
The Sudden Policy Change In Truecrypt Explained

Posted by timothy
from the maybe-your-canary-needs-a-canary dept.
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
  • Re:That's not proof! (Score:2, Interesting)

    by mmell (832646) <mike.mell@gmail.com> on Sunday June 01, 2014 @02:30PM (#47142493)
    Wow, they implemented the canary on their website? That by itself is major league cool!

    I am however very sorry to hear that TrueCrypt may be going away. I personally use LUKS (being a Linux user), but this is still bad news for end users in the computing community.

  • by hsmith (818216) on Sunday June 01, 2014 @02:43PM (#47142569)
    U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...

    The message is clear what happened.
  • by Anonymous Coward on Sunday June 01, 2014 @02:52PM (#47142617)

    "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

  • by NotSanguine (1917456) on Sunday June 01, 2014 @02:55PM (#47142641) Journal

    No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.

    Some semi-random tweeter is reposted on some random blog? I don't think so.

    It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?

  • by Noah Haders (3621429) on Sunday June 01, 2014 @03:07PM (#47142701)
    This is actually a link to an interesting article, not goatse. It's an editorial about how the most recent full version of TrueCrypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.

    Still doesn't answer the question of whether it's like LavaBit. TrueCrypt may be just as secure as it was last week, but maybe it's also been owned by the NSA from day one.
  • Re:That's not proof! (Score:5, Interesting)

    by arglebargle_xiv (2212710) on Sunday June 01, 2014 @03:19PM (#47142777)

    Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

    It's someone who has been active in the crypto/security community for a while now. Personal details are pretty scarce (i.e. it could be a front for the NSA for all anyone knows), but the persona has been active in crypto. If you want something to Google on, try "alyssa rowan cryptography".

  • More speculation (Score:4, Interesting)

    by Lost Race (681080) on Sunday June 01, 2014 @03:42PM (#47142881)

    There's nothing in TFA that hasn't been speculated in great detail already.

    No explanation totally makes sense. Here's my working model of what happened (all speculation of course):

    The project has been gradually disintegrating over the last few years -- developers leaving and not being replaced, remaining developers having less time to spend on the project for whatever reason, and the perceived reward for fixing increasingly difficult bugs is not enough to keep people interested. It's just not fun any more.

    The to-do list has some really nasty bugs that are difficult to fix and could potentially compromise all TC containers. The remaining developers in the project have been grinding away at these bugs, but haven't made much progress for reasons outlined above. They realized that the project was going to fizzle out before they got anything fixed. A cursory look at the 7.2 code suggests that they had committed to some major rewriting of the code, and bit off more than they could chew.

    At this point, what can they do? Reporting the vulnerabilities would be irresponsible since no fixes are forthcoming. Lives depend on some of the secrets their software keeps. Best to push people gently away from TC until the problems can be fixed, if ever, while keeping the details of the vulnerabilities as secret as possible, and giving people realistic expectations about the future of TC development (i.e. none).

    They probably had a plan for creating a migration plan that actually made sense, but ran out of resources before finishing, and decided to go with what they had on hand. At this point they were probably down to one very part-time developer and maybe a few unreliable volunteers. ("Hey Jim, where's that page you were writing about Linux FDE? Jim? Hello? Anybody there?")

    There was really no good way forward with the resources remaining, so they did the best they could.

    Why didn't they find someone else to take over the project? I guess they tried, but couldn't find anyone in their immediate circle of trust who was willing and able. Perhaps they felt that expanding their circle of trust would jeopardize their anonymity.

    On the other hand....

    "WARNING: Using TrueCrypt is *not *secure *as ..."

  • by swb (14022) on Sunday June 01, 2014 @03:52PM (#47142927)

    I'm surprised there hasn't been a Kickstarter setup to re-implement TrueCrypt from the ground up.

    What would be the dollar cost to hire a team of developers to do it?

  • Re:still speculation (Score:5, Interesting)

    by tero (39203) on Sunday June 01, 2014 @04:29PM (#47143119)

    Two guys, working over a decade without funding, etc.

    Ennead was 29 in 2005 (http://www.wolfmanzbytes.com/windows/70-truecrypt-encryption.html) and they obviously developed it in their free time.

    Fast forward from that to today and you've got a couple of middle-aged devs, probably with more demanding careers and perhaps even families, maybe with young kids.

