
TrueCrypt alternative


wraith808:
I guess I take issue that the article portrays this as an 'open source' problem. It's not. The problem of determining whether or not you can trust the team behind a software project/product is largely independent of whether the software is open source or not.

I think that implying that this is a problem particular to open source software or even just that it's more of a problem for open source software is wrong.

-mwb1100 (June 12, 2014, 03:05 PM)
--- End quote ---

The problem that is endemic to OSS in this regard (and I know I'm guilty of it) is the transparency of who is behind the project. I didn't even know, nor take the time to find out, who was behind TrueCrypt. Nor many of the other OSS that I use. And I'm pretty on top of things... but having the source available makes a lot of that... just seem not to matter.

But it does.

IainB:
I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
The best alternative to TrueCrypt could yet well be TrueCrypt.

Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
It's all a matter of trust.

TaoPhoenix:
I would like to see a report on the still-ongoing project to audit TrueCrypt (which project website apparently also holds a full copy of all the software and code) before pronouncing it as "dead".
Presumably it was not for nothing that Amazon Web Services some time back mandated the use of only TrueCrypt for its encryption, if you wanted to use their secure storage services. That mandate would presumably have been made for solid business reasons, and they would not have entered into it lightly. That alone could spell more for TrueCrypt's longevity than any recent unexplained closure of the TrueCrypt website.
The best alternative to TrueCrypt could yet well be TrueCrypt.

Others more cynical than I might suggest that, if the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
It's all a matter of trust.
-IainB (June 12, 2014, 07:29 PM)
--- End quote ---

Another fascinating comment. I guess what's confusing me is that to my knowledge encryption is "just an algorithm", so I'd think if you took "Iain B rulez!" it might spit out weflhjegehwgewig or whatever. But I'd think if you ran the same process twice in exactly the same way (maybe even including timestamps), you'd get the *same* gobbledygook, right?

So you'd think Amazon wouldn't mess around, and maybe at some conference they sent a rep to, he'd get to comparing notes and Google sez "Hey, your output in your test case is different from mine. What's up with that?"

So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?

And I'm still not happy with "the devs got tired and bored so they dumped their product." How would you normally end-of-life a security encryption suite? I'd think Bruce Schneier's alarm bells and maybe connections must be as good as anyone else's, so I'm sure he's been reviewing TrueCrypt forever, so maybe prior versions *used* to be good and only a *new* NSA letter threatens future editions. And I'm also amazed how no one can "find" the developers to hear their side. With how tricky the non-reveal clauses are, if someone called the devs and got hung up on, "no words are many words", just like they did to the website.

And then the community - let's say a backdoor is in there, I'd think they would be pissed that their entire collective study and review of the program would miss them.



Stoic Joker:
So even if the NSA is putting back doors in there, aren't we back to that famous discussion of "security via obscurity"? That the NSA is gambling that the back doors it's putting in there can't be found by anyone else?
-TaoPhoenix (June 12, 2014, 09:41 PM)
--- End quote ---

Yes.

IainB:
It would generally be easier to set and conceal backdoors in proprietary encryption software, and for it to remain "undiscovered" because the software would not usually be open to scrutiny/audit by third parties who would thus effectively need to trust/use the software on blind faith.

Let's be speculative:

* As above, maybe:
...the TrueCrypt takedown was the result of being nobbled by the NSA (e.g., like the two encrypted email services over the last 12 months), then the TrueCrypt developers may have been left little option but to shut down, rather than be obliged to leave TrueCrypt fitted full of NSA backdoors like Symantec and Microsoft encryption have been rumoured to be.
--- End quote ---


* Or maybe that's not the case. Maybe the backdoors had already been established for some time in TrueCrypt, so the unknown developers pulled the plug realising that discovery could be imminent in the aforementioned TrueCrypt audit project.


* Maybe the developers and/or the auditors are effectively the NSA. Who knows? After what we have been allowed to learn or led to believe from the public dripfeed out of the SnowdenGate theatre (bring your own popcorn), anything's possible, but skepticism would seem to be recommended. One thing that was learned/perfected in WWII was that good military intelligence and the skilful dissemination of misinformation were essential ingredients to a winning strategy in a war, with the Nazis arguably setting the initial standards to be met. Out of this sprang our modern-day advertising, marketing and PR - even the terminology used employs military terms. And be in no doubt that we are involved in some kind of a war - a war in which every citizen is apparently a potential enemy and thus not to be trusted, so surveillance and the manipulation of public perceptions by whatever means deemed necessary would be mandatory (QED). This was where Mao's Revolution was so successful. Maybe the book "1984" does form an authoritative set of rules and guiding principles for the kind of increasingly totalitarian states that we seem to be finding ourselves inhabiting.

I had always been a fan of PGP (Pretty Good Privacy) encryption methods, but lost interest when PGP was acquired by Norton/Symantec as I figured it was thereby probably irretrievably lost as a definitively secure/trustworthy encryption approach/software - I mean, how would one know?

However, in the interesting case of Ramona Fricosu (January 2012) in Peyton, Colo., USA, Fricosu had been charged with conducting a fraud (a mortgage scam) and it was deemed necessary to access her Toshiba laptop to discover details about the fraud and her associates - but the laptop was secured using PGP Desktop Professional | Symantec, which the FBI apparently claimed to be unable to unlock.
So a federal judge ruled that she had to:
...decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Refer: Judge: Americans can be forced to decrypt their laptops | Privacy Inc. - CNET News

--- End quote ---

(Out of this came the use of a legal defence concept of "Plausible deniability".)

This was a civilian matter, not a defence matter. Maybe the FBI did have the ability to crack the encryption key, but were not about to reveal that potentially strategically and militarily important fact if it did not have to be revealed, and so forced the issue (apparently successfully) through the judicial system.
Maybe this started people looking with increasing interest at the backdoored Symantec PGP product, or maybe it wasn't backdoored. Either way, it wouldn't matter, because the public perception set by this display was that Symantec PGP is unhackable, and maybe that was desirable/necessary/intentional.

So the alternatives to TrueCrypt could be:

* TrueCrypt software - presumed to be unhackable.
* Symantec PGP software - "proven" to be unhackable.
* Microsoft BitLocker software + hardware - presumed to be unhackable.
So maybe the NSA or other SS (Secret Service) cannot hack these things. Then again, maybe they can, or have already done so some time ago.
And don't forget that it has apparently already been established that the NSA would seem to have already nobbled the so-called "random" keys used in PKE (Public Key Encryption).
