cross platform program. So why would removal of XP support (even if that excuse were believable) have any effect on other platforms?
Why wouldn't the authors simply discontinue the Windows version of TrueCrypt? Or simply discontinue it only in XP but continue working on TrueCrypt on Windows 7, 8, etc.?
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Also, you saying they pulled their product due to flaws in windows code, and then they recommend you move to... Windows bitlocker?
[ link to this | view in thread ]
Duh!
Need I say more..
[ link to this | view in thread ]
Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
My 2 Cents....
In the code...this line was removed....
Donate now...
A hacker would have left that in, because that's just another way hacker could scam people....by nabbing money along the way!
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
What if
Wouldn't it be possible to reverse engineer an older release or two and compare it to a reversed engineered of the newest release to see what if anything has changed to see see if there is a backdoor or anything like that?
From what i've read, the govt, mainly the NSA has stated they couldn't crack True Crypt. So in theory, from some of these comments, how possible is it, they were forced to back door it? Then did the honorable thing and shut down?
Just curiosity and questions here.
Also, from my knowledge, Bit Locker is not Linux compatible. TC comes installed on BT5, though that support has ended and has been replaced by Kali. But BT5 is still available.
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
And my answer is that if you're looking for some kind of permanent trust, that's impossible. It doesn't matter if you're talking about trusting technology or people. It's just a fact of existence -- things change, so trust must be temporary.
However, my personal take on trust issues is this: nothing and nobody is 100% trustworthy, so absolute trust is a foolish goal. When I say I "trust" something, what I mean is that I feel I have a good idea of the predictability of it. I have a reasonable handle on what circumstances I can or cannot rely on it.
[ link to this | view in thread ]
No need for reverse engineering, both the old and the new source code are available. However as a check the new source should produce the same binary as the new binary when compiled for the same target using the same version of the compiler.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: National Security Letter
[ link to this | view in thread ]
Re: Why a Three Letter Agency must be involved
Another possibility suggests itself.
A TLA (three letter agency) has managed to gain COMPLETE control of the project and its signing keys.
This also fits available facts. Lame excuse for ending project. Lack of any response by actual authors discrediting idea of a hack, hoax, defacement, or discovered vulnerability. This also fits with the U.S. being changed to United States. Some TLA button-down necktie programmer would do that.
Motive? If TrueCrypt is really secure, as all past evidence suggests, then TLAs would not want people using it. Thus they be sure to remove all previous versions so you cannot download and use them.
Why not a peep from the authors? I've read that the authors are anonymous and have never before spoken to the press. If that is the case, loss of their signing credentials makes it impossible for them to verify that they are who they claim to be. You, or I could claim to be the author of TrueCrypt, but would equally have no way to prove it.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Might be another Lavabit scenario
[ link to this | view in thread ]
Re: Re: Why a Three Letter Agency must be involved
Which because it was a git project fails because there will be hundreds of copies out their already, including one torrent referenced in this thread. As well as in every Linux repo of Distros that offered it.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: What Do You Seek
It isn't about "hiding" anything. It's about privacy, and knowing your data is safe.
I have backups of my financial records (and other related personal items) on a thumbdrive, and it's with me at all times. It's my "backup of last resort" in case all my other backups are lost. (Due to fire, flooding, etc., all of which have affected me in the past.) If everything else fails, I always know I'll have a backup of my most irreplaceable records with me.
And I encrypt it. Heavily. Not because I'm trying to "hide" it, but because it's personal. Yes, I want to keep it out of the hands of any who would try to use it for nefarious purposes, but I also just want to know that a stranger can't peruse my personal information if they get their hands on the drive. If the drive is lost or stolen, I don't want to give a second thought to the information on it; I know it's encrypted far beyond the point of practical recovery.
