Did TrueCrypt call it quits?

With TrueCrypt being open source, and it being a piece of software for data security, there is usually going to be a compromise. It may have been compromised already and we may just not know about it.

I'm not going to trust something that's open source for data encryption.

The program was open sourced, and used an open type of security. Just because you know what security something uses doesn't mean you can break it.

When you move your mouse around (like the installer tells you to when you create a container) you are creating a random security key. The longer you do it, the more "randomized" it is. So not even TrueCrypt knows what your security key will be.

It being open sourced means nothing for the security.

The beauty in open source is that it can be scrutinized for flaws.

I know how a door lock works mechanically, and this may give me clues on how to pick the lock. It's the complexity of the key that keeps the door secure.
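A sketch of the entropy-gathering idea described above, added here as an illustration; it is not TrueCrypt's own code and not code posted in this thread. Pointer samples are folded into a hash pool, each sample is credited a deliberately pessimistic number of bits, and a key is only derived once enough has been collected. The simulated pointer trace, the credit per sample (`BITS_PER_SAMPLE`), the pool layout and the final derivation step are all constructed assumptions for the example.

```python
import hashlib
import struct
from typing import Iterable, List, Tuple

# A sample is (x, y, timestamp_ns): pointer position plus when it was seen.
# The timing jitter carries most of the unpredictability, not the coordinates.
Sample = Tuple[int, int, int]

# Pessimistic credit per sample (an assumption for this illustration, not a
# measured figure): one pointer event is worth far less than its raw bit width.
BITS_PER_SAMPLE = 2
TARGET_BITS = 256  # a 256-bit key should be backed by at least this much credit


def mix_sample(pool: bytes, sample: Sample) -> bytes:
    """Fold one pointer event into the pool with a one-way hash."""
    x, y, t_ns = sample
    return hashlib.sha256(pool + struct.pack("<qqq", x, y, t_ns)).digest()


def collect(samples: Iterable[Sample]) -> Tuple[bytes, int]:
    """Run every sample through the pool; return (pool state, credited bits)."""
    pool = b"\x00" * 32
    credited = 0
    for s in samples:
        pool = mix_sample(pool, s)
        credited += BITS_PER_SAMPLE
    return pool, credited


def derive_key(samples: Iterable[Sample]) -> bytes:
    """Derive a 256-bit key, refusing if the pool was not fed long enough."""
    pool, credited = collect(samples)
    if credited < TARGET_BITS:
        raise ValueError(
            f"only {credited} bits credited, need {TARGET_BITS}: keep moving the mouse"
        )
    # Hash once more under a domain label so the raw pool state never leaves.
    return hashlib.sha256(b"key-derivation|" + pool).digest()


def simulated_movement(n: int, seed: int) -> List[Sample]:
    """Constructed, fully deterministic pointer trace for offline testing.

    It exists only so the example runs without a GUI; it is NOT a source of
    entropy and must never be used to derive a real key.
    """
    samples: List[Sample] = []
    x, y, t = 100, 100, 1_700_000_000_000_000_000
    for i in range(n):
        x += ((seed * 7 + i * 13) % 11) - 5
        y += ((seed * 3 + i * 17) % 9) - 4
        t += 8_000_000 + ((seed + i * 31) % 5_000_000)  # ~8-13 ms apart
        samples.append((x, y, t))
    return samples


if __name__ == "__main__":
    try:
        derive_key(simulated_movement(10, seed=1))
    except ValueError as err:
        print("short trace rejected:", err)
    key = derive_key(simulated_movement(200, seed=1))
    print("key from long trace:", key.hex())
```

The point the post makes is visible in the `credited` counter: the tool never knows the key in advance because the key is a function of the events it is fed, and a longer trace is the only way to raise the credit past the threshold. Real implementations also mix in other event sources and use a proper extractor rather than a bare hash chain; this block shows only the shape of the idea.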

Open Source Crypto like TrueCrypt is the ONLY way to know whether or not your data is safe. Anything else is just full of unknowns whether it's backdoors or weak crypto that can be exploited. I wouldn't trust my data with anything else. That isn't a matter of opinion, it's factual. Just because you know how something works doesn't mean it's insecure. In fact that makes it more secure. Ignorance is not bliss...


I read the paper on the luks audit; seemed like it was solid. Keep an eye on the Bruce Schneier blog as he'll have some solid insight. Of course, this is so obscure that there is probably some state-sponsored misinformation around how secure or not secure various things are. Let's not forget most of Tor's funding comes from the US Gov, for example.


Hate to throw oil on an already blazing fire, but the problem is more than clear just by the simple fact that they tell people to migrate to BitLocker, which is not open source and therefore certainly not secure (nothing Microsoft is, you can be damn sure of that if you know legalese and read the transcripts of the Microsoft security hearings in the EU Parliament, and the existence of the NSA backdoors in Windows has been positively proven a long time ago).

Another point that I've already mentioned on the forum a long time ago, is that TrueCrypt was always a mess. That's partly why RealCrypt was preferred in linux and not TrueCrypt.

In fact, RealCrypt is not really used either; LUKS is used, but not with the standard encryption system, because that has been proven insecure also.

It's an arms race, the world against the fascist US corporate elite and its lapdog government.

In the meantime, things to avoid: UEFI systems, CAs (use DANE!), all Intel hardware and AMD hardware made in the New York fab, IBM hardware (China unveiled probable security backdoors in IBM server hardware last week), MS-Windows (China has outlawed Windows for government use because of the backdoors; Germany has outlawed Windows for government use because the security "cannot be proven", but hasn't yet enforced the ban), any closed source software made by US companies, US phones with locked firmware, routers and telecom hardware by US companies, services on US servers, communications through US-owned service providers, etc, etc.

For encryption of data, a good solution is to use Samsung SSDs bought outside of the US, and to use them with native hardware encryption coupled to a fully flashed open source BIOS.

Please don't think this. From a code perspective, it's easy to think this way. From a purely mathematical standpoint, this is not the case.

The math behind an algorithm like AES 256 is like a beautiful symphony, where you can hear the individual instruments working together; the smell of the wood and vibration as the sound reverberates. The program, as derived from the math, should be open. It makes it verifiable. Theoretically it also makes audits like these possible. Closed source software can be like a trojan horse -- it comes down to whether you trust the authors. With open source, and especially encryption, there need not be only trust. There can be verification. Because the math-to-software translation is imperfect, it's possible to have a perfect symphony on paper, but listening to it, if a single member of the orchestra misses notes, it can ruin the whole thing.

The math that powers this type of thing is astonishing and beautiful. It's juxtaposed simplistic harmonies and fractal complexities that unfurl into something so organic and overwhelming that when you just see the equation you can not only see it, but you can hear and taste and smell it in your mind.

There is a second, lesser, reason it's important. If you're really paranoid, you can also slightly modify and build your own special version as well, which is likely to wreck many classes of exploits that may be present (intentionally or not) in the code. Also, on an active project, there could be many forks and derivatives. In a healthy ecosystem of forks and derivatives, one could mix and match pieces and add features. This not only provides more versions of programs to protect against exploits (consider that not all OpenSSL was vulnerable to Heartbleed, for example, because there are 50 versions) but it also keeps us sharp and makes sure we have better tools than rocks and sticks for working on these types of problems.

Were encryption all closed source, we would have little more advanced tools than rocks and sticks for building tools to maintain privacy.



The BitLocker comment could be a nod to the reason that it is insecure, though. Anyone with half a brain would know not to use something so closed off and Microsoft-based.

I can see it as a nod to most of the people who are heavy users of encryption, but TrueCrypt was becoming relatively mainstream.

Normal, non-sophisticated/non-technical people like me were starting to look at using TrueCrypt for their personal and sensitive business documents and such. Right now I just use the normal AES 256 encryption that comes with my external hard drive. Would love to have a non-proprietary alternative.

I think this news is a big blow to privacy and personal encryption for normal people.

Yeah, well, the BitLocker thing is related to the fact that development was stopped after WinXP was retired, and they refer people to "encryption compatible with their platform", and as they are referring to Windows XP, they mention how to migrate to BitLocker on Windows. I think it's an act of civil disobedience without being disobedient.

We know how US-based RPM distros were forced under the Patriot Act, and that we can't use the non-hashing Debian repos on US-controlled servers. I'm curious when US-based Debian devs are going to get their house foreclosed suddenly, their tyres slashed, brake line cut, children inexplicably expelled from school, etc...

The whole thing is going waaaaay too far.

Is it possible MS acquired TrueCrypt devs... Mark Russinovich style?

There was something about this in the news a few years ago about TrueCrypt being not secure.

Source?

There has always been speculation about TrueCrypt: http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/

Ya that's what I was trying to get across, they just can't get it working for Windows 8.

lavabitten

Old article is old. Did you see the prelim. findings of the Kickstarter audit? (clean) And the audit team has said they are just as surprised by this as we are.


"We know how US-based RPM distros were forced under the Patriot Act, and that we can't use the non-hashing Debian repos on US-controlled servers. I'm curious when US-based Debian devs are going to get their house foreclosed suddenly, their tyres slashed, brake line cut, children inexplicably expelled from school, etc..."

Whoa, what? I hadn't heard about the RPM distros. I gotta agree though, our government is doing everything they can to get rid of us being able to have a semblance of privacy. Can't say it'll be too long before they go after the devs, maybe 4 years or so tops.

WHAT?!

I was just pointing out there has been wild speculation about them all along. I really sincerely hope it's not a case of the government suppressing technologies.