Truecrypt

So the news dropped that the CIA has been selling encryption devices to state governments for the last 70 years. They did so using a front company based in Switzerland. This allowed them to intercept secret communications of any suckers that bought into it. (archive.today...)

This is a huge discussion worthy story, but not what I am thinking about.

This story, along with the steady march to force weaker encryption via legislation, and bribery to push faulty protocols into the standards (archive.ph...) lead me to a positive conclusion:

Encryption can work as advertised. There is no silver bullet to defeat it.

This is further evidenced in the take down of one of the modern day's most notorious pirates. Where the concern of full disk encryption led to them ambushing him in a library. (archive.today...)

The conspiracy I want to talk about today is with the pinnacle full disk encryption applications from a decade ago: TrueCrypt.

They have an interesting story. Edward Snowden's revelations led to an audit prompting the company to cease development citing something about Microsoft's support of Windows XP. But not really. They have since released updates using officially signed binaries. (archive.today...)

For the last 6 years the Truecrypt website has remained up with the same red warning: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". (archive.today...)

That is some peculiar phrasing: "not secure as".

Already posted

originally posted by: schuyler
Already posted

Not really.

TrueCrypt isn't considered safe. Last I heard, VeraCrypt was the safe fork of it.

originally posted by: trollz
TrueCrypt isn't considered safe. Last I heard, VeraCrypt was the safe fork of it.

It's not as fun if I have to spell it out, but read the warning again with "not secure as" replaced with its acronym.

originally posted by: Templeton

originally posted by: trollz
TrueCrypt isn't considered safe. Last I heard, VeraCrypt was the safe fork of it.

It's not as fun if I have to spell it out, but read the warning again with "not secure as" replaced with its anagram.

I get it - NSA. I'm just letting people know about VeraCrypt in case they're interested in using encryption software.

a reply to: trollz

Right on, thanks!

Its hard to truely audit something without the complete build chain which means getting access to the operating system source code and even rebuild the build tools (compiler/linkers etc) yourself as you have to start from the assumption that the tools 'may' be slightly dodgy in some way.

XP has a lot of 3rd party licensed stuff from all sorts of companies for all sorts of things and giving that sort of access normally is reserved for spooks/law enforcement all around the world which is why any good back door will have to be very subtle so as to pass someone checking over the code.

It was said that the authors of TC were getting leaned on to make a few modifications to please the spooks but they decided to just give up the project.

a reply to: Maxatoria

I don't think they just gave up. They implemented the code to satisfy the spooks; then told everyone about it with this error message when they jumped ship.

I use encrypted communication every day, no idea what youre talking about. Is it some smartphone app or something? Yo mean the smart phone is for collecting info on you? My God!

Come on folks, there are bigger things to play dumb about..

NSA has the computer power to break any encryption over time and any product over 2 years old is likely broken.

NSA will likely never tell that they have broken any encryption.