Not only that, but it's also protected from situations we see more of these days, where any random traffic stop is "cause" to try to pry through every digital device in or near your control. I'd probably be perfectly willing to provide the password to law enforcement---upon receipt of a valid, narrow, and properly executed warrant (and after speaking with my lawyer)---but I rest easier knowing I have at least that level of control.
Again, it's not secret, it's private, and that's a distinction that doesn't get as much notice as it deserves. Even a person with "nothing to hide" has things they'd prefer to keep private. Different things for different people, to be sure, but taking steps to safeguard ones privacy in the modern digital world is something that each person should be able to do in a way they feel is appropriate.
Locks may only keep out honest people, but I still use them. And I prefer to use the best ones I can.
[ link to this | view in thread ]
Re: Re: Re: Re: Trusted Systems
You can have motivated open-source developers and lazy ones too which is also true for proprietary software.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
So the AC above was comparing apples to oranges. Comparing the speed by which a non-critical vulnerability gets fix after it is made vs the speed with which a critical vulnerability gets fixed from the time of disclosure to the developers is not a fair comparison.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Why a Three Letter Agency must be involved
Then why has the TrueCrypt team not stated this?
You are looking at this the wrong way when spies are not good spies being so public. The US Administration runs on ultra secrecy mode when they won't send in the hackers but the ultra secret court orders.
[ link to this | view in thread ]
Re: Re: Why a Three Letter Agency must be involved
People should be cautious looking for shapes in tea leaves.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
True, but the advantage of OSS is that anyone can fix it. Heartbleed is case in point. The original patch for it came from Google. So, while proprietary software can only be fixed by small pool of developers, OSS software can be fixed by anyone in a much, much larger pool.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re: Might be another Lavabit scenario
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Trusted Systems
Just as with proprietary software.
[ link to this | view in thread ]
Re: Anonymous Coward
[ link to this | view in thread ]
Re:
Producing a reliably deterministic build is still possible, but there's no guarantee that any given project has gone to the trouble to ensure it.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Trusted Systems
His point is that software being open source doesn't guarantee anything about not having vulnerabilities, which is an attitude many people seemed to have pre-heartbleed.
[ link to this | view in thread ]
Re: Re: Re: Why a Three Letter Agency must be involved
How would they do that?
Random person: "Hi internet, I'm one of the authors of TrueCrypt."
The internet: "Prove it."
Random person: "Um... trust me?"
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Trusted Systems
Interesting. I've seen many comments accusing others of thinking that OSS is some guarantee that there is no vulnerability, but I've not actually seen large numbers of people who actually think that, so it's more than a bit of a straw man.
What I have seen a lot of is people misunderstanding the arguments that OSS is better than closed source in this matter and thinking that the argument is that OSS is inherently safe. It's pretty near indisputable that OSS really is the safer choice, and often I wonder if the misunderstanding of the argument is deliberate.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: LUKS
[ link to this | view in thread ]
Re: Re: Re: Trusted Systems
You use it when you want anonymity online, which is not the same as encryption. You should use a VPN for banking and email, not Tails or tor, and you should only trust that VPN up to the TLA point, and not beyond that. These tools can do a lot but it is critical that people understand what they do and do not do.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Trusted Systems
A pointless point...
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Trusted Systems
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: What Do You Seek
- Who are you hiding data from? The government, your wife or your mom?"
The first question is valid as it addresses use-case. The allusion to authority figures and the desire to hide things from aforementioned authority figures has already been well addressed.
- How much of your data really needs to be encrypted?"
All of it, if any of it.
[ link to this | view in thread ]
Re: Why a Three Letter Agency must be involved
[ link to this | view in thread ]
Re: My 2 Cents....
[ link to this | view in thread ]
Re: What if
[ link to this | view in thread ]
Re: LUKS
Suddenly the developer of FreeOTFE decided to abandon the project in June 2013. This takes on a different light in view of what happened to Lavabit...
[ link to this | view in thread ]
Encryption and open source
[ link to this | view in thread ]
Encryption issues
[ link to this | view in thread ]