gohpep Posted May 29, 2014 Share Posted May 29, 2014 anything with TPM is not secure if physical access is acquired, and potentially remotely too. the key can be easily extracted(by those who know how to do it,like biggun).An easier and cheaper way would be to add hardware to the device, like a physical keylogger. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425415 Share on other sites More sharing options...
vcfan Posted May 29, 2014 Share Posted May 29, 2014 An easier and cheaper way would be to add hardware to the device, like a physical keylogger. lets say youve got some company secrets,and your hardware gets stolen. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425425 Share on other sites More sharing options...
FiB3R Posted May 29, 2014 Author Share Posted May 29, 2014 Is this new? If you use TrueCrypt on other platform than Windows, click here. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425443 Share on other sites More sharing options...
satysin Posted May 29, 2014 Share Posted May 29, 2014 I would trust BitLocker against random people trying to access my data, which to be honest is what I care about most, but I wouldn't trust it to be safe against the NSA/GCHQ/etc. as it has been shown that Microsoft work with these agencies so I have no doubt that they have some kind of master key or some other way to access the encrypted data with ease. I am not sure what to believe regarding the TrueCrypt update though. At first I thought it was a server hack but as nobody has come forward to say "oh ###### we were hacked!" yet confuses me. Either way I still have trust in 7.1a but no way am I going to install 7.2. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425445 Share on other sites More sharing options...
Ian W Posted May 29, 2014 Share Posted May 29, 2014 bitlocker has an NSA backdoor built-in. Documents leaked to cryptome.org about 2yrs ago showed that law enforcement can unencrypt it. . . . You mean this? Really? All I've seen around it are the old NSAKey rumors/reports (before Bitlocker), some reports that if you can copy the RAM contents fast enough you can get the secret key out (which is a vulnerability that all encryption programs have, AFAIK), and a lot of reports saying that Microsoft consistently turned down law enforcement requests for backdoors in Bitlocker. It's actually kind of weird that I haven't heard any legitimate rumors (rumors coming from someone who claims to be affiliated with the company/NSA) about a Bitlocker backdoor O.o You must be referring to this? If so, I believe that Peter Biddle has written at least two articles which address this security issue. http://peternbiddle.wordpress.com/2008/02/23/threat-model-irony/ and (more importantly) http://peternbiddle.wordpress.com/2008/02/22/attack-isnt-news-and-there-are-mitigations/ The simple solution to this in BitLocker is to make sure that : your machine is never left un-attended with the keys resident in memory ? you can do this using hibernate, which is what I do you need to add something with crypto goodness to the boot process that stops the keys from loading into RAM without you ? in my case I use +PIN So really, calm down. This isn?t news. There are some other features in BitLocker to address this as well (eg memory scrubbing), and in SP1 there will be +PIN and +USB at the same time, which makes it even harder. I call this ?the Thames feature?: if I toss my USB dongle into the Thames, sure you can waterboard the PIN out of me, but you?re going to be diving for my dongle? Which brings us to this entertaining piece. http://peternbiddle.wordpress.com/2009/02/08/the-thames-river-scenario-and-xkcd/ anything with TPM is not secure if physical access is acquired, and potentially remotely too. the key can be easily extracted(by those who know how to do it,like biggun). Physical attacks are obviously much more difficult because one has to have access to the machine. Also, as you mentioned, the attacker has to have the required knowledge and resources in order to be successful. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425469 Share on other sites More sharing options...
vcfan Posted May 29, 2014 Share Posted May 29, 2014 Physical attacks are obviously much more difficult because one has to have access to the machine. Also, as you mentioned, the attacker has to have the required knowledge and resources in order to be successful. right,but once hackers dump one of these chips, they can analyze the code and find vulnerabilities. the TPM connects through the LPC bus,so by software alone,such as malware, they could make the chip spill its guts. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425521 Share on other sites More sharing options...
Lord Method Man Posted May 29, 2014 Share Posted May 29, 2014 Meh, not really interesting since BitLocker works better anyway. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425539 Share on other sites More sharing options...
