- Sep 15, 2008
- 5,056
- 199
- 116
TrueCrypt doesn't contain NSA backdoors
- Thread starter Chiefcrowe
- Start date
I do hope this is true but suspect the government will either find a way to shut it down or get the back door they would prefer.
Brian
Brian
blackangst1
Lifer
- Feb 23, 2005
- 22,902
- 2,359
- 126
What does this even mean? If Ive got TC 7.1 currently on my PC how will the government "shut it down"? And if there's no back door now, how would there be in the future? You realize that the TC team is no longer developing it, right?
Anyways, this is great news.
There have been a number of crypto based communication outfits that have been shut down by the government so the idea this could happen is hardly hypothetical. The way it's happened before is that the outfit is investigated by the government and then sometime later they announce they are ceasing operation and are not permitted to say why.
Beyond that, it would be impossible for mere mortals to know for sure there is no backdoors.
Brian
blackangst1
Lifer
- Feb 23, 2005
- 22,902
- 2,359
- 126
Thats true. But that doesnt invalidate TC 7.1. Its widely available if you want it. There are many many people who have looked for an alternative, but for most people, its the best solution. Mostly because its usable across all OS platforms.
As to your second paragraph, mere mortals dont even know what encryption IS. Good thing mere mortals arent the ones investigating it. And I feel confidant if a backdoor DID exist, it wouldve been used by now, and publicized. Remember the case of the guy several years ago who was busted at the Canadian border who allegedly had child porn on his laptop and it was confiscated? His TC container still to this day hasnt been cracked. And here is another case where a TC container wasnt cracked http://www.techworld.com/news/security/fbi-hackers-fail-to-crack-truecrypt-3228701/
Why would our lettered agencies spend literally years trying to crack it if a backdoor was available?
http://www.techworld.com/news/security/fbi-hackers-fail-to-crack-truecrypt-3228701/
Last edited:
Which is a completely moot point, because the TrueCrypt developers *already* shut down. "The man" can't shut down an organization that's already shut down...
The fact that the child porn guys encrypted computer hasn't been decrypted doesn't prove very much. Let's say for argument sake that the NSA does have a backdoor and can read the guys computer -- would they let the world know they have this capability to prosecute a single scumbag? If they did it would eliminate there ability to track others they're more interested in.
Now, if the NSA has a backdoor they want to keep secret then the FBI would spin there wheels OR pretend to spin there wheels.
The fact that some child porn guys computer hasn't been decrypted proves nothing!
Brian
Why is TrueCrypt shut down? Who was behind shutting it down? "The man" can't shutdown what they've already shut down.
So, in summary, it's impossible to know if there is any backdoors into TC but, if they do have one it's likely it would not be used to prosecute a pedestrian pedophile no matter how much of a scum bag he is.
Brian
It doesn't matter who shut down the project, or why, in fact it wouldn't matter if the NSA actually wrote TC in the first place. The source code for TrueCrypt 7.1 exists. It is an immutable fact. There is no such thing as "invisible ASCII ink." Vetted properly it certainly can be known whether there are backdoors are not. Whether any particular TC executable you download is necessarily free from backdoors is a different story.
Last edited:
blackangst1
Lifer
- Feb 23, 2005
- 22,902
- 2,359
- 126
PS: I don't like mass governmental surveillance any more than the next civil libertarian, but the NSA is, after all, a spy agency. If they do in fact have a backdoor no one else has found and that they also reserve for situations "more important" than convicting "mere" pedophiles, what in God's name are you so worried about anyway? If that were the case, it seems to me they might be doing something right for a change... (Not that I don't want pedophiles convicted, of course, but hopefully you got my drift...)
Last edited:
WTF are you babbling about? I'm merely stating the fact that the average Joe, even a smart coder, would not necessarily be able to detect a back door. And, it is standard spy craft to pretend you don't know something even if it means a pedestrian BG isn't prosecuted -- nothing novel or new there.
I'm not engaged in an nefarious activities, but the widespread government surveillance on EVERYBODY should be troubling to EVERYBODY.
I don't think M$ intends to leave holes in there OS or programs but there are a shit tone of them and it is well know that various spy agencies look for zero day openings and they don't always tell anyone about them as they seek to exploit them for the spying activities. That is one thing, however the NSA isn't the only out there looking for holes -- there's a world of hackers out there that are also looking for zero day exploits and they to aren't giving M$ a heads up.
When there's a hole, either an accidental one that's discovered (zero day) or a back door planted or mandated, the spy agency may feel justified in doing so for there spying job but that still leave's us exposed to hackers who are also looking to exploit them.
Grow the fuck up would you!
Brian
I normally don't descend to such depths in public, but all I can say is: You're accusing me of babbling?
:whiste:
:biggrin:Yes, I'm accusing you of babbling and here's why.
We have several voices on the issue of government spying and encryption.
On one hand you have the tin foil hat types, you know, the 9/11 truther types, the see the dark hand of the government everywhere. This group does not apply logic and they are unmoved by facts.
