Encryption Government Your Rights Online

The Sudden Policy Change In Truecrypt Explained 475

Posted by timothy
from the maybe-your-canary-needs-a-canary dept.
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
  • That's not proof! (Score:5, Insightful)

    by Threni (635302) on Sunday June 01, 2014 @02:25PM (#47142457)

    You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:

    "Alyssa Rowan @AlyssaRowan
    @munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"

    Sorry, who the fuck are you?

  • by Anonymous Coward on Sunday June 01, 2014 @02:27PM (#47142473)

    ...aren't the very strange things happening enough proof?

  • Speculation (Score:5, Insightful)

    by borcharc (56372) * on Sunday June 01, 2014 @02:30PM (#47142491)

    There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well have just posted a link to the reddit thread about this.

  • Re:Nonsense (Score:0, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @02:30PM (#47142497)

    Who the fuck are you, anon? If reputation is important to you, where's your fucking reputation?

  • Re:Speculation (Score:2, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @02:38PM (#47142541)

    Ever since actual news stopped mattering and what everyone cares about is clicks (read as money).

  • Bottom Line (Score:1, Insightful)

    by msobkow (48369) on Sunday June 01, 2014 @02:46PM (#47142595) Homepage Journal

    The bottom line is that TrueCrypt was too good for "the man" to tolerate.

    You will be spied upon.

    You will be surveilled.

    You will be monitored.

    Refusing to let the government rape your data is going to be called "terrorism", and leave you locked up.

    Sickening, isn't it? George Orwell was only wrong about the year...

  • Re:Speculation (Score:5, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @02:50PM (#47142603)

    We do not need concrete information.
    When a major encryption project like this closes shop, without any explanation, duress should be assumed.
    The current climate requires it.

  • Speculation (Score:3, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @03:00PM (#47142675)

    This is Slashdot. No one cares whether something is true or not as long as it is negative towards the government. Sad really, since it diminishes any sort of real discussion about actual concerns about the government rather than made up fantasy.

  • by DERoss (1919496) on Sunday June 01, 2014 @03:10PM (#47142733)

    I never use cloud resources. Too many users have been severely inconvenienced if not outright burned by cloud services that have been hacked, suppressed by some government, gone out of business, or gone down for several hours. I keep all my data where I can access it, either on my PC or on a removable hard drive that I store remotely from my PC but easily reached.

    I encrypt my most sensitive data. No, I do not rely on some corporation's declaration: "Trust us. We are good. We will protect you." Instead, I use an OpenPGP application that has been reviewed by outside experts and that I have installed on my PC. The data on my removable hard drive are encrypted. Some of my PC files are also encrypted. My pass-phrase, without which my private key is useless for decryption, exists only in my head and in an envelope in my safe deposit box at a bank. My private key is on my PC in a non-standard location. If somehow someone else were to access my private key, I have a much greater problem than the compromise of my sensitive data.

    See my http://www.rossde.com/PGP [rossde.com]

  • Re:Speculation (Score:2, Insightful)

    by jopsen (885607) <jopsen@gmail.com> on Sunday June 01, 2014 @03:12PM (#47142741) Homepage

    There is no concrete information that the NSA or a national security letter was involved.

    Before Snowden we used to say the same thing about the NSA messing with encryption standards bodies, or the NSA conducting widespread warrantless surveillance of everybody.

    We used to think people weren't subjected to secret trials in the US. That's no longer the case; we now know for a fact that the US doesn't honor basic human rights, not for its citizens or anybody else.

    Do we really need more proof? This isn't the worst thing the NSA has attempted yet.

  • Re: Speculation (Score:3, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @03:24PM (#47142797)

    It's not necessarily the NSA you always want to protect things from. What if your laptop gets stolen, would you want the thieves to be able to look through the contents?

  • by tmosley (996283) on Sunday June 01, 2014 @03:28PM (#47142821)

    No, I think people are fine. It's governments and their poorly organized systems that cause things like this. Suggest you read "The Lucifer Effect". It's not just about prison guards. That same mentality has infiltrated the NSA and most other government offices.

  • by davydagger (2566757) on Sunday June 01, 2014 @03:50PM (#47142909)

    There is actually a code audit underway, and so far they've found nothing.

    The concept of anonymity means nothing, because we live in an age where reputation can be bought.

    All that matters is if the source code can be inspected, and if the source code matches the binaries.

    Who actually makes it does not matter as long as it's audited properly.

    stop with the FUD.

  • by NotSanguine (1917456) on Sunday June 01, 2014 @03:52PM (#47142925) Journal

    The reference to a "canary" is suspect, as it isn't discussed what that canary was.

    The canary is the fact that the "explanation" of the EOL of XP is inconsistent with the stated goals and roadmap for the product as of recently.

    If they'd wanted people to believe they'd gotten tired of the product, they'd have said "We're tired of working on this, we've changed our licensing terms, and we're releasing the code to everyone for future development."

    If you can't say why you're taking the product down, you have two alternatives: either say nothing, fueling suspicion, or lie so poorly that everyone's suspicions are raised even higher.

    The government can compel you to neither confirm nor deny any secret orders from any secret courts. (This also ought to be intolerable in a free society, but we're well past that tipping point.) What it cannot do is require that you be a sufficiently good liar that anyone believes your explanation. They can't charge you for not mentioning the secret court's secret letter because to do so would expose said letter's existence, which is precisely what the government wants hidden in the first place. Warrant canaries are a legal catch-22 of the government's own making.

    Yes, it's suspicious. Yes, the suggestions make little or no sense to anyone with technical knowledge.

    As I said, the report might be accurate.

    However, extraordinary claims require extraordinary evidence. I see no evidence. At all. It's all supposition and guesswork. Present me with actual evidence, and I can be convinced. Until then, it's all noise and hand waving, IMHO.
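The warrant-canary mechanism discussed in the post above is only useful if someone is actually watching it. The following is an added example (not code from this thread, from TrueCrypt, or from any project named here) of the check a watcher would run: it pins the canary's exact wording, extracts the date the project stamped on it, and raises an alert when the canary is missing, reworded, replayed with an older date, or older than a refresh interval the project promised. The pinned wording, the 90-day interval, and the sample canary texts are all constructed for the example.

```python
import re
from datetime import date

# Wording pinned by the watcher when it first trusted the project (constructed sample).
PINNED_TEXT = "As of {date}, we have received no national security letters or gag orders."
# Assumption: the project promised to re-issue the statement at least quarterly.
MAX_AGE_DAYS = 90


def parse_canary(text):
    """Return the date stamped in the canary, or None if the wording
    differs from the pinned statement in any way."""
    prefix, suffix = PINNED_TEXT.split("{date}")
    pattern = re.escape(prefix) + r"(\d{4}-\d{2}-\d{2})" + re.escape(suffix)
    match = re.fullmatch(pattern, text.strip())
    if match is None:
        return None
    try:
        return date.fromisoformat(match.group(1))
    except ValueError:  # well-formed digits but not a real date
        return None


def check_canary(text, today, last_seen=None):
    """Classify one fetched canary as ('OK', detail) or ('ALERT', detail).

    last_seen is the date stamped on the previous copy the watcher accepted;
    a canary dated earlier than that is a replay, not a refresh."""
    if text is None:
        return ("ALERT", "canary missing: silence is the signal")
    stamped = parse_canary(text)
    if stamped is None:
        return ("ALERT", "wording or date format differs from pinned statement")
    if last_seen is not None and stamped < last_seen:
        return ("ALERT", "date went backwards: replay of an older canary")
    age = (today - stamped).days
    if age > MAX_AGE_DAYS:
        return ("ALERT", f"stale: canary is {age} days old")
    return ("OK", f"fresh canary dated {stamped.isoformat()}")


# Constructed sample canaries, checked as of 1 June 2014.
TODAY = date(2014, 6, 1)
FRESH = "As of 2014-05-01, we have received no national security letters or gag orders."
STALE = "As of 2014-01-15, we have received no national security letters or gag orders."
REWORDED = "As of 2014-05-01, we have received no national security letters."

if __name__ == "__main__":
    for label, text in (("fresh", FRESH), ("stale", STALE), ("reworded", REWORDED), ("missing", None)):
        print(label, check_canary(text, TODAY))
```

The reworded case is the important one: a canary that quietly drops a clause ("or gag orders") still reads as reassuring to a human skimming the page, which is why the watcher compares against pinned wording rather than just looking for a date.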

  • by jopsen (885607) <jopsen@gmail.com> on Sunday June 01, 2014 @04:22PM (#47143091) Homepage

    Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you. What makes your personal life so relevant?

    So because my private life is utterly uninteresting, you suggest that I shouldn't care about giving up my human rights?

    The right to privacy is a human right...

    One might as well ask why you should care about fair trials or torture; if you're not a criminal, then why should you care? After all, why should anybody want to torture a confession out of you?
    This is not about being personally targeted or affected, it's about basic human rights.

  • Re:Speculation (Score:5, Insightful)

    by sysrammer (446839) on Sunday June 01, 2014 @04:38PM (#47143165) Homepage

    It must be sad living in a world of such heightened paranoia.

    ...sez the AC.

  • Steve Gibson (Score:4, Insightful)

    by Anonymous Coward on Sunday June 01, 2014 @04:46PM (#47143189)

    Because nobody on Slashdot would intentionally visit a link to grc.com. If you want us to visit the land of raw sockets and falling skies, you're going to have to mask the destination.

  • by Jane Q. Public (1010737) on Sunday June 01, 2014 @04:57PM (#47143243)

    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    But this raises many questions.

    (1) If Truecrypt were secure in the first place, a National Security Letter would have been of no use: the developers would be no more help decrypting something than anyone else. So in the usual context, an NSL has no point whatever.

    (2) A demand for other records, say about the developers, would also not invalidate the CODE of Truecrypt in any way.

    So that only leaves a couple of possibilities as legitimate reason for a canary: (3) Possible coercion by the government to somehow weaken their crypto.

    (4) Discovery of some prior "backdoor" that had somehow been inserted in the past.

    (5) Maybe some of the developers wanted to remain strictly anonymous and so any overtures made by the government at all created panic.

    Since the people doing the security audit have announced that it will continue, if it turned out to be (4) it will be discovered soon. Which it seems to me leaves only (3) and (5) as any kind of government "threats" that make any sense.

    Any other ideas?

  • Re:What else? (Score:4, Insightful)

    by dcollins117 (1267462) on Sunday June 01, 2014 @05:12PM (#47143347)

    The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.

    Fine. The simplest way to do that is to put a clear and unambiguous message on their webpage stating that development is frozen at version 7.1a, and the project will no longer be maintained. Instead they gave no explanations, but a very bizarre set of statements that raise more questions than they answer.

    This has the flavor of a practical joke or an unstable mind. Certainly not someone you would trust to protect your data.

    It's a shame. I really liked the application.

  • by Shawndeisi (839070) on Sunday June 01, 2014 @05:16PM (#47143363)

    I would guess that they were NSL'd for their signing keys; that would make it less secure in the future so the correct option is to burn the brand now. Reports said that both signing keys signed the new (crippled/canaried) executable, and that the keys had been re-uploaded with the same content on sourceforge. Their legit URL points to their sourceforge site. Instances of "U.S." in their source code were replaced with "United States".

    It looks to me like they went through a lot of trouble to burn the brand down before any damage could be done with the NSA's new-found signing keys. It's a very, very bad sign that this happened to TrueCrypt. Good on them for being brave enough to inform us, despite the real risks they faced in doing so. If this project is forked, we can only hope the new maintainers are brave enough to do the same when the NSA goes after them. It also raises the question: how much other infrastructure has been compromised while the maintainers have stood silently by?

  • Re:Speculation (Score:5, Insightful)

    by dcollins117 (1267462) on Sunday June 01, 2014 @05:27PM (#47143429)

    What are you doing with your computer that BitLocker doesn't count as safe?

    That's none of your concern. That being said, you're kinda missing the point of privacy. The use of encryption in no way implies that you are doing anything wrong. Just the opposite - you've taken steps to ensure your data is not accessed by an unauthorized person. So in fact, you're doing something right.

  • Re:Nonsense (Score:4, Insightful)

    by fnj (64210) on Sunday June 01, 2014 @05:55PM (#47143529)

    Mod parent up. Grandparent AC is a moron. It's the signing keys, not some nonexistent master decrypt key.

    If the thugs have the signing keys, they could, a couple of months from now, themselves have brought out a new "improved" (but completely compromised) 7.3 masquerading as an improved, updated, security-patched TrueCrypt.
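The scenario in the post above (a hostile party holding the release-signing keys and shipping a signed but compromised "7.3") is exactly the case a signature check alone cannot catch, because a valid signature proves only that whoever holds the key signed the file. The following is an added example, not code from this thread or from TrueCrypt, of a release-acceptance check that also requires the artifact's hash to be vouched for by a quorum of independent parties (the auditors, for instance). HMAC stands in for the asymmetric signature so the example runs on the Python standard library; the key, the two-party quorum, the build bytes and the attestations are all constructed.

```python
import hashlib
import hmac

# Constructed stand-in for the project's release-signing key.  HMAC is used
# only so the example runs on the standard library; a real release uses an
# asymmetric signature, and the acceptance logic below is unchanged.
PROJECT_KEY = b"constructed-release-signing-key"
QUORUM = 2  # assumption: require two independent parties to vouch for a hash


def sign(artifact, key):
    """Stand-in release signature over the artifact bytes."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_ok(artifact, sig, key):
    return hmac.compare_digest(sign(artifact, key), sig)


def attesting_parties(artifact, attestations):
    """Names of independent parties whose published SHA-256 matches this artifact."""
    digest = hashlib.sha256(artifact).hexdigest()
    return sorted(name for name, h in attestations.items() if hmac.compare_digest(h, digest))


def accept_release(artifact, sig, key, attestations, quorum=QUORUM):
    """Return ('ACCEPT' | 'REJECT', reason).

    The signature is necessary but not sufficient: a stolen key yields a
    perfectly valid signature, so the hash must also be independently attested."""
    if not signature_ok(artifact, sig, key):
        return ("REJECT", "signature does not verify")
    vouched = attesting_parties(artifact, attestations)
    if len(vouched) < quorum:
        return ("REJECT", f"signed, but only {len(vouched)} of {quorum} independent attestations")
    return ("ACCEPT", "signature valid and hash attested by " + ", ".join(vouched))


# Constructed samples: the audited 7.1a build, and a later "7.3" that the key
# holder (whoever that now is) signed but that no independent party has attested.
AUDITED_BUILD = b"truecrypt-7.1a-constructed-bytes"
SUSPECT_BUILD = b"truecrypt-7.3-constructed-bytes"
ATTESTATIONS = {
    "auditor_a": hashlib.sha256(AUDITED_BUILD).hexdigest(),
    "auditor_b": hashlib.sha256(AUDITED_BUILD).hexdigest(),
}

if __name__ == "__main__":
    for version, build in (("7.1a", AUDITED_BUILD), ("7.3", SUSPECT_BUILD)):
        print(version, accept_release(build, sign(build, PROJECT_KEY), PROJECT_KEY, ATTESTATIONS))
```

The point of the quorum is that the attesters publish their hashes through channels the signing key does not control, so compromising the key alone is no longer enough to push an update onto users.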

  • Interesting... (Score:4, Insightful)

    by Kythe (4779) on Sunday June 01, 2014 @06:33PM (#47143687)

    ...that everyone seems to assume the Truecrypt developer(s) were in the U.S.

  • by fnj (64210) on Sunday June 01, 2014 @07:35PM (#47144001)

    It's a good step, no doubt about it, although given recent caving [rt.com] of Swiss entities to US bullying I do not feel as ebullient as I want to.

  • Re: Speculation (Score:3, Insightful)

    by jelIomizer (3670957) on Sunday June 01, 2014 @08:09PM (#47144157)

    Secret plans? About what? If you have secret plans that the government should be interested in, then I want them to find out about it - because unless you are planning terrorist activity, there is no reason to fear so much.

    Wow. Did you seriously just use "Nothing to hide, nothing to fear"... seriously? Are you retarded, or do I have to point out that hundreds of millions of people were abused and/or murdered by governments--including the US government--throughout history? If you knew, then why do you seem so confident that people who want to keep their plans secret must be doing something immoral? History just isn't on your side, fool.

  • by Xolvix (3649657) on Sunday June 01, 2014 @08:21PM (#47144207)

    Not only that, but the trolling poster also made the assumption that you're not important, which is bullshit for the simple reason that we're ALL important to the people who love and care about us. We're important to someone - I'm important to my wife for example, and soon I'll be important to my newborn. Just because I'm not a politician or celebrity and hence known to thousands/millions of people doesn't mean I'm not important. It's all about spheres of influence - some are larger than others, but they still all matter.

    If the trolling poster honestly believes with such passion that you aren't important, it stands to reason they probably don't feel they are important either. If they can't find at least one person in their life who considers them important in some way... then I find that truly sad for the AC.

  • by Richy_T (111409) on Sunday June 01, 2014 @09:08PM (#47144355) Homepage

    We need guns. Lots of guns.

  • Re: Speculation (Score:5, Insightful)

    by Euler (31942) on Sunday June 01, 2014 @09:36PM (#47144449) Journal

    Ah, yes... "If you aren't doing anything wrong, then what do you have to worry about"
    Except there are plenty of cases of persecution if you happen to be:
      - Gay,
      - A former member of the communist party,
      - Union organizer,
      - Whistle blower,
      - Protester, objector, not in line with corporate America,
      - Catholic, Jewish, Japanese, or anything else not favorable at the time...
    None of these people are terrorists, but clearly lost their liberties, reputation, or assets when they were "outed".

  • by AmiMoJo (196126) * <[ten.3dlrow] [ta] [ojom]> on Monday June 02, 2014 @02:47AM (#47145267) Homepage

    TrueCrypt never claimed to protect you from a compromised system. The point of it was offline security. Once unmounted the contents of an encrypted container are inaccessible to anyone without the key.

    Once you understand what TrueCrypt is for you can see why it is so valuable.

  • by ray-auch (454705) on Monday June 02, 2014 @05:49AM (#47145611)

    Frankly, useless crypto kits backdoored entire time are.

    FTFY

  • by Tom (822) on Monday June 02, 2014 @06:30AM (#47145697) Homepage Journal

    It's 2014, not 1914.

    If you want to fight your government - the government that spends more money on the military than everyone else in the top 5 military spending countries combined - you don't need guns. You need stealth fighters, tanks and ICBMs.

    Good luck with your "honest people defending the country against the government" fantasy.

  • by Gavagai80 (1275204) on Monday June 02, 2014 @09:19AM (#47146483) Homepage

    In fact, sufficiently large non-violent protests would bring down the government -- if it can work in non-democracies like Egypt and Tunisia, it would certainly work in the USA. Guns would just provide the government with an excuse for terrorism charges.

  • by Anonymous Coward on Monday June 02, 2014 @10:00AM (#47146795)

    ICBMs, tanks, and stealth fighters... Totally useful in the US military's complete eradication of the Taliban, right? Asymmetric warfare is incredibly tough. You're on the enemy's home turf. You can't find them, and you're heavily outnumbered.