It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
TrueCrypt ending development
page: 1share:
Unsettling for anyone who is using TrueCrypt:
No details as to what happened if anything to prompt the warnings or as to why a group so obsessed with remaining open source is now advocating you use Microsofts BitLocker.
TrueCrypt Homepage
Folks seem to think the TrueCrypt page was hacked:
Hacker News
reddit
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.
No details as to what happened if anything to prompt the warnings or as to why a group so obsessed with remaining open source is now advocating you use Microsofts BitLocker.
TrueCrypt Homepage
Folks seem to think the TrueCrypt page was hacked:
Hacker News
edit on 28-5-2014 by
thisguyrighthere because: (no reason given)
a reply to: thisguyrighthere
probably the guy developing it uses XP as his base system for development and as such if the OS is no longer classed as secure it would be remiss of him to not warn you of the risks and can't be arsed to sort out the crap needed and has pointed users at a solution which at least is supported by OS updates
probably the guy developing it uses XP as his base system for development and as such if the OS is no longer classed as secure it would be remiss of him to not warn you of the risks and can't be arsed to sort out the crap needed and has pointed users at a solution which at least is supported by OS updates
People should have two computers. One computer that *IS* connected to the internet, and a computer that *ISNT* connected to the internet.
Any kind of word processing, image manipulation/creation, programming, web design, ect should be done on that machine and it NEVER touches the interwebs.
You could use encrypted flash drives to move files back and forth, but make sure to scan them every time. Hell, in fact have a 3rd computer that simply acts as a virus/trojan detector between the internet connected computer and your offline computer. Only hook the intermediary computer to the net to download virus definitions...
Oh, and run something like Linux and build your own machine(s) yourself.
That, and put everything inside a huge faraday cage. Yes, they can read what is on your screen by translating the RF "static" that your monitor gives off.
Any kind of word processing, image manipulation/creation, programming, web design, ect should be done on that machine and it NEVER touches the interwebs.
You could use encrypted flash drives to move files back and forth, but make sure to scan them every time. Hell, in fact have a 3rd computer that simply acts as a virus/trojan detector between the internet connected computer and your offline computer. Only hook the intermediary computer to the net to download virus definitions...
Oh, and run something like Linux and build your own machine(s) yourself.
That, and put everything inside a huge faraday cage. Yes, they can read what is on your screen by translating the RF "static" that your monitor gives off.
One of the guys in charge of the security audit has no idea what's going on:
So it doesnt appear to be related to any found security flaw.
Matthew Green @matthew_d_green
I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite
So it doesnt appear to be related to any found security flaw.
ah, having a look its probably that to access a truecrypt area you need the password and its always been held in memory when a system is running and
now XP is EOL I bet that that they can't guarantee its security so its either all or nothing
Too lazy to read the source code but Truecrypt used random masking if the descryption is correct.
Linux used to use RTDSC instructions to gather memory heat noise across clock lines, but it was probably watered down.
Besides this TrueCrypt also fills the volume with random data as is explained in the previous section. To create all these random data is the task of the random number generator which TrueCrypt implements. The random number generator of TrueCrypt is based on a paper written by Peter Gutmann in 19989. It makes use of mouse positions and times of events like mouse clicks or keyboard entries. These data are practically unpredictable. On a Linux system random values from the pseudo devices /dev/random and /dev/urandom are added to these data. To date there are no known attacks against this random number generator. But a paper by Kelsey, Schneier, Wagner and Hall10 where similar though simpler pseudo-random number generators were analyzed evinces that such
Linux used to use RTDSC instructions to gather memory heat noise across clock lines, but it was probably watered down.
Or maybe it's never been as secure as some people think since some think it was a government run operation:
originally posted by: thisguyrighthere
Folks seem to think the TrueCrypt page was hacked:
Open Source Crypto TrueCrypt Disappears With Suspicious Cloud Of Mystery
I've never used truecrypt, though I've read about it. However while I was uncertain of government involvement in truecrypt, I'm pretty certain of government involvement with Microsoft, so I'm not sure I'd totally trust bitlocker either.
