Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi all! We have been experiencing an issue on site where threads have been missing the latest postings. The platform host Vanilla are working on this issue. A workaround that has been used by some is to navigate back from 1 to 10+ pages to re-sync the thread and this will then show the latest posts. Thanks, Mike.
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Truecrypt development stopped. Recommend changing to Bitlocker.

2

Comments

  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    The problems with technology, is there always someone/organization with better technology. So it would be naïve to think you are secure against everyone. Even in the pipe is secure, it has to enter and leave it at some point. Even if that through social engineering, or a person. A Maginot Line as it were. "strategically ineffective".

    Most people concerned about such things don't commit any data to electronic means at all.

    For most people their data they are sending isn't sensitive anyway.

    It's a much greater act of naivete to believe you've nothing to hide, therefore never need to worry about it, indeed it's one of the more common fallacies when it comes to security.

    Also I don't see the fact that 100% security isn't always achievable to be a reason to conclude that the only way to maintain your privacy is to go live in a cave and use finger painting to communicate.

    Even a well resourced adversary has to be able to distinguish only your traffic - this is why the Maginot line is such a poor basis of comparison as it was obvious to any fool where it was - a better analogy might be one letter amongst millions at the post office - which has to be found before any cryptanalysis can begin. This is why the article on the Tor website doesn't bother me that much - it tells us very little we didn't know before and isn't practical for surveillance purposes, at least on this scale.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Creation of a target-rich environment? It makes sense to get all your suspects into the one place so you can concentrate your efforts.

    I've seen the guys heading up the Tor project on Youtube, you really think they're government stooges? Must be a pretty good disguise...! :-D


  • Registered Users, Registered Users 2 Posts: 3,131 ✭✭✭Dermot Illogical


    I've seen the guys heading up the Tor project on Youtube, you really think they're government stooges? Must be a pretty good disguise...! :-D

    As I recall they are govt-funded, or were at any rate. But that doesn't matter as much as control of the nodes.


  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    Wasnt it originally if not still a US Navy project?


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    As I recall they are govt-funded, or were at any rate. But that doesn't matter as much as control of the nodes.

    You're right they do receive funding from the US government, as the tor browser is used by the Navy, diplomats etc. of course the AES cipher was also the result of a government sponsored competition, I don't really smell a rat as it helps the country as a whole if we all keep our data safe.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    It's a much greater act of naivete to believe you've nothing to hide, therefore never need to worry about it, indeed it's one of the more common fallacies when it comes to security..

    I didn't say they didn't have data to protect. I said they don't expose it to certain types of risk.
    Also I don't see the fact that 100% security isn't always achievable to be a reason to conclude that the only way to maintain your privacy is to go live in a cave and use finger painting to communicate..

    There is a world outside of computers. People forget that. Its often far more practical/efficient than using a computer. You don't have to go all Sheldon on it.
    Even a well resourced adversary has to be able to distinguish only your traffic - this is why the Maginot line is such a poor basis of comparison as it was obvious to any fool where it was - a better analogy might be one letter amongst millions at the post office - which has to be found before any cryptanalysis can begin. This is why the article on the Tor website doesn't bother me that much - it tells us very little we didn't know before and isn't practical for surveillance purposes, at least on this scale.

    They don't need to look at all the letters. They only need to know the origin and the destination. Then they can refine that further outside of the post office.

    The reason the Maginot line failed was not because they knew where it was. It was because they believed that was the only route. They didn't consider it could be bypassed. That's appropriate is because attacks on tor network haven't been directly at it. But at things around it.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    You're right they do receive funding from the US government, as the tor browser is used by the Navy, diplomats etc. of course the AES cipher was also the result of a government sponsored competition, I don't really smell a rat as it helps the country as a whole if we all keep our data safe.

    I don't think their objectives are as altruistic as that.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    I didn't say they didn't have data to protect. I said they don't expose it to certain types of risk.

