
The Sudden Policy Change In Truecrypt Explained

timothy posted about 5 months ago | from the maybe-your-canary-needs-a-canary dept.

Encryption 475

X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?


people ruin everything (0)

Anonymous Coward | about 5 months ago | (#47142453)

If you want a project to survive, don't share it with people. People are scum, pure and simple.

Re: people ruin everything (2, Informative)

Anonymous Coward | about 5 months ago | (#47142577)

https://t.co/x1H2T6UtEv

Re: people ruin everything (5, Interesting)

Noah Haders (3621429) | about 5 months ago | (#47142701)

This is actually a link to an interesting article, not goatse. It's an editorial about how the most recent full version of TrueCrypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.

Still doesn't answer the question of whether it's like LavaBit. TrueCrypt may be just as secure as it was last week, but maybe it's also been owned by the NSA from day one.

Re: people ruin everything (0)

Anonymous Coward | about 5 months ago | (#47142783)

That doesn't make sense. TrueCrypt has been open source, and I've been looking at it for a long, long time.

Just Google for Truecrypt Source 7.1a before the NSA whack it off Google. Also, remember to periodically download versions of software such as Tor and other related utilities. Maintain a radio transmitter as well. It may actually help during the day of the apocalypse.

Re: people ruin everything (5, Informative)

Anonymous Coward | about 5 months ago | (#47143017)

Link [grc.com] because why in the world do people use URL shorteners?

Re:people ruin everything (2)

MrL0G1C (867445) | about 5 months ago | (#47142771)

You are so gonna get Dementia [slashdot.org]

Re:people ruin everything (1)

hackus (159037) | about 5 months ago | (#47142899)

I would rather get dementia than tell lies and live like it is OK with what's going on in this country.

Re: people ruin everything (-1)

Anonymous Coward | about 5 months ago | (#47142981)

By the sound of it, you're already halfway there. Keep up the good work kiddo, fighting that "good fight" that only exists in your head. There's a difference between recording all communications and actually LISTENING to all of them; the latter would be practically impossible due to sheer volume. So things are sifted out by key words, phrases, vocal characteristics...that profile photo you uploaded to Facebook.

Your arrogance is your assumption that you have anything to say worth recording, let alone even listening to you. What makes your personal life so relevant? You think you're being targeted because you speak out on...Slashdot? The NSA doesn't have the resources to personally monitor every paranoid schizophrenic in the world, even if they wanted to. That's why you see them out wandering the streets, whereas anyone who actually poses a threat is either at large...or housed in some cozy CIA black site. The government doesn't care about the mentally ill like yourself, they care about financial and military strategic advantage. You are not relevant to either.

Sometimes I think Americans enjoy being spied upon. God's not watching, but at least someone is. That gives them someone to blame for their troubles besides themselves.

Re:people ruin everything (0)

Anonymous Coward | about 5 months ago | (#47142997)

Pfft like I believe that.

Re:people ruin everything (5, Insightful)

tmosley (996283) | about 5 months ago | (#47142821)

No, I think people are fine. It's governments and their poorly organized systems that cause things like this. Suggest you read "The Lucifer Effect". It's not just about prison guards. That same mentality has infiltrated the NSA and most other government offices.

That's not proof! (5, Insightful)

Threni (635302) | about 5 months ago | (#47142457)

You're taking twitter posts too seriously. That's just speculation based on what appeared on their site the other day, followed by:

"Alyssa Rowan @AlyssaRowan
@munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"

Sorry, who the fuck are you?

Re:That's not proof! (1, Interesting)

mmell (832646) | about 5 months ago | (#47142493)

Wow, they implemented the canary on their website? That by itself is major league cool!

I am however very sorry to hear that TrueCrypt may be going away. I personally use LUKS (being a Linux user), but this is still bad news for end users in the computing community.

Re:That's not proof! (1)

arglebargle_xiv (2212710) | about 5 months ago | (#47142545)

"Alyssa Rowan @AlyssaRowan @munin @0xabad1dea @puellavulnerata I can confirm presence of TrueCrypt duress canary as per 2004 conversation"

Sorry, who the fuck are you?

If it's the real Alyssa Rowan tweeting that then it's a pretty reliable source.

Re:That's not proof! (1)

jbmartin6 (1232050) | about 5 months ago | (#47142657)

Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

Re:That's not proof! (5, Interesting)

arglebargle_xiv (2212710) | about 5 months ago | (#47142777)

Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

It's someone who has been active in the crypto/security community for a while now. Personal details are pretty scarce (i.e. it could be a front for the NSA for all anyone knows), but the persona has been active in crypto. If you want something to Google on try "alyssa rowan cryptography".

The explanation. (-1)

Anonymous Coward | about 5 months ago | (#47142967)

it could be a front for the NSA for all anyone knows

Or, it could be an NSA front, pretending to be a legitimate crypto developer, pretending to be an NSA front.

But, if the legitimate crypto developer would only outsmart the NSA by claiming to be a legitimate dev pretending to be a front for the NSA pretending to be a legitimate dev, then the NSA would probably ignore him/her in a complete bureaucratic fuck up.

Unless, that's what they want us to believe.

Then again, it may actually be the Illuminati pretending to be CIA operatives acting like NSA people.

See?

But we all know, that there is a rogue element in the Mormon church pretending to be Catholic Cardinals pretending to be CIA operatives in the NSA.

Of course, let's not forget Costco's part in all this - obviously!

Shit, where did I put my pills? I gotta go....

Re:That's not proof! (1)

rogoshen1 (2922505) | about 5 months ago | (#47142785)

clearly the name is an anagram that you aren't Robert Langdon enough to suss out.

Re:That's not proof! (0)

Anonymous Coward | about 5 months ago | (#47142961)

Anal Was Rosy.

TC developer used hidden message!!! (4, Interesting)

Anonymous Coward | about 5 months ago | (#47142617)

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

Re:TC developer used hidden message!!! (2)

ysth (1368415) | about 5 months ago | (#47142731)

Yes, it seems pretty clear to me that this is a warrant canary.

It may still be that they triggered it (or let it self-trigger via inaction) out of lack of desire to continue the project.

In any case, the presumed goal of the canary - making sure that no one trusts any future TrueCrypt version released via the normal channel - has certainly been successful.

TC developer used hidden message!!! (5, Funny)

Anonymous Coward | about 5 months ago | (#47142803)

Haha. Frankly, usable crypto kits need security audits.

Nonsense (-1)

Anonymous Coward | about 5 months ago | (#47142465)

This is a load of nonsense. Can an NSL force injection of backdoors into software? No!

The TC devs hold no keys, nothing to seize/request.

Who exactly is Alyssa Rowan? Other than sporadic contributions to an open IETF RG I can see no reputation.

Re:Nonsense (0, Insightful)

Anonymous Coward | about 5 months ago | (#47142497)

Who the fuck are you, anon? If reputation is important to you, where's your fucking reputation?

Re:Nonsense (1)

Anonymous Coward | about 5 months ago | (#47142509)

He is not making extraordinary claims, so reputation is irrelevant.

Re:Nonsense (-1)

Anonymous Coward | about 5 months ago | (#47142527)

reputation is irrelevant.

LOL, fucker.

Re:Nonsense (0)

Anonymous Coward | about 5 months ago | (#47142553)

That neuron must be feeling lonely by now, doesn't it?

Re:Nonsense (0)

Anonymous Coward | about 5 months ago | (#47142579)

Nope, it's loaded with neurotransmitters, oh yeah.

Re:Nonsense (1)

PPH (736903) | about 5 months ago | (#47142621)

Back door != Keys

The TC devs hold no keys, but could conceivably build a back door into future versions. Or perhaps there already is one, or a weakness overlooked. It's also possible that the NSA has known about the TC devs for some time, has possibly been leaning on one or more of them and this has only recently become evident to the entire team.

Re:Nonsense (0)

Anonymous Coward | about 5 months ago | (#47142919)

Not likely. The NSA has tried and failed to break into truecrypt volumes in the past. Now, whether or not they were giving it their all is up for speculation, but that was after the 7.1 version was released. So, it's unlikely that there was a backdoor or other weakness at that point.

7.2 is a different matter, that's a much more recent version and it's probably technically possible that it's been compromised.

Re:Nonsense (2)

TechyImmigrant (175943) | about 5 months ago | (#47142953)

The signing keys you dolt.

Without any evidence (0, Insightful)

Anonymous Coward | about 5 months ago | (#47142473)

...isn't the very strange things happening enough proof?

BitLocker (0)

Anonymous Coward | about 5 months ago | (#47142485)

BitLocker? You mean the closed source "encryption" software, made by Microsoft?

Sure, be my guest.

No (0)

Anonymous Coward | about 5 months ago | (#47142489)

It is pretty much agreed that the devs just got tired of doing the work and decided they wanted to get on with their lives and do other things. That has been much more "confirmed" than an NSL...

Speculation (5, Insightful)

borcharc (56372) | about 5 months ago | (#47142491)

There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well have just posted a link to a reddit thread about this.

Re: Speculation (1)

Anonymous Psychopath (18031) | about 5 months ago | (#47142539)

That's probably where they got this anyway.

Re:Speculation (2, Insightful)

Anonymous Coward | about 5 months ago | (#47142541)

Ever since actual news stopped mattering and what everyone cares about is clicks (read as money).

Re:Speculation (5, Insightful)

Anonymous Coward | about 5 months ago | (#47142603)

We do not need concrete information.
When a major encryption project like this closes shop, without any explanation, duress should be assumed.
The current climate requires it.

Re:Speculation (5, Funny)

aaaaaaargh! (1150173) | about 5 months ago | (#47142781)

That's exactly what I thought first. But then it came to my mind that Bitlocker is much more secure than Truecrypt, because it has been developed and carefully audited by a corporation with a proven track record in cyber security. That fact makes it practically 100% certain that the developers of Truecrypt just thought "nah, fuck it, we now have Bitlocker, which uses military-grade encryption against all kinds of criminals and cyber-threats, and there are minor to medium potential problems with our code, so we just throw in the towel and give up all the work on Truecrypt."

That's obvious, right?

Re:Speculation (-1)

Anonymous Coward | about 5 months ago | (#47142993)

That's no reason to spend time gutting the code, releasing an ineffective product, and removing previous working releases. If you're stopping development to save time, you don't spend extra time destroying something that was already established and working. It would have taken less time to simply say the already released 7.1a is the final version. Good bye.

Your theory doesn't hold enough weight to be plausible.

Speculation (3, Insightful)

Anonymous Coward | about 5 months ago | (#47142675)

This is Slashdot. No one cares whether something is true or not as long as it is negative towards the government. Sad really, since it diminishes any sort of real discussion about actual concerns about the government rather than made up fantasy.

Re: Speculation (1)

Anonymous Coward | about 5 months ago | (#47142711)

Exactly. When people get all antsy about this stuff I have to wonder what the fuck they are encrypting to begin with that they feel isn't available already to any agency that wants it. Financial records? The NSA can access those at any time through any number of sources. Secret plans? About what? If you have secret plans that the government should be interested in, then I want them to find out about it - because unless you are planning terrorist activity, there is no reason to fear so much. It's mostly just folks who are paranoid and/or filled with delusions that they have any "secret" information to hide anyway. There is nothing an individual has on their computers that requires such measures, and if you don't want something public, you don't send it out over the Internet period, encrypted or not.

Re: Speculation (3, Insightful)

Anonymous Coward | about 5 months ago | (#47142797)

It's not necessarily the NSA you always want to protect things from. What if your laptop gets stolen, would you want the thieves to be able to look through the contents?

Re: Speculation (1)

Anonymous Coward | about 5 months ago | (#47142907)

I'm comfortable that some random prick pinching my machine from a pub won't be able to access (or even identify) my old TrueCrypt files, thanks. Come to that, since the reason to swipe my machine would be to either use it or sell it, I'm comfortable they wouldn't even bother. Same goes if I had my stuff in FileVault or BitLocker, or anything.

Re: Speculation (0)

Anonymous Coward | about 5 months ago | (#47142873)

We've seen plenty of recent evidence that the government cannot be trusted with this sort of access to private information. Whether it's an individual like Snowden with access to it or a FISA judge who believes he doesn't have adequate visibility to provide the kind of oversight that our existing laws require. Here are a few solid examples to ease your inane sense of wonder:

-political activism
-investigative journalism
-whistleblow collection and planning
-cryptography research
-microbiology research

Re:Speculation (2, Insightful)

jopsen (885607) | about 5 months ago | (#47142741)

There is no concrete information that the NSA or a national security letter was involved.

Before Snowden we used to say the same thing about the NSA messing with encryption standards bodies, or the NSA conducting widespread warrantless surveillance of everybody.

We used to think people weren't subjected to secret trials in the US. That's no longer the case; we now know for a fact that the US doesn't honor basic human rights, not for its citizens or anybody else.

Do we really need more proof? This isn't the worst thing the NSA has attempted yet.

Re:Speculation (0)

AmiMoJo (196126) | about 5 months ago | (#47142895)

To be fair it might not be the NSA, it could be GCHQ or any number of other government agencies. Some people seem to think that the Truecrypt authors are from eastern Europe. Maybe some eastern European government knocked on their door.

The only thing that is really certain is that this appears to be a case of duress.

Re:Speculation (0)

AmiMoJo (196126) | about 5 months ago | (#47142941)

Replying to myself, lame...

Having speculated all that, the fact that U.S. was changed to United States is a pretty big hint. I just hope whoever did it isn't rotting in Guantanamo now, because I doubt that the NSA took kindly to that.

Re:Speculation (0)

Anonymous Coward | about 5 months ago | (#47142787)

There is no concrete information that the NSA or a national security letter was involved. When did we start linking to random blogs for speculation presented as fact? May as well have just posted a link to a reddit thread about this.

Did you forget what site you're on?

Re:Speculation (0, Flamebait)

marcello_dl (667940) | about 5 months ago | (#47142877)

Is it a fact that they said "use bitlocker instead, it's safe"?
If it is, your BS detector should be blaring at full volume.

What you call speculation is only the most obvious explanation. It might not be the correct one, and the bloggers you refer to could all be al qaeda operatives on russian mafia hardware, but it still is the most obvious explanation, with a string of documented precedents. So you should come up with some other interpretation, or your doubt is not very productive, IMHO.

Re:Speculation (0)

Anonymous Coward | about 5 months ago | (#47142947)

What are you doing with your computer that BitLocker doesn't count as safe?

Let's drop the hyperbole -- the NSA don't actually give a shit about your stash of porn, some accounts and a little collection of passwords, and neither does the government. They can get all of that in other ways if they have to, but they actually don't give a shit about you, either. The idea that any of us are protecting things from the governments of this world is laughable. At best we're deluding ourselves of our importance, and at worst we're deluding ourselves that any information we lock away isn't available elsewhere for the expenditure of a lot less effort than cracking a file on someone's computer.

This caveat does not include journalists who are lucky enough to get a sudden massive scoop but there are very, very few of those even in relation to the number of journalists in the world, let alone everyone else -- and I doubt you're one of them.

So let us conclude that nothing you have on your computer is of importance to your government, or that if any of it somehow was, they could get it elsewhere. So why else are we encrypting things on our machines -- as I am myself with TrueCrypt 7.1a? Simple: other people. And I have no doubt that those people would struggle to get into a TrueCrypt file, or even identify it, if they got onto my machine, be there backdoors or not. Almost anyone using this computer will have stolen it to sell it on or, in an extreme, use it themselves. Sure, they'd be happy to rip out credit card information and sell it off but none of it is in the clear, and I think the chances of someone stealing my machine *and* caring to look for credit card numbers *and* having the ability to identify my TrueCrypt files *and* to be able to hack them are so near to zero that I don't care.

Thing is, exactly the same would be true if I were using FileVault (or, on my Windows machine, BitLocker. The kicker there is that since my Windows machine runs Vista I can't use BitLocker. Thanks, Microsoft, you fucking pricks.) Governments could still get onto my drives, practically no-one else would bother unless the security hole was so gaping that it was widely known how to access it, but not widely known enough that neither I nor Apple/Microsoft had patched against it.

Re:Speculation (0)

Anonymous Coward | about 5 months ago | (#47142889)

There is no concrete information that the NSA or a national security letter was involved.

Even if it was concrete information, an NSL "ordering" the implanting of a backdoor is implausible, as it's obviously an unlawful order, and the right response is for the developers to publish and simply avail themselves of their 1st amendment rights, including whistleblower protections.

tc-play is a reimplementation of Truecrypt (5, Informative)

Anonymous Coward | about 5 months ago | (#47142529)

FYI Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. So there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play

Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.

Re:tc-play is a reimplementation of Truecrypt (4, Informative)

ysth (1368415) | about 5 months ago | (#47142653)

You are behind the times.

The binary build was duplicated from the source.
The source has been audited.

Re:tc-play is a reimplementation of Truecrypt (4, Insightful)

davydagger (2566757) | about 5 months ago | (#47142909)

There is actually a code audit underway, and so far they've found nothing.

the concept of anonymity means nothing, because we live in an age where reputation can be bought.

all that matters is if the source code can be inspected, and if the source code matches the binaries.

who actually makes it does not matter as long as it's audited properly.

stop with the FUD.

Who to believe? (1)

Anonymous Coward | about 5 months ago | (#47142551)

There is also "confirmation" that the developers are simply tired of the project and don't want anyone else to work on it:
https://www.grc.com/misc/truecrypt/truecrypt.htm
Who do we believe?

What else? (1)

NotInHere (3654617) | about 5 months ago | (#47142563)

It has to be an NSL. What should be the other explanation? The truecrypt accounts hacked? I don't think so.
However, it is too early for a story "The Sudden Policy Change In Truecrypt Explained". There is no proof of this speculation yet.

Re:What else? (5, Informative)

rahvin112 (446269) | about 5 months ago | (#47142841)

The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.

Re:What else? (0)

Anonymous Coward | about 5 months ago | (#47142885)

On the other hand, what would an NSL do? A lot of Americans are pissed and awake due to Snowden. Seeing TrueCrypt being taken down by an NSL just means that TrueCrypt goes from the average 4chan guy stashing his brony picture collection, to the average person seeing that "hmm, TC is so good the gub'mint shut it down", and starts using a previous version.

Of course, it means that TrueCrypt code ends up moving offshore. If the bad guys know that it is good enough to be shut down, then someone in Elbonia will copy the source code and work on it, well out of reach of the US government. Even China would gain propaganda abilities by making this (and not having it available to their citizens.)

Don't forget the more pedestrian cause. SecurStar took the E4M devs (the guys who made the base code for TC), demanded they cease work on E4M, and has alleged on other forums IP violations. It could be that SecurStar managed to get their way and get the TC project shut down. All it would take is a DMCA takedown notice. I have not had good experiences with SecurStar in the past. For example, their (IMHO) Draconian license manager. (in my experience, reinstalling a system without de-registering the key usually means a support call, or just re-buying the product.)

It is all pretty obvious (2, Interesting)

hsmith (818216) | about 5 months ago | (#47142569)

U.S. changed to "United States" - "use bitlocker," "use any crypto package in Linux," when setting up an OS X disk image no encryption...

The message is clear what happened.

The FBI is mostly entirely comprised of Mormons (-1)

Anonymous Coward | about 5 months ago | (#47142571)

I bet you didn't know that did you?

Re:The FBI is mostly entirely comprised of Mormons (0)

Anonymous Coward | about 5 months ago | (#47142591)

Because that is a lie.

Re:The FBI is mostly entirely comprised of Mormons (1)

wordsnyc (956034) | about 5 months ago | (#47142663)

Yeah, absurdly non-true today. OTOH, Hoover did prefer Mormons in his inner circle, and the FBI agents I had occasion to meet in the 60s & 70s definitely came across as uptight and straitlaced Mormon types. Fun Fact: in the 60s, FBI agents helpfully drove AMC/Rambler sedans as undercover cars and used sturdy but crappy Beseler Topcon 35 mm cameras.

No Way (-1)

Anonymous Coward | about 5 months ago | (#47142583)

PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?

No way. MS is about as anti-encryption, anti-privacy as you can get. http://yro.slashdot.org/story/13/07/11/2041244/ms-handed-nsa-access-to-encrypted-chat-email

Bottom Line (1, Insightful)

msobkow (48369) | about 5 months ago | (#47142595)

The bottom line is that TrueCrypt was too good for "the man" to tolerate.

You will be spied upon.

You will be surveilled.

You will be monitored.

Refusing to let the government rape your data is going to be called "terrorism", and leave you locked up.

Sickening, isn't it? George Orwell was only wrong about the year...

Re:Bottom Line (0)

Anonymous Coward | about 5 months ago | (#47142725)

Either that or it was developed by the Chinese government as a spy tool, and "the man" was just shutting them down.

Re:Bottom Line (0)

Anonymous Coward | about 5 months ago | (#47142791)

The article was bad enough, but this comment is insightful? It's just some 8th grader spouting random cliches he doesn't really understand.

Re:Bottom Line (0)

Anonymous Coward | about 5 months ago | (#47142867)

Agree.

I was actually shocked, after reading the entire comment, to see that there wasn't any l33t spelling or poor grammar in it anywhere. I would expect someone like that to be "hax0ring teh gibson" every chance he got and be incapable of a coherent post.

Of course, he could have just copied/pasted it from somewhere...

Re:Bottom Line (0)

Anonymous Coward | about 5 months ago | (#47142989)

Welcome to Slashdot :(

still speculation (4, Informative)

tero (39203) | about 5 months ago | (#47142619)

According to this page - someone e-mailed a dev contact and claims they called it quits due to lack of interest

https://www.grc.com/misc/truec... [grc.com]

(Scroll to the bottom, the green box).

The only real "confirmation" we have is the info on the TrueCrypt page. It's over (no matter what the reason is), best to move on.

Re:still speculation (2, Funny)

MouseTheLuckyDog (2752443) | about 5 months ago | (#47142683)

Right, because everything that Steve Gibson does is completely accurate. Right?

Re:still speculation (1)

tero (39203) | about 5 months ago | (#47142915)

It's just his page, read the actual quote I referenced, it's nothing to do with Steve Gibson - he is just quoting two people on twitter.

Bottom line - we have no evidence of warrant canary or "dev rage quit".

Also: https://twitter.com/0xabad1dea... [twitter.com]

Personally I'm more inclined to believe the devs calling it than any NSA scheme, but again.

No. Evidence.

Re:still speculation (1)

nurb432 (527695) | about 5 months ago | (#47142691)

I tend to agree, we will never really know why. Even if someone comes up and clearly says 'hey I was with the team and we did it due to xyz', since the team was anonymous how can you be sure he's with the team, and even if he was, that he's telling the truth?

No matter what the reason, or even if there is a legit reason, the game is over and it really doesn't matter why, other than curiosity. The code (or group) can no longer be trusted, and who knows how far back this breach goes.

Time to move on to something else and not look back. And do it *today*.

Re:still speculation (1)

AmiMoJo (196126) | about 5 months ago | (#47142991)

Problem is that there's nothing else for Windows. BitLocker can't be trusted, FreeOTFE is dead too... All we can do is hope that the last good version of TrueCrypt remains secure for a long time yet, or that someone forks it.

The project needs to be given away... (1)

Karmashock (2415832) | about 5 months ago | (#47142633)

Literally give the source code and rights to continue development to anyone and everyone.

A new project will pick it up and continue development without breaking the law. And at that point it's unlikely the NSA will be able to do anything to it.

The project needs to be given away... (0)

Anonymous Coward | about 5 months ago | (#47142727)

Maybe the NS Letter already prohibits what you envision.

Re:The project needs to be given away... (1)

Karmashock (2415832) | about 5 months ago | (#47142859)

I don't see how it could... and even if it did... just leak it.

Re:The project needs to be given away... (0)

Anonymous Coward | about 5 months ago | (#47142861)

Maybe someone's computer should get "hacked" and source stolen and distributed on the net.

I Voted This Submission Down (5, Interesting)

NotSanguine (1917456) | about 5 months ago | (#47142641)

No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.

Some semi-random tweeter is reposted on some random blog? I don't think so.

It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?

Re:I Voted This Submission Down (0)

Anonymous Coward | about 5 months ago | (#47142839)

The reference to a "canary" is suspect, as it isn't discussed what that canary was.

The canary is the fact that the "explanation" of the EOL of XP is inconsistent with the stated goals and roadmap for the product as of recently.

If they'd wanted people to believe they'd gotten tired of the product, they'd have said "We're tired of working on this, we've changed our licensing terms, and releasing the code to everyone for future development."

If you can't say why you're taking the product down, you have two alternatives: either say nothing, fueling suspicion, or lie so poorly that everyone's suspicions are raised even higher.

The government can compel you to neither confirm nor deny any secret orders from any secret courts. (This also ought to be intolerable in a free society, but we're well past that tipping point.) What it cannot do is require that you be a sufficiently good liar that anyone believes your explanation. They can't charge you for not mentioning the secret court's secret letter because to do so would expose said letter's existence, which is precisely what the government wants hidden in the first place. Warrant canaries are a legal catch-22 of the government's own making.

Re:I Voted This Submission Down (3, Insightful)

NotSanguine (1917456) | about 5 months ago | (#47142925)

The reference to a "canary" is suspect, as it isn't discussed what that canary was.

The canary is the fact that the "explanation" of the EOL of XP is inconsistent with the stated goals and roadmap for the product as of recently.

If they'd wanted people to believe they'd gotten tired of the product, they'd have said "We're tired of working on this, we've changed our licensing terms, and are releasing the code to everyone for future development."

If you can't say why you're taking the product down, you have two alternatives: either say nothing, fueling suspicion, or lie so poorly that everyone's suspicions are raised even higher.

The government can compel you to neither confirm nor deny any secret orders from any secret courts. (This also ought to be intolerable in a free society, but we're well past that tipping point.) What it cannot do is require that you be a sufficiently good liar that anyone believes your explanation. They can't charge you for not mentioning the secret court's secret letter because to do so would expose said letter's existence, which is precisely what the government wants hidden in the first place. Warrant canaries are a legal catch-22 of the government's own making.

Yes, it's suspicious. Yes, the suggestions make little or no sense to anyone with technical knowledge.

As I said, the report might be accurate.

However, extraordinary claims require extraordinary evidence. I see no evidence. At all. It's all supposition and guesswork. Present me with actual evidence, and I can be convinced. Until then, it's all noise and hand waving, IMHO.

Seems the answer is self evident (0)

Anonymous Coward | about 5 months ago | (#47142647)

Go with BL. What have you got to lose? Information, yours included, wants to be FREE! Set it FREE!

AC in last thread mentioned a warrant canary (5, Informative)

Anonymous Coward | about 5 months ago | (#47142649)

An anonymous coward in the last thread said that a known warrant canary was seen:

http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051

It has to be true! (1)

MouseTheLuckyDog (2752443) | about 5 months ago | (#47142699)

Not only has this mercurial and virtually unknown Alyssa Rowan spotted a canary, but so has PeeWee Herman! He just tweeted.

Re:It has to be true! (0)

Anonymous Coward | about 5 months ago | (#47142761)

Courtney Love confirms.

Doesn't add up (0)

Anonymous Coward | about 5 months ago | (#47142703)

Truecrypt.sourceforge.net doesn't host confidential data. Therefore receipt of a letter from the government seems not only irrelevant but implausible. On the other hand, if the site or source were hacked, that would be cause for posting an explicit notice--with no need for a canary system.

If It Is Private, Keep It Private (2, Insightful)

DERoss (1919496) | about 5 months ago | (#47142733)

I never use cloud resources. Too many users have been severely inconvenienced if not outright burned by cloud services that have been hacked, suppressed by some government, gone out of business, or gone down for several hours. I keep all my data where I can access it, either on my PC or on a removable hard drive that I store remotely from my PC but easily reached.

I encrypt my most sensitive data. No, I do not rely on some corporation's declaration: "Trust us. We are good. We will protect you." Instead, I use an OpenPGP application that has been reviewed by outside experts and that I have installed on my PC. The data on my removable hard drive are encrypted. Some of my PC files are also encrypted. My pass-phrase, without which my private key is useless for decryption, exists only in my head and in an envelope in my safe deposit box at a bank. My private key is on my PC in a non-standard location. If somehow someone else were to access my private key, I have a much greater problem than the compromise of my sensitive data.

See my http://www.rossde.com/PGP

Re:If It Is Private, Keep It Private (0)

Anonymous Coward | about 5 months ago | (#47142773)

Therapy would be a hell of a lot less complicated.

Re:If It Is Private, Keep It Private (0)

Anonymous Coward | about 5 months ago | (#47142921)

> burned by cloud services

This! Last week I had a Debian upgrade fail on my vm at DreamHost. When I contacted support, they erased all of my files. I guess that's the punishment I get for expecting to be able to login to my own damn server. I should have been suspicious when adding new users to the vm took over two weeks. They aren't competent enough to automate even simple tasks like adding users.

Ars Scholae Palatinae (5, Informative)

westlake (615356) | about 5 months ago | (#47142757)

There is nothing I think worth adding to "Marlor's" post to Ars:

I can't comprehend the conspiracy theories flying around about this.

[TrueCrypt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.

The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).

If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.

Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.

If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.

"Don't use this anymore. It's not maintained, and should therefore be considered insecure".

Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"

''TrueCrypt is not secure,'' official SourceForge page abruptly warns (arstechnica.com)

[Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]

COUNTERMEASURE (1)

Anonymous Coward | about 5 months ago | (#47142819)

Take

1.) small Atmel/ATMega CPU
2.) LCD display
3.) a small keyboard (26 keys suffice) suitable for said CPU
4.) three 1.2V rechargeable batteries
5.) symmetric Cipher of your choice that fits into 4K of RAM. E.g. 3DES, GOST,...

Then implement
A) ENIGMA/SIGABA-style cipher machine on said hardware using said ciphers
B) Publish pcbs and source code via strongly anon means, sign using gpg if needed.

This machine can be used via ANY crap comms channel from NSAbook to NSAdroid phones. Or POTS, CB radio, shortwave links. Machine should in later releases not be bigger than a cigarette box. Carry it everywhere.

Truecrypt guys actually can receive NSA letters? (0)

Anonymous Coward | about 5 months ago | (#47142825)

I thought that you need to be a USA citizen with a business. And IIRC the truecrypt guys are very secretive about their identities, so much that in the past people have speculated about who they actually are (kind of like with satoshi from bitcoin). Isn't it jumping too far from "random unknown people on the internet" to "USA citizens known by the NSA?" just to justify the recent website changes?

Re:Truecrypt guys actually can receive NSA letters (0)

Anonymous Coward | about 5 months ago | (#47142853)

There's no real anonymity on the internet. If they operate their own website for downloads, then the authorities just go after their host and registrar to find out who they are. If they instead use something like GitHub, they just go after GitHub.

Who knows. Maybe the leader of the project, whoever he or she may be, was from the US, and that's why an NSL was able to shut them down.

Any *good* recommendations? (1)

Anonymous Coward | about 5 months ago | (#47142833)

DiskCryptor seems fine, but doesn't seem like it supports mounting a virtual hard disk (correct me if I'm wrong); only actual full disk encryption.

More speculation (3, Interesting)

Lost Race (681080) | about 5 months ago | (#47142881)

There's nothing in TFA that hasn't been speculated in great detail already.

No explanation totally makes sense. Here's my working model of what happened (all speculation of course):

The project has been gradually disintegrating over the last few years -- developers leaving and not being replaced, remaining developers having less time to spend on the project for whatever reason, and the perceived reward for fixing increasingly difficult bugs is not enough to keep people interested. It's just not fun any more.

The to-do list has some really nasty bugs that are difficult to fix and could potentially compromise all TC containers. The remaining developers in the project have been grinding away at these bugs, but haven't made much progress for reasons outlined above. They realized that the project was going to fizzle out before they got anything fixed. A cursory look at the 7.2 code suggests that they had committed to some major rewriting of the code, and bit off more than they could chew.

At this point, what can they do? Reporting the vulnerabilities would be irresponsible since no fixes are forthcoming. Lives depend on some of the secrets their software keeps. Best to push people gently away from TC until the problems can be fixed, if ever, while keeping the details of the vulnerabilities as secret as possible, and giving people realistic expectations about the future of TC development (i.e. none).

They probably had a plan for creating a migration plan that actually made sense, but ran out of resources before finishing, and decided to go with what they had on hand. At this point they were probably down to one very part-time developer and maybe a few unreliable volunteers. ("Hey Jim, where's that page you were writing about Linux FDE? Jim? Hello? Anybody there?")

There was really no good way forward with the resources remaining, so they did the best they could.

Why didn't they find someone else to take over the project? I guess they tried, but couldn't find anyone in their immediate circle of trust who was willing and able. Perhaps they felt that expanding their circle of trust would jeopardize their anonymity.

On the other hand....

"WARNING: Using TrueCrypt is *not *secure *as ..."

Continued development (1)

ArchieBunker (132337) | about 5 months ago | (#47142923)

If the last current build is secure why should we need continued development? The tool is out there and it works. I don't see that as a problem.

Where is the Kickstarter to re-implement it? (3, Interesting)

swb (14022) | about 5 months ago | (#47142927)

I'm surprised there hasn't been a Kickstarter set up to re-implement TrueCrypt from the ground up.

What would be the dollar cost to hire a team of developers to do it?

Hello (0)

Anonymous Coward | about 5 months ago | (#47142929)

Let me tank you a lot
http://playgame02.blogspot.com

It was a government takeover (0)

jigawatt (1232228) | about 5 months ago | (#47142939)

The new site was clearly designed by the Obamacare people.

So... (1)

ledow (319597) | about 5 months ago | (#47142985)

Ignoring the rumour-based article with zero facts:

What we really need then is a distributed, peer-to-peer, anonymised source-control system.

Publish a hash and that hash corresponds to a certain "official" branch of the code and can't be retracted. Do it right and any fork can publish their hash and maintain their own branch even if the original project goes under. Source-code verification - that's no harder than today, but you could set up code verification of, say, the most popular hash the same way you do TrueCrypt audits.

However, before that, we really need a bunch of people to be pushing out patches to TC and be shown to still be developing it, anonymous or not. I don't particularly care about TC being taken down - to me that just proves its usefulness and effectiveness, if that's true. What I care about is, whether the project died or was taken down, we need people to develop on it - and at least start adding UEFI etc. support.
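The "publish a hash that pins an official branch and can't be retracted" idea in the comment above rests on content addressing: if each commit identifier is a hash over the snapshot, the parent identifier and the message, then one published identifier commits to the whole history behind it, a fork shares the common prefix and then diverges, and anyone holding a copy of the objects can re-verify the chain without trusting the host. The block below is an added example written for this page, not the poster's design and not the object model of any real version control system; the file contents, messages and the tampering scenario are constructed.

```python
"""Content-addressed commit chain (added example; not the poster's design
and not any real VCS). A commit id is the SHA-256 over the snapshot digest,
the parent id and the message, so a single published id pins the entire
history behind it. Forks share the common prefix and diverge. All files,
messages and ids below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digest(files: Dict[str, bytes]) -> str:
    """Digest of a snapshot: sorted, length-prefixed path/blob-hash pairs."""
    h = hashlib.sha256()
    for path in sorted(files):
        name = path.encode()
        h.update(len(name).to_bytes(4, "big") + name + sha256(files[path]).encode())
    return h.hexdigest()


@dataclass(frozen=True)
class Commit:
    tree: str
    parent: Optional[str]
    message: str

    def commit_id(self) -> str:
        # The parent id is part of the hashed payload: that is what chains history.
        payload = f"tree {self.tree}\nparent {self.parent or ''}\n\n{self.message}"
        return sha256(payload.encode())


class Repo:
    """Object store keyed by commit id; anyone holding the objects can re-verify."""

    def __init__(self) -> None:
        self.objects: Dict[str, Commit] = {}

    def commit(self, files: Dict[str, bytes], parent: Optional[str], message: str) -> str:
        c = Commit(tree_digest(files), parent, message)
        cid = c.commit_id()
        self.objects[cid] = c
        return cid

    def verify(self, head: str) -> List[str]:
        """Recompute every id from `head` back to the root; raise on any mismatch."""
        chain: List[str] = []
        cur: Optional[str] = head
        while cur is not None:
            c = self.objects.get(cur)
            if c is None:
                raise ValueError(f"missing object {cur[:12]}")
            if c.commit_id() != cur:
                raise ValueError(f"object {cur[:12]} does not hash to its id")
            chain.append(cur)
            cur = c.parent
        return chain

    def common_ancestor(self, a: str, b: str) -> Optional[str]:
        """First commit shared by both histories (both chains are verified first)."""
        seen = set(self.verify(a))
        return next((cid for cid in self.verify(b) if cid in seen), None)


def tamper_detected(repo: Repo, victim: str, head: str) -> bool:
    """Swap the victim commit's snapshot and check that verifying `head` fails."""
    original = repo.objects[victim]
    repo.objects[victim] = Commit("00" * 32, original.parent, original.message)
    try:
        repo.verify(head)
        return False
    except ValueError:
        return True
    finally:
        repo.objects[victim] = original


def build_demo() -> Tuple[Repo, str, str, str]:
    """Official history root -> v2 and an independent fork off root (constructed)."""
    repo = Repo()
    root = repo.commit({"crypto.c": b"xts mode v1", "README": b"docs"}, None, "initial import")
    official = repo.commit({"crypto.c": b"xts mode v2", "README": b"docs"}, root, "cleanup")
    fork = repo.commit({"crypto.c": b"xts mode v1", "uefi.c": b"boot"}, root, "fork: add UEFI")
    return repo, root, official, fork


if __name__ == "__main__":
    repo, root, official, fork = build_demo()
    print("official pins", len(repo.verify(official)), "commits ending at", root[:12])
    print("fork shares", repo.common_ancestor(official, fork)[:12])
    print("tampering with root detected:", tamper_detected(repo, root, official))
```

What this buys over a plain download page: the published value is a commitment, not a mutable pointer, so a later change to any earlier snapshot changes the head id and fails verification, and a fork can publish its own head without being able to rewrite the shared prefix. What it does not buy is identity: the chain proves integrity and lineage, while the question of who is allowed to publish a head still needs a signature over it.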
