Security Experts Looking To Possibly Fork And Rescue TrueCrypt

from the not-a-surprise dept

People are still trying to figure out what the hell happened with TrueCrypt suddenly announcing that development had stopped and that the code was not secure. However, as people sort that out, the same folks who were leading the charge on the TrueCrypt audit have announced that they're looking into the possibility of picking up the TrueCrypt project and running with it themselves. The idea would be to complete the security audit, but then start managing a fork of the project themselves. They haven't fully committed to this, but it sounds like that's what they'd like to do. Yet another example of how open source projects are quite handy.

Reader Comments


  1.  
    madasahatter (profile), May 29th, 2014 @ 9:14pm

    Interesting

    The greatest strength of OS code, someone else can fork the project and continue.

     


  2.  
    David Dowdle (profile), May 29th, 2014 @ 9:14pm

    Words can't express how much I hope they do this.
    Good encryption software should be available to all.

     


  3.  
    Anonymous Coward, May 29th, 2014 @ 9:24pm

    Yet another example of how open source projects are quite handy.


    You've misspelled hardy.

     


  4.  
    Anonymous Coward, May 29th, 2014 @ 10:01pm

    SourceForge: Where projects go to live out their three-year lifespans, then die.

    Because imply-development-is-really-hard-here. Or in this case, a new twist! "You don't need this software really, use Microsoft's"

     


  5.  
    Todd Knarr (profile), May 29th, 2014 @ 10:13pm

    Grain of salt

    Before I'd trust a fork, I'd want an idea of why the original developers considered it insecure in the first place. I'd think if they just didn't have the resources or interest to maintain it, they'd say they were ceasing to maintain it rather than make an ambiguous statement about security. And there's more than one security risk. If it were something like they were ordered to hand over copies of the private key used to sign binaries, rendering TrueCrypt vulnerable to government-created "official" versions, that can be dealt with in several ways. If it's a case of TrueCrypt being unable to protect the data against interception within Windows on its way to the application, there's nothing anyone can do about that and it has to be mitigated against in other ways. And if finally there really is some obscure and fatal flaw in the basic design or coding of TrueCrypt that makes it inherently vulnerable, we'd need to know what it is so we know any new maintainers have in fact fixed it before we could trust the new fork.

    I'd note one interesting indirect attack: use methods that'll cause the most secure projects to declare themselves at risk without letting them say why, letting paranoia push users into switching to software maintained by less scrupulous companies who'll stay quiet about their software being compromised until forced by outside discovery of the compromise.

     


  6.  
    vancedecker (profile), May 29th, 2014 @ 10:24pm

    Re: Grain of salt

    Prior to posting this, did you do any research whatsoever?

    Even a small google search would have revealed that it's obviously a disinformation campaign by the NSA dirty tricks office.

    Do you really think any real programmer would encourage you to migrate to a Microsoft product? THINK!

    With that said, one thing that people haven't really addressed is that if you haven't committed a crime, then you cannot be parallel constructed into Jail.

    Parallel Construction only works if you are breaking the law.

     


  7.  
    vancedecker (profile), May 29th, 2014 @ 11:20pm

    Re: Spread love with assorted flower gifts

    I sent my girlfriend flowers from France, and now I am homeless.

     


  8.  
    vancedecker (profile), May 29th, 2014 @ 11:20pm

    Re: Spread love with assorted flower gifts

    I sent my girlfriend flowers from France, and now I am homeless.

     


  9.  
    vancedecker (profile), May 29th, 2014 @ 11:20pm

    Re: Spread love with assorted flower gifts

    I sent my girlfriend flowers from France, and now I am homeless.

     


  10.  
    vancedecker (profile), May 29th, 2014 @ 11:21pm

    Dear Techdirt...

    ...Please fix your antiquated commenting system.

