TrueCrypt shuts down, the debacle ensues

So the Snowden guy says that TrueCrypt isn't secure, then the TrueCrypt site shuts down:
http://www.forbes.com/sites/runasandvik/...tly-shuts-down/

Recently TrueCrypt was cleared of backdoors (but only backdoors, not the internal algorithms):
http://www.davescomputertips.com/audit-clears-truecrypt-of-nsa-backdoors/

And more
http://news.softpedia.com/news/Here-s-What-Users-Think-Happened-to-TrueCrypt-444386.shtml


Coincidence? Doubt it.

Moving to Microsoft's BitLocker isn't much of an option, one must have the upgraded Enterprise or Ultimate versions of Windows, not cheap as most computers come with Home or Pro versions.
 
There are a lot of rumors floating around, but many believe that TrueCrypt got a warrant or NSL for their master key. They are almost certainly under a gag order and hence the secrecy.
 
What does that leave for free encryption? I have Symantec PGP, but it was not free.

Any other free ones that do not create zip files of everything? I loved the encrypt volume on a hard disk feature that TC had (Symantec has it too, but not free)...
 
What about the encryption that is built into all the Linux OS distributions?
 
Originally Posted By: dishdude
What about the encryption that is built into all the Linux OS distributions?


You bet! There are more than one; I install ecryptfs-tools for directories I want to encrypt and GPG for emails, files, etc. and these are just a couple of examples.
 
Most Linux distributions let you encrypt the entire hard drive or your home directory. Those are all open source and secure. I also have experience with uc50ic4more's referenced gpg4win, at least for email encryption, and that works well, too. Generally speaking, Windows isn't that secure in the first place, and it's much easier to accomplish this in Linux.

2010_FX4: No, the Symantec stuff certainly isn't free. I haven't spoken to Phil Zimmermann since the early 2000s, but he guaranteed there were no backdoors in the products with which he was involved. If I recall correctly, only the first Symantec version was covered by that pledge.
 
Originally Posted By: ToyotaNSaturn
Coincidence? Doubt it.

Without getting into the politics of the matter, I think Snowden is a bit of an attention [censored]. And if he had half the skills he claims to have, he wouldn't be using Windows in the first place. Playing the security game on Windows is a bit like putting a sport suspension on an old Fleetwood - starting with the wrong platform.
 
Originally Posted By: Garak
And if he had half the skills he claims to have, he wouldn't be using Windows in the first place. Playing the security game on Windows is a bit like putting a sport suspension on an old Fleetwood - starting with the wrong platform.


I thought he (famously) used the TAILS Linux distro. (That is the distro of choice for those who require anonymity and privacy - https://tails.boum.org/.)
 
Originally Posted By: Garak
Originally Posted By: ToyotaNSaturn
Coincidence? Doubt it.

Without getting into the politics of the matter, I think Snowden is a bit of an attention [censored]. And if he had half the skills he claims to have, he wouldn't be using Windows in the first place. Playing the security game on Windows is a bit like putting a sport suspension on an old Fleetwood - starting with the wrong platform.

Highly skilled people would be able to use anything successfully. An insecure platform would be even better. Lets you feed misinformation to those looking at you more easily. Clearly he was skilled being able to mine thousands of documents out from under the most sophisticated tech agency known without them having a clue.
 
Originally Posted By: uc50ic4more
I thought he (famously) used the TAILS Linux distro. (That is the distro of choice for those who require anonymity and privacy - https://tails.boum.org/.)

I'm familiar with that, and he probably did while doing his whistleblowing. However, from other stuff I've read, he certainly used Windows at least part of the time. I don't know how much material he was dealing with, in megabytes, that is, but if it's a lot, and it were me, I'd lean towards storing on an encrypted partition and encrypting via GPG before doing any transmission, and do it over clearnet. I wouldn't want to be sitting on a hot potato waiting for Tor for any lengthy period of time. But, if it were just small batches at a time and/or from and to strange locations, TAILS would absolutely be the way to go. But, we're never going to know the details of all this, at least not for a number of years, so that's just a lot of meaningless speculation.

Originally Posted By: hatt
Clearly he was skilled being able to mine thousands of documents out from under the most sophisticated tech agency known without them having a clue.

