It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

TrueCrypt ending development

page: 1
4
<<   2 >>

log in

join
share:

posted on May, 28 2014 @ 03:10 PM
link   
Unsettling for anyone who is using TrueCrypt:


WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues



The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.


No details as to what happened if anything to prompt the warnings or as to why a group so obsessed with remaining open source is now advocating you use Microsofts BitLocker.

TrueCrypt Homepage

Folks seem to think the TrueCrypt page was hacked:

Hacker News
reddit
edit on 28-5-2014 by thisguyrighthere because: (no reason given)




posted on May, 28 2014 @ 03:19 PM
link   
a reply to: thisguyrighthere

probably the guy developing it uses XP as his base system for development and as such if the OS is no longer classed as secure it would be remiss of him to not warn you of the risks and can't be arsed to sort out the crap needed and has pointed users at a solution which at least is supported by OS updates



posted on May, 28 2014 @ 03:26 PM
link   
People should have two computers. One computer that *IS* connected to the internet, and a computer that *ISNT* connected to the internet.

Any kind of word processing, image manipulation/creation, programming, web design, ect should be done on that machine and it NEVER touches the interwebs.

You could use encrypted flash drives to move files back and forth, but make sure to scan them every time. Hell, in fact have a 3rd computer that simply acts as a virus/trojan detector between the internet connected computer and your offline computer. Only hook the intermediary computer to the net to download virus definitions...

Oh, and run something like Linux and build your own machine(s) yourself.

That, and put everything inside a huge faraday cage. Yes, they can read what is on your screen by translating the RF "static" that your monitor gives off.



posted on May, 28 2014 @ 03:33 PM
link   
One of the guys in charge of the security audit has no idea what's going on:



Matthew Green ‏@matthew_d_green

I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite


So it doesnt appear to be related to any found security flaw.



posted on May, 28 2014 @ 03:36 PM
link   
ah, having a look its probably that to access a truecrypt area you need the password and its always been held in memory when a system is running and now XP is EOL I bet that that they can't guarantee its security so its either all or nothing



posted on May, 28 2014 @ 03:39 PM
link   
a reply to: Maxatoria

It's a cross-platform program so the demise of XP being a reason to end development seeing as how it exists for Mac and Linux doenst make any sense.



posted on May, 28 2014 @ 04:06 PM
link   
Too lazy to read the source code but Truecrypt used random masking if the descryption is correct.



Besides this TrueCrypt also fills the volume with random data as is explained in the previous section. To create all these random data is the task of the random number generator which TrueCrypt implements. The random number generator of TrueCrypt is based on a paper written by Peter Gutmann in 19989. It makes use of mouse positions and times of events like mouse clicks or keyboard entries. These data are practically unpredictable. On a Linux system random values from the pseudo devices /dev/random and /dev/urandom are added to these data. To date there are no known attacks against this random number generator. But a paper by Kelsey, Schneier, Wagner and Hall10 where similar though simpler pseudo-random number generators were analyzed evinces that such

Linux used to use RTDSC instructions to gather memory heat noise across clock lines, but it was probably watered down.



posted on May, 29 2014 @ 09:10 AM
link   

originally posted by: thisguyrighthere
Folks seem to think the TrueCrypt page was hacked:
Or maybe it's never been as secure as some people think since some think it was a government run operation:

Open Source Crypto TrueCrypt Disappears With Suspicious Cloud Of Mystery

Jake Williams, SANS Instructor and Principle at Rendition InfoSec phrased this a little better than I, “ I’ve long suspected that a government was behind TrueCrypt . The code base is hugely complicated with lots of dependencies and is anything but easy to build, particularly for the Windows version. It’s a great way to obfuscate what is in the binary packages (which 99.9% of Windows users use) that may or may not be in the source code”. To further make the point the older versions of the code have been removed forcing people to the new version. Despite my feeling that this is an odd but genuine announcement I would not recommend downloading this version and would wait for clarity on the motives, changes and back out strategy.
I've never used truecrypt, though I've read about it. However while I was uncertain of government involvement in truecrypt, I'm pretty certain of government involvement with Microsoft, so I'm not sure I'd totally trust bitlocker either.

The site might have been hacked but I'm not sure; time will tell.


It's a cross-platform program so the demise of XP being a reason to end development seeing as how it exists for Mac and Linux doenst make any sense.
Agreed, and they don't really specify which application Linux users should switch to, like they specify bitlocker for Windows.

a reply to: MystikMushroom
Sounds like good advice for military grade security. Years ago I read about someone hacking into Microsoft source code, and that it was a big security problem for Microsoft. I was wondering why they had it on a computer connected to the internet. They should have followed your advice and kept it on a computer not connected to the internet.