Jake Williams, SANS Instructor and Principle at Rendition InfoSec phrased this a little better than I, “ I’ve long suspected that a government was behind TrueCrypt . The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code”. To further make the point the older versions of the code have been removed forcing people to the new version. Despite my feeling that this is an odd but genuine announcement I would not recommend downloading this version and would wait for clarity on the motives, changes and back out strategy.
The site might have been hacked but I'm not sure; time will tell.
Agreed, and they don't really specify which application Linux users should switch to, like they specify bitlocker for Windows.
It's a cross-platform program so the demise of XP being a reason to end development seeing as how it exists for Mac and Linux doenst make any sense.
a reply to: MystikMushroom
Sounds like good advice for military grade security. Years ago I read about someone hacking into Microsoft source code, and that it was a big security problem for Microsoft. I was wondering why they had it on a computer connected to the internet. They should have followed your advice and kept it on a computer not connected to the internet.
The Faraday cage might be a bit much for home use but it's a good idea to have some security in place even at home. Then again some people put enough on their Facebook to make it pretty easy to guess their passwords (like pet names) or even steal their identity, so there's more to security than just running encryption software.
... supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.
Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more more details.
Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank.
Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.
Link
Something isn't right.
edit on 5/29/2014 by roadgravel because: format
Thinking out of the box.
IF truecrypt was genuinely secure, then there would obviously be agencies out their spreading bs to create distrust of truecrypt.
I dont use it myself. I have two pc's, one never on line, and the other thats goes on line is full of bs files that will keep THEM happy for many a month
IF truecrypt was genuinely secure, then there would obviously be agencies out their spreading bs to create distrust of truecrypt.
I dont use it myself. I have two pc's, one never on line, and the other thats goes on line is full of bs files that will keep THEM happy for many a month
originally posted by: roadgravel
a reply to: VoidHawk
Are the two machines on a network?
Wonder if this group was NSA from the start. They sure are not talking which should make long time users uncomfortable.
No!
It can be quite awkward sometimes, like I recently installed Unity (game editor) and to get updates and addons requires allowing it to connect to unity's website. Took me a while to figure that one out
I think the NSA or foreign equivalent got to TC. The whole thing is just too odd for an average situation.
The NSA stopped fighting TrueCrypt at some point...with that, it destroyed the faith I had in that system being secure. They don't STOP fighting what
they can't crack (PGP comes to mind)
After what we know NSA did to compromise other 'secure' systems (which WOULD have been secure, had they not had work arounds written into them) I don't trust anything for true comp security.
I heard a Government computer expert in the 90's say the only secure computer is one in a bank vault, underground, on independent power and with no one in the room with it ...and even that, may not be entirely secure. I think he was naively optimistic. lol...
After what we know NSA did to compromise other 'secure' systems (which WOULD have been secure, had they not had work arounds written into them) I don't trust anything for true comp security.
I heard a Government computer expert in the 90's say the only secure computer is one in a bank vault, underground, on independent power and with no one in the room with it ...and even that, may not be entirely secure. I think he was naively optimistic. lol...
One possibility that occurred to me, is that truecrypt developers might have been asked, pressured, coerced, or maybe even ordered to put in a backdoor, and rather than do this, they decided to end support. The reason I thought of this is I was reading the Freenet developer's blog saying that the UK was trying to pass a law that could have forced him to put a backdoor in Freenet and he would have also been given a gag order so he couldn't say anything about it.
originally posted by: roadgravel
I think the NSA or foreign equivalent got to TC. The whole thing is just too odd for an average situation.
He said that before he would put in a back door, he would just stop supporting it and the gag order couldn't prevent that. So when I look at the parallels, what Truecrypt just did looks a lot like what the Freenet developer said he'd do if he was forced to make it insecure. The UK law never passed as far as I know, but who knows what kind of secret orders could have come from some secret court that we don't even know much about? They don't even need orders, just look at how they destroyed the life of the Qwest CEO when he refused spy on customers illegally as the spies asked. All they really have to do is raise that type of threat.