That's as much a physical security issue as it is a computer security issue. Nonetheless, as I've said here before, government techs are some of the most clueless people I've ever met. Obviously, there are some gifted people in the NSA (or any big organization). But, security is only as strong as the weakest link. All it takes - and I've seen this - is some dunderhead hooking up the internet to a computer that is supposed to be intranet only due to classified materials or, even more perplexingly, hooking up a dialup modem to such a system.

Aside from that, there are the physical security issues of USB sticks and misuse of fax machines. People in a secure environment obviously have to be trusted to follow procedures properly, let alone do something intentionally totally contrary to policy or legislation. But, when someone trusted does so, a lot of damage can follow. There's enough danger from incompetence, let alone malevolence.
 
Wasn't one of Snowden's points the incompetence of NSA employees? If a kid who just got the job could do all that, what are China and Russia doing to the NSA and all that info?
 
I think we basically can't trust any information to the internet. I said a long time ago I believe in local backup and not backup to the 'cloud' and I think the chickens are starting to come home to roost (or maybe roast!).

I have heard (I don't know if it is true or not) that many years ago the FBI tried to obtain a backdoor for OpenBSD. OpenBSD is considered to be the most secure type of server. If this was being done many years ago, even before the NSA went so crazy, what else might have been going on?

For all we know the NSA or FBI might have had backdoors for TrueCrypt all of this time. That is possible.

For sure you have to realize that anything you do on the internet is insecure. Now I am not worried too much because I am not doing anything wrong. But any email, any data that a person stores on the internet, has to be considered insecure. Regardless if it is encrypted or not. And if some powerful governmental agency decided to go after somebody they would get them. Even if they had to fabricate stuff to do it. Even if the government was not collecting metadata and all of that (and for all we know recording every email and transaction on the internet, data size regardless), if somebody was suspected of doing something wrong they would just go to the ISP and the ISP would turn over the information.

I am not too worried because I am not doing anything wrong. But I store my information on external hard drives. The NSA and other governmental agencies can have any deals they want to have with companies that have data centers and store information from individuals and companies. And maybe those data centers are required to turn over stored information, encrypted or not, to the NSA.
 
Originally Posted By: Mystic
For all we know the NSA or FBI might have had backdoors for TrueCrypt all of this time. That is possible.


It was, but TrueCrypt underwent an independent code audit recently. Phase 1 of this audit determined there were no outright back doors that allowed anyone access. This is not to say that the code is entirely secure and invulnerable; just that back doors were not put in place.

Linus Torvalds has said the NSA asked him to insert a back door into the Linux kernel. These dimwits have a lot to learn about open source software.
 
If they asked Linus Torvalds that maybe that story about the FBI and OpenBSD is true. And it was supposed to be several OpenBSD versions back that they asked. Nobody even knows today if they did have a backdoor for a while in OpenBSD.

I consider anything I do on the internet to be insecure. If a person thinks that all the time they will be unlikely to put anything on the internet in the first place they don't want to have stay there and possibly be checked out by whoever.

I think it is an ounce wise and a pound foolish for companies to get rid of their IT staffs and have all company data in the 'cloud' thinking they are going to save some money. I for one will keep my information on external hard drives or Blu-Ray discs.

And aside from NSA spying on everybody and all of that, the federal government is so incompetent they could not store everybody's information safely on the internet in any case. They are talking about storing all Social Security Numbers, medical information, etc., in government computers. They might as well just give that data right now to whoever wants it: the Chinese or hackers or whoever. And whoever is in power can 'accidentally' release information if they don't like a certain individual or group.

The county I worked for rented the floor of a building at the old state hospital for a while. I worked on that floor for a while. I talked to the lieutenant in charge of security there and he told me all patient records were stored in old-fashioned folders and kept in locked file cabinets to ensure patient confidentiality. No patient information was stored in computers.
 
Originally Posted By: Mystic
Nobody even knows today if they did have a backdoor for a while in OpenBSD.


Good heavens, no. Theo de Raadt, the main OpenBSD developer, is a staunch proponent of privacy and security. OpenBSD is by a long shot one of the most audited and meticulously (read: pathologically) developed OSes on the planet. Theo is also, by all accounts, nowhere near very friendly and I cannot imagine some soulless police-state suit from the NSA having his attention for too long without being unceremoniously shown the door. OpenBSD is also Canadian, so they are not under the authority of the U.S. government.

