"Using TrueCrypt is not secure..."

Page 3 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Red Squirrel

No Lifer
May 24, 2003
71,304
14,081
126
www.anyf.ca
Yeah I still find this is very fishy. I have a feeling the government is involved somehow, and the devs' lives are at risk. They probably can't tell the truth about the situation.
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
I have thought quite a bit about whether torture would make me release my password for my encrypted computers. I've come to the conclusion that I would probably die anyway so screw 'em! They won't get the password. Death doesn't scare me either as a man of faith. That's pretty powerful when you think about it. Most don't want to die; I, on the other hand, can give a rats azz. One world to the next. But the point is, if the bastard government told me to shut down the TC project or else, well, you know, I would tell them where to go. Just like people who are threatened when they see crashed alien aircraft and hop on over to Area-51. I would tell the feds to suck on it.
 

Fox5

Diamond Member
Jan 31, 2005
5,957
7
81
Bruce Schneier uses Truecrypt and for all we know he could be a Dev of TC. After all, he only helped make Blowfish and Twofish. I will monitor Bruce Schneier's blog and see what he recommends after TC's demise.

Schneier's recommendation is Symantec's encryption product.

But at that point, I'd say Apple or Microsoft is as trustworthy as Symantec.

For people who are so concerned about the unauditability of those solutions...well...why are you using Windows? Switch to Linux and use the native Linux encryption solution. Heck, Android and ChromeOS use it too.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
Schneier's recommendation is Symantec's encryption product.

But at that point, I'd say Apple or Microsoft is as trustworthy as Symantec.

For people who are so concerned about the unauditability of those solutions...well...why are you using Windows? Switch to Linux and use the native Linux encryption solution. Heck, Android and ChromeOS use it too.
Symantec PGP is, as far as I know, open for audit, as PGP is open source in nature.

However, it's a little pricey at $100 a year for each device. Once your sub runs out your drive will be decrypted after 90 days. You are paying for support and it's more geared towards business than personal/home use.

Currently I'm using DMCrypt/LUKS on my Linux installs as I have always done. I'm still mulling over which product to use on my Windows machines.
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,835
4,815
75
"Rage quit" confirmed?

Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
Quoting TrueCrypt Developer David: “There is no longer interest.”

If the "duress canary" was set up right, inaction would cause it to appear. So it would be the default result of a "rage quit". So maybe they were too sick of the project to bother with anything better?
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
Thinking about things some more, I think that rage quit is probably close to the answer; perhaps, not so much "rage quit" as "boredom quit".

The market for encryption products is crowded, with many commercial products offering various certifications, support, etc. There are also other open source crypto systems with better support options (truecrypt never offered support, and in general has not been willing to offer support even on a paid basis), albeit not as capable as truecrypt.

Further, truecrypt is known to have relatively poor code quality (not so much as to significantly affect security, but enough to make it a serious problem to maintain); certainly, I once had a look through the code a while ago, and I found significant parts almost impenetrable. Further, it has a long list of known bugs; it may well be that these simply aren't feasibly fixable without a total rewrite.

So the problem then is, just who is using truecrypt? Business-oriented editions of Windows support bitlocker, so corporate/govt customers will tend to be using a supported/certified system. The only people for whom truecrypt is indispensable are those who need a cross-platform encrypted container - a niche market indeed, when in most use cases an encrypted ZIP/RAR file is more easily handled. The other people using truecrypt will tend to be home users, who rarely are willing to donate for the cost of the software.

I suspect that the developers simply lost interest or found the bug fixes simply too hard - and without any money coming in via donations, they decided that it wasn't worth continuing.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
Thinking about things some more, I think that rage quit is probably close to the answer; perhaps, not so much "rage quit" as "boredom quit".

The market for encryption products is crowded, with many commercial products offering various certifications, support, etc. There are also other open source crypto systems with better support options (truecrypt never offered support, and in general has not been willing to offer support even on a paid basis), albeit not as capable as truecrypt.

Further, truecrypt is known to have relatively poor code quality (not so much as to significantly affect security, but enough to make it a serious problem to maintain); certainly, I once had a look through the code a while ago, and I found significant parts almost impenetrable. Further, it has a long list of known bugs; it may well be that these simply aren't feasibly fixable without a total rewrite.

So the problem then is, just who is using truecrypt? Business-oriented editions of Windows support bitlocker, so corporate/govt customers will tend to be using a supported/certified system. The only people for whom truecrypt is indispensable are those who need a cross-platform encrypted container - a niche market indeed, when in most use cases an encrypted ZIP/RAR file is more easily handled. The other people using truecrypt will tend to be home users, who rarely are willing to donate for the cost of the software.

I suspect that the developers simply lost interest or found the bug fixes simply too hard - and without any money coming in via donations, they decided that it wasn't worth continuing.
I'd say you're spot on!
 

owensdj

Golden Member
Jul 14, 2000
1,711
6
81
Mark, I wouldn't say that business-oriented versions of Windows support Bitlocker. The Pro version of Windows 7 does not, and that's a big percentage of the business desktop install base. Being able to standardize on one encryption software like TrueCrypt is also a big plus for organizations that support a mixed Windows, MacOS, and Linux environment.
 

fleshconsumed

Diamond Member
Feb 21, 2002
6,486
2,363
136
Sure it is. The pen trap order was for a specific account. Lavabit refused to provide it, and then provided only encrypted information. So they got a warrant for the SSL key. Just because the key opens a bunch of other stuff too doesn't mean they are not allowed to use it to open stuff covered by the pen trap order. In applying for it they agreed it would only be used to access the information sought.

Look, I get that lots of people don't like it. But the law is actually pretty clear here. With probable cause for a warrant an email provider can be required to provide the contents of an account. If the contents are encrypted they can be required to decrypt it. And just because Lavabit set up their system so that the only way they could comply was by handing over the SSL key doesn't mean they don't still have to comply.

https://s3.amazonaws.com/s3.documentcloud.org/documents/1114251/lavabit-usca4-op.pdf

http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

I guess it depends on whom you believe more. Feds say they only wanted metadata and only for a specific person. Levison says they wanted access to all customer data from the get go. Given the past history I wouldn't trust NSA/feds on this matter.
 

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

I guess it depends on whom you believe more. Feds say they only wanted metadata and only for a specific person. Levison says they wanted access to all customer data from the get go. Given the past history I wouldn't trust NSA/feds on this matter.

I think they collect it ALL, and save it forever, then data mine the archive for specific people when they want to.

 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,300
68
91
www.frostyhacks.blogspot.com

owensdj

Golden Member
Jul 14, 2000
1,711
6
81
It looks like this will be the rally point for those who want to possibly fork TrueCrypt into a full OSS project. Two guys in Switzerland are organizing this.

http://truecrypt.ch/
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
It looks like this will be the rally point for those who want to possibly fork TrueCrypt into a full OSS project. Two guys in Switzerland are organizing this.

http://truecrypt.ch/
Shoot, this is the problem with forks and splinters, some dork on tcNext (Truecrypt.ch) forums already declares that he is going to bring GeekCrypt forth. I expect the tree to look like Linux pretty quick:

[Image: Desbian.png]
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I expect the tree to look like Linux pretty quick

Maybe not quite that bad. But, I agree, if it is decided/accepted (or maybe even not) that the TC license allows for the source to be modified/re-used by anyone other than the TrueCrypt Foundation, then we will most likely see many more forks than are necessary. Also, there are a limited number of developers that even have the ability to comprehend the code, let alone maintain it...so stability, usability, and longevity may be a serious problem.
 

owensdj

Golden Member
Jul 14, 2000
1,711
6
81
I think people will support what looks like, over time, the best fork, the same as with most Open Source projects.
 

PokerGuy

Lifer
Jul 2, 2005
13,650
201
101
Any updates on this story? I find it fascinating. The simplest solution (the developers just being done with it) sounds fine but it doesn't explain recommending bitlocker (which is closed source and almost certainly compromised) or any other closed source product. It would have made much more sense to just say "look, we've taken this as far as we want to, we're done, and be advised that there could be issues with security of this product since it's not being maintained anymore". That would have made perfect sense. Pushing bitlocker or some other (likely) compromised product smells like a warrant canary, but that's just pure speculation.

I will continue to use tc 7.1a unless anything significant is found in the audit. I don't mind paying for a product either, but only if it is open source -- I don't think it makes sense to trust anyone with encryption unless it's transparent (open).
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
Any updates on this story? I find it fascinating. The simplest solution (the developers just being done with it) sounds fine but it doesn't explain recommending bitlocker (which is closed source and almost certainly compromised) or any other closed source product. It would have made much more sense to just say "look, we've taken this as far as we want to, we're done, and be advised that there could be issues with security of this product since it's not being maintained anymore". That would have made perfect sense. Pushing bitlocker or some other (likely) compromised product smells like a warrant canary, but that's just pure speculation.

I will continue to use tc 7.1a unless anything significant is found in the audit. I don't mind paying for a product either, but only if it is open source -- I don't think it makes sense to trust anyone with encryption unless it's transparent (open).
Bitlocker is a fine choice for most people. It's not a bad recommendation. It's going to keep almost anyone out of your stuff. If you have something to hide or are breaking the law, then it might not be the best choice in case it does have a backdoor.

I would also argue that you would have to have done something horrendous to get Microsoft to unlock your BitLocker locked drive. Like something against US national security, or something that can indirectly affect it, or enough that your government would pay Microsoft/NSA a lot of money for them to open it up.

Once the cat is out of the bag the product is dead. It would also demolish Microsoft's reputation. They would lose billions.
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
BitLocker's a bit lacking to me.

How do I relock a drive after unlocking it?
You would use manage-bde, the command line tool. No idea why it's not included in the GUI.

So for example:
manage-bde -lock d:

You can also get info on the drive as well.
manage-bde -status

Normally used on Server-Core installs, but works in Windows 7/8 as well.
 

WelshBloke

Lifer
Jan 12, 2005
33,601
11,738
136
You would use manage-bde, the command line tool. No idea why it's not included in the GUI.

So for example:
manage-bde -lock d:

You can also get info on the drive as well.
manage-bde -status

Normally used on Server-Core installs, but works in Windows 7/8 as well.
Yeah, it's astoundingly user-unfriendly for a Microsoft product.
Best if you have a TPM module present. But what sort of drive, a flash drive? External HDD? Simply disconnect it and it's locked.
Just one particular internal HDD.
 

readymix

Senior member
Jan 3, 2007
357
1
81
Yeah, it's astoundingly user-unfriendly for a Microsoft product.

Just one particular internal HDD.


Depends how you implement BitLocker, fully or partially. Or, to say, tied to the system drive and operated in concert with or independent of the system drive, or not tied to the system drive.

An example of the hard way after encryption (one batch file to suspend the protectors, one to turn them back on):
BitlockerOn.bat
run as administrator> c:\windows\system32\manage-bde -protectors -enable d:
BitlockerOff.bat
run as administrator> c:\windows\system32\manage-bde -protectors -disable d:
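As an added example (not posted by anyone in this thread), the manage-bde -lock / -status / -protectors steps above generalised into one script: it re-locks every unlocked BitLocker data volume, skips the OS volume, and flags any volume whose protectors are currently disabled. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; on Windows 7 the equivalent calls are the manage-bde commands quoted in the thread.

```powershell
# Added example, not from the thread. Requires the BitLocker module and an
# elevated prompt; Lock-BitLocker mirrors "manage-bde -lock X: -ForceDismount".
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Lock-DataVolumes {
    param([switch]$WhatIfOnly)   # report what would happen without locking anything
    $report = @()
    foreach ($vol in Get-BitLockerVolume) {
        $entry = [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Type       = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Lock       = $vol.LockStatus
            AutoUnlock = $vol.AutoUnlockEnabled
            Action     = 'none'
        }
        # The running OS volume cannot be locked from inside Windows; skip it.
        if ($vol.VolumeType -eq 'OperatingSystem') { $report += $entry; continue }
        # Plain, unencrypted volume: nothing to lock.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { $report += $entry; continue }
        # ProtectionStatus 'Off' on an encrypted volume means the protectors were
        # suspended (manage-bde -protectors -disable): the volume key sits on disk
        # in the clear, so locking achieves nothing until they are re-enabled.
        if ($vol.ProtectionStatus -eq 'Off') {
            $entry.Action = 'protectors suspended; run Resume-BitLocker'
            $report += $entry; continue
        }
        if ($vol.LockStatus -eq 'Unlocked') {
            if ($WhatIfOnly) {
                $entry.Action = 'would lock'
            } else {
                # -ForceDismount closes open handles so the lock cannot be refused.
                Lock-BitLocker -MountPoint $vol.MountPoint -ForceDismount | Out-Null
                $entry.Action = 'locked'
            }
            # A locked data volume with auto-unlock enabled is unlocked again at
            # next logon; note it so the operator can decide whether that is wanted.
            if ($vol.AutoUnlockEnabled) { $entry.Action += ' (auto-unlock still on)' }
        }
        $report += $entry
    }
    return $report
}

# Dry run first; drop -WhatIfOnly to actually lock the volumes.
Lock-DataVolumes -WhatIfOnly | Format-Table -AutoSize
```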