
SoylentNews is people

posted by LaminatorX on Thursday May 29 2014, @04:03AM
from the Another-one-bites-the-dust dept.

The TrueCrypt website has been changed; it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux. So, what happened? The TrueCrypt site says:

This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Did the TrueCrypt devs (or SourceForge?) get an NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?

 
  • (Score: 5, Interesting) by Rune of Doom on Thursday May 29 2014, @04:39AM

    by Rune of Doom (1392) on Thursday May 29 2014, @04:39AM (#48562)

    We don't know enough for any firm conclusions. That said, my guess is 'warrant canary'.

    http://en.wikipedia.org/wiki/Warrant_canary [wikipedia.org]
    (In case anyone isn't already familiar with the term.)

  • (Score: 2) by Reziac on Thursday May 29 2014, @04:51AM

    by Reziac (2489) on Thursday May 29 2014, @04:51AM (#48565) Homepage

    The tone is pretty odd, eh? You may be right.

  • (Score: 5, Insightful) by sgleysti on Thursday May 29 2014, @05:37AM

    by sgleysti (56) on Thursday May 29 2014, @05:37AM (#48580)
    Someone noticed that in the source code diff, all occurrences of "U.S." have been changed to "United States", perhaps as a subtle message.
     
    The encryption functionality was removed; decryption remains. This makes sense if they were required to surreptitiously weaken the encryption.
     
    The advice given for Linux users is to search for any package with the word "crypt" or "encrypt" and follow its instructions. This is strange advice from security-conscious developers.
     
    I think the real devs did it for the following reasons:
     
    • One of the auditors found that the 7.2 (new, "unsafe") binary checks out against the published source. This rules out one kind of sneakiness.
    • Despite a re-uploading, the key used to sign the new code is the same key used to sign all of the older releases. They had access to the signing key, and yet:
    • They warn that the code is unsafe instead of secretly weakening it.
    • The DNS was redirected to point to the sourceforge page. They had access to DNS and didn't do something nefarious.
    • The license was changed: A clause requiring attribution was removed, making the code easier to use in a fork.

     
     
    One would expect TrueCrypt to attract more notice now that it is being audited. They just raised $16,000 to put it through serious auditing. This is a crazy time to nuke the project, unless they got an NSL.

    • (Score: 1, Funny) by Anonymous Coward on Thursday May 29 2014, @06:35AM

      by Anonymous Coward on Thursday May 29 2014, @06:35AM (#48593)

      The audit revealed the true encryption algorithm was ROT13. Further development was deemed impossible without breaking backward compatibility.

      • (Score: 2) by maxwell demon on Thursday May 29 2014, @07:28AM

        by maxwell demon (1608) Subscriber Badge on Thursday May 29 2014, @07:28AM (#48614) Journal

        The audit revealed the true encryption algorithm was ROT13. Further development was deemed impossible without breaking backward compatibility.

        Those were security people. They certainly knew that these days you need triple-rot13 to be truly secure.
        The problem the audit found was that the second step wasn't a decryption step, as triple-rot13 requires, but an additional encryption step.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 4, Interesting) by threedigits on Thursday May 29 2014, @09:41AM

      by threedigits (607) on Thursday May 29 2014, @09:41AM (#48647)

      The "U.S." to "United States" is more than probably an artifact of changing Visual Studio versions.

      You can see the same happening here, for example: https://chromium.googlesource.com/webm/webmdshow/+/74379b419a791c5d81f1120c0f23e28d19cf03eb%5E!/ [googlesource.com]

    • (Score: 2) by zocalo on Thursday May 29 2014, @11:27AM

      by zocalo (302) on Thursday May 29 2014, @11:27AM (#48677)
      Or maybe *some* of the real devs did it.