    All the same, I'd like to keep as much of my data private all of the time if it's all the same to you. :)


    There is a world outside of computers. People forget that. Its often far more practical/efficient than using a computer. You don't have to go all Sheldon on it.

    When it comes to cryptography, you might have noticed a computer is pretty handy. :)

    Having said that if anyone wants to use an air gap to keep encrypted data safe or use a one time pad hand cipher, you'll have no argument from me. I just get ticked off by smug security researchers in pony tails saying that only face to face communication is secure.
    They don't need to look at all the letters. They only need to know the origin and the destination. Then they can refine that further outside of the post office.

    The reason the Maginot line failed was not because they knew where it was. It was because they believed that was the only route. They didn't consider it could be bypassed. That's appropriate is because attacks on tor network haven't been directly at it. But at things around it.

    A passive adversary does indeed need to look at all the letters - of course if you want to intercept mail to a certain address the job is made easier but you still have to locate the letter at some stage in the system.

    The reason the Maginot line failed was as you say that people who knew its location simply chose to walk around it. I agree that the basic structure of the tor network has yet to be compromised and that attacks have centred around the end points but as mentioned previously it's a moot point if you make use of the hidden services so that your traffic doesn't leave the network.

    This latest attack looks good on a white paper but it couldn't be used in its current incarnation to actively monitor a specific user at all times, even if you knew from where they're connecting.

    No harm in encrypting your messages as they go through tor mind you! :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    I don't think their objectives are as altruistic as that.

    Answer your own question though - why not develop their own cipher in house? The answer I think is that security through obscurity is much weaker than open source.


  • Advertisement
  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Answer your own question though - why not develop their own cipher in house? The answer I think is that security through obscurity is much weaker than open source.

    Their involvement Open source I think its like planning a vegetarian meal with tiger.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    ...When it comes to cryptography, you might have noticed a computer is pretty handy. :)

    Having said that if anyone wants to use an air gap to keep encrypted data safe or use a one time pad hand cipher, you'll have no argument from me. I just get ticked off by smug security researchers in pony tails saying that only face to face communication is secure.

    Smug researchers? I'm just saying in my experience at a certain level of business you'll never see an email. If you get a phone call it will be vague to the point of nonsense unless you know the context, and you won't know the number as it won't be from their main phone. Its not about it security either. Its about deniable responsibility. But has the same outcome.
    A passive adversary does indeed need to look at all the letters - of course if you want to intercept mail to a certain address the job is made easier but you still have to locate the letter at some stage in the system.

    If the person is not random. Then you have a starting location. Probably a destination. Also.
    The reason the Maginot line failed was as you say that people who knew its location simply chose to walk around it. I agree that the basic structure of the tor network has yet to be compromised and that attacks have centred around the end points but as mentioned previously it's a moot point if you make use of the hidden services so that your traffic doesn't leave the network.

    This latest attack looks good on a white paper but it couldn't be used in its current incarnation to actively monitor a specific user at all times, even if you knew from where they're connecting.

    No harm in encrypting your messages as they go through tor mind you! :)

    The Maginot line didn't fail in one part of its job. It prevent direct attack. But unfortunately that wasn't the only problem.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    Their involvement Open source I think its like planning a vegetarian meal with tiger.

    If you feel that strongly, there's no obligation for you to use Rijndael - the same developers also came up with Anubis cipher for instance.

    However I take your point in a more holistic sense - still it's not just the government who is reviewing the code, we have coders from all over the world examining it every day. Of course this isn't perfect (the Heartbleed scandal springs to mind!) but as I said even a global adversary has a near impossible task finding your traffic all of the time, let alone decrypting it, which is why I don't think we need to be unduly concerned about tor. Truecrypt on the other hand does seem to have outlived its usefulness, give me Linux's dm-crypt any day. :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    Smug researchers? I'm just saying in my experience at a certain level of business you'll never see an email. If you get a phone call it will be vague to the point of nonsense unless you know the context, and you won't know the number as it won't be from their main phone. Its not about it security either. Its about deniable responsibility. But has the same outcome.