Riggers Posted May 29, 2014 Share Posted May 29, 2014 It`s all well and good TrueCrypt saying use Bitlocker but Bitlocker is only available to those using Pro and above. I`d imagine there`s a great many people using the program who will now be feeling a bit confused! TrueCrypt was the de-facto standard and know all this comes out, remember peanut butter keeps dogs friendly to :) Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425559 Share on other sites More sharing options...
Gerowen Posted May 29, 2014 Share Posted May 29, 2014 If I had to guess, this isn't as straight forward as we're being led to think. There's something else going on here. Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug? If I had to guess, the feds are involved. The auditors even said they didn't find any blaring bugs, and don't know much about what's going on. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425597 Share on other sites More sharing options...
+Elі Subscriber² Posted May 29, 2014 Subscriber² Share Posted May 29, 2014 Anyone here uses DataProtecto? http://www.dataprotecto.com/ I have been using it for a few months and it seems pretty good. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425603 Share on other sites More sharing options...
Lord Method Man Posted May 29, 2014 Share Posted May 29, 2014 If I had to guess, this isn't as straight forward as we're being led to think. There's something else going on here. Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug? If I had to guess, the feds are involved. The auditors even said they didn't find any blaring bugs, and don't know much about what's going on. Stop spreading this crap. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425605 Share on other sites More sharing options...
Rigby Posted May 29, 2014 Share Posted May 29, 2014 Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425625 Share on other sites More sharing options...
+Warwagon MVC Posted May 29, 2014 MVC Share Posted May 29, 2014 Just curious, in the grand scheme of things, what are you guys all hiding in your encrypted folders/disks that you are so worried about someone seeing? Short of personal info, medical info, financial/bill info. (Which can all be had through the internet or the vendor being hacked directly). If someone wants to get something, they can and will, even if it takes social engineering to do it. Which no level of encryption will protect. One example in my case is my moms off site backup drive. I take it to her house on sunday when I go out for breakfast and backup her computer onto it. At first it wasn't encrypted with truecrypt but then one time I lost the drive for a few weeks and I couldn't find it. Ended up being between my seats in my car. Once I found it I immediatly encrypted it with whole drive encryption with truecypt. That's just one example. I'd give you another example but it's against the rules of this site :D Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425635 Share on other sites More sharing options...
n_K Posted May 29, 2014 Share Posted May 29, 2014 Just FYI regarding getting keys from TPM chips, easy? No, it's not easy, I doubt the majority of people here could do it. Possible? Yes. How? You etch away the plastic from the chip package (usually using nitric acid), then you get a very good microscope and look through all the parts of the chip, and you can work out what each part of the silicon does, and using this knowledge you can work out where they private key is stored and just scribble it down. Now, that'd take days to do, maybe weeks, and some very expensive equipment. Of course, there's companies that'll do it for you for a lot of money, and that's excluding the possibility that there's a backdoor in the chip that'd allow you to just read the key off (and chances are very high that such a feature exists) Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425679 Share on other sites More sharing options...
primexx Posted May 29, 2014 Share Posted May 29, 2014 I think at this point, since the website is still the same, it's probably safe to assume that it's NOT defacement but actually legit. Which raises some difficult questions... Do all old versions have a critical vulnerability or is this a Lavabit against outside pressure? Gerowen 1 Share Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425773 Share on other sites More sharing options...
HawkMan Posted May 29, 2014 Share Posted May 29, 2014 I remember reading something a few years ago also about bitlocker being unsafe due to secret keys or something like that All encrypted drives that store the key in memory can be hacked with a cold boot and the right tools. if you store the key on a memory stick or some other secure option this can't be done, and no NSA doesn't have a backdoor, thorrenttief is just regurgitating the age old NSAkey BS scare. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425903 Share on other sites More sharing options...
HawkMan Posted May 29, 2014 Share Posted May 29, 2014 This guy hints at it I think. There's definitely a presentation about it where he says that Microsoft have a Top Secret way to work with Law Enforcement. it's stupid, you can't have a secret key to unlock files. it's patently impossible to encrypt files in a way that they can be decoded with two different keys. so the whole backdoor thing is a pointless idea to start with. You need the actual key they where encoded with, so any backdoor would have to store this in a way that they could find, with the scrutiny put into these programs by hackers and security experts, they would find such obvious code without the source code by simple reverse engineering and seeing what the code actually does when it's working. Shame I used TrueCrypt to encrypt a file and burn it to a CD and gave it to a mate to look after, I told him to look after it incase I ever needed it again :shiftyninja: you decided to give up porn but needed an escape clause ? there are easier ways :p Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425915 Share on other sites More sharing options...
