
(Forbes) Open-source encryption darling TrueCrypt has mysteriously gone out of development. Speculation on what happened to the right (forbes.com)
More: Sad, TrueCrypt, open source, code base, OpenSSL, speculation, encryption, sourceforge, online banking

2104 clicks; posted to Geek on 29 May 2014 at 4:15 PM



140 Comments

Archived thread
 
2014-05-29 01:56:42 PM  
This is in nasty red letters on the TrueCrypt.sourceforge.net webpage:


WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.


Super. :-(
 
2014-05-29 01:59:29 PM  
It's weird that they included instructions to use closed-source Microsoft BitLocker instead.
 
2014-05-29 02:08:11 PM  

RexTalionis: It's weird that they included instructions to use closed-source Microsoft BitLocker instead.


Doctorow noticed that. On Boing-boing he wrote:

Microsoft itself has a deservedly poor reputation for standing up to government demands to weaken its products' security, but Peter Biddle, one of the architects of Trusted Computing and Bitlocker, has previously told me that he was repeatedly approached by frustrated federal agents who couldn't decrypt Bitlocker partitions, and I believe him, based on my personal knowledge of his character and work.

/Shrug
 
2014-05-29 02:11:43 PM  

RexTalionis: It's weird that they included instructions to use closed-source Microsoft BitLocker instead.


I found that very odd.
 
2014-05-29 02:36:56 PM  
The Truecrypt webpage is completely different now, and there are no longer any binaries to download except for 7.2, which I would NOT trust. The prevailing theory at Slashdot is that the authors got an NSA ultimatum to allow them to backdoor their software and rather than comply have chosen to shut down. I would never trust BitLocker to protect my stuff from the government.
 
2014-05-29 03:22:05 PM  
I'll give you a 3 letter guess.
 
2014-05-29 03:32:53 PM  

NutWrench: The Truecrypt webpage is completely different now, and there are no longer any binaries to download except for 7.2, which I would NOT trust. The prevailing theory at Slashdot is that the authors got an NSA ultimatum to allow them to backdoor their software and rather than comply have chosen to shut down. I would never trust BitLocker to protect my stuff from the government.


Ms. Angelou taught us why the caged bird sings, the diffs in this code - which cut out most of the product's encryption-related functionality with big friendly calls to AbortProcess ("INSECURE_APP"); -- teach us how the caged bird sings, especially if that caged bird were small and yellow like a canary.

Technically, the new release should comply with the requirements of any hypothesized request from the powers that be, and the proffered "explanation" about originally intending to support only XP is just as minimally truthful. If the hypothesis of a warrant canary is correct, General Clapper should be proud: they're merely following his moral lead in giving the least-dishonest answer.
 
2014-05-29 03:33:06 PM  
Back before you were allowed to export crypto out of the country, I set up an international VPN using German crypto software.  I'm not sure I'd trust any American made crypto at this point.
 
2014-05-29 04:05:13 PM  
Do we have a reasonable alternative at this point(besides Bitlocker)?
 
2014-05-29 04:15:17 PM  

InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?


It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.
 
2014-05-29 04:16:10 PM  

InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?


Symantec Endpoint Encryption, formerly GuardianEdge Encryption, is the officially supported product by the Information Technology department of the university where I am employed.

/I use BitLocker on the computers that I support.
 
2014-05-29 04:21:12 PM  

Walker: I'll give you a 3 letter guess.


NSA.

They did the same as Lavabit did. The dead canary.


We must assume Truecrypt 7.1a is safe. And that's the last version that will be released.

---

NSA can force people not to tell the truth, i.e. Lavabit, however they can't force them to not just shut the whole thing down rather than complying with NSA.

Yeah, they stopped because Windows XP wasn't supported anymore. Nice sarcasm.
 
2014-05-29 04:21:46 PM  

InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?


ROT13. Or, if you're really paranoid, do a double ROT13.
 
2014-05-29 04:22:33 PM  

InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?


Truecrypt 7.1a is safe, as far as we know.

It's been audited, and is still being audited.

Whatever pressure the NSA is using on them happened after the release of that.
 
2014-05-29 04:23:58 PM  

spawn73: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

Truecrypt 7.1a is safe, as far as we know.

It's been audited, and is still being audited.

Whatever pressure the NSA is using on them happened after the release of that.


And if the pressure is "We can bypass 7.1a; don't fix this exploit that we are using?"
 
2014-05-29 04:24:33 PM  

NutWrench: The Truecrypt webpage is completely different now, and there are no longer any binaries to download except for 7.2, which I would NOT trust. The prevailing theory at Slashdot is that the authors got an NSA ultimatum to allow them to backdoor their software and rather than comply have chosen to shut down. I would never trust BitLocker to protect my stuff from the government.


7.2 doesn't matter, because it can't encrypt. It can only decrypt, so you can go to something "safe" like Bitlocker.

Which of course isn't available on OSX and Linux.

The sarcasm on the webpage is very strong. It's NSA.
 
2014-05-29 04:27:28 PM  

RexTalionis: It's weird that they included instructions to use closed-source Microsoft BitLocker instead.


Not really, because that's the worst advice possible, given that OSX and Linux users can't use it.

It's in line with suggesting this is related to Microsoft not supporting Windows XP.

---

NSA has given them a gag order.

There's a reason why people keep mentioning the dead canary. This is the dead canary.

---

Myself, I'm encrypting everything with Truecrypt 7.1a, now that I know NSA is shiatting itself over it.
 
2014-05-29 04:31:10 PM  

NutWrench: The prevailing theory at Slashdot is that the authors got an NSA ultimatum to allow them to backdoor their software and rather than comply have chosen to shut down.


This is the most likely scenario, IMO. The whole announcement screams dead canary.
 
2014-05-29 04:32:12 PM  

sendtodave: spawn73: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

Truecrypt 7.1a is safe, as far as we know.

It's been audited, and is still being audited.

Whatever pressure the NSA is using on them happened after the release of that.

And if the pressure is "We can bypass 7.1a; don't fix this exploit that we are using?"


Well.

It has been audited. And is being audited again.

Encrypting with cascades is theoretically safe, as in, that can't be broken.

Anyways, I'm not a terrorist so I don't think it applies. But all the same, encryption is well understood. There's no theoretical backdoor to be found, especially not using cascades.
 
2014-05-29 04:36:01 PM  

cannotsuggestaname: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.


The Feds have been able to crack PGP for at least 10 years.
 
2014-05-29 04:37:09 PM  
Shoulda read further down the thread before posting the dead canary redundancy.
 
2014-05-29 04:37:30 PM  

Marcus Aurelius: Back before you were allowed to export crypto out of the country, I set up an international VPN using German crypto software.  I'm not sure I'd trust any American made crypto at this point.


I'd trust it more than another in-house solution. The NSA is pretty excited about the Taliban moving to its own encryption system because it probably has numerous flaws to be exploited.
 
2014-05-29 04:39:30 PM  
Lead developer garroted by the NSA.

That's my guess.
 
2014-05-29 04:39:44 PM  

spawn73: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

Truecrypt 7.1a is safe, as far as we know.

It's been audited, and is still being audited.

Whatever pressure the NSA is using on them happened after the release of that.


It's been partially audited.  I believe they did a code review and found no major security concerns there, but it hadn't gone through cryptanalysis yet.  Apparently the audit is to continue, as it was funded via Kickstarter and they're still sitting on the ~30K or so raised.
 
2014-05-29 04:41:44 PM  
i.imgur.com
 
2014-05-29 04:42:42 PM  

ferretman: cannotsuggestaname: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.

The Feds have been able to crack PGP for at least 10 years.


I hope they tell the NSA how they're able to do that, since they can't.

And we know for a fact that NSA can't decrypt PGP because of Snowden (and also because "we" understand how PGP works).
 
2014-05-29 04:43:52 PM  
So, if you can get a hold of an earlier version of TrueCrypt then it would be good to use, right?
 
2014-05-29 04:44:00 PM  

China White Tea: spawn73: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

Truecrypt 7.1a is safe, as far as we know.

It's been audited, and is still being audited.

Whatever pressure the NSA is using on them happened after the release of that.

It's been partially audited.  I believe they did a code review and found no major security concerns there, but it hadn't gone through cryptanalysis yet.  Apparently the audit is to continue, as it was funded via Kickstarter and they're still sitting on the ~30K or so raised.


Hopefully this will make people kick in some money.
 
2014-05-29 04:44:19 PM  
img.fark.net

With everyone and their brother releasing internal NSA documents at this point, if the team was threatened by the NSA, why wouldn't they just go public with it? It's already a juicy news story as it is, so you might as well blow the whistle.
 
2014-05-29 04:45:27 PM  
They ran out of bananas.
 
2014-05-29 04:46:15 PM  

ferretman: cannotsuggestaname: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.

The Feds have been able to crack PGP for at least 10 years.


Got a citation for that?  Zimmermann doesn't think they have, and as far as crypto expertise is concerned, I'm at least vaguely inclined to trust him over a random Farker.
 
2014-05-29 04:47:39 PM  

Mad_Radhu: if the team was threatened by the NSA, why wouldn't they just go public with it?


Because being in federal prison sucks?
 
2014-05-29 04:47:42 PM  

Destructor: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.


Three letters at the beginning of three words gives a good clue.

InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?


On Linux, there's LUKS and tc-player. Some distros (CentOS, Ubuntu, and Fedora in particular) make it easy to set up LUKS encrypted disks during installation.
 
2014-05-29 04:48:49 PM  
Since it is open source someone will probably just fork it.
 
2014-05-29 04:50:34 PM  

Hand Banana: Mad_Radhu: if the team was threatened by the NSA, why wouldn't they just go public with it?

Because being in federal prison sucks?


For what crime?
 
2014-05-29 04:51:21 PM  

China White Tea: ferretman: cannotsuggestaname: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.

The Feds have been able to crack PGP for at least 10 years.

Got a citation for that?  Zimmermann doesn't think they have, and as far as crypto expertise is concerned, I'm at least vaguely inclined to trust him over a random Farker.


I think he's thinking of RSA. PGP is still secure.

http://en.wikipedia.org/wiki/RSA_BSAFE
 
2014-05-29 04:52:16 PM  

Fubegra: Destructor: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

Three letters at the beginning of three words gives a good clue.


That is the dumbest idea and biggest stretch I have ever seen on fark.
 
2014-05-29 04:53:47 PM  

China White Tea: ferretman: cannotsuggestaname: InterruptingQuirk: Do we have a reasonable alternative at this point(besides Bitlocker)?

It depends on your OS and needs.... GPG/PGP is always an option.

also you can check out this site for some alternatives.

The Feds have been able to crack PGP for at least 10 years.

Got a citation for that?  Zimmermann doesn't think they have, and as far as crypto expertise is concerned, I'm at least vaguely inclined to trust him over a random Farker.


In 2003-04 a Secret Service agent told me.
 
2014-05-29 04:54:33 PM  

Mad_Radhu: Hand Banana: Mad_Radhu: if the team was threatened by the NSA, why wouldn't they just go public with it?

Because being in federal prison sucks?

For what crime?


Ever hear of a gag order or secret subpoena? There is a reason the Warrant Canary exists. If they order you not to disclose something and you do, you're farked.
 
2014-05-29 04:56:45 PM  
Anyone got a good link to a 7.1a they'd be willing to put up?
 
2014-05-29 04:57:28 PM  

Mad_Radhu: With everyone and their brother releasing internal NSA documents at this point, if the team was threatened by the NSA, why wouldn't they just go public with it? It's already a juicy news story as it is, so you might as well blow the whistle.


A little thing called the National Security Letter. It prevents you from going public with what the NSA demands from you. You can't even speak to your lawyer about it, let alone the public. See the Lavabit shutdown for reference.
 
2014-05-29 04:59:01 PM  

Mad_Radhu: Hand Banana: Mad_Radhu: if the team was threatened by the NSA, why wouldn't they just go public with it?

Because being in federal prison sucks?

For what crime?


Under the terms of a national security letter, you can't disclose it.  A few companies are big enough to tell them to shove it, but most can't.  Thanks Patriot Act.
 
2014-05-29 05:01:14 PM  

shda5582: Anyone got a good link to a 7.1a they'd be willing to put up?


https://dl.dropboxusercontent.com/u/6166579/TrueCrypt%20Setup%207.1a.exe
 
2014-05-29 05:03:42 PM  

mediablitz: NutWrench: The prevailing theory at Slashdot is that the authors got an NSA ultimatum to allow them to backdoor their software and rather than comply have chosen to shut down.

This is the most likely scenario, IMO. The whole announcement screams dead canary.


Except the developers in the "TrueCrypt Foundation" are 100% anonymous and only maintain a chain of trust through their keys. There is evidence that at least 1 of the developers was/is in the Czech Republic as a trademark for TrueCrypt was taken out there.

Yeah, TrueCrypt is 'open source' but the driving group behind development is completely unknown to the outside world, they have a bizarre license that might prevent forks of the existing code, and they've shut everything down just as the TrueCrypt audit is moving to the actual cryptographic code (the audit started with the boot loader).

The NSL/dead canary theory is all well and good, but it ignores the possibilities the developers behind TrueCrypt very well might:
A) not be US citizens at all and so not subject to an NSL
B) might have been the NSA or another state actor all along, and TrueCrypt was backdoored from the very beginning, and they're shutting down just as the audit is poised to discover this.

There's also the fact that there hasn't been an update to the project since 2012 and the builds apparently required software that only runs on XP, so it might just be the developers pulling the plug on a moribund project.

One thing is for sure: the chain of trust with TrueCrypt is broken and will never be regained. Even 7.1a should be considered highly suspect until the code audit is finished (Matthew Green has said they are going to go ahead and finish the audit anyway since they have the money).

As it is - anonymous developers and all - we will probably never know why they pulled the plug in such a bizarre manner. Hopefully the audit will prove conclusively one way or another if TrueCrypt was an honest effort or a baited trap, but it won't be done for months yet.
 
2014-05-29 05:05:58 PM  

CtrlAltDestroy: So, if you can get a hold of an earlier version of TrueCrypt then it would be good to use, right?


That's what I am thinking. You can still get 7.1a from various download services.
 
2014-05-29 05:07:14 PM  

Hand Banana: shda5582: Anyone got a good link to a 7.1a they'd be willing to put up?

https://dl.dropboxusercontent.com/u/6166579/TrueCrypt%20Setup%207.1a.exe


Thanks.  Wasn't sure if I had a copy at home or not.
 
2014-05-29 05:10:04 PM  

shda5582: Anyone got a good link to a 7.1a they'd be willing to put up?


http://download.cnet.com/TrueCrypt/3000-2092_4-10527243.html

Sure, everyone's still hosting it. :)

CNET put a warning up, but it's still there.
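Several posts above point at third-party mirrors (a Dropbox share, CNET) for the 7.1a installer. A copy from a mirror is only worth as much as the check you run on it: the digest has to come from somewhere you trusted before the shutdown, not from the mirror page itself, and the detached PGP signature should still be checked against the TrueCrypt Foundation key you already had. What follows is an added example, not code from this thread or from the TrueCrypt project; it checks a file against a caller-supplied SHA-256, and EXPECTED_SHA256 is a placeholder because this page does not record the real 7.1a digest.

```python
"""Check a TrueCrypt 7.1a download from a third-party mirror against a
SHA-256 you recorded before the shutdown.  Added example, not code from
this thread or from the TrueCrypt project.  EXPECTED_SHA256 is a
placeholder: this page does not record the real 7.1a digest."""
import hashlib
import hmac
import os
import tempfile

# Placeholder (assumption): substitute the digest you noted from the
# original truecrypt.org download page or a trusted pre-shutdown archive.
EXPECTED_SHA256 = "0" * 64


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so large installers stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 equals expected_hex.

    Rejects malformed digests up front (a truncated or mis-pasted hash must
    fail loudly rather than silently mismatch) and compares with
    hmac.compare_digest, the habit you want anywhere a digest is checked.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected digest must be 64 hex characters")
    actual = sha256_file(path)
    return hmac.compare_digest(actual.encode(), expected.encode())


def known_answer():
    """Sanity-check the hasher against the published SHA-256 of b'abc'."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "abc.bin")
        with open(p, "wb") as f:
            f.write(b"abc")
        return sha256_file(p)


def demo():
    """Constructed demo: a stand-in installer verifies against the digest
    recorded from it, and a copy with one byte changed does not."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "TrueCrypt Setup 7.1a.exe")
        bad = os.path.join(d, "tampered.exe")
        payload = b"MZ" + b"\x90" * 4096          # constructed stand-in bytes
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + b"\x00")        # last byte flipped
        recorded = sha256_file(good)               # what you would have noted earlier
        return verify_download(good, recorded), verify_download(bad, recorded)


if __name__ == "__main__":
    print("known answer ok:", known_answer().startswith("ba7816bf"))
    ok, tampered = demo()
    print("mirror copy verifies:", ok, "| tampered copy verifies:", tampered)
```

Run it as `python verify_7_1a.py` after replacing EXPECTED_SHA256 and calling `verify_download("TrueCrypt Setup 7.1a.exe", EXPECTED_SHA256)`. A matching digest tells you the mirror copy is byte-identical to whatever you hashed earlier; it says nothing about whether 7.1a itself is sound, which is the question the audit posts in this thread are about.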
 
2014-05-29 05:14:56 PM  
Elegy:

The NSL/dead canary theory is all well and good, but it ignores the possibilities the developers behind TrueCrypt very well might:
A) not be US citizens at all and so not subject to an NSL
B) might have been the NSA or another state actor all along, and TrueCrypt was backdoored from the very beginning, and they're shutting down just as the audit is poised to discover this.

The reach of NSA goes, especially, into Eastern Europe.

There's also the fact that there hasn't been an update to the project since 2012 and the builds apparently required software that only runs on XP, so it might just be the developers pulling the plug on a moribund project.

Yeah, and since we have the source code. Nope.
 
2014-05-29 05:17:30 PM  

BlackKaiser: Mad_Radhu: With everyone and their brother releasing internal NSA documents at this point, if the team was threatened by the NSA, why wouldn't they just go public with it? It's already a juicy news story as it is, so you might as well blow the whistle.

A little thing called the National Security Letter. It prevents you from going public with what the NSA demands from you. You can't even speak to your lawyer about it, let alone the public. See the Lavabit shutdown for reference.


Yes, but there are supposedly limits to what can be obtained by an NSL. They can only obtain non-content information like metadata on users, so it can't just be used for anything nefarious without violating the letter of the law. If they came forward with the NSA making threats, it could create a HUGE media circus on top of what Snowden has released, and would create a much thornier situation for the NSA/FBI because publicly prosecuting them would open a huge can of congressional hearing worms that they probably don't want to deal with. If the NSA can't legally force Microsoft to give out the metadata of an Office 365 user, I'm not sure they could shut down something like TrueCrypt without a huge legal fight breaking out.
 
Displayed 50 of 140 comments

This thread is archived, and closed to new comments.