    If the person is not random. Then you have a starting location. Probably a destination. Also.



    The Maginot line didn't fail in one part of its job. It prevent direct attack. But unfortunately that wasn't the only problem.

    I think it's important to bear in mind that the attack here against the tor network isn't particularly effective.

    If we were to take a real world analogy besides the Maginot line (because with respect, it doesn't afford much anonymity having miles of tanks and barbed wire), I think this can be explained quite easily.

    Let's imagine a Post Office in a Banana Republic with 100 clerks. Let's say six of them have been bribed and are under the control of the local government.

    Bear in mind for state surveillance to be effective at all, these clerks need to be in place and bribed at all times, however this isn't a problem for people with access to tax money, so far things are looking good for our shadowy hypothetical Politburo.

    The clerks are bribed to write down the home address of everyone who sends mail at their counter as well as the intended recipient.

    All it then takes is to forward the Politburo a copy of this list and they'll know who's been talking with who, right?

    Well firstly, all you would be able to prove from a system such as this is that someone at one address had sent a message to a person in another. In itself it wouldn't tell you who the person was who sent the letters*, nor would it tell you anything about the contents of the letter, which is enciphered**.

    Moreover if the address to which the sender is traced is one used by many individuals like a college or a workplace, then the task is made much harder for the government. The same also applies to the recipient.

    Just to make things even more difficult for our imaginary Politburo, every time someone goes to the Post office counter, they could choose to use a clerk not under their control.***

    Of course they could try to solve this problem by bribing more clerks but the clerks themselves are subject to regular scrutiny by their own organisation which has a vested interest in maintaining the anonymity of the postal system and can immediately fire anyone found to be helping the government to trace mail.

    Worse still, if the government is looking to track a particular individual, they have no way of knowing when or from where their message will be sent, nor can they easily know every person with whom they'll have contact.

    Perhaps when it's put in these terms, it's easy to see why I don't think this type of attack on the tor network is very practical. Still I'm pleased they plugged the gaps but as I said, I'm not losing any sleep.



    *Admittedly in a real life post office you may have to provide your name or at least consent to having your face filmed but this isn't the case for Tor users.

    **Again, in real life a postal clerk could admittedly open the envelope but that's not practical here as the type of attack described doesn't decrypt traffic, just helps to trace it.
    *** In the attack described, only around 6% of entry nodes were compromised. They have now been removed from the network.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes.

    Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.

    http://www.wired.com/2014/08/operation_torpedo/


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I think it's important to bear in mind that the attack here against the tor network isn't particularly effective.

    If we were to take a real world analogy besides the Maginot line (because with respect, it doesn't afford much anonymity having miles of tanks and barbed wire), I think this can be explained quite easily....

    You're kinda stuck in a loop around electronic anonymity. My point was you can attack at other points other than the network.


  • Advertisement
  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    You're kinda stuck in a loop around electronic anonymity. My point was you can attack at other points other than the network.

    Did you actually read what I said? I did a full rundown of points of attack without referring to electronics once.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    IMO its incomplete, and its still assuming anonymity in a network. Just not an electronic one. Anyway, you're focused on a very specific area of security, which is taken as secure until the internet tell us other wise. I was talking about security in general as I see it used in business.

    How about returning to the subject of the thread. True-crypt was secure....and now it isn't. Or maybe it never was. Or maybe it is, and they don't want you to use it.

    .. or just because you're paranoid doesn't mean they're not out to get you.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    IMO its incomplete, and its still assuming anonymity in a network. Just not an electronic one. Anyway, you're focused on a very specific area of security, which is taken as secure until the internet tell us other wise. I was talking about security in general as I see it used in business.

    How about returning to the subject of the thread. True-crypt was secure....and now it isn't. Or maybe it never was. Or maybe it is, and they don't want you to use it.

    .. or just because you're paranoid doesn't mean they're not out to get you.