The BSD family of OSes is also developed in a much more tightly integrated manner than Linux. Linux-based OSes are cobbled-together projects with a kernel (Linux), userland tools (usually from GNU) and user applications from a variety of developers. How they are cobbled together by the enormously large number of distributions and organizations producing them is anarchic and highly chaotic; some are secure and stable, others are bleeding-edge and crashy. The BSDs, in contrast, are an entire OS (kernel + userland utilities) with the applications running atop it. There is a lot more auditing, a lot more consistency and standardization of the code base, and fewer developers.
 
Originally Posted By: uc50ic4more
Linus Torvalds has said the NSA asked him to insert a back door into the Linux kernel. These dimwits have a lot to learn about open source software.

Yep, and it's sad that even technical people in the government don't get this.

Mystic: A properly sized GPG/PGP key can accomplish a lot with respect to security. The real weakness is physical security. It's well documented in law enforcement literature, case law, and computer security literature how encryption is dealt with. The FBI tried years ago to crack PGP-encrypted stuff, handing it over to the NSA, without success. What they do, instead, is get a warrant to use a keystroke recorder. Once they have your private key and passphrase, you're finished. Even brute forcing the passphrase is much simpler than fighting with the encryption itself. Naturally, to brute force the passphrase, the private key would have to be present. Other countries that have less respect for human rights simply use rubber hose cryptanalysis.

Zimmermann and I were discussing the math and security aspects of the algorithms back in the early 2000s. I had the mixed blessing of our discussion spanning pre-9/11 times to post-9/11. Considerable pressure was placed on him after 9/11, including a lot of guilt trips and anonymous threats, which were completely unwarranted.
 
If people start using any open source encryption technology, the code needs to be checked out big time. It is silly, however, for even government computer security experts to think they can put a back door into any Linux software, because it could be discovered by anybody examining the code. That is why it is called open source software. The government security experts can't figure that out? We must prevent these people from having everybody's information, like SSNs and health information, online in government computers. They don't need a Snowden to compromise that information. The federal government is too incompetent to store people's information online.
 
Yep, that's my point, Mystic. Some of the people who administer technology in government are clueless, let alone those who simply use it. It's not much better in a lot of private sector companies, either.

The Canadian banks spent $10,000,000 a number of years ago trying to figure out how to electronically clear cheques in a secure fashion. They got absolutely nowhere. PGP/GPG could have handled that essentially for free, assuming they had competent people using the computer systems. In the end, they decided it wasn't feasible, so the money was flushed down the toilet. Since then, they seem to have mastered electronic cheque clearing. Any banking executive who thought that electronic cheque clearing would be difficult, particularly compared to clearing houses, should have been put out to pasture long ago. Keep in mind that this study occurred when online banking was quite common. This wasn't thirty years ago or anything.

And you're right, guys like Snowden aren't the issue. There's far more incompetence than malevolence. Even up here, it's a regular news story for a government laptop with private, unencrypted data to be left in a vehicle, only to be stolen later.

A number of years ago, I bought a used PII desktop from one of those used computer places. I was using it for my first experimentation with Linux and FreeDOS, and I still have the thing. It turned out it was from our Crown corporation bus line, and was never wiped. I didn't even bother looking, since some sausage-fingered government employees had rendered its Windows 95 virtually unusable, which didn't matter anyway, given my purpose. But, what if it had a bunch of credit card information?
 
It is a long story and I am not going to go into all of the details, but I have a friend who knows a computer security expert. This guy is supposed to be an expert on security. So the friend let me get in touch with this security expert because of a maintenance issue I was having, not a security problem.

To make a long story short that guy's laptop computer WAS FULL OF MALWARE! I was stunned. I can do a better job defending my computers from malware than that guy. And he was supposed to be an expert!

Sometimes I think I know more about computers and computer technology than some of these guys who have Computer Science degrees from college.

Another example: A guy I worked with was going to college part-time getting a degree in Computer Science. His wife had an Apple Computer. He had NO CLUE whatsoever how to turn on the firewall on her computer. I had to tell him how to do it. Apple Computers at least in the past did not have the firewalls turned on by default. My recent iMac did have the firewall already turned on but they did a little work on it at the store and I think they had already turned it on. They transferred some files from my old computer and so forth. Now admittedly the guy was probably learning mostly about Windows computers in college but I was very surprised he could not figure out how to turn the firewall on for an Apple Computer.
 