     


  11.  
    Anonymous Coward, May 30th, 2014 @ 12:32am

    >suddenly announcing that development had stopped and that the code was not secure.
    Is it even a question? Everyone knows who is behind this. It was the beloved Dictator, Commander in chief, Admiral, General, CEO, President of the Free Democratic Peoples Federal Republic of America.

     


  12.  
    Anonymous Coward, May 30th, 2014 @ 12:40am

    Re: Re: Spread love with assorted flower gifts

    I sent my girlfriend to France with a homeless man, they sent me flowers.

     


  13.  
    Anonymous Coward, May 30th, 2014 @ 12:58am

    Re:

    There are potentially much more nefarious reasons why the TrueCrypt devteam have decided to do this, from NSA chicanery to simple developer drama llama ninjas.

     


  14.  
    Violated (profile), May 30th, 2014 @ 1:30am

    I hope this is true, since nothing helps TrueCrypt more than some encryption security experts.

    TrueCrypt is a truly beautiful program. Small and very portable, cross-platform, easy to use, good advice and powerful encryption features.

    As long as TrueCrypt lives on I would never use another.

     


  15.  
    vancedecker (profile), May 30th, 2014 @ 1:56am

    Re:

    Bush hasn't been president for years!

     


  16.  
    vancedecker (profile), May 30th, 2014 @ 1:58am

    Re:

    Well don't download any recent versions, they have been subverted. I would hold on to any copies you have now and wait for things to possibly get sorted out.

     


  17.  
    Richard (profile), May 30th, 2014 @ 2:44am

    Re: Grain of salt

    Before I'd trust a fork, I'd want an idea of why the original developers considered it insecure in the first place.

    Before I'd trust a fork, I'd want an idea of why the original developers or somebody impersonating them, said that they considered it insecure in the first place.

    Because that is all we actually know.

     


  18.  
    andre, May 30th, 2014 @ 2:47am

    TrueCrypt 7.1a download + complete archive with source code and information

    For all looking for the current secure release + older versions and sources and some additional information, I recently made a website about the whole events with a data archive. All files with hashes for download.

    Visit http://www.truecrypt71a.com for further information.

     


  19.  
    Anonymous Coward, May 30th, 2014 @ 3:00am

    Re: Re: Grain of salt

    But everyone in America is breaking the law all the time courtesy of overcriminalization. Mass surveillance is really dangerous in a climate of overcriminalization.

     


  20.  
    Rich Kulawiec, May 30th, 2014 @ 3:32am

    Re: Grain of salt

    "Before I'd trust a fork, I'd want an idea of why the original developers considered it insecure in the first place."

    I would guess that (in part) the just-completed first part of the audit might have something to do with it.

    There's a good summary of events and theories here: https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff
    (UPDATE: now includes response from developer)

    You can download the entire source tree (using "git clone") from here: https://github.com/DrWhax/truecrypt-archive

    Steve Gibson summarizes here: http://steve.grc.com/2014/05/28/whither-truecrypt/

    There's a how-to that explains how to check the signature here: http://www.akselvoll.net/2014/05/how-to-securely-download-truecrypt-71a.html

    There's an interesting commentary here: http://bradkovach.com/2014/05/the-death-of-truecrypt-a-symptom-of-a-greater-problem/

    Bill Cole (one of the most seasoned people on the 'net) has a terrific observation here: http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908

     


  21.  
    doug, May 30th, 2014 @ 4:08am

    Gibson's new summary & links page

     


  22.  
    Rich Kulawiec, May 30th, 2014 @ 4:42am

    Re: Gibson's new summary & links page

    Well, the developers are certainly correct about Bitlocker: nobody who's serious about security would even consider using Windows, so for those people who insist on doing so anyway...let them use Bitlocker, it's only the second-worst decision they've made.

    I do hope the neo-Truecrypt project takes that to heart and excises all support for Windows. Supporting an inferior operating system is a lot of work, and takes away resources that could be better spent elsewhere. The focus should be entirely on 'nix-based systems.