      What if TrueCrypt was backdoored as the result of an NSL some time ago - say pre-v7.1a, which is when development basically stalled and could be the reason for that stall? One likely outcome of that might be a difference of opinion between the devs, ending development and culminating in a difference of opinion wherein one or more of them basically decided to blow the whistle against the wishes of the rest. If the whistleblower(s) were the coders rather than the web admin, then it's conceivable they might not have access to SourceForge but would have the code signing keys, which would explain the hacky nature of the "reveal".
      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2) by forsythe on Thursday May 29 2014, @01:59PM

      by forsythe (831) on Thursday May 29 2014, @01:59PM (#48735)

      I was actually going to mention the U.S. -> United States thing, but thought I would come off as being overly silly.

      So here's something else: Towards the beginning of the diff, some options of a dialog box got changed (that didn't seem obviously related to the neutering), and the option to choose `No' was removed.

      • (Score: 1) by eieken on Thursday May 29 2014, @04:03PM

        by eieken (4322) on Thursday May 29 2014, @04:03PM (#48806)

        Secretly communicating what happened via the No seems like something to do, bothersome that I really liked TrueCrypt. :(

  • (Score: 5, Interesting) by c0lo on Thursday May 29 2014, @06:26AM

    by c0lo (156) on Thursday May 29 2014, @06:26AM (#48590) Journal

    Technicality only: it's not a "Warrant canary" (which, if not updated, means something went wrong) but rather a "scorched-earth trap" (step on it and everything blows, nobody gets nothing, not even the attacker).
    The "warrant canary" is effective because, to send the signal, you just obey an order to do nothing (I suspect, for US, there may be an amendment which protects innocent citizens against forced labor - e.g. work to introduce a backdoor against my will).
    The TrueCrypt crippling is a destructive step that requires an action; there may be some "contempt of court" issues if so.

    In any way, one cannot dismiss a Lavabit 2.0 scenario in progress.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 5, Interesting) by bradley13 on Thursday May 29 2014, @07:06AM

      by bradley13 (3053) Subscriber Badge on Thursday May 29 2014, @07:06AM (#48604) Homepage Journal

      I have to agree - it seems to me that the most likely scenario is LavaBit all over again:

      • The developers got an NSA demanding that they build a backdoor into their software.
      • The only way they can refuse is by ending the project entirely.
      • The nonsense about XP and BitLocker is a fig leaf to mitigate contempt charges.

       

      Truecrypt has been a hugely valuable tool for millions of people. It is cross-platform and it is absolutely easy to use. I've tried other solutions out there, and no other platform independent solution is nearly as good on the usability front - and usability is critical to security applications or else people won't bother with them...

      We need Truecrypt, or an equivalent replacement...

      --
      Everyone is somebody else's weirdo.
      • (Score: 1) by WillR on Thursday May 29 2014, @02:11PM

        by WillR (2012) on Thursday May 29 2014, @02:11PM (#48739)
        My bet is that the NSA (or GCHQ or whoever) demanded TrueCrypt's signing key so they could distribute backdoored versions of TC with valid signatures to their targets.

        There's less likelihood of the backdoor being found by an audit if it's only sent to a few entities, and that fits with other NSA activities that have come to light like intercepting and backdooring some Cisco routers in transit instead of backdooring IOS. So the TrueCrypt devs decided to play along just enough to avoid jail, then burn the key by using it to sign an update with giant flashing red "TrueCrypt is insecure!!!" warnings all over it.
    • (Score: 2) by keplr on Thursday May 29 2014, @04:47PM

      by keplr (2104) on Thursday May 29 2014, @04:47PM (#48828) Journal

      What is stopping the government's secret, already illegal, orders from including the requirement to keep the "canary" in place? They just show up, root your servers, and tell you to act like nothing happened and do NOT take down the canary notice.

      --
      I don't respond to ACs.
      • (Score: 0) by Anonymous Coward on Thursday May 29 2014, @08:20PM

        by Anonymous Coward on Thursday May 29 2014, @08:20PM (#48906)

        The point of the canary is that if it isn't updated frequently one should assume that something is wrong.