So yeah, it's fishy and this idea is of course one possibility, assuming TC didn't already have a back door.
Interesting, because I noticed the same thing about PGP, and had the same suspicions about Truecrypt.
originally posted by: Wrabbit2000
The NSA stopped fighting TrueCrypt at some point...with that, it destroyed the faith I had in that system being secure. They don't STOP fighting what they can't crack (PGP comes to mind)
edit on 29-5-2014 by Arbitrageur because: clarification
It seems that TC is built using visual studio by MS for the windows version so who knows how many backdoors could be slipped in quite merrily at
compile time and no one would notice especially as the functions used for this sort of thing are not going to be the most commonly used ones so a
review of the code itself would be fine and pas muster via a peer review but without being able to check the source code for the libraries/compilers
etc who knows what can slip in
Ken Thompson has written (1984) about the backdoor he put in the C compiler at one point.
By having the compiler insert the backdoor code into itself, the old binary of the compiler alters the recompile of the compiler. The change would not be reflected in the source code of the compiler.
By having the compiler insert the backdoor code into itself, the old binary of the compiler alters the recompile of the compiler. The change would not be reflected in the source code of the compiler.
new topics
-
Supreme Court Oral Arguments 4.25.2024 - Are PRESIDENTS IMMUNE From Later Being Prosecuted.
Above Politics: 23 minutes ago -
Krystalnacht on today's most elite Universities?
Social Issues and Civil Unrest: 32 minutes ago -
Chris Christie Wishes Death Upon Trump and Ramaswamy
Politicians & People: 59 minutes ago -
University of Texas Instantly Shuts Down Anti Israel Protests
Education and Media: 3 hours ago -
Any one suspicious of fever promotions events, major investor Goldman Sachs card only.
The Gray Area: 5 hours ago -
God's Righteousness is Greater than Our Wrath
Religion, Faith, And Theology: 9 hours ago
top topics
-
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News: 14 hours ago, 11 flags -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues: 15 hours ago, 5 flags -
Sunak spinning the sickness figures
Other Current Events: 14 hours ago, 5 flags -
Electrical tricks for saving money
Education and Media: 12 hours ago, 4 flags -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 16 hours ago, 3 flags -
Krystalnacht on today's most elite Universities?
Social Issues and Civil Unrest: 32 minutes ago, 3 flags -
Any one suspicious of fever promotions events, major investor Goldman Sachs card only.
The Gray Area: 5 hours ago, 2 flags -
University of Texas Instantly Shuts Down Anti Israel Protests
Education and Media: 3 hours ago, 2 flags -
Supreme Court Oral Arguments 4.25.2024 - Are PRESIDENTS IMMUNE From Later Being Prosecuted.
Above Politics: 23 minutes ago, 1 flags -
Chris Christie Wishes Death Upon Trump and Ramaswamy
Politicians & People: 59 minutes ago, 0 flags
active topics
-
University of Texas Instantly Shuts Down Anti Israel Protests
Education and Media • 45 • : CriticalStinker -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues • 67 • : Consvoli -
Truth Social goes public, be careful not to lose your money
Mainstream News • 129 • : matafuchs -
Krystalnacht on today's most elite Universities?
Social Issues and Civil Unrest • 2 • : marg6043 -
Remember These Attacks When President Trump 2.0 Retribution-Justice Commences.
2024 Elections • 56 • : WeMustCare -
Candidate TRUMP Now Has Crazy Judge JUAN MERCHAN After Him - The Stormy Daniels Hush-Money Case.
Political Conspiracies • 743 • : WeMustCare -
British TV Presenter Refuses To Use Guest's Preferred Pronouns
Education and Media • 148 • : Consvoli -
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News • 44 • : ByeByeAmericanPie -
New whistleblower Jason Sands speaks on Twitter Spaces last night.
Aliens and UFOs • 59 • : baablacksheep1 -
1980s Arcade
General Chit Chat • 27 • : alwaysbeenhere2