     


  23.  
    Anonymous Coward, May 30th, 2014 @ 5:11am

    Re: Re: Re: Grain of salt

    It's actually one of the hallmarks of a pre-fascist state.

     


  24.  
    Anonymous Coward, May 30th, 2014 @ 5:20am

    fix license issue first

    TrueCrypt is not FOSS. They'll need to fix the license issue first. I'm guessing they'll have to deal with removing and replacing the contended E4M-derived code before they can be in the clear about forking it. This is assuming the current developers want to allow forking the original portions of the code.

     


  25.  
    alternatives(), May 30th, 2014 @ 5:46am

    Re: Re: Re: Re: Grain of salt

    Pre-fascist? Benito had the following to say:

    “Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power”

    “The definition of fascism is the marriage of corporation and state”

    "Fascism, the more it considers and observes the future and the development of humanity, quite apart from political considerations of the moment, believes neither in the possibility nor the utility of perpetual peace.”

     


  26.  
    Anonymous Coward, May 30th, 2014 @ 5:58am

    "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
    .............................^N..^S.....^A.........

    Hidden message?

     


  27.  
    doug, May 30th, 2014 @ 6:06am

    Re: fix license issue first

    There is a forked version already. I don't know all the details of the license issues.

    "The realcrypt application in the RPM Fusion repo is an encryption application based on truecrypt, freely available at http://www.truecrypt.org/. It differs from truecrypt in only the following ways:

    "- The name truecrypt is changed to realcrypt throughout the application, as requested by the truecrypt License:

    " -All original graphics are replaced with entirely original new ones, as requested by the truecrypt License:"

    -more-

    "It does not differ from truecrypt in any other respect; in particular, no code relating to actual encryption or decryption is modified. Nevertheless, the truecrypt License requires that we ask you to report any and all bugs you find to [https://bugzilla.rpmfusion.org/ RPM Fusion's Bugzilla] and not to the truecrypt project."

    Source -- http://rpmfusion.org/Package/realcrypt

     


  28.  
    The Wanderer (profile), May 30th, 2014 @ 7:08am

    Re: Dear Techdirt...

    This sort of bare comment isn't really helpful. What exactly about the Techdirt comment system do you see as antiquated, or otherwise problematic?

    I think it's one of the better ones I've seen in current use. About the only thing I could point to as unambiguously improvable about it is the fact that posting a new comment takes you to a different page, and you have to go "back" to continue reading from where you left off.

    (There are of course quite a few of what I might call "ambiguously improvable" things, i.e., things which if changed in the way I have in mind might end up better, or worse, or even just different after all.)

     


  29.  
    John Fenderson (profile), May 30th, 2014 @ 8:16am

    Re: Grain of salt

    "I'd want an idea of why the original developers considered it insecure in the first place."

    We don't know that they did. All we have is an anonymous statement signed by an old cert. We have no assurance that any of this came from the developers.

     


  30.  
    John Fenderson (profile), May 30th, 2014 @ 8:20am

    Re: Re: Gibson's new summary & links page

    The problem with BitLocker isn't that it runs on Windows, it's that it uses the Windows crypto API. It's certainly possible to have strong encryption in Windows. Just not using BitLocker.

     


  31.  
    Anonymous Coward, May 30th, 2014 @ 8:52am

    Re: Re:

    I believe it is in reference to the New Bush...

    ...The New Bush is Bush^Bush. (^ - to the power of)

     


  32.  
    Rich Kulawiec, May 30th, 2014 @ 9:11am

    Re: Re: Re: Gibson's new summary & links page

    "The problem with BitLocker isn't that it runs on Windows [...]"

    Yes. It is. People who care about security and privacy do not use Windows (a) because it's a maldesigned piece of junk with an enormous and still-growing litany of baked-in security problems and (b) it's closed-source, which means if it's backdoored -- and I think there's a fair chance that it is -- that it will be very difficult to discover that.