On the other hand we have those that deny the long arm of government spying and the method of choice is to attack those that question it by saying "what are you afraid of". That is, either accept government spying on everyone or be known as an evil doer with bad intent. Your comment about me "what in God's name are you so worried about anyway" fits this type. When you imply that being concerned about government spying suggests I have something to hide I get a little pissed about that!
Look, the question about the potential back door in TC was just a statement. You appear to claim that we KNOW TC has no back door but I contend that the average Joe can't know that. And, as you yourself point out, the file you download may not be the file you thought you downloaded which is to say, that downloading TC may actually result in a redirection so you actually wind up downloading something that is compromised. You make my point for me.
We have legitimate needs to spy on others and there is nothing new about that. During WWII we broke the Enigma code but we kept that fact a secret even when it resulted in the death of many American's. We uncovered certain information about German movements that if we'd done something about it, if we'd have warned our troops, we would have revealed our knowledge of Enigma. There is some that believe this secret cost more than a thousand lives. I would not like to have the burden of that decision on my hands but I do understand how and why it might have been done -- the greater good. In light of this fact the idea that the FBI and/or NSA would hide there ability to read TC is hardly a stretch.
Brian
We have several voices on the issue of government spying and encryption.
On one hand you have the tin foil hat types, you know, the 9/11 truther types, the see the dark hand of the government everywhere. This group does not apply logic and they are unmoved by facts.
On the other hand we have those that deny the long arm of government spying and the method of choice is to attack those that question it by saying "what are you afraid of". That is, either accept government spying on everyone or be known as an evil doer with bad intent. Your comment about me "what in God's name are you so worried about anyway" fits this type. When you imply that being concerned about government spying suggests I have something to hide I get a little pissed about that!
Look, the question about the potential back door in TC was just a statement. You appear to claim that we KNOW TC has no back door but I contend that the average Joe can't know that. And, as you yourself point out, the file you download may not be the file you thought you downloaded which is to say, that downloading TC may actually result in a redirection so you actually wind up downloading something that is compromised. You make my point for me.
We have legitimate needs to spy on others and there is nothing new about that. During WWII we broke the Enigma code but we kept that fact a secret even when it resulted in the death of many American's. We uncovered certain information about German movements that if we'd done something about it, if we'd have warned our troops, we would have revealed our knowledge of Enigma. There is some that believe this secret cost more than a thousand lives. I would not like to have the burden of that decision on my hands but I do understand how and why it might have been done -- the greater good. In light of this fact the idea that the FBI and/or NSA would hide there ability to read TC is hardly a stretch.
Brian
mikeymikec
Lifer
- May 19, 2011
- 21,007
- 16,259
- 136
Guys, do you realise that the point of the audit was to inspect the source code for a product whose source code was freely available?
Also, consider the objectives of a spy agency and therefore the techniques they're likely to use. eg. Would they try to make a completely covert attempt against it (ie. none of the TC developers know of the attempt)?
Targeting a specific machine's compiler is pointless, as the code can be (and likely was by the developers in its lifetime) compiled on other machines (though at least it has the merit of greater subtlety and makes some sense in a completely covert attempt against an open-source-style project).
Or would they try to coerce a developer into adding 'compromise code' into the project? If you have to coerce someone who is obviously quite principled (participating in an open source encryption project, what else do you expect them to be?), do you honestly expect them to do an amazing job in covering up the compromise code? Furthermore, is it reasonable to assume that a theoretically really subtle compromise could be done by your average developer with (probably) no experience in writing malicious code that has to pass for normal code when others read and contribute to it?
Or would they introduce their own developer into the project who is skilled at writing malicious yet subtle code that has to pass for normal code when others read and contribute to it? What happens when someone spots what appears to be superfluous code in a module that they know has a bug in? What happens when the malicious code is causing a bug and someone else spots it?
Next, what would be the objective of the code? AFAIK TC probably has very little code with networking functions, so some kind of network broadcast every time a new volume is created would surely be easy to spot in a code audit (as well as being easy to spot by someone watching the network stack of a client running TC). The only way that I can think of that is remotely subtle would be to try and introduce a flaw in the encryption that results in some element being easily predictable, thereby either making it very short work to brute force or at least to shorten the time by an order of magnitude. While IMO this is the most likely objective, consider that the encryption element of TC is the 'bread and butter' of the project, therefore it would be the most actively developed part of the project and therefore the most likely area for hostile code to be spotted (or again, apparently superfluous code to be spotted).
One other small point, would a spy agency want to just target a specific part of the project, let's say code that will only end up in Windows systems, or would they want to go for all platforms the project caters for? Going for the Windows one would make most sense, probably because the Windows-specific code wouldn't get as much attention as the code in the main project yet it would still probably target 80% of clients.
Another small point - a project that's being worked on by a group of developers is likely to be fairly liberally commented to make it easier to come back to. Even for my own projects (for which I'm the only contributor) I comment code that I consider to be vaguely complex with additional explanations of why I did <something unusual> so I reduce the 'WTF' factor when I come back to it later. So the commented explanations for seemingly odd code would need to make sense to another person contributing to the code.
