Page 1 of 2 (posts 1 to 15 of 17)
#1 - 5 Star Lounger, Seattle, WA (joined Jan 2011)

The life and untimely demise of TrueCrypt

    By Susan Bradley

    The developers of TrueCrypt, a once highly respected, open-source encryption application, have apparently folded their tent and disappeared.

    Left behind are questions and paranoia and a message that users should migrate to other encryption platforms.

    The full text of this column is posted at http://windowssecrets.com/top-story/...-of-truecrypt/ (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

#2 - New Lounger, Hertfordshire, England (joined Feb 2004)
    A couple of issues on WS 436:

    The trouble with relying on 7zip file encryption is that as soon as you work on a file from a 7zip archive you'll start leaving sensitive bytes who knows where. Word and Excel, for example, create temporary files which are not securely deleted as far as I know. If Word crashes, on relaunching, it typically gives you an option of an intermediate version to recover, which I have to assume was stored unencrypted on your hard disk. And as soon as you print a file, a plaintext spool file will be created which certainly won't be encrypted, and I can't believe it'll be securely deleted either.

    In short, 7zip might stop a thief from stealing your personal data from your stolen laptop before selling the hardware on eBay. Might. But if I were a dissident living under a repressive regime, I wouldn't trust it an inch.

    Secondly, I believe Fred Langa is incorrect in saying that wiping the BIOS wipes a hard disk password (set through the BIOS). The hard disk password is managed by the hard disk itself, through the ATA interface and survives even if the drive is taken out and put in another machine. That said though, whilst I might trust it a bit more than 7zip, it is likely that hard disk manufacturers have ways of disabling it, which I would have to assume are known to national intelligence and law enforcement agencies, and potentially to criminal elements as well.

    Regards - Philip
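One way to check the first point in this post empirically, as an added example that is not from the column or from Philip: plant a canary string in the sensitive document before opening it from the 7-Zip archive, edit it and print it, then scan the temp and spool directories for the canary. The scanner looks for both the UTF-8 and the UTF-16-LE encoding of the marker, because Word's temp and recovery files and the print spooler commonly store text as UTF-16-LE. The directory tree, file names and contents built by `build_demo_tree` are constructed for the demonstration; the canary value is an assumption.

```python
import tempfile
from pathlib import Path

# Marker you would plant in the sensitive document before opening it from the
# archive. The value itself is an assumption for this example.
CANARY = "ZEBRA-7Q4-CANARY"

# Byte encodings to look for: UTF-8 covers plain text and most print spool
# text; UTF-16-LE is how Windows programs such as Word commonly store text in
# temporary and recovery files.
ENCODINGS = ("utf-8", "utf-16-le")


def find_residue(roots, marker=CANARY):
    """Walk each root directory and return (path, encoding) pairs for every
    regular file whose raw bytes contain the marker in either encoding."""
    patterns = [(marker.encode(enc), enc) for enc in ENCODINGS]
    hits = []
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if not path.is_file():
                continue
            try:
                data = path.read_bytes()
            except OSError:
                continue  # locked or unreadable; skip rather than abort the scan
            for pattern, enc in patterns:
                if pattern in data:
                    hits.append((str(path), enc))
    return hits


def build_demo_tree():
    """Construct a throwaway tree imitating the leftovers the post describes.
    Every file name and byte here is made up for the demonstration."""
    base = tempfile.mkdtemp(prefix="residue-demo-")
    temp_dir = Path(base, "Temp")
    spool_dir = Path(base, "spool", "PRINTERS")
    temp_dir.mkdir(parents=True)
    spool_dir.mkdir(parents=True)
    # Word-style temp/recovery file: BOM followed by UTF-16-LE text
    Path(temp_dir, "~WRL0001.tmp").write_bytes(
        b"\xff\xfe" + ("Draft: " + CANARY).encode("utf-16-le"))
    # Print spool file with the page text embedded as UTF-8
    Path(spool_dir, "00007.SPL").write_bytes(
        b"\x00\x00" + ("page 1 " + CANARY + " end").encode("utf-8"))
    # Unrelated temp file that must not be reported
    Path(temp_dir, "other.tmp").write_bytes(b"nothing sensitive here")
    return base


if __name__ == "__main__":
    for path, enc in find_residue([build_demo_tree()]):
        print(f"plaintext residue ({enc}): {path}")
```

On a real Windows machine the roots to pass would be `%TEMP%`, `%LOCALAPPDATA%\Microsoft\Office\UnsavedFiles` and `C:\Windows\System32\spool\PRINTERS`, run with enough privilege to read the spool directory. The scan only sees files that still exist; copies that were deleted but never overwritten need a raw scan of the volume instead.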

#3 - SidSeven, New Lounger (joined Jun 2014)
    I just thought of something: What if someone makes a computer virus that encrypts the data on a computer?
    Seems to me, 1) they could extort money for the key, or, 2) All one's storage would be nuked.

#4 - Lounger (joined May 2011)
    Quote Originally Posted by SidSeven View Post
    I just thought of something: What if someone makes a computer virus that encrypts the data on a computer?
    Seems to me, 1) they could extort money for the key, or, 2) All one's storage would be nuked.
    I believe that is what CryptoLocker does

#5 - DavidToronto, 2 Star Lounger, Toronto (joined Dec 2009)
I'm surprised the article didn't mention what seems to me a very plausible explanation for events, namely, that the authors of TrueCrypt have been pressured by representatives of the U.S. government to shut down support for the program, then post a phony warning that TrueCrypt may be insecure. That immediately undermines the public's trust in one of the most relied-upon security solutions anywhere. Maybe TrueCrypt is too good, and the NSA, not being able to crack it, instead wants to undermine reliance on it, and force everyone to move to less secure platforms. Advising everyone to move to a "native" form of encryption, in particular Microsoft's BitLocker, is just too much to accept at face value. Snowden has revealed that Microsoft and other major computer companies have given the keys to their products to the NSA in the past. Do you really trust that BitLocker is now impervious to the NSA? Would TrueCrypt staff, who for so long have taken security so seriously, willingly advise putting all your trust into the hands of corporate giants like Microsoft? I hope competent people investigate what's happened more thoroughly, but in the meantime switching from TrueCrypt to BitLocker, or any other corporate solution, does not seem to me to be a good move.
    Last edited by DavidToronto; 2014-06-12 at 07:51.

#6 - SidSeven, New Lounger (joined Jun 2014)
    But, as CryptoLocker is a program, that does what? Encrypt your data AND guard against attack? Sorry, I'm kinda busy commenting on 100 different news articles....
    I wrote a basic program 30 years ago that duplicated itself until the computer crashed, and I knew having only one computer, it better work.

#7 - bill, 4 Star Lounger, New Hampshire USA (joined Dec 2009)
    I'm puzzled why anyone would feel that they needed to replace TrueCrypt absent any indication whatsoever that it is more vulnerable to attack than (or even as vulnerable to attack as) the potential replacement. All its bits are just as good as they ever were and will remain so.

    The suggestion that closed-source code from the likes of our major corporations who have so recently been revealed to be unreasonably accommodating to our national security establishment might be more secure than open-source code that at least CAN be audited (and the last full version of TrueCrypt has been and will continue to be) seems ludicrous. Not to mention the fact that since it's open-source others can (and in fact already are) preparing to take up the reins and continue its development.

Did the developers just get tired of receiving little save world-wide appreciation for their important work? Were they influenced by those who would prefer that less effective privacy solutions were all that was available? Were they so disgusted with the UEFI mess that Microsoft foisted upon the world by requiring its use in OEM Win 8 systems that they decided not to bother supporting it (in which case there really was not all that much left to do: TrueCrypt is already near-perfect)? I'm curious but don't really care that much, nor need anyone else save those who would like to be able to use operating-system or whole-disk encryption on their UEFI systems (there may be modest limitations on GPT disks as well, but nothing really crippling).

    Just for curiosity's sake I'd like to be able to review the change logs over the years and I'm sure that the forums would provide very interesting reading, but I've still got the v7.1a Windows and Linux installers and manuals whenever I may need to use them on a new system so I don't even need to scurry around trying to find them on line while they're still available somewhere.

    So TrueCrypt is dead, and long live TrueCrypt: good software never really dies unless it becomes unequivocally (rather than merely nominally) obsolete. And now I can stop worrying, at least until a new development organization gets up to speed, about whether it will stop supporting Win2K as it has been threatening to do since 2009.


    Edit: And BitLocker of all things as a suggested replacement? Puh-leaze! It's not available in consumer (less than 'Pro') versions of Win 8 (thus neither of our two Win 8 laptops supports it, laptops being prime candidates for encryption though thanks, again, to Microsoft we couldn't have used TrueCrypt on them either: one does support 'legacy' booting but I haven't yet investigated whether I can convert it to an MBR-style disk format and then restore and be able to boot its OS) and wasn't available even in Win 7 Pro (nor in whatever the Vista equivalent of that was, nor of course in those hundreds of millions of XP systems that so stubbornly won't go away).

    So I do look forward to Lincoln's promised article: with TrueCrypt I never felt any need to check out other available possibilities, and while I see little real need to do so even now I'm at least a bit more interested in such a survey.
    Last edited by - bill; 2014-06-12 at 11:10.


#8 - atkinsod, New Lounger (joined Jun 2014)
    I agree with Susan's statement, "We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it". However, this statement should be applied to all of our software, including commercial. How many commercial products have died, or commercial companies, for that matter? Susan's example of Symantec discontinuing the Norton Zone product is just one example of many where commercial products have ended suddenly, or companies disappear.

    As Bill suggested (above), TrueCrypt had proven itself in the marketplace over many years of use. Since it was so widely used, there were many people trying to figure out how to break it. As far as I know, the only successful hack was through a memory dump, and you had to have the physical laptop in your possession with the TrueCrypt volume mounted. While we are certainly sad that TrueCrypt is no longer being developed, there isn't much reason to think that it wasn't a good product to use.


#9 - NTLS, 2 Star Lounger, Great LAND of TEXAS (joined Mar 2010)
    This should be a very important WAKE-UP CALL to all that use Cloud Services especially those that are a business system. With the prices of some very large H/Ds being what they are makes some of those 'Cloud Services' a bit NOT reliable. Keeping this short and to the point, if anyone would like more information, PM me. NO am not advertising for any one, group or business. Just think these Cloud Services are nice but NOT very practical in the LONG RUN.

    This may KICK-OFF a different discussion, not my intention, just my opinion and that is all.

P.S. Excuse me, please? Just an afterthought: we should be HELPING one another and not just being critical. Being critical is easy, but being there to HELP another is more important. That is what my objective is; not really knowledgeable on these systems, my information is from the School-of-HardKnocks and my length of experience goes back to 1985 on desktops.
    Last edited by NTLS; 2014-06-12 at 12:49.
    TIA, CU L8R,
    NTxLS Win7 Pro 64bit SP1; FireFox v49.x, all with the latest updates

#10 - Star Lounger, Olympia, Washington (joined Dec 2009)
    As for the "leftover" copy files, of which Microsoft is so very fond, I use the free "Secure Delete" http://technet.microsoft.com/en-us/s.../bb897443.aspx. Since it is just another Black Box from Microsoft, I think it absolutely certain to have a "back door" provided by MS for the use of our government snoopers. It will appear in your right-click context menu with a red "X", and the security free Windows "Delete" is still available to you. Of course, SD will only slow down the amateur snoops examining your discarded hard drive. "Secure" Delete runs a command line app which (purports to) overwrite the deleted file sectors. Of course, Windows delete just changes the first character of a handle in the File Allocation Table to "?", and nothing else is touched. This provides absolute zero security to a Windows user.

    If anyone in this forum knows of a real (read "open source") file sector overwrite app, please post it in this thread! Of course, our government "security" folks think that the U S Constitution has an amendment giving them the right to spend an infinity of our tax dollars to spy on anyone in the world to any extent they want. Only the Snowdens of the world allow us an occasional glimpse into the morass of illegal activities of those "protecting" us from ourselves. Good luck to all who are foolish enough to believe that we have any right to real privacy. Thanks, Uncle Sam!

#11 - bill, 4 Star Lounger, New Hampshire USA (joined Dec 2009)
Coincidentally, TrueCrypt does a pretty good job of securely deleting free space if you simply allocate as large a file as you can as a TrueCrypt container and then initialize it (which fills it with random data, over-writing whatever used to be there; a single such random over-write will be sufficient to make data inaccessible on a modern drive by any means save Herculean efforts such as microscopic scans). Doesn't work on SSDs, though, since their internal write-leveling features will revector the new writes to new locations, leaving the old data present for harvesting until the SSD gets around to 'cleaning' it to create new, reinitialized free blocks.

    I think I can recall seeing small applications that over-write a specific file but don't off-hand recall where (or whether they're open-source so that you can verify that they're doing what they claim to do). The SysInternals secure delete program from Microsoft is one such, and it would kind of surprise me if it were compromised (if only because of the ease with which this could be discovered and the resulting bad publicity if it were).
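The two mechanisms discussed in posts #10 and #11, an ordinary delete that only marks the directory entry versus an overwrite of the data, can be seen side by side on a toy disk image. This is an added example, not code from the column, from SDelete or from TrueCrypt: a minimal FAT-like image with a directory table and consecutive data blocks (the geometry, the bump allocator and the 32-byte entry layout are assumptions made to keep it small). `delete` mirrors what FAT does on delete, setting the entry's first byte to 0xE5 and leaving the data blocks intact; `secure_delete` overwrites the file's blocks with random bytes first; `wipe_free_space` is the "fill the free space with a random-initialised container" trick from post #11. The account record is constructed sample data. The image models a drive where an overwrite lands on the same blocks; it cannot model the SSD remapping the post warns about.

```python
import secrets

BLOCK = 512          # bytes per data block (assumed geometry for this toy image)
DIR_ENTRIES = 16     # fixed directory table at the front of the image
ENTRY = 32           # bytes per entry: 11-byte name, 4-byte start block, 4-byte length
FREE_MARK = 0xE5     # FAT marks a deleted entry by setting its first byte to 0xE5


class ToyFatImage:
    """A minimal FAT-like image: directory table followed by data blocks.
    Files occupy consecutive blocks, so no cluster chain is needed."""

    def __init__(self, blocks=64):
        self.dir = bytearray(DIR_ENTRIES * ENTRY)
        self.data = bytearray(blocks * BLOCK)
        self.next_free = 0          # bump allocator; blocks are never handed out twice

    @staticmethod
    def _key(name):
        return name.encode("ascii").ljust(11, b" ")[:11]

    def write(self, name, payload):
        nblocks = -(-len(payload) // BLOCK)            # ceiling division
        start = self.next_free
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        self.next_free += nblocks
        for i in range(DIR_ENTRIES):
            off = i * ENTRY
            if self.dir[off] in (0x00, FREE_MARK):       # unused or deleted slot
                entry = (self._key(name) + start.to_bytes(4, "little")
                         + len(payload).to_bytes(4, "little"))
                self.dir[off:off + len(entry)] = entry
                return
        raise OSError("directory full")

    def _entry(self, name):
        key = self._key(name)
        for i in range(DIR_ENTRIES):
            off = i * ENTRY
            if self.dir[off:off + 11] == key:
                start = int.from_bytes(self.dir[off + 11:off + 15], "little")
                length = int.from_bytes(self.dir[off + 15:off + 19], "little")
                return i, start, length
        raise FileNotFoundError(name)

    def live_blocks(self):
        """Blocks referenced by a directory entry that is not marked deleted."""
        used = set()
        for i in range(DIR_ENTRIES):
            off = i * ENTRY
            if self.dir[off] in (0x00, FREE_MARK):
                continue
            start = int.from_bytes(self.dir[off + 11:off + 15], "little")
            length = int.from_bytes(self.dir[off + 15:off + 19], "little")
            used.update(range(start, start + -(-length // BLOCK)))
        return used

    def delete(self, name):
        """Ordinary delete: only the directory entry is marked; the data stays."""
        i, _, _ = self._entry(name)
        self.dir[i * ENTRY] = FREE_MARK

    def secure_delete(self, name):
        """Overwrite every block the file occupied with random bytes, then delete."""
        i, start, length = self._entry(name)
        nblocks = -(-length // BLOCK)
        self.data[start * BLOCK:(start + nblocks) * BLOCK] = secrets.token_bytes(nblocks * BLOCK)
        self.dir[i * ENTRY] = FREE_MARK

    def wipe_free_space(self):
        """Overwrite every block not owned by a live file, which includes the
        blocks of files that were deleted the ordinary way."""
        live = self.live_blocks()
        for b in range(len(self.data) // BLOCK):
            if b not in live:
                self.data[b * BLOCK:(b + 1) * BLOCK] = secrets.token_bytes(BLOCK)

    def raw(self):
        return bytes(self.dir + self.data)


def recoverable(image, secret):
    """What a raw scan of the image (a discarded or stolen drive) would find."""
    return secret in image.raw()


def demo():
    secret = b"ACCOUNT 4417-1234-5678-9113 PIN 2291"   # constructed sample data
    record = b"customer record: " + secret + b" end"

    img = ToyFatImage()
    img.write("NOTES.TXT", b"shopping list, nothing secret")
    img.write("BANK.TXT", record)
    img.delete("BANK.TXT")
    after_delete = recoverable(img, secret)        # True: bytes still on disk
    img.wipe_free_space()
    after_free_wipe = recoverable(img, secret)     # False: deleted blocks overwritten
    assert recoverable(img, b"shopping list")      # live file left untouched

    img2 = ToyFatImage()
    img2.write("BANK.TXT", record)
    img2.secure_delete("BANK.TXT")
    after_secure = recoverable(img2, secret)       # False
    return after_delete, after_free_wipe, after_secure


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False)`: the plain delete leaves the record readable by a raw scan, while either the per-file overwrite or the free-space wipe removes it. On a real filesystem the per-file overwrite must also be written through the OS cache (flush and fsync) before the unlink, and on an SSD neither approach guarantees the old blocks are gone.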

#12 - Star Lounger, Olympia, Washington (joined Dec 2009)
    At one time PGP (Pretty Good Privacy) had the gov spooks wetting their pants. After a few years, the whole flap seemed to disappear from mass media attention. I found this to be a very interesting read http://www.cypherspace.org/adam/timeline/ Of course, if the infinitely funded spooks have likely broken it on a practical level, it is unlikely we will ever know, unless another Snowdenesque reveal occurs.

    The only certain route to genuine privacy is documented here http://www.pro-technix.com/informati...rnam_base.html The only secure key is a truly random one, which can never be generated by any algorithm. Fortunately, lots of real world electronic techniques exist to generate genuine randomness. Unfortunately, the randomly created key must be larger than the data to be encrypted. Fortunately, micro SD cards are now available in the 64GB size, and their tiny size makes concealment fairly easy. Unfortunately, only face to face key transmission guarantees security. It would be real neat if semiconductor chip manufacturers would fab hardware read once SD chips, where reading the chip contents would destroy its stored data. That would make non face to face key exchange more (but never completely) secure.

I already have a computer which is never, ever connected to the internet. This is the only way to keep your data free of "phone home software" exploits. Of course, since the never-ending blizzard of Windows Updates demands a two way connection to the Black Box Boys of Redmond, this op sys is a non-starter. Still missing is hardware having a Mission Impossible style self destruction feature built in. Any intrusion attempt (even x-ray imaging) would ignite the thermite. Any bets that such computing hardware will soon be declared illegal to own? Needless to say, US Spooks would be exempted. Stay tuned. . . .
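The Vernam (one-time pad) scheme this post describes, as an added example that is not from the linked page or from the poster: the key comes from the OS random source, must be at least as long as the message, and encryption and decryption are the same XOR. The second half shows why the "one-time" part is not optional: if the same pad protects two messages, XORing the ciphertexts cancels the pad and leaves `p1 XOR p2`, and a guessed fragment of one message (a "crib") dragged across that value reads out fragments of the other. The two messages `P1` and `P2` are constructed sample data.

```python
import os

# Constructed sample messages of equal length (27 bytes each)
P1 = b"MEET AT THE OLD BRIDGE 2300"
P2 = b"ABORT THE PLAN NOW PLEASE.."


def otp_keygen(length):
    """Key material from the OS CSPRNG (os.urandom). A pad must be at least as
    long as the message it protects and must never be used for a second one."""
    return os.urandom(length)


def otp_xor(data, key):
    """Vernam encryption and decryption are the same operation: byte-wise XOR."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def rejects_short_key():
    """True if otp_xor refuses a key shorter than the message."""
    try:
        otp_xor(b"four", b"abc")
    except ValueError:
        return True
    return False


def two_time_pad_leak(c1, c2):
    """Reusing a pad cancels it: c1 XOR c2 == p1 XOR p2, with no key involved."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def crib_drag(p1_xor_p2, crib):
    """Slide a guessed fragment of one message across p1 XOR p2; wherever the
    result is printable ASCII it is a candidate fragment of the other message."""
    candidates = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[off:off + len(crib)]
        seg = bytes(a ^ b for a, b in zip(window, crib))
        if all(32 <= b < 127 for b in seg):
            candidates.append((off, seg))
    return candidates


def demo():
    key = otp_keygen(len(P1))
    c1 = otp_xor(P1, key)
    c2 = otp_xor(P2, key)           # the mistake: same pad for a second message
    assert otp_xor(c1, key) == P1   # correct use round-trips
    return two_time_pad_leak(c1, c2)


if __name__ == "__main__":
    leak = demo()
    for off, seg in crib_drag(leak, b"THE "):
        print(f"offset {off:2d}: other message contains {seg!r}")
```

With the crib `b"THE "` the drag reports, among other printable candidates, offset 8 yielding `b"E PL"` (from `P2`) and offset 6 yielding `b"T TH"` (from `P1`), without the key ever being touched. The key distribution problem the post raises (face-to-face exchange, read-once media) is outside what the code models.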

#13 - Warlockz, New Lounger (joined Jan 2013)
    LOL....TC was formed by the NSA who also registered it in Poland as a way to convince people that it was done by a pseudo legit group.
    Someone found this out and gave the NSA T & C's for shutting it down before open disclosure of it being an NSA operation.

#14 - DavidToronto, 2 Star Lounger, Toronto (joined Dec 2009)
    Quote Originally Posted by Warlockz View Post
    LOL....TC was formed by the NSA who also registered it in Poland as a way to convince people that it was done by a pseudo legit group.
    Someone found this out and gave the NSA T & C's for shutting it down before open disclosure of it being an NSA operation.
A very important fact, if it is a fact. Do you have any evidence for the claim? When is this open disclosure coming?

    Starting such an alarming statement with LOL undermines your credibility a great deal.

    What are T & C's?

#15 - Warlockz, New Lounger (joined Jan 2013)
Terms & Conditions, and this is just my 2 cents worth....for what it's worth ;>}