    They started it as a Windows project, when Windows was...a completely different beast than it is today.

    It's no wonder TrueCrypt didn't get very many (any?) releases in the past couple of years.

    It's certainly a very interesting way to exit stage.

  • Re:Speculation (Score:5, Interesting)

    by Aighearach (97333) on Sunday June 01, 2014 @04:36PM (#47143157) Homepage

    Not really, when the project used an incompatible license all along and while marginally "open source," they were clearly taking a hostile stance towards other FLOSS projects, as nobody could integrate their work with anything else.

    In that context their explanation makes perfect sense; they didn't do it for love of FLOSS, they did it because there were no other portable options that included support for all Windows versions. Without XP, that ceases being true.

    As a supporter of Free Software that reasoning might sound lame to me, but it is very consistent. And if their whole point was to provide an option for Windows users, then recommending BitLocker is actually consistent. Having different values doesn't imply he's lying about his.

    As far as canaries go, you have to have the live bird before going into the mine, and then have the dead bird. In this case there was no live bird in advance, and there is a dead bird afterwards. Not only have we not been warned by a canary, nobody actually even claims to have seen one, dead or alive.

    The name of the person who registered a non-profit and for-profit for TrueCrypt in the US was David Morgan. That person has already verified the posted information from an email address @truecrypt, so this other person not known to be associated with TrueCrypt should be ignored.

  • by symbolset (646467) * on Sunday June 01, 2014 @05:22PM (#47143401) Journal
    The former CEO of USWest was sent to prison based on secret NSA data that could not be independently confirmed - or even discussed. That this happened shortly after he refused to cooperate with illegal NSA data collection is completely coincidental.
  • by swb (14022) on Sunday June 01, 2014 @07:22PM (#47143955)

    I think it would be great for the EFF and the ACLU to sponsor it. It would immediately cause problems for someone to get ham-handed about it.

  • Re:still speculation (Score:3, Interesting)

    by BitZtream (692029) on Sunday June 01, 2014 @08:12PM (#47144171)

    Reality check: TrueCrypt for Windows could never be trusted, even if you aren't knowledgeable enough to understand that.

    TrueCrypt was nothing more than a block device driver for Windows; it was a kernel module. Any other kernel module or the kernel itself could hook into the chain between TrueCrypt and the rest of the system and read the clear text data.

    Because of the reality of working with Windows, TrueCrypt is no more trustworthy than BitLocker on Windows. They don't need to back door the BitLocker system itself, they can just bypass it OR TrueCrypt.

  • by Zelucifer (740431) on Sunday June 01, 2014 @08:57PM (#47144315)

    Is there any proof that the contributors are even in the US and thus subject to an NSL? At least one of them seems to be from the Czech Republic (David Tesařík).

  • by duke_cheetah2003 (862933) on Sunday June 01, 2014 @09:09PM (#47144363) Homepage

    Given the anonymous nature of the TrueCrypt developers, would we even believe someone who claimed to be a dev and gave us an explanation?

    Not sure I would. I've read a lot of different articles and comments about this ordeal and I'm frankly not sure what to believe. I'm not sure if I'd believe someone if they said they were a dev.

    I know we'd all laugh if the NSA came out publicly and said "we had nothing to do with it."

  • by Jason Levine (196982) on Sunday June 01, 2014 @10:47PM (#47144695)

    Let's assume that the government would be breaking the law by NSLing the signing keys. (As opposed to the law being so mucked up that such an action is entirely legal.)

    1) What lawyer is going to be able to fight this battle against the US Government and win? Let me narrow that list down a bit. What lawyer that the TrueCrypt developers would hire would be able to fight this battle against the US Government and win?

    2) Would the TrueCrypt developers even be allowed to see a trial, or would they be arrested on "unrelated" charges and sent to prison? Or worse. (There is plenty that a power-hungry governmental agency can do to someone that says "no" to them that makes "being arrested on unrelated charges" preferable.)

  • Re:Steve Gibson (Score:5, Interesting)

    by duke_cheetah2003 (862933) on Monday June 02, 2014 @01:15AM (#47145083) Homepage

    Steve has made some mistakes in the past and over-hyped some things, but all in all, the man means well and is genuinely interested in the welfare of computer users. If you write him off just because he's made a few poor judgments in the past, well, that's your loss. He does have generally useful information and it's presented in a non-nerdy fashion so any bonehead can make sense of it. Usually.