Let's say that a completely covert attempt had been successful then was spotted by the developers, wouldn't they announce it, and welcome an audit but say that TC is offline until the audit was complete?
IMO it would be difficult to actively maintain a compromised open-source-style project. The most likely objective of this whole debacle was to stop people using TrueCrypt, and to do that IMO an agency would lean on key developers in such a way that they felt that they either have to co-operate or kill the project, so they did the latter.
Also, consider the objectives of a spy agency and therefore the techniques they're likely to use. eg. Would they try to make a completely covert attempt against it (ie. none of the TC developers know of the attempt)?
Targeting a specific machine's compiler is pointless, as the code can be (and likely was by the developers in its lifetime) compiled on other machines (though at least it has the merit of greater subtlety and makes some sense in a completely covert attempt against an open-source-style project).
Or would they try to coerce a developer into adding 'compromise code' into the project? If you have to coerce someone who is obviously quite principled (participating in an open source encryption project, what else do you expect them to be?), do you honestly expect them to do an amazing job in covering up the compromise code? Furthermore, is it reasonable to assume that a theoretically really subtle compromise could be done by your average developer with (probably) no experience in writing malicious code that has to pass for normal code when others read and contribute to it?
Or would they introduce their own developer into the project who is skilled at writing malicious yet subtle code that has to pass for normal code when others read and contribute to it? What happens when someone spots what appears to be superfluous code in a module that they know has a bug in? What happens when the malicious code is causing a bug and someone else spots it?
Next, what would be the objective of the code? AFAIK TC probably has very little code with networking functions, so some kind of network broadcast every time a new volume is created would surely be easy to spot in a code audit (as well as being easy to spot by someone watching the network stack of a client running TC). The only way that I can think of that is remotely subtle would be to try and introduce a flaw in the encryption that results in some element being easily predictable, thereby either making it very short work to brute force or at least to shorten the time by an order of magnitude. While IMO this is the most likely objective, consider that the encryption element of TC is the 'bread and butter' of the project, therefore it would be the most actively developed part of the project and therefore the most likely area for hostile code to be spotted (or again, apparently superfluous code to be spotted).
One other small point, would a spy agency want to just target a specific part of the project, let's say code that will only end up in Windows systems, or would they want to go for all platforms the project caters for? Going for the Windows one would make most sense, probably because the Windows-specific code wouldn't get as much attention as the code in the main project yet it would still probably target 80% of clients.
Another small point - a project that's being worked on by a group of developers is likely to be fairly liberally commented to make it easier to come back to. Even for my own projects (for which I'm the only contributor) I comment code that I consider to be vaguely complex with additional explanations of why I did <something unusual> so I reduce the 'WTF' factor when I come back to it later. So the commented explanations for seemingly odd code would need to make sense to another person contributing to the code.
Let's say that a completely covert attempt had been successful then was spotted by the developers, wouldn't they announce it, and welcome an audit but say that TC is offline until the audit was complete?
IMO it would be difficult to actively maintain a compromised open-source-style project. The most likely objective of this whole debacle was to stop people using TrueCrypt, and to do that IMO an agency would lean on key developers in such a way that they felt that they either have to co-operate or kill the project, so they did the latter.
Last edited:
John Connor
Lifer
- Nov 30, 2012
- 22,757
- 619
- 121
This is good news! I use Truecrypt on all my computers and on the laptops I even utilize the ATA password so you have two passwords. I also use the recommended 20 digit or more password length. I have been following the audit and a few months ago I watched a DEF CON presentation with the guys who audited TC that their next project was SSL. I can't wait for that audit. That would be something. I hope it forces ebay and paypal to use better encryption. Now ebay uses 3DES, but sometimes it goes back to crap RC4. PayPal uses AES now, but they too sometimes use RC4. Maybe it's because I allow RC4 in my browser Pale Moon with Pale Moon Commander? Even so the Cert should not downgrade. Hell! My own site uses better encryption. Boggles the mind a multimillion dollar company can't use better SSL encryption and just use AES 256.
Anyway. Here is the write up. http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
Anyway. Here is the write up. http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
John Connor
Lifer
- Nov 30, 2012
- 22,757
- 619
- 121
I never trusted TOR from the jump and to think people pay for premium. Fools! I just use a VPN with XOR AES 256 bit encryption. Looks like SSL to my ISP. I block TOR on my website. LOL!
- Sep 15, 2008
- 5,056
- 199
- 116
It also boggles my mind that big companies still support weak encryption protocols. I have tested some major sites and a few of them still support ssl 3!
John Connor
Lifer
- Nov 30, 2012
- 22,757
- 619
- 121
Yeah, I was testing my bank with ssllabs.com and they scored an F! I complained and now they are a B. My own crap website scores an A FFS! LOL! You would think a company that makes a ton of money with interest from mortgages could use better encryption.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 22K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
News NVIDIA and Intel to Develop AI Infrastructure and Personal Computing Products- Started by poke01
- Replies: 411
-
Facebook
Twitter