Security Experts Looking To Possibly Fork And Rescue TrueCrypt
from the not-a-surprise dept
People are still trying to figure out what the hell happened with TrueCrypt suddenly announcing that development had stopped and that the code was not secure. However, as people sort that out, the same folks who were leading the charge on the TrueCrypt audit have announced that they're looking into the possibility of picking up the TrueCrypt project and running with it themselves. The idea would be to complete the security audit, but then start managing a fork of the project themselves. They haven't fully committed to this, but it sounds like that's what they'd like to do. Yet another example of how open source projects are quite handy.
Filed Under: encryption, fork, security, security audit, truecrypt
Reader Comments
Interesting
[ link to this | view in chronology ]
Good encryption software should be available to all.
[ link to this | view in chronology ]
Re: oratio
[ link to this | view in chronology ]
You've misspelled hardy.
[ link to this | view in chronology ]
Because imply-development-is-really-hard-here. Or in this case, a new twist! "You don't need this software really, use Microsoft's"
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Grain of salt
I'd note one interesting indirect attack: use methods that'll cause the most secure projects to declare themselves at risk without letting them say why, letting paranoia push users into switching to software maintained by less scrupulous companies who'll stay quiet about their software being compromised until forced by outside discovery of the compromise.
[ link to this | view in chronology ]
Re: Grain of salt
Even a small google search would have revealed that it's obviously a disinformation campaign by the NSA dirty tricks office.
Do you really think any real programmer would encourage you to migrate to a Microsoft product? THINK!
With that said, one thing that people haven't really addressed is that if you haven't committed a crime, then you cannot be parallel constructed into jail.
Parallel construction only works if you are breaking the law.
[ link to this | view in chronology ]
Re: Re: Grain of salt
[ link to this | view in chronology ]
Re: Re: Re: Grain of salt
[ link to this | view in chronology ]
Re: Re: Re: Re: Grain of salt
“Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power.”
“The definition of fascism is the marriage of corporation and state.”
“Fascism, the more it considers and observes the future and the development of humanity, quite apart from political considerations of the moment, believes neither in the possibility nor the utility of perpetual peace.”
[ link to this | view in chronology ]
Re: Grain of salt
Before I'd trust a fork, I'd want an idea of why the original developers or somebody impersonating them, said that they considered it insecure in the first place.
Because that is all we actually know.
[ link to this | view in chronology ]
Re: Re: Grain of salt
[ link to this | view in chronology ]
Re: Grain of salt
I would guess that (in part) the just-completed first part of the audit might have something to do with it.
There's a good summary of events and theories here: https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff
(UPDATE: now includes response from developer)
You can download the entire source tree (using "git clone") from here: https://github.com/DrWhax/truecrypt-archive
Steve Gibson summarizes here: http://steve.grc.com/2014/05/28/whither-truecrypt/
There's a how-to that explains how to check the signature here: http://www.akselvoll.net/2014/05/how-to-securely-download-truecrypt-71a.html
There's an interesting commentary here: http://bradkovach.com/2014/05/the-death-of-truecrypt-a-symptom-of-a-greater-problem/
Bill Cole (one of the most seasoned people on the 'net) has a terrific observation here: http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908
[ link to this | view in chronology ]
Re: Grain of salt
We don't know that they did. All we have is an anonymous statement signed by an old cert. We have no assurance that any of this came from the developers.
[ link to this | view in chronology ]
Re: Re: Grain of salt
[ link to this | view in chronology ]
Re: Re: Re: Grain of salt
Now come and get your retard hug. :)
[ link to this | view in chronology ]
Re: Spread love with assorted flower gifts
[ link to this | view in chronology ]
Re: Spread love with assorted flower gifts
[ link to this | view in chronology ]
Re: Spread love with assorted flower gifts
[ link to this | view in chronology ]
Re: Re: Spread love with assorted flower gifts
[ link to this | view in chronology ]
Dear Techdirt...
[ link to this | view in chronology ]
Re: Dear Techdirt...
I think it's one of the better ones I've seen in current use. About the only thing I could point to as unambiguously improvable about it is the fact that posting a new comment takes you to a different page, and you have to go "back" to continue reading from where you left off.
(There are of course quite a few of what I might call "ambiguously improvable" things, i.e., things which if changed in the way I have in mind might end up better, or worse, or even just different after all.)
[ link to this | view in chronology ]
Re: Re: Dear Techdirt...
Let's ignore the WHY of why my comment got posted THREE times and just deal with the consequences. There is no delete button for starters.
So their buggy code which causes that to occur in the first place, cannot even be manually corrected.
So that would be my first complaint.
[ link to this | view in chronology ]
Is it even a question? Everyone knows who is behind this. It was the beloved Dictator, Commander in chief, Admiral, General, CEO, President of the Free Democratic Peoples Federal Republic of America.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
...The New Bush is Bush^Bush. (^ - to the power of)
[ link to this | view in chronology ]
TrueCrypt is a truly beautiful program. Small and very portable, cross platform, easy to use, good advice and powerful encryption features.
As long as TrueCrypt lives on I would never use another.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
TrueCrypt 7.1a download + complete archive with source code and information
visit http://www.truecrypt71a.com for further information
[ link to this | view in chronology ]
Re: TrueCrypt 7.1a download + complete archive with source code and information
http://www.oldversion.com/windows/truecrypt/
http://filehippo.com/download_truecrypt/
[ link to this | view in chronology ]
Gibson's new summary & links page
[ link to this | view in chronology ]
Re: Gibson's new summary & links page
I do hope the neo-Truecrypt project takes that to heart and excises all support for Windows. Supporting an inferior operating system is a lot of work, and takes away resources that could be better spent elsewhere. The focus should be entirely on 'nix-based systems.
[ link to this | view in chronology ]
Re: Re: Gibson's new summary & links page
[ link to this | view in chronology ]
Re: Re: Re: Gibson's new summary & links page
Yes. It is. People who care about security and privacy do not use Windows (a) because it's a maldesigned piece of junk with an enormous and still-growing litany of baked-in security problems and (b) it's closed-source, which means if it's backdoored -- and I think there's a fair chance that it is -- that it will be very difficult to discover that.
If you want at least a modicum of security, then make a better choice in OS. But please, let's not even put "Windows" and "security" in the same room together.
[ link to this | view in chronology ]
Re: Re: Re: Re: Gibson's new summary & links page
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Gibson's new summary & links page
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Gibson's new summary & links page
[ link to this | view in chronology ]
Re: Re: Gibson's new summary & links page
Bruce Schneier uses Windows on a regular basis (Google it), so your statement is incorrect.
[ link to this | view in chronology ]
Re: Re: Gibson's new summary & links page
That was sarcasm, and you sir are an elitist snob.
We should support good encryption EVERYWHERE and let people make their choice regardless of what OS they use.
[ link to this | view in chronology ]
fix license issue first
[ link to this | view in chronology ]
Re: fix license issue first
"The realcrypt application in the RPM Fusion repo is an encryption application based on truecrypt, freely available at http://www.truecrypt.org/. It differs from truecrypt in only the following ways:
"- The name truecrypt is changed to realcrypt throughout the application, as requested by the truecrypt License:
"- All original graphics are replaced with entirely original new ones, as requested by the truecrypt License:"
-more-
"It does not differ from truecrypt in any other respect; in particular, no code relating to actual encryption or decryption is modified. Nevertheless, the truecrypt License requires that we ask you to report any and all bugs you find to [https://bugzilla.rpmfusion.org/ RPM Fusion's Bugzilla] and not to the truecrypt project."
Source -- http://rpmfusion.org/Package/realcrypt
[ link to this | view in chronology ]
.............................^N..^S.....^A.........
Hidden message?
[ link to this | view in chronology ]
It would be
[ link to this | view in chronology ]
Peazip for encryption
Peazip is open source and quite widely used.
[ link to this | view in chronology ]
Backdoors can be anywhere including open source s/w
Any toolchain in use can be compromised without the source code being compromised. All it takes is to generate a single compiler that inserts the backdoor into any system in a specific manner and all compilers and all applications generated thereafter can be compromised.
When we look at something like *ix systems, at some point we need to use a binary to compile the source code of the compilers we use. All it takes is a single infestation into a distribution to propagate that infection.
To get around this, it requires knowing the provenance of all code within the system, including any binaries that are in use.
Of course, it goes without saying that to do this requires real skill, foresight and knowledge. This is not necessarily the domain of any of our security forces/organisations.
[ link to this | view in chronology ]
Re: Backdoors can be anywhere including open source s/w
I presume you are referring to the Ken Thompson hack. All such hacks are liable to discovery as a system evolves and better debugging tools become available. They are also liable to fail when the underlying system changes. Such hacks have to be targeted at very specific routines, and have to assume that neither the routine name nor the required actions change. Relying on any external code introduces another point of failure. All code that is not maintained will fail due to external changes at some point in time.
Note one extreme weakness of such hacks, they cannot keep their insertions hidden from a reverse assembler, as it is always possible to write a reverse assembler and compile it without the hack being able to detect it, never mind change it. Similarly, with open source, it is always possible to add logging code to the kernel that the hack cannot detect and bypass. Code that did not exist prior to the hack being implemented, or never available to the person carrying out the hack cannot be modified by the hack.
[ link to this | view in chronology ]
Re: Re: Backdoors can be anywhere including open source s/w
Any part of the toolchain can be compromised accordingly for this kind of purpose up to and including the linkers and loaders.
We see enough problems with source code having errors, let alone trying to determine what is actually happening with the object code generated.
The problem is that most people "trust" that the tools they are using are okay and don't go that extra 100 miles to check the binary code generated.
I know that in my youth I would set aside time to examine the binary code produced particularly if strange errors were being obtained. But these days, for the kind of stuff I do, I don't put in such time as I have other things that need to be done.
All I am saying is that backdoors can be put in without any changes being made to the source code.
[ link to this | view in chronology ]
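The toolchain thread above (the "Backdoors can be anywhere" comment and the replies about the Ken Thompson hack) and the audit team's mention of a "fully reproducible build" both point at the same defence: rebuild the compiler through an independent path and compare the results. The Python model below is an added example, not code from the page or from any commenter, and it simulates David A. Wheeler's diverse double-compiling (DDC) check, a technique the page itself does not name. The compilers are toy dicts, the compiler and login "sources" are constructed strings, and the backdoor is a flag that a compromised compiler copies into any compiler it builds from source; the point is the detection logic, not a real build.

```python
"""Toy model of diverse double-compiling (DDC, David A. Wheeler): an added
illustration of how a self-propagating compiler backdoor in the style of the
Ken Thompson 'trusting trust' hack is detected by comparison rather than by
reading binaries. Compilers are simulated as small dicts; all data is
constructed for the example."""
import hashlib
import json

# Constructed stand-ins for a compiler source tree and for a target program.
COMPILER_SOURCE = "cc v1: lexer, parser, codegen"
LOGIN_SOURCE = "login: prompt, compare hash, start shell"


def codegen_name(source):
    """Which code generator a program implements: only compiler sources define one."""
    return source.split(":")[0] if source.startswith("cc ") else None


def build(source, compiler):
    """Simulated compilation. As with real compilers, the output depends on the
    source and on the code generator of the compiler that produced it.
    A backdoored compiler additionally (a) re-inserts itself when it recognises
    the compiler's own source and (b) plants a payload into `login`, in both
    cases without any change to the source being compiled."""
    binary = {
        "codegen": codegen_name(source),
        "built_by": compiler["codegen"],
        "backdoor": False,
        "payload": False,
    }
    if compiler["backdoor"]:
        if source == COMPILER_SOURCE:
            binary["backdoor"] = True   # propagation: survives recompiling the compiler
        if source.startswith("login"):
            binary["payload"] = True    # the visible effect on one target program
    return binary


def fingerprint(binary):
    """Stand-in for hashing the produced binary bit-for-bit."""
    return hashlib.sha256(json.dumps(binary, sort_keys=True).encode()).hexdigest()


def ddc_check(suspect, trusted, compiler_source):
    """Diverse double-compiling: build the compiler source with an independent
    trusted compiler (stage 1), then build it again with stage 1 (stage 2).
    If the suspect compiler is faithful to its source, the suspect rebuilding
    itself must be identical to stage 2. A mismatch means the suspect binary
    contains behaviour its source does not."""
    stage1 = build(compiler_source, trusted)
    stage2 = build(compiler_source, stage1)
    self_rebuilt = build(compiler_source, suspect)
    return fingerprint(stage2) == fingerprint(self_rebuilt)


# Constructed compilers: a clean self-hosted cc, a backdoored copy of the same
# cc (same source, same code generator), and an unrelated trusted compiler
# that also implements the language and never saw the hack.
CLEAN_CC = {"codegen": "cc v1", "backdoor": False}
EVIL_CC = {"codegen": "cc v1", "backdoor": True}
TRUSTED_CC = {"codegen": "othercc", "backdoor": False}

if __name__ == "__main__":
    print("clean cc passes DDC:", ddc_check(CLEAN_CC, TRUSTED_CC, COMPILER_SOURCE))
    print("backdoored cc passes DDC:", ddc_check(EVIL_CC, TRUSTED_CC, COMPILER_SOURCE))
    print("login built by backdoored cc carries payload:", build(LOGIN_SOURCE, EVIL_CC)["payload"])
```

Running the module shows the clean compiler passing the check and the backdoored one failing it, although both were built from the same source and neither source file was touched. A real DDC run performs the same comparison on actual binaries, which is why the stage-2 build must be bit-for-bit reproducible for the comparison to mean anything; the trusted compiler plays the role the reply above describes, code the hack never saw and therefore cannot recognise.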
Audit guys are backpedaling a bit but..
https://twitter.com/matthew_d_green/
His original tweet was:
"We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build."
But later followed up with:
"Just for the record, we are not 'forking Truecrypt'. We plan to audit it and perhaps organize (financial) support around such an effort."
Now, there IS a fork in the process of creation over at http://truecrypt.ch/ but as it is in the early stages of the process, and the Audit guys have yet to complete the rest of their study of the app crypto, it would be better to leave this on the back-burner until we know what bugs need to be fixed....
[ link to this | view in chronology ]
[ link to this | view in chronology ]
IDEAL Homes
Thanks for you Share This Amazing Post,
Click Here, http://idealhomeinterior.com/
[ link to this | view in chronology ]
shhh itty bitty soft fascism
[ link to this | view in chronology ]