    I'm sorry if I didn't make it clear, I explained the vulnerability as simply as I could - nothing needs to be assumed, anonymity is a practical goal if the Tor browser is used correctly.

    We've already discussed security in a more general sense and as I mentioned theoretically perfect security is not necessary in practice to anonymously and privately store and share your data even (gasp) with a computer!

    This has to do with the fact that there's equally no such thing as theoretically perfect surveillance - unless of course you believe in the divine! :-)

    I'm more than happy to discuss alternatives to Truecrypt though, feel free to scroll back I've suggested a couple of alternatives already on here, would love to hear your thoughts but please bear in mind you will need a computer to use them. :-D


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    Thanks for this RF, a colleague and I were discussing this a few weeks ago - particularly worrying as of course verifying the key used to sign the software wouldn't help here as no doubt that would be swapped out too! :-)

    He said that maybe compiling the code from source would be an idea, however this would mean you'd have to minutely examine each line to be on the safe side.

    Am I right in thinking that this was a worry surrounding Truecrypt in that it was virtually impossible to determine whether the compiled binaries matched the code on the website?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Just going back over this thread now...
    I agree with your point about the trade off between security and convenience but I don't think we need to give up on e-mail altogether - intercepting a message that for instance you've encrypted with a 4096 bit gpg key wouldn't do the NSA much good.

    Unfortunately I believe that even having sent such an email would make you a target. I routinely encrypt emails between myself and technically competent friends but I believe the fact that I've sent a PGP encrypted email probably has me on some list somewhere.


  • Advertisement
  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    Just going back over this thread now...



    Unfortunately I believe that even having sent such an email would make you a target. I routinely encrypt emails between myself and technically competent friends but I believe the fact that I've sent a PGP encrypted email probably has me on some list somewhere.

    Hi Khannie,

    While I doubt you're going to be bagged and tagged by Mossad anytime soon, this is an excellent point in that use of privacy tools can in and of itself attract unwanted attention.

    I think you could probably mitigate the risk of your e-mails being intercepted by using a mail provider that uses a Tor hidden service e.g MailtoTor or I2P's own Susimail but of course this could be seen as a regressive argument as then an Orwellian government will know you're blanketing all your traffic, not just your e-mails.

    Personally I try to use the obfsproxy browser to send my messages which makes some attempt to disguise the fact you're using tor, although I'm told that it's not 100% effective.

    One of the former security gurus I met in the heyday of the Silk Road suggested using stego tools to hide encrypted messages inside innocent looking photos but I think this just reiterates the same problem in that the presence of such tools on your hard disk would lead to a minute examination of every file there - of course if you're feeling impish (as I often am), you could download several of such tools and use them to hide junk data in an image or two, just to keep everyone guessing! :)


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Why Privacy Matters Even if You Have 'Nothing to Hide'
    whether there are good responses to the nothing-to-hide argument. I received a torrent of comments:

    My response is "So do you have curtains?" or "Can I see your credit-card bills for the last year?"
    So my response to the "If you have nothing to hide ... " argument is simply, "I don't need to justify my position. You need to justify yours. Come back with a warrant."
    I don't have anything to hide. But I don't have anything I feel like showing you, either.
    If you have nothing to hide, then you don't have a life.
    Show me yours and I'll show you mine.
    It's not about having anything to hide, it's about things not being anyone else's business.
    Bottom line, Joe Stalin would [have] loved it. Why should anyone have to say more?

    On the surface, it seems easy to dismiss the nothing-to-hide argument. Everybody probably has something to hide from somebody. As Aleksandr Solzhenitsyn declared, "Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is." Likewise, in Friedrich Dürrenmatt's novella "Traps," which involves a seemingly innocent man put on trial by a group of retired lawyers in a mock-trial game, the man inquires what his crime shall be. "An altogether minor matter," replies the prosecutor. "A crime can always be found."

    I like the Bold bit.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    They could simply invent something to frame you with. They don't have to base it on your data.


  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    beauf wrote: »
    They could simply invent something to frame you with. They don't have to base it on your data.