Guest Posted May 29, 2014 Share Posted May 29, 2014 If I had to guess, this isn't as straight forward as we're being led to think. There's something else going on here. Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug? If I had to guess, the feds are involved. The auditors even said they didn't find any blaring bugs, and don't know much about what's going on. Solid and reliable that until few months ago it was never tested. And they DID find lots of bugs during the first audit. OSS != solid and reliable by default Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425935 Share on other sites More sharing options...
HawkMan Posted May 30, 2014 Share Posted May 30, 2014 Just FYI regarding getting keys from TPM chips, easy? No, it's not easy, I doubt the majority of people here could do it. Possible? Yes. How? You etch away the plastic from the chip package (usually using nitric acid), then you get a very good microscope and look through all the parts of the chip, and you can work out what each part of the silicon does, and using this knowledge you can work out where they private key is stored and just scribble it down. Now, that'd take days to do, maybe weeks, and some very expensive equipment. Of course, there's companies that'll do it for you for a lot of money, and that's excluding the possibility that there's a backdoor in the chip that'd allow you to just read the key off (and chances are very high that such a feature exists) Well you'd need an electron microscope and you can't really just scribble them down. of course the key on the chip is useless without your key as well. so... as for a backdoor, no. NSA would't want a backdoor on the very same equipment they use themselves. kind of a backfire scenario. and as you so smartly pointed out, by reading what the chip does, other people (foreign elint for example) could find this backdoor. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425945 Share on other sites More sharing options...
Gerowen Posted May 30, 2014 Share Posted May 30, 2014 I think at this point, since the website is still the same, it's probably safe to assume that it's NOT defacement but actually legit. Which raises some difficult questions... Do all old versions have a critical vulnerability or is this a Lavabit against outside pressure? I'm with ya. It just seems really sudden. I mean if there was an unpatched security hole, wouldn't they just patch the hole instead of ceasing development altogether? That's why I think they're getting pressured from somewhere. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596425981 Share on other sites More sharing options...
primexx Posted May 30, 2014 Share Posted May 30, 2014 I'm with ya. It just seems really sudden. I mean if there was an unpatched security hole, wouldn't they just patch the hole instead of ceasing development altogether? That's why I think they're getting pressured from somewhere. Either way, it's really really scary. Either governments have been compromising security for much longer than we thought, or they've started waging open war against the security community. Neither is good news. I'm hoping that this is a canary and 7.1a has proven so secure that they've resorted to pressuring the project, at least there's hopes of forks if that's the case. If there's an undisclosed and fatal vulnerability then it doesn't bode well for the future of security software. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596426017 Share on other sites More sharing options...
Thomas the Tank Engine Posted May 30, 2014 Share Posted May 30, 2014 Solid and reliable that until few months ago it was never tested. And they DID find lots of bugs during the first audit. OSS != solid and reliable by default From the article: Despite early rumors, Green denies that the audit he led has anything to do with the shut down Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596426069 Share on other sites More sharing options...
neufuse Veteran Posted May 30, 2014 Veteran Share Posted May 30, 2014 I'm starting to think the dev's just gave up... I mean comon, it's been how long since 7.1a came out? a few years? and no updates Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596426085 Share on other sites More sharing options...
primexx Posted May 30, 2014 Share Posted May 30, 2014 I'm starting to think the dev's just gave up... I mean comon, it's been how long since 7.1a came out? a few years? and no updates feb 2012. but they've always been slow at new releases. Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596426091 Share on other sites More sharing options...
simonlang Posted May 30, 2014 Share Posted May 30, 2014 http://truecrypt.ch :) Brandon H 1 Share Link to comment https://www.neowin.net/forum/topic/1215495-truecrypt-shuts-down-due-to-alleged-security-issues/page/3/#findComment-596426917 Share on other sites More sharing options...
Recommended Posts