TrueCrypt is Now Abandonware?!

CWuestefeld:
I'm not very excited about any of the alternatives offered by ghacks. I'm looking for an encrypted container, and only a couple do that. And BestCrypt is very expensive, and the other one gives too few details to trust.

There's a Wikipedia article offering a Comparison of disk encryption software that might be a better place to start looking. There are a whole pile of programs considered, with comparison for OS supported and a bunch of features.

TaoPhoenix:
Okay, here's a new angle.

From a "medium layperson" point of view, what's with this explosion of tools that aren't valid/supported anymore? Maybe MS's notes on the slow death of XP vaguely filtered to me, but I didn't see any articles ever of this current rash of stuff breaking.

Heartbleed, barely a one time shot (but shouldn't really), but TrueCrypt devs just getting "bored"/other and quitting bothering to update? What is it about May 2014 that takes one of the top contenders in encryption out of the game forever!?

(Rant)
What is with these .Gov depts claiming to spend *Billions* on "Cybersecurity" and then the next story out of Slashdot is "OpenSSL" (that basically the entire Internet uses) "gets two developers". So lemme do the math on my seven dollar calculator. A software routine that counts for like $555 Million in software security services experiences the greatest hack ever in twenty years, and some foundation assigns Joe and Ted to fix it?!

Slashdot has a sharp eye for Security Theater but where's even the theater?! You see these weird proposals now and then for fancy new initiatives, but how about just funding five guys and a supply of pizza? Nope. Can't do that. It might even break six figures.

:mad:

40hz:
At this point I'd put my money on CU's earlier suggestion:

The developer just wants to move on, and is taking an opportunity to make a political statement by stepping out in this way (like the Reichstag fire – cause the damage yourself, but make it look like your enemy caused it)
--- End quote ---

-or-

They were told to stop (i.e. threatened).

-or-

They decided to roll up their mat - and bug out. Which is also plausible considering the abrupt nature of the cessation. Perhaps it was reaching the point where their identities risked being exposed. And being identified would have resulted in serious consequences for them. (It'd be a riot if these guys were NSA contractors who put TC together just to put a fly in the ointment.)

Whatever. I doubt we'll ever really know for sure. :huh:

TaoPhoenix:
I just can't see that the means of announcing this is in character for this project. It just doesn't make sense to recommend BitLocker (given suspicion of MS being sympathetic to gov't surveillance), or to completely ignore Unix and Mac users. I think there's something more than meets the eye.

I’m giving equal odds between:

* Warrant canary (“we’re not saying that we’re being forced to introduce a vulnerability, but we have reason to believe that users of this program may be in danger”). While difficult to add an actual backdoor, it may be that they're being pressured to put a flaw into their PRG code or something subtle like that.
* The developer(s) is in a snit, maybe because of the trouble of the audit, and just wants to burn it all down
* The developer just wants to move on, and is taking an opportunity to make a political statement by stepping out in this way (like the Reichstag fire – cause the damage yourself, but make it look like your enemy caused it)
-CWuestefeld (May 30, 2014, 01:00 PM)
--- End quote ---

I just want to drift a little off topic to add exposure to a concept that I barely could reference before.

Warrant Canary/Canary Server/____

https://en.wikipedia.org/wiki/Warrant_canary

I think this will become an undersold concept in security concepts. It runs like this:
"Today I was not arrested for ____".

While it is horribly vulnerable to slackards like me, for someone really on the front line of a top level issue, it's a way to send a negative signal that trouble is brewing. I'd seen it described once before a long ways back, but this thread produced a fresh new reference that I just had to echo.

I think it adds a (rather desperate) new level to "you have the right to remain silent".

J-Mac:
Steve Gibson wrote earlier about some tweets between Steven Barnhart and his "contact" at TrueCrypt, someone named "David". As follows:

And then the TrueCrypt developers were heard from . . .
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    Quoting TrueCrypt Developer David: “There is no longer interest.”

--- End quote ---

I don’t know if he's making it up (as he sometimes does) or if this is real info.

Page is at:  https://www.grc.com/misc/truecrypt/truecrypt.htm

Jim
