TrueCrypt shuts down due to alleged 'security issues'


Recommended Posts

anything with TPM is not secure if physical access is acquired, and potentially remotely too. the key can be easily extracted(by those who know how to do it,like biggun).

An easier and cheaper way would be to add hardware to the device, like a physical keylogger.

I would trust BitLocker against random people trying to access my data, which to be honest is what I care about most, but I wouldn't trust it to be safe against the NSA/GCHQ/etc. as it has been shown that Microsoft work with these agencies so I have no doubt that they have some kind of master key or some other way to access the encrypted data with ease.

 

I am not sure what to believe regarding the TrueCrypt update though. At first I thought it was a server hack but as nobody has come forward to say "oh ###### we were hacked!" yet confuses me. Either way I still have trust in 7.1a but no way am I going to install 7.2.

bitlocker has an NSA backdoor built-in. Documents leaked to cryptome.org about 2yrs ago showed that law enforcement can unencrypt it.

. . . You mean this?

 

Really? All I've seen around it are the old NSAKey rumors/reports (before Bitlocker), some reports that if you can copy the RAM contents fast enough you can get the secret key out (which is a vulnerability that all encryption programs have, AFAIK), and a lot of reports saying that Microsoft consistently turned down law enforcement requests for backdoors in Bitlocker.

 

It's actually kind of weird that I haven't heard any legitimate rumors (rumors coming from someone who claims to be affiliated with the company/NSA) about a Bitlocker backdoor O.o

You must be referring to this? If so, I believe that Peter Biddle has written at least two articles which address this security issue. http://peternbiddle.wordpress.com/2008/02/23/threat-model-irony/ and (more importantly) http://peternbiddle.wordpress.com/2008/02/22/attack-isnt-news-and-there-are-mitigations/

 

The simple solution to this in BitLocker is to make sure that :

  • your machine is never left un-attended with the keys resident in memory ? you can do this using hibernate, which is what I do
  • you need to add something with crypto goodness to the boot process that stops the keys from loading into RAM without you ? in my case I use +PIN

So really, calm down. This isn?t news. There are some other features in BitLocker to address this as well (eg memory scrubbing), and in SP1 there will be +PIN and +USB at the same time, which makes it even harder. I call this ?the Thames feature?: if I toss my USB dongle into the Thames, sure you can waterboard the PIN out of me, but you?re going to be diving for my dongle?

Which brings us to this entertaining piece. http://peternbiddle.wordpress.com/2009/02/08/the-thames-river-scenario-and-xkcd/

 

anything with TPM is not secure if physical access is acquired, and potentially remotely too. the key can be easily extracted(by those who know how to do it,like biggun).

Physical attacks are obviously much more difficult because one has to have access to the machine. Also, as you mentioned, the attacker has to have the required knowledge and resources in order to be successful.

Physical attacks are obviously much more difficult because one has to have access to the machine. Also, as you mentioned, the attacker has to have the required knowledge and resources in order to be successful.

right,but once hackers dump one of these chips, they can analyze the code and find vulnerabilities. the TPM connects through the LPC bus,so by software alone,such as malware, they could make the chip spill its guts.

It`s all well and good TrueCrypt saying use Bitlocker but Bitlocker is only available to those using Pro and above. I`d imagine there`s a great many people using the program who will now be feeling a bit confused!

TrueCrypt was the de-facto standard and know all this comes out, remember peanut butter keeps dogs friendly to :)

If I had to guess, this isn't as straight forward as we're being led to think.  There's something else going on here.  Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug?  If I had to guess, the feds are involved.

 

The auditors even said they didn't find any blaring bugs, and don't know much about what's going on.

If I had to guess, this isn't as straight forward as we're being led to think.  There's something else going on here.  Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug?  If I had to guess, the feds are involved.

 

The auditors even said they didn't find any blaring bugs, and don't know much about what's going on.

 

Stop spreading this crap.

Just curious, in the grand scheme of things, what are you guys all hiding in your encrypted folders/disks that you are so worried about someone seeing? Short of personal info, medical info, financial/bill info. (Which can all be had through the internet or the vendor being hacked directly). If someone wants to get something, they can and will, even if it takes social engineering to do it. Which no level of encryption will protect.

 

One example in my case is my moms off site backup drive. I take it to her house on sunday when I go out for breakfast and backup her computer onto it. At first it wasn't encrypted with truecrypt but then one time I lost the drive for a few weeks and I couldn't find it. Ended up being between my seats in my car. Once I found it I immediatly encrypted it with whole drive encryption with truecypt. That's just one example. I'd give you another example but it's against the rules of this site :D

Just FYI regarding getting keys from TPM chips, easy? No, it's not easy, I doubt the majority of people here could do it.

