

sbconslt

join:2009-07-28
Los Angeles, CA
reply to antdude

Re: What happened to TrueCrypt.org? Hacked? Real?



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
Thanks for that link. From the source:
quote:
Based on the sum of the evidence that’s now filtered in, and in the consensus view of experts, the primary cause of the TrueCrypt crisis of the last few days was developer fatigue.
Yes, that seemed likely to me.

My read of the TrueCrypt announcement was that they had worked hard over many years to have people routinely using crypto. And now it was happening with BitLocker in Windows and LUKS encryption in Linux. So they had achieved their main goal. The use of encryption was now built-in to many systems.

If that is what it was, then I'll thank them for all of what they did. I'll note that my choice on Linux was to use LUKS, rather than TrueCrypt, precisely because it is built-in. If I were a Windows user, I would probably go with BitLocker for the same reason, though with some concern because it is not open source and we cannot tell if there are backdoors.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 29.0.1


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

quote:
The fact that more money was raised to scrutinize TrueCrypt than was probably ever donated to them for their hard work had to hurt.
Yeah... that would have really frosted my cookies. I would be like... "How dare they! For years I wrote this software as open source and not once did I get a donation or two from any of you. And now they want to audit my code? You could fund that but you couldn't fund me? F*** you! I'm done!"
--
Tom
Tom's Tech Blog


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
Isn't it kinda hard to accept donations and still remain anonymous?
--
Oh, Opera, what have you done?


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
I don't think so, they could have had the money donated to a special fund at the Free Software Foundation and had them deliver the money through special channels.
--
Tom
Tom's Tech Blog


sbconslt

join:2009-07-28
Los Angeles, CA

1 edit
Concurrently with releasing 7.1a they added a prominent PayPal donation box on their web site and built into the end of the installer exe series of dialogs. The box was saying they had a fundraising goal of $150,000. At the time a lot of people were critical of their lack of explanation for what they wanted to use the money for. It is thought they raised a little from it but not near their goal, but who knows.

In comparison, the audit project raised tens of thousands of dollars in like the first week alone.


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit
reply to trparky
Yeah ..... in life, "Lesson Learned" & like always TNO { Trust No One } !!! SAD, but it is TRUE .... "the depth of an ocean, you can measure it, but the depth of every heart NO one knows"


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

reply to sbconslt
said by sbconslt:

At the time a lot of people were critical of their lack of explanation for what they wanted to use the money for.

I have to laugh at this, I really have to. People expect quality software, I understand that. For the most part, people want it all for free. Free software, the ability to see the code and all, etc. But let's face something here, free open source software for the vast majority of projects does not put food on the table.

I understand that there are some very big projects like Firefox, Linux, and the GNU tools that are in fact very successful open source projects that pull in money like you wouldn't believe but that's only because they are such huge and highly visible projects. Unfortunately, the vast majority of open source projects aren't quite so lucky. You can see this by browsing the archives of sourceforge.net to see how many projects have died.

Another such project that, oh by the way... we all use from big to small, and also suffered from a complete lack of funding was OpenSSL. Heartbleed anyone?

Free open source software is a very grand concept and one a portion of me believes in but the cynical side of me knows that free open source software, except for the very few big name projects, will never put food on the table for their developers, never put a roof over their head, send their children to college, put gas in their car, etc. Let's face it, we live in a world dominated by money.
--
Tom
Tom's Tech Blog


sbconslt

join:2009-07-28
Los Angeles, CA
Yeah it was a contentious thing, people would post saying "I'm uncomfortable with this, what's it for" then come under fire from others saying some of the things you just said. The donation drive was mishandled by the TrueCrypt devs because in typical hardheaded fashion they really refused to give any information at all. People deserve to know at least something about where the money is going, are you investing it in development or just paying your personal expenses for hookers and coke or what.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

2 recommendations

I'd like to think that when developers ask for donations that money goes towards a worthy cause (paying off personal debts, buying food, etc.).

I agree, the donation drive was mishandled but that doesn't at all make the donation drive any less noble. We as a community that used the software should have donated, that is and always will be our obligation as users of free software. The only difference between free software and paid software is that paid software has a specific price tag on it, free software allows for you to donate as much or as little as you can afford to do so.
--
Tom
Tom's Tech Blog


Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 edit
reply to trparky

Re: What happened to TrueCrypt.org? Hacked? Real?

WHO created Truecrypt ¿ ¿ ...... THIS is in RUSSIAN, but my chrome browser can translate in ENGLISH [ »news.softodrom.ru/ap/b19702.shtml ]
"Free software TrueCrypt is one of the most popular programs for data encryption by creating an encrypted container files. According to statistics on the official website TrueCrypt, the total number of downloads of the program exceeds 30 million, and that number continues to grow daily. TrueCrypt first version appeared February 2, 2004, ie more than ten years ago. The latest version at the moment is a version of TrueCrypt 7.1a, published February 7, 2012. This is still officially unknown, who is the developer of TrueCrypt, many of these developers, what country they live in, by whom and where they work, etc. About TrueCrypt developers do not know anything at all. The fact that a large number of users trust their secrets encryption program developed by unknown and known for what purposes, has repeatedly been the subject of discussions on the discussion forums. In particular, repeatedly expressed the hypothesis that the development of TrueCrypt can stand intelligence agencies that have implemented a backdoor into the program code, through which they can gain access to the encrypted data of any of its member. This hypothesis has gained special relevance after June 2013 were published exposing Edward Snowden, revealed the extent of the activities of the NSA. Extensive discussion of these issues has led to the fact that in October 2013 was launched to raise funds for an independent audit TrueCrypt code for the presence of it vulnerabilities and backdoors. In December 2013 it was announced that the audit will be carried out TrueCrypt company iSEC Partners. In mid April 2014 iSEC Partners has published results of the first phase of the audit TrueCrypt version 7.1a for Windows, according to which the program has not been found backdoors, although 11 vulnerabilities were detected, but none of them is critical. Nevertheless, the question of who is behind the development of TrueCrypt, remains open.
Softodrom decided to conduct its own investigation, the results of which are presented below." end_quote !!


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to antdude
On subject of donations usage question.

What business of yours is it where they spend the bounty of their labor?

Does your employer require this of you before paying for your labor?

Don't confuse this with a charitable donation to a non profit from which you are not receiving anything in return. It is not the same thing. This is paying for a product which you use. It just happens to be on a donation basis.

Shame on you freeloaders who did not support the project just because you didn't know how the money would be spent.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/

OZO
Premium
join:2003-01-17
kudos:2
reply to Parad0X787
I think if TC authors want to keep their names private, we should respect that...
--
Keep it simple, it'll become complex by itself...


Simba7
I Void Warranties

join:2003-03-24
Billings, MT
reply to antdude
»www.grc.com/misc/truecrypt/truecrypt.htm

So, TC is still quite safe to use.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

1 recommendation

said by Simba7:

»www.grc.com/misc/truecrypt/truecrypt.htm

So, TC is still quite safe to use.

I'm not sure about the psych-analysis of why the TC developers acted as they did.

But the rest of that GRC report seems pretty much correct.
--
AT&T Uverse; 2Wire 3800-HGV router; openSuSE 13.1; KDE 4.11.5; firefox 29.0.1

DaveO

join:2001-09-05
Easley, SC
reply to antdude

Re: What happened to TrueCrypt.org? Hacked? Real?

I'd like to see the audit team use the money they still have left (about $30K) to set up a full open source project to re-implement TrueCrypt's functionality. They seemed to hint at this in their recent announcement.

jane025

join:2014-06-03
us

1 recommendation

reply to antdude
Is it true? I always use this encryption software. I don't want to change to a new one.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to DaveO
said by DaveO:

I'd like to see the audit team use the money they still have left (about $30K) to set up a full open source project to re-implement TrueCrypt's functionality. They seemed to hint at this in their recent announcement.

Well even if the audit team does a fixed ver (IE correct the minor issues found) to keep it going they'd have to add GPT and secure boot support.

BTW is this type of software in any way related to on drive encryption like hard drive makers advertise? (IE FIPS)

thus what's the point of FIPS?
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


sbconslt

join:2009-07-28
Los Angeles, CA

2 edits
said by DarkLogix:

BTW is this type of software in any way related to on drive encryption like hard drive makers advertise?

Hardware FDE accomplishes the same thing but it's done by the controller chip (e.g. firmware) in the drive, and generally latches on to the BIOS hard drive password through an API. That key decrypts a master key that decrypts the rest of the drive contents, similarly to TrueCrypt's model. You can also "securely erase" the drive by rescrambling the master key using a manufacturer supplied tool - it doesn't actually erase anything but it irrecoverably throws out the prior master key.

These features are standard issue on SSDs nowadays with AES-256 as the cipher. They're part of a set of standards called OPAL. Mechanical HDDs will not have it unless you buy some fancypants model. But if you have hardware FDE support, by all means use it instead of software.

Learn more here: »en.wikipedia.org/wiki/Hardware-b···cryption

--
Scott Brown Consulting, Los Angeles Computer Security & IT Services
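
The key hierarchy described in the post above (password unlocks a master key, master key encrypts the media, "secure erase" replaces the master key), as an added example that is not part of the original thread and not any vendor's firmware. `ToyDrive`, its methods and the sample data are hypothetical, and an HMAC-SHA256 keystream stands in for the drive's AES-256 so the block runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def xor_stream(key, data, label):
    # Toy keystream cipher (HMAC-SHA256 counter mode); a stand-in for the drive's AES-256.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, label + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyDrive:
    """Hypothetical model of a self-encrypting drive's key handling."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.sectors = {}                      # lba -> ciphertext as stored on the media
        self._wrap(password, secrets.token_bytes(32))

    def _kek(self, password):                  # key-encryption key derived from the password
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def _wrap(self, password, master_key):     # store only the wrapped master key plus a check tag
        kek = self._kek(password)
        self.wrapped = xor_stream(kek, master_key, b"wrap")
        self.tag = hmac.new(kek, self.wrapped, hashlib.sha256).digest()

    def unlock(self, password):
        kek = self._kek(password)
        expected = hmac.new(kek, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise PermissionError("wrong password")
        return xor_stream(kek, self.wrapped, b"wrap")   # the master key

    def write(self, password, lba, plaintext):
        self.sectors[lba] = xor_stream(self.unlock(password), plaintext, lba.to_bytes(8, "big"))

    def read(self, password, lba):
        return xor_stream(self.unlock(password), self.sectors[lba], lba.to_bytes(8, "big"))

    def change_password(self, old, new):       # rewraps 32 bytes; no sector is re-encrypted
        self._wrap(new, self.unlock(old))

    def crypto_erase(self, password):          # fresh master key; the old one is discarded
        self.unlock(password)
        self._wrap(password, secrets.token_bytes(32))

def demo():
    d = ToyDrive("bios-pw")                    # constructed sample password and data
    d.write("bios-pw", 0, b"payroll.xlsx contents")
    before = d.sectors[0]
    d.change_password("bios-pw", "new-pw")
    survived = d.read("new-pw", 0) == b"payroll.xlsx contents" and d.sectors[0] == before
    d.crypto_erase("new-pw")
    erased = d.sectors[0] == before and d.read("new-pw", 0) != b"payroll.xlsx contents"
    return survived, erased
```

`demo()` returns `(True, True)`: the password change leaves the stored ciphertext byte-for-byte identical, and after the erase the same ciphertext is still on the media but no longer decrypts.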


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

2 recommendations

reply to propcgamer
said by avze:

And not to mention that their audit report had a dozen bugs revealed.

said by propcgamer:

Proof?
From what others have said, nothing was uncovered yet from the audit.

First pass of the audit is complete, and the "dozen bugs" were minor, providing no evidence of either intentional bad behavior, or even of sloppy coding.

Saying that software had 12 bugs provides no actionable information to anybody considering using that software.
--
Stephen J. Friedl | Unix Wizard | Security Consultant | KA8CMY | Southern California USA | my web site


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to sbconslt
Ok interesting
so with such a drive it's kinda locked to the bios
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv

nony
Premium
join:2012-11-17
New York, NY
reply to antdude

TrueCrypt WTF

»www.schneier.com/blog/archives/2···wtf.html (interesting comments)

-nony


TheTechGuru

join:2004-03-25
TEXAS
kudos:2
Reviews:
·HughesNet Satell..
·WesTex Connect

1 edit
reply to antdude

Re: What happened to TrueCrypt.org? Hacked? Real?

This should be informative.

»twit.tv/show/security-now/458

TrueCrypt: WTH?
June 3 2014

Hosts: Steve Gibson with Leo Laporte

Steve and Leo look back upon and analyze the past seven days of insanity which followed the startling surprise "self-takedown" of the long standing TrueCrypt.org website, and of TrueCrypt itself.

Running time: 1:38:56

Edit Add: TrueCrypt discussion starts at 0:55:35 (55 Min + 35 Seconds).


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
Short ver, the devs are calling it quits and don't want their product's name developed by others so they did it to get people to stop using it.

BTW Leo really annoys me in that bit, they said "May contain bugs that will not be fixed"

It doesn't mean that it's insecure but that if something is found that shows it to be they won't fix it.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable
reply to antdude
»www.symantec.com/connect/blogs/t···-desktop

Heh, companies are taking advantage of this. Too bad, this one doesn't do Linux and portability like TC. I still haven't found any that can too.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

1 recommendation

Well let's hope after the audit some good people make a fork of truecrypt (if they can with the license) and do the following.

1. apply fixes pointed out in the audit
2. add GPT support
3. add secure boot support.
4. get another audit to see if mistakes have been made in the additional supported features

5. wait and see if anyone comes up with a flaw or a new tech that needs to be supported.
--
semper idem
1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv


WillRegSoon

@74.89.72.x

-1 recommendation

6. All while keeping it multi-platform.


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2
reply to antdude
Neowin.net: VeraCrypt
VeraCrypt is a free disk encryption software based on TrueCrypt.
--
Tom
Tom's Tech Blog