    If you want at least a modicum of security, then make a better choice in OS. But please, let's not even put "Windows" and "security" in the same room together.

     


  33.  
    weneedhelp (profile), May 30th, 2014 @ 9:25am

    It would be

    one kickstarter project I would actually support.

     


  34.  
    John Fenderson (profile), May 30th, 2014 @ 9:27am

    Re: Re: Re: Re: Gibson's new summary & links page

    I don't disagree, basically (although it is certainly possible to run a secure Windows installation, it takes more work and skill than most people are willing to invest. It's easier just to use a more secure OS from the start.) But we're talking about two different things. I'm talking about the security of the crypto, not the OS.

     


  35.  
    Anonymous Coward, May 30th, 2014 @ 10:44am

    Re: Re: Gibson's new summary & links page

    "... nobody who's serious about security would even consider using Window ..."

    Bruce Schneier uses Windows on a regular basis (Google it), so your statement is incorrect.

     


  36.  
    weneedhelp (profile), May 30th, 2014 @ 11:19am

    Re: Re: Grain of salt

    Don't trust the fork... he ran away with the spoon. Devilish bastard.

     


  37.  
    vancedecker (profile), May 30th, 2014 @ 12:28pm

    Re: Re: Grain of salt

    People are really dense here.

     


  38.  
    vancedecker (profile), May 30th, 2014 @ 12:30pm

    Re: Re: Dear Techdirt...

    Scroll up.

    Let's ignore the WHY of why my comment got posted THREE times and just deal with the consequences. There is no delete button for starters.

    So their buggy code, which causes that to occur in the first place, cannot even be manually corrected.

    So that would be my first complaint.

     


  39.  
    Anonymous Coward, May 31st, 2014 @ 2:12am

    Re: Re:

    Thanks for your advice. We'd all be lost without you.

     


  40.  
    Anonymous Coward, May 31st, 2014 @ 2:15am

    Re: TrueCrypt 7.1a download + complete archive with source code and information

    Just to put this out there, you can get older versions from:

    http://www.oldversion.com/windows/truecrypt/

    http://filehippo.com/download_truecrypt/

     


  41.  
    Anonymous Coward, May 31st, 2014 @ 2:16am

    Re: Re: Re: Re: Re: Gibson's new summary & links page

    You're referring to the security of the implementation, not the crypto itself (AES).

     


  42.  
    John Fenderson (profile), May 31st, 2014 @ 12:06pm

    Re: Re: Re: Re: Re: Re: Gibson's new summary & links page

    Yes, I was talking in shorthand.

     


  43.  
    Not Paranoid at All, May 31st, 2014 @ 6:44pm

    Peazip for encryption

    Is there anything fundamentally wrong with using PeaZip for AES 256-bit encryption? Just for containers.

    PeaZip is open source and quite widely used.

     


  44.  
    Anonymous Coward, May 31st, 2014 @ 8:01pm

    Backdoors can be anywhere including open source s/w

    The problem for s/w developers today is that all systems can be "backdoored" without the backdoor existing in the source code of the application you are compiling.

    Any toolchain in use can be compromised without the source code being compromised. All it takes is to generate a single compiler that inserts the backdoor into any system in a specific manner and all compilers and all applications generated thereafter can be compromised.

    When we look at something like *ix systems, at some point we need to use a binary to compile the source code of the compilers we use. All it takes is a single infestation into a distribution to propagate that infection.

    To get around this, it requires knowing the provenance of all code within the system, including any binaries that are in use.

    Of course, it goes without saying that to do this requires real skill, foresight and knowledge. This is not necessarily the domain of any of our security forces/organisations.

     


  45.  
    BeeAitch (profile), May 31st, 2014 @ 8:23pm

    Re: Re: Re: Grain of salt

    It's OK vancedecker, everyone's a winner.