Possible? Yes. How? You etch away the plastic from the chip package (usually using nitric acid), then you get a very good microscope and look through all the parts of the chip, and you can work out what each part of the silicon does, and using this knowledge you can work out where they private key is stored and just scribble it down.

Now, that'd take days to do, maybe weeks, and some very expensive equipment. Of course, there's companies that'll do it for you for a lot of money, and that's excluding the possibility that there's a backdoor in the chip that'd allow you to just read the key off (and chances are very high that such a feature exists)

I think at this point, since the website is still the same, it's probably safe to assume that it's NOT defacement but actually legit. Which raises some difficult questions... Do all old versions have a critical vulnerability or is this a Lavabit against outside pressure?

I remember reading something a few years ago also about bitlocker being unsafe due to secret keys or something like that

 

 

All encrypted drives that store the key in memory can be hacked with a cold boot and the right tools. if you store the key on a memory stick or some other secure option this can't be done, and no NSA doesn't have a backdoor, thorrenttief is just regurgitating the age old NSAkey BS scare.

This guy hints at it I think. There's definitely a presentation about it where he says that Microsoft have a Top Secret way to work with Law Enforcement. 

 

it's stupid, you can't have a secret key to unlock files.

 

it's patently impossible to encrypt files in a way that they can be decoded with two different keys. so the whole backdoor thing is a pointless idea to start with. You need the actual key they where encoded with, so any backdoor would have to store this in a way that they could find, with the scrutiny put into these programs by hackers and security experts, they would find such obvious code without the source code by simple reverse engineering and seeing what the code actually does when it's working. 

Shame I used TrueCrypt to encrypt a file and burn it to a CD and gave it to a mate to look after, I told him to look after it incase I ever needed it again  :shiftyninja:

 

you decided to give up porn but needed an escape clause ? there are easier ways :p

If I had to guess, this isn't as straight forward as we're being led to think.  There's something else going on here.  Anonymous developers of a solid and reliable open source encryption solution all of a sudden start telling people to use an encryption method that has a known NSA accessibility bug?  If I had to guess, the feds are involved.

 

The auditors even said they didn't find any blaring bugs, and don't know much about what's going on.

 

Solid and reliable that until few months ago it was never tested. And they DID find lots of bugs during the first audit.

 

OSS != solid and reliable by default

Just FYI regarding getting keys from TPM chips, easy? No, it's not easy, I doubt the majority of people here could do it.

Possible? Yes. How? You etch away the plastic from the chip package (usually using nitric acid), then you get a very good microscope and look through all the parts of the chip, and you can work out what each part of the silicon does, and using this knowledge you can work out where they private key is stored and just scribble it down.

Now, that'd take days to do, maybe weeks, and some very expensive equipment. Of course, there's companies that'll do it for you for a lot of money, and that's excluding the possibility that there's a backdoor in the chip that'd allow you to just read the key off (and chances are very high that such a feature exists)

 

Well you'd need an electron microscope and you can't really just scribble them down.  

 

of course the key on the chip is useless without your key as well. so...

 

as for a backdoor, no. NSA would't want a backdoor on the very same equipment they use themselves.  kind of a backfire scenario. and as you so smartly pointed out, by reading what the chip does, other people (foreign elint for example) could find this backdoor. 

I think at this point, since the website is still the same, it's probably safe to assume that it's NOT defacement but actually legit. Which raises some difficult questions... Do all old versions have a critical vulnerability or is this a Lavabit against outside pressure?

I'm with ya.  It just seems really sudden.  I mean if there was an unpatched security hole, wouldn't they just patch the hole instead of ceasing development altogether?  That's why I think they're getting pressured from somewhere.

I'm with ya.  It just seems really sudden.  I mean if there was an unpatched security hole, wouldn't they just patch the hole instead of ceasing development altogether?  That's why I think they're getting pressured from somewhere.

 

Either way, it's really really scary. Either governments have been compromising security for much longer than we thought, or they've started waging open war against the security community. Neither is good news. I'm hoping that this is a canary and 7.1a has proven so secure that they've resorted to pressuring the project, at least there's hopes of forks if that's the case. If there's an undisclosed and fatal vulnerability then it doesn't bode well for the future of security software.

Solid and reliable that until few months ago it was never tested. And they DID find lots of bugs during the first audit.

 

OSS != solid and reliable by default

 

From the article:

 

Despite early rumors, Green denies that the audit he led has anything to do with the shut down

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.