The Mental Militia Forums


Topic: TrueCrypt compromised?

Silver
TrueCrypt compromised?
« on: May 29, 2014, 12:57:41 pm »

Via Bruce Schneier:  TrueCrypt WTF

The official SourceForge page warns that "TrueCrypt is not secure."

Ars Technica has a summary; not much known at this time.

Adventurer, Explorer, Inquiring Mind.

Destin Faruda
Re: TrueCrypt compromised?
« Reply #1 on: May 30, 2014, 03:50:28 pm »

The Ars piece set off the shit storm.

It is a solid piece, if you consider the comments.

Conspiracies or no conspiracies, TC hadn't been regularly updated in a while.  Given the number of ciphers it supported, more regular updates or patches would have been the norm.

Either TC's website or signing key was compromised, or the devs decided to call it a day a while back and decided to make it public by saying "hey, we ain't developin' this no more, give us a break with the screaming flames on fora... we quit last year, here's our two weeks' notice... 52 weeks late."  That sort of thing.

Happens all the time.
Understeer is when you hit the wall with the front of the car and oversteer is when you hit the wall with the rear of the car.
Horsepower is how fast you hit the wall, torque is how far you take the wall with you.
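The reply above offers two candidate explanations, a compromised website or a compromised signing key. One check a practitioner can run on the 7.2 download narrows that: pull the issuer key ID out of the detached OpenPGP signature and compare it with the key ID that signed the previous release. The script below is an added example, not code from this thread or from the TrueCrypt project. The pinned key ID 0123456789ABCDEF is a hypothetical placeholder, and the sample signature bytes are constructed so the parser can be exercised offline. It parses the RFC 4880 packet structure only and does no cryptographic verification; that is what gpg --verify is for. A changed issuer means the file was re-signed under someone else's key; an unchanged issuer does not rule out a stolen key.

```python
# Key-continuity check on a detached OpenPGP signature (RFC 4880 packet format).
# Added example, not code from this thread or from the TrueCrypt project; it does
# not verify the signature, it only reports which key ID claims to have made it.
import base64

SIG_TAG = 2              # packet tag: Signature
ISSUER = 16              # subpacket: Issuer (8-byte key ID)
ISSUER_FINGERPRINT = 33  # subpacket: Issuer Fingerprint (RFC 4880bis, emitted by modern gpg)
PINNED_KEY_ID = "0123456789ABCDEF"  # hypothetical: key ID recorded from an earlier, trusted release

def _read_packet(buf):
    """Return (tag, body) of the first OpenPGP packet in buf (RFC 4880 section 4.2)."""
    ctb = buf[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(buf[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header; length type 3 unsupported
        tag, hdr = (ctb >> 2) & 0x0F, 1 + (1, 2, 4)[ctb & 0x03]
        length = int.from_bytes(buf[1:hdr], "big")
    return tag, buf[hdr:hdr + length]

def _subpackets(area):
    """Yield (type, payload) for each subpacket in a signature subpacket area (5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i], area[i + 1:i + length]
        i += length

def issuer_key_id(sig):
    """Return the signing key ID (16 upper-case hex chars) of a detached v4 signature."""
    tag, body = _read_packet(sig)
    if tag != SIG_TAG or body[0] != 4:
        raise ValueError("expected a v4 signature packet")
    # body: version, sig type, pubkey algo, hash algo, then the two subpacket areas
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed = body[p + 2:p + 2 + int.from_bytes(body[p:p + 2], "big")]
    # Prefer the hashed area: it is signed, the unhashed area can be rewritten by anyone.
    for area in (hashed, unhashed):
        for stype, payload in _subpackets(area):
            if stype == ISSUER_FINGERPRINT:
                return payload[-8:].hex().upper()    # v4 key ID = low 64 bits of the fingerprint
            if stype == ISSUER:
                return payload.hex().upper()
    raise ValueError("no issuer subpacket in signature")

def same_signer(sig, pinned_key_id=PINNED_KEY_ID):
    return issuer_key_id(sig) == pinned_key_id.replace(" ", "").upper()

def dearmor(text):
    """Packet bytes from an ASCII-armored .asc signature (the CRC line is skipped, not checked)."""
    lines = iter(text.splitlines())
    for line in lines:                               # skip everything up to the BEGIN line
        if line.startswith("-----BEGIN PGP"):
            break
    for line in lines:                               # armor headers end at the first blank line
        if not line.strip():
            break
    b64 = []
    for line in lines:                               # base64 body ends at the "=CRC" or END line
        if line.startswith(("-----END", "=")):
            break
        b64.append(line.strip())
    return base64.b64decode("".join(b64))

def make_test_sig(key_id_hex, issuer_in_hashed=True):
    """Constructed v4 RSA/SHA-256 signature packet: structurally valid, cryptographically
    meaningless, not a real TrueCrypt signature. Used only to exercise the parser."""
    issuer = b"\x09\x10" + bytes.fromhex(key_id_hex)            # Issuer subpacket (type 16)
    ctime = b"\x05\x02" + (1401400000).to_bytes(4, "big")        # Signature Creation Time (type 2)
    hashed = ctime + (issuer if issuer_in_hashed else b"")
    unhashed = b"" if issuer_in_hashed else issuer
    body = (b"\x04\x00\x01\x08"                                  # v4, binary document, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd"                                        # left 16 bits of the hash
            + b"\x00\x10\xbe\xef")                               # 16-bit MPI placeholder
    return b"\x88" + bytes([len(body)]) + body                   # old-format header, tag 2

def make_test_armored(key_id_hex):
    """ASCII-armored form of make_test_sig(), for exercising dearmor()."""
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed-example\n\n"
            + base64.b64encode(make_test_sig(key_id_hex)).decode()
            + "\n-----END PGP SIGNATURE-----\n")
```

Against a real download, feed the bytes of the .sig file to issuer_key_id() directly, or pass the text of an .asc file through dearmor() first, and compare the result with the key ID you recorded from the release you already trusted. Keep the pinned ID somewhere other than the project's website, since a site compromise would let an attacker change both the download and the published key.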

Silver
Re: TrueCrypt compromised?
« Reply #2 on: May 30, 2014, 06:59:27 pm »

GRC claims to have heard from the developers

Quote
And then the TrueCrypt developers were heard from . . .
Steven Barnhart (@stevebarnhart) wrote to an email address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    * TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    * Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    * Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    * Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    * TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    * Quoting TrueCrypt Developer David: “There is no longer interest.”

If true, it suggests the developers acted like dicks.  It's fine if they didn't feel like working on this any more.  Ten years is a long time, it is thankless work, for no money.

But if this is really from the developers, then the 7.2 release is nothing more than a clumsy attempt to set fire to it.  They could have released it to the winds of the internet, and said goodbye.  Instead they tried to trash it.

If this communication is legit, I predict there will be an effort, perhaps multiple ones, to make the code truly open source.  Too many people rely on truecrypt.  Raising $70k in donations to do the code audit is powerful evidence that people want this product - inspectable code, audited strong crypto.  So the market will get that, despite any dog-in-the-manger antics by the original developers.

Peace,

Silver

Destin Faruda
Re: TrueCrypt compromised?
« Reply #3 on: May 30, 2014, 07:34:17 pm »

Yes, they had a remarkable project and got tired, so they flushed it down the toilet.  They probably would have done better going commercial with it and leaving the codebase auditable/open-sourced.

Yeah, it's funny how the only capitalists in America willing to pay for a good service (TC support, Linux support, etc.) are the government.  Private people want people to work for free and bitch when stuff doesn't work right rather than providing bug reports and helping out.  I can see why guys WOULD get pissed though.  Given the user base for TC, 70k isn't that much cash.  I am not much of a fan since I've run into interesting forks that make use of TC but permit it to boot from removable media, etc.  Guy didn't open-source his work and asks for money.  I'd pay, if the code were open.  For this sort of thing, auditability is king... given the beast with its nose under the tent flap.
« Last Edit: May 30, 2014, 07:35:51 pm by Destin Faruda »

Silver
Re: TrueCrypt compromised?
« Reply #4 on: May 31, 2014, 07:18:13 am »

I see no evidence in this case or elsewhere supporting the idea that only the government will pay for support.

The TrueCrypt developers never offered support.  I suspect there would have been a market for it, but they didn't care to do that task.  That is their choice, but their decision can't be used to tar the rest of the consumer marketplace with wanting only free support.

The $70k wasn't raised for the TrueCrypt developers; it was raised to fund an independent audit by genuine security experts.  The fact that $70k was raised for an audit suggests to me that there is intense market desire for a professionally reviewed, open source product.

I don't fault the TrueCrypt team for getting tired, but I do think the stunt with 7.2 was crass and stupid.  If they didn't want the code, they didn't have to use FUD to make it harder for anyone who did feel like pitching in.

Peace,

Silver

Destin Faruda
Re: TrueCrypt compromised?
« Reply #5 on: May 31, 2014, 04:14:18 pm »

There are suggestions I've had for them for a while for features which BELONG in a full medium/disk crypto product.  Maybe I should pick it up as a side project for my company and sell it to whoever's willing to pay for it and for support.  'Course my devs are both flaky asshats too (and yes they know it, and call each other as such too... so it's no secret, but I get what I can afford and who's willing to work), and I'm so swamped getting the bread and butter operations stable that I can't spend too much time on it.  Hell, I did all my posts in 10 min after lunch... or... 6... min?  Woah.  And now back to the road.