    Now come and get your retard hug. :)

     


  46.  
    Anonymous Coward, May 31st, 2014 @ 10:36pm

    Re: Re: Gibson's new summary & links page

    Great - let's only allow protection to the informed and clever and leave the unwashed masses without any.

    That was sarcasm, and you sir are an elitist snob.

    We should support good encryption EVERYWHERE and let people make their choice regardless of what OS they use.

     


  47.  
    Anonymous Coward, Jun 1st, 2014 @ 5:21am

    Re: Backdoors can be anywhere including open source s/w

    Any toolchain in use can be compromised without the source code being compromised. All it takes is to generate a single compiler that inserts the backdoor into any system in a specific manner and all compilers and all applications generated thereafter can be compromised.

    I presume you are referring to the Ken Thompson hack. All such hacks are liable to discovery as a system evolves and better debugging tools become available. Also, they are liable to failure when the underlying system changes. Such hacks have to be targeted to very specific routines, and have to assume that neither the routine name nor the required actions change. Relying on any external code introduces another point of failure. All code that is not maintained will fail due to external changes at some point in time.
    Note one extreme weakness of such hacks: they cannot keep their insertions hidden from a reverse assembler, as it is always possible to write a reverse assembler and compile it without the hack being able to detect it, never mind change it. Similarly, with open source, it is always possible to add logging code to the kernel that the hack cannot detect and bypass. Code that did not exist prior to the hack being implemented, or was never available to the person carrying out the hack, cannot be modified by the hack.

     


  48.  
    Anonymous Coward, Jun 1st, 2014 @ 8:39am

    Re: Re: Backdoors can be anywhere including open source s/w

    Agreed, they are not completely hidden (particularly with reverse assemblers), but the thing here is that with the various optimisations that compilers do, various signatures in the object code can be recognised to place the compromised object code accordingly.

    Any part of the toolchain can be compromised accordingly for this kind of purpose up to and including the linkers and loaders.

    We see enough problems with source code having errors, let alone trying to determine what is actually happening with the object code generated.

    The problem is that most people "trust" that the tools they are using are okay and don't go that extra 100 miles to check the binary code generated.

    I know that in my youth I would set aside time to examine the binary code produced particularly if strange errors were being obtained. But these days, for the kind of stuff I do, I don't put in such time as I have other things that need to be done.

    All I am saying is that backdoors can be put in without any changes being made to the source code.

     


  49.  
    DaveHowe (profile), Jun 2nd, 2014 @ 4:51am

    Audit guys are backpedaling a bit but..

    Or at least this guy:
    https://twitter.com/matthew_d_green/

    His original tweet was:
    "We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build."
    But later followed up with:
    "Just for the record, we are not 'forking Truecrypt'. We plan to audit it and perhaps organize (financial) support around such an effort."

    Now, there IS a fork in the process of creation over at http://truecrypt.ch/ but as it is in the early stages of the process, and the Audit guys have yet to complete the rest of their study of the app crypto, it would be better to leave this on the back-burner until we know what bugs need to be fixed....

     


  50.  
    vancedecker (profile), Jun 7th, 2014 @ 2:25am

    Re: Re: Re:

    If you were depending on me, then you would still be home.

     


  51.  
    T (profile), Jul 4th, 2014 @ 5:05am

    Has it not occurred to people that they may very well have said it wasn't secure *because* they were no longer going to maintain it—not because they were aware of any flaws?

     


  52.  
    cool bed covers, Dec 4th, 2014 @ 11:00pm

    IDEAL Homes

    I love your well-written post, your article helped me to get some ideas.
    Thanks for sharing this amazing post,
    Click here: http://idealhomeinterior.com/

     


  53.  
    Frok, Dec 18th, 2014 @ 11:38pm

    Re: oratio

    Can money express it? Have you considered putting this where that is in the form of a bounty?

     


  54.  
    Frok (profile), Dec 18th, 2014 @ 11:45pm

    shhh itty bitty soft fascism

    Gag orders are [redacted]

     
