bit-tech.net

TrueCrypt downed by alleged insecurities


Popular open-source cross-platform cryptography application TrueCrypt has been shuttered, apparently by its developers, with claims of major insecurities.

Popular open-source encryption package TrueCrypt has been declared unsafe, with its developers apparently opting to erase the software from the face of the earth - despite a security audit having found no serious flaws.

TrueCrypt is a serious piece of software: open source and with binaries available for most popular computing platforms, the package allows the user to hide private data using a variety of strong encryption algorithms. Additional features that set it apart from its rivals include whole-disk support - allowing the entire operating system to reside on an encrypted volume - and its use of 'hidden volumes' for jurisdictions, like the UK, where decryption can be demanded under the threat of jail time; the throw-away outer volume can be offered up as a sacrifice, while the real private data remains unprovably present within the volume.
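The hidden-volume mechanism described above rests on one property: the unused space of an encrypted volume is filled with random data, so a second volume encrypted inside that space cannot be told apart from free space by anyone holding only the outer key. The Python sketch below is an illustration added here, not code from the TrueCrypt project: the container is random-filled, the outer volume sits at the start, an optional hidden volume sits at the end, and `mount()` tries a key at both locations, the way TrueCrypt tries a password against both header positions. The cipher (an HMAC-SHA256 keystream plus a keyed tag), the fixed slot layout and the constant keys are simplifications of my own standing in for TrueCrypt's XTS-AES on-disk format and passphrase-derived keys.

```python
import hashlib
import hmac
import os

# Constructed demo keys; a real tool derives these from a passphrase with a KDF.
OUTER_KEY = b"outer-volume-key-constructed"
HIDDEN_KEY = b"hidden-volume-key-constructed"
CONTAINER_SIZE = 4096   # bytes; real volumes are far larger
OUTER_SLOT = 2048       # region at the start holding the outer volume
HIDDEN_SLOT = 1024      # region at the end, inside the outer volume's "free space"
TAG_LEN = 32


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, plaintext: bytes, slot_size: int) -> bytes:
    """Build a slot-sized region: tag || ciphertext(length || plaintext || random pad).

    Every byte of the region is uniformly distributed, so it is indistinguishable
    from the random fill used for unused space.
    """
    body_len = slot_size - TAG_LEN
    if len(plaintext) + 4 > body_len:
        raise ValueError("plaintext does not fit in slot")
    body = len(plaintext).to_bytes(4, "big") + plaintext
    body += os.urandom(body_len - len(body))
    ciphertext = xor(body, keystream(key, body_len))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def open_slot(region: bytes, key: bytes):
    """Return the plaintext if `key` authenticates this region, else None."""
    tag, ciphertext = region[:TAG_LEN], region[TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    body = xor(ciphertext, keystream(key, len(ciphertext)))
    length = int.from_bytes(body[:4], "big")
    return body[4:4 + length]


def build_container(outer: bytes, outer_key: bytes, hidden: bytes = None,
                    hidden_key: bytes = None, size: int = CONTAINER_SIZE,
                    outer_slot: int = OUTER_SLOT, hidden_slot: int = HIDDEN_SLOT) -> bytes:
    """Random-fill the whole container, write the outer volume at the start and,
    optionally, a hidden volume at the end. Without a hidden volume the tail stays random."""
    buf = bytearray(os.urandom(size))
    buf[:outer_slot] = seal(outer_key, outer, outer_slot)
    if hidden is not None:
        buf[size - hidden_slot:] = seal(hidden_key, hidden, hidden_slot)
    return bytes(buf)


def mount(container: bytes, key: bytes, outer_slot: int = OUTER_SLOT,
          hidden_slot: int = HIDDEN_SLOT):
    """Try the key at both candidate locations: outer header first, then the
    hidden-volume header. Returns ("outer"|"hidden", data) or None."""
    data = open_slot(container[:outer_slot], key)
    if data is not None:
        return ("outer", data)
    data = open_slot(container[len(container) - hidden_slot:], key)
    if data is not None:
        return ("hidden", data)
    return None


def distinct_byte_values(buf: bytes) -> int:
    """Crude randomness indicator: how many of the 256 byte values occur in `buf`."""
    return len(set(buf))


if __name__ == "__main__":
    with_hidden = build_container(b"decoy documents", OUTER_KEY, b"the real secrets", HIDDEN_KEY)
    without_hidden = build_container(b"decoy documents", OUTER_KEY)
    print(mount(with_hidden, OUTER_KEY))      # ('outer', b'decoy documents')
    print(mount(with_hidden, HIDDEN_KEY))     # ('hidden', b'the real secrets')
    print(mount(without_hidden, HIDDEN_KEY))  # None
    print(distinct_byte_values(with_hidden[-HIDDEN_SLOT:]),
          distinct_byte_values(without_hidden[-HIDDEN_SLOT:]))
```

The tail of both containers is uniformly distributed bytes, so the outer key alone gives no evidence that a hidden volume exists. The flip side of that property is that the outer volume sees the hidden region as free space and can overwrite it; TrueCrypt addressed this with a mount option that protects the hidden volume while the outer one is written to.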

Following whistleblower Edward Snowden's claims that the US government - and, undoubtedly, those of other nations - had pressured companies to weaken their encryption products or insert back-door access, a crowd-funded security audit of TrueCrypt's source code was undertaken. The initial report highlighted zero high-severity issues, and while four medium- and a further four low-severity issues were found, none were considered to critically weaken the software's capabilities.

Last night, however, the TrueCrypt developers declared otherwise. The project's SourceForge page was modified to claim TrueCrypt was insecure, and all its past source code and binary files were deleted from the repository. In their place, a special version of the software dubbed TrueCrypt 7.2 was released; this contains warnings against its own use, and removes all encryption capabilities in favour of allowing read-only access to existing TrueCrypt volumes in order for existing users to recover their data.

'WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,' the new version of the software warns users. 'The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.' This is echoed by a tutorial on the official website detailing how to migrate to Microsoft's BitLocker encryption platform.

The binary files and source code live on, as with any open source project, in personal archives and publicly-accessible sites like GitHub. The developers of the software, who have remained anonymous since its inception, are silent on exactly why the move to remove it from its official site has been made - but there are a handful of convincing theories that may explain the matter.

The most likely is that the project has received a National Security Letter demanding that back-door access be placed into the software, which likely came to the US government's attention following Snowden's recommendation it be used by anyone with secrets to hide. These letters contain a self-gag order preventing their disclosure; by cancelling the project entirely and warning that it is insecure, the developers will have been able to skirt the terms of this gag order while warning users that it is no longer to be trusted thanks to government interference.

Another theory is that the developers have discovered an existing back door, inserted into the code by a government agent pretending to be a valued contributor. How this would have been missed during the detailed security audit the software recently underwent, however, is unclear. A final theory is that the project has been hijacked: SourceForge recently suffered a security breach, and the issuance and near-immediate revocation of new signing keys for the TrueCrypt project hint that the original developers may no longer be in control.

One thing is clear: until a developer comes forward with more details, those who rely on TrueCrypt to protect their privacy would do well to make sure they add some additional layers to their defence strategy.

8 Comments

Umbra 29th May 2014, 11:34
Quote:
This is echoed by a tutorial on the official website detailing how to migrate to Microsoft's BitLocker encryption platform.

Bitlocker, that's real safe. no back-door access there
Gareth Halfacree 29th May 2014, 11:40
Quote:
Originally Posted by Umbra
Bitlocker, that's real safe. no back-door access there
That's one of the clues that might point to an NSL. "Hey, why not use this proprietary software which almost certainly has a back-door in it. IT'S DEFINITELY MORE SECURE THAN THIS ONE. Nudge nudge, wink wink, say no more."

There's a tactic which relies on a loophole in the law: post a message saying "WE HAVE NOT BEEN SUBJECT TO A NATIONAL SECURITY LETTER." If you get an NSL, take the message down. Technically you're not breaching the gag order: you haven't told anyone you've received an NSL. 'Course, it's not something I'd fancy trying myself - reckon a judge would probably find you've broken the spirit of the law, even if you've abided by its precise wording...
Umbra 29th May 2014, 12:21
It must be very hard to stand up against the likes of the NSA if they have made a multi-pronged attack on you. If the developers have discovered an existing back door, inserted into the code by a government agent pretending to be a valued contributor, and the project has been hijacked, and finally they received an NSL, that's a lot to deal with. I'm only surprised it has not happened before; or maybe they ignored previous threats and this time the NSA have ramped up the pressure, and, as you say, the law would inevitably come down against you.
RTT 29th May 2014, 18:33
Quote:
Originally Posted by Gareth Halfacree
That's one of the clues that might point to an NSL. "Hey, why not use this proprietary software which almost certainly has a back-door in it. IT'S DEFINITELY MORE SECURE THAN THIS ONE. Nudge nudge, wink wink, say no more."

There's a tactic which relies on a loophole in the law: post a message saying "WE HAVE NOT BEEN SUBJECT TO A NATIONAL SECURITY LETTER." If you get an NSL, take the message down. Technically you're not breaching the gag order: you haven't told anyone you've received an NSL. 'Course, it's not something I'd fancy trying myself - reckon a judge would probably find you've broken the spirit of the law, even if you've abided by its precise wording...

Indeed, basically this. Those were my first thoughts too. :(
forum_user 30th May 2014, 06:19
It's ironic that an agency expected to provide people with security and safety is rendering the IT world insecure and unsafe.
Corky42 30th May 2014, 08:29
I'm not so sure about some secret government agency forcing them to shut up shop, it's not like someone couldn't fork TrueCrypt like these guys in Sweden.

TBH I just think the TrueCrypt guys got fed up with it after 10 years and decided to call it a day.

EDIT: Not sure how much to trust the source of the following...

And then the TrueCrypt developers were heard from!
https://www.grc.com/misc/truecrypt/truecrypt.htm
Quote:
Steven Barnhart (@stevebarnhart) wrote to an email address he had used before and received several replies from “David.” The following snippets were taken from a Twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
Steven Barnhart: (Paraphrasing) Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
TrueCrypt Developer “David”: Said “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
Quoting TrueCrypt Developer David: “There is no longer interest.”
brave758 31st May 2014, 04:24
Tinfoil hat at the ready
Umbra 31st May 2014, 12:37
Time to panic?

No. The TrueCrypt development team's deliberately alarming and unexpected “goodbye and you'd better stop using TrueCrypt” posting stating that TrueCrypt is suddenly insecure (for no stated reason) appears only to mean that if any problems were to be subsequently found, they would no longer be fixed by the original TrueCrypt developer team . . . much like Windows XP after May of 2014. In other words, we're on our own.

But that's okay, since we now know that TrueCrypt is regarded as important enough (see tweets above from the Open Crypto Audit and Linux Foundation projects) to be kept alive by the Internet community as a whole.

So, thanks guys . . . we'll take it from here.


The original devs may not like it but it looks like the code will be forked, the current licensing restrictions removed, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won't allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.

There will be continuity . . . as an interesting new chapter of Internet lore is born.