Truecrypt

[jim]

It is, but getting hold of the source code may be tricky now, and this article indicates why that might not be a panacea!

http://www.forbes.com/sites/jameslyn...ud-of-mystery/

That does make sense. I had been wondering why no-one had mentioned forking.

What does surprise me is that the writer seems to be considering the Bitlocker suggestion to be a sensible decision / conclusion to the project - I'd taken it to be sarcastic, bordering on whimsical. Looking at his description of the Linux "guide" (I haven't read it from a primary source but presuming it's true), I'm still inclined to think that.

It smells very strongly of a gagging, to me at least.

[Saracen]

....

It smells very strongly of a gagging, to me at least.

Not just to you. I mean, obviously, I don't know, and it could be something entirely different. But it does smell of either gagging, or legal issues. Or both.

In particular, if it's "not secure", it'd be helpful to know, in broad brush terms at least, HOW it's not secure. Is it actively hosting malware? Unlikely, IMHO. Is it hosting a decryption backdoor, if an "intelligence service", wherever based, chooses to snoop? Have they discovered that encryption believed to be secure, isn't? If so, I can quite understand a court order precluding them from saying so, if the 'crack' is government-based.

I think what makes me most suspicious is the way this has been done, and the absolute radio silence from the team, other than that cryptic site change.

[ed^chigliak]

TC 7.1a archive including source code.
Quoting TrueCrypt Developer David: “There is no longer interest.”
https://www.grc.com/misc/truecrypt/truecrypt.htm

[Agent]

TC 7.1a archive including source code.
Quoting TrueCrypt Developer David: “There is no longer interest.”
https://www.grc.com/misc/truecrypt/truecrypt.htm

Gibson.....While I'm sure the links are okay, I'd ignore everything else on there.

[ed^chigliak]

I suspect the developer was a robot who disassembled himself. Every other theory seems far fetched. I have found No Suitable Alternative to Truecrypt.

[peterb]

I suspect the developer was a robot who disassembled himself. Every other theory seems far fetched. I have found No Suitable Alternative to Truecrypt.

Certainly few free ones - although BeCrypt is OK - but not multi-platform. It could be that the introduction of Bitlocker and other built in encryption systems on other platforms reduced the incentive to continue TrueCrypt development.

Maybe there will be a fork of TrueCrypt. I hope so, but as it is, 7.1a is still available for use.

But I doubt that any publicly available crypto system is totally invulnerable if enough resources are thrown at it. It then becomes a problem (for the attacker) whether the return justifies the deployment of those resources.

[Moby-Dick]

Gibson.....While I'm sure the links are okay, I'd ignore everything else on there.

Like the Daily Mail of InfoSec

[peterb]

Like the Daily Mail of InfoSec

Harsh - but fair!

[scaryjim]

But I doubt that any publicly available crypto system is totally invulnerable if enough resources are thrown at it. It then becomes a problem (for the attacker) whether the return justifies the deployment of those resources.

This, tbh. Why go to the effort of hacking TrueCrypt when a simple trojan or code execution attack will circumvent the need to hack it anyway? User idiocy is always going to be the number one cause of security breaches - encryption is much like a bike lock: there to persuade 99.9999% of potential criminals that it's simply not worth the effort. For the 1 in a million situation where someone really wants to get your data, they'll find a way (in much the same way as a professional bike theif who really wants to get your bike will find a way even if it's secured with a sold secure gold-rated lock - but I may be venting on a personal frustration now... ).

And, of course, an obligatory xkcd reference: http://xkcd.com/538/

[Agent]

Like the Daily Mail of InfoSec

I'm not even sure the Daily Mail deserves that level of an insult.

[wasabi]

Still using the old version I downloaded over a year ago. Not likely to pay for / move to something else unless hard evidence one way or the other as to what really happened. But then I'm a private individual and just keep things of no massive value.

[watercooled]

It could be that the introduction of Bitlocker and other built in encryption systems on other platforms reduced the incentive to continue TrueCrypt development.

That's just the thing though - not all versions of Windows include Bitlocker, and nor does it replace a lot of TC's functionality. Another hole in that explanation is the fact XP also had EFS in certain versions. I'm not sure how the two compare in terms of security, but they're both very much proprietary and closed-source.

Their Linux advice is even worse, and pretty much translates to 'just find something with 'crypt' in the name - should be k'.

[Saracen]

I'm not even sure the Daily Mail deserves that level of an insult.

Sitting on the fence again, re: SG, I see.

[Saracen]

Still using the old version I downloaded over a year ago. Not likely to pay for / move to something else unless hard evidence one way or the other as to what really happened. But then I'm a private individual and just keep things of no massive value.

That, pretty much.

I do have a lot of data of value, to me at least, though. But, as I don't rely solely on TC, but also on a rigid air-gap, I'm not unduly worried. Yet.

[peterb]

That's just the thing though - not all versions of Windows include Bitlocker, and nor does it replace a lot of TC's functionality. Another hole in that explanation is the fact XP also had EFS in certain versions. I'm not sure how the two compare in terms of security, but they're both very much proprietary and closed-source.

Their Linux advice is even worse, and pretty much translates to 'just find something with 'crypt' in the name - should be k'.

True, and iirc, bitlocker only does partition encryption for data-at-rest 9I may be wrong, never used it). TC does that as well, of course, but for me the best feature was being able to create an encrypted sparse file, which could then be stored on any device or transmitted electronically to any other user, or cloud store.

There are other utilities that will do that GPG or PG for example, but TC did it so well with a good user interface. crypto ththat is hard to use either won't get used, or get used badly, which is worse than having nothing at all.

[peterb]

This, tbh. Why go to the effort of hacking TrueCrypt when a simple trojan or code execution attack will circumvent the need to hack it anyway? User idiocy is always going to be the number one cause of security breaches - encryption is much like a bike lock: there to persuade 99.9999% of potential criminals that it's simply not worth the effort. For the 1 in a million situation where someone really wants to get your data, they'll find a way (in much the same way as a professional bike theif who really wants to get your bike will find a way even if it's secured with a sold secure gold-rated lock - but I may be venting on a personal frustration now... ).

And, of course, an obligatory xkcd reference: http://xkcd.com/538/

Which is why failing to reveal a key or password when lawfully required by a law enforcement officer (in the UK) carries a potential 2 year custodial sentence. It then becomes a question for the accused to decide whether the data, if revealed, is likely to result in a more severe penalty.