The Faraday cage might be a bit much for home use but it's a good idea to have some security in place even at home. Then again some people put enough on their Facebook to make it pretty easy to guess their passwords (like pet names) or even steal their identity, so there's more to security than just running encryption software.



posted on May, 29 2014 @ 11:32 AM
link   


... supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.

Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more more details.

Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank.

Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.

Link


Something isn't right.
edit on 5/29/2014 by roadgravel because: format



posted on May, 29 2014 @ 11:46 AM
link   
Thinking out of the box.
IF truecrypt was genuinely secure, then there would obviously be agencies out their spreading bs to create distrust of truecrypt.

I dont use it myself. I have two pc's, one never on line, and the other thats goes on line is full of bs files that will keep THEM happy for many a month



posted on May, 29 2014 @ 12:23 PM
link   
a reply to: VoidHawk

Are the two machines on a network?

Wonder if this group was NSA from the start. They sure are not talking which should make long time users uncomfortable.



posted on May, 29 2014 @ 12:42 PM
link   

originally posted by: roadgravel
a reply to: VoidHawk

Are the two machines on a network?

Wonder if this group was NSA from the start. They sure are not talking which should make long time users uncomfortable.


No!
It can be quite awkward sometimes, like I recently installed Unity (game editor) and to get updates and addons requires allowing it to connect to unity's website. Took me a while to figure that one out



posted on May, 29 2014 @ 12:51 PM
link   
I think the NSA or foreign equivalent got to TC. The whole thing is just too odd for an average situation.



posted on May, 29 2014 @ 12:55 PM
link   
The NSA stopped fighting TrueCrypt at some point...with that, it destroyed the faith I had in that system being secure. They don't STOP fighting what they can't crack (PGP comes to mind)

After what we know NSA did to compromise other 'secure' systems (which WOULD have been secure, had they not had work arounds written into them) I don't trust anything for true comp security.

I heard a Government computer expert in the 90's say the only secure computer is one in a bank vault, underground, on independent power and with no one in the room with it ...and even that, may not be entirely secure. I think he was naively optimistic. lol...



posted on May, 29 2014 @ 01:22 PM
link   

originally posted by: roadgravel
I think the NSA or foreign equivalent got to TC. The whole thing is just too odd for an average situation.
One possibility that occurred to me, is that truecrypt developers might have been asked, pressured, coerced, or maybe even ordered to put in a backdoor, and rather than do this, they decided to end support. The reason I thought of this is I was reading the Freenet developer's blog saying that the UK was trying to pass a law that could have forced him to put a backdoor in Freenet and he would have also been given a gag order so he couldn't say anything about it.

He said that before he would put in a back door, he would just stop supporting it and the gag order couldn't prevent that. So when I look at the parallels, what Truecrypt just did looks a lot like what the Freenet developer said he'd do if he was forced to make it insecure. The UK law never passed as far as I know, but who knows what kind of secret orders could have come from some secret court that we don't even know much about? They don't even need orders, just look at how they destroyed the life of the Qwest CEO when he refused spy on customers illegally as the spies asked. All they really have to do is raise that type of threat.

So yeah, it's fishy and this idea is of course one possibility, assuming TC didn't already have a back door.


originally posted by: Wrabbit2000
The NSA stopped fighting TrueCrypt at some point...with that, it destroyed the faith I had in that system being secure. They don't STOP fighting what they can't crack (PGP comes to mind)
Interesting, because I noticed the same thing about PGP, and had the same suspicions about Truecrypt.
edit on 29-5-2014 by Arbitrageur because: clarification



posted on May, 29 2014 @ 02:01 PM
link   
It seems that TC is built using visual studio by MS for the windows version so who knows how many backdoors could be slipped in quite merrily at compile time and no one would notice especially as the functions used for this sort of thing are not going to be the most commonly used ones so a review of the code itself would be fine and pas muster via a peer review but without being able to check the source code for the libraries/compilers etc who knows what can slip in



posted on May, 29 2014 @ 02:06 PM
link   
a reply to: Maxatoria

It's incredibly unlikely that VS is inserting backdoors into compiled code as it would be trivial to detect and check.



posted on May, 29 2014 @ 02:39 PM
link   
Ken Thompson has written (1984) about the backdoor he put in the C compiler at one point.

By having the compiler insert the backdoor code into itself, the old binary of the compiler alters the recompile of the compiler. The change would not be reflected in the source code of the compiler.



posted on May, 29 2014 @ 02:49 PM
link   
a reply to: roadgravel

Disassembling the binary would, though.



posted on May, 29 2014 @ 02:52 PM
link   
a reply to: GetHyped

But the review the source code which so many audits do, wouldn't. Not quite as easy to hide in today's world.



new topics




 
4
<<   2 >>

log in

join