    This. A driveby to load your PC with kiddy porn and thats you fcuked.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    This. A driveby to load your PC with kiddy porn and thats you fcuked.

    Or indeed simply stealing someone's credit card info to buy kiddy porn as your man Brian Cooper found out. It's still possible of course to be acquitted but you can lose your job and reputation.

    Hopefully this will debunk the "nothing to hide" fallacy once and for all.

    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.

    :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    They could simply invent something to frame you with. They don't have to base it on your data.

    ...This said, all the more reason to make sure you encrypt all your drives - that way it's extremely difficult to add data there which doesn't belong, so a different drive would have to be planted on your person or premises - one without your dabs on it hopefully! :)


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    ...Hopefully this will debunk the "nothing to hide" fallacy once and for all...

    Explain how considering that in those example the data used to initiate the event didn't come from the individual. But from an illegal source. A stolen credit card.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    ...This said, all the more reason to make sure you encrypt all your drives - that way it's extremely difficult to add data there which doesn't belong, so a different drive would have to be planted on your person or premises - one without your dabs on it hopefully! :)

    You're really fixated on your bubble. They can create data or non electronic information outside your control.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    You're really fixated on your bubble. They can create data or non electronic information outside your control.

    Yes... but then your dabs wouldn't be on it -do you ever actually read what people post or are you permanently on transmit? Deep sigh...
    Edit : I have put the important part in bold, further to my last post.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    Explain how considering that in those example the data used to initiate the event didn't come from the individual. But from an illegal source. A stolen credit card.

    A stolen credit card.. wait for it... (drum roll)... in THE NAME of said individual. I also mentioned that even if someone is exonerated on criminal charges, their reputation could still suffer.

    PLEASE read posts properly before replying as your missing the point time and again is getting very tiresome. I am happy to put the important points in bold if you feel it would help.


  • Advertisement
  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    That doesn't answer the question asked.

    How do you secure/hide data you're not in control of.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    beauf wrote: »
    That doesn't answer the question asked.

    How do you secure/hide data you're not in control of.

    Actually it does, you're just not reading what I said. No one else seems to have trouble with this.

    Surely it's not too difficult to grasp the concept that if your drive is already encrypted it's very difficult for anyone to add any incriminating information to it?

    Are we really going to have to go through this every time I post in here where I say something then have to explain it to you twice more because you didn't understand properly the first time round - is what I am saying really so complicated?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Keep it civil please lads.

    Recondite - I think the point is that information could be planted on a source outside your control, say an incriminating URL at your ISP's data retention facility.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Don't think I've seen the update mentioned around here.

    That second part of the audit is in;

    http://www.theregister.co.uk/2015/04/02/truecrypt_security_audit/

    And the report itself;

    https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    The report is positive in that it hasn't shown up any serious problems but I have to say I'm disappointed that no-one has created a serious fork of the project yet.

    From reading around tomb url]https://www.dyne.org/software/tomb/[/url seems to be the best things on Linux. For me however one of the major benefits of Truecrypt is it's portability and the way I can encrypted volumes from Windows [work] and linux [work & home].


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I still prefer truecrypts feature set, to the newer ones. Early days yet I guess.


  • Registered Users, Registered Users 2 Posts: 7,518 ✭✭✭matrim


    hooplah wrote: »
    The report is positive in that it hasn't shown up any serious problems but I have to say I'm disappointed that no-one has created a serious fork of the project yet.

    From reading around tomb url]https://www.dyne.org/software/tomb/[/url seems to be the best things on Linux. For me however one of the major benefits of Truecrypt is it's portability and the way I can encrypted volumes from Windows [work] and linux [work & home].

    IIRC truecrypt's license doesn't allow forking the code


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    matrim wrote: »
    IIRC truecrypt's license doesn't allow forking the code

    Yeah, that point is frequently raised but it seems to be ambiguous, also if the original developers are not around who would enforce the dubious licence?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 25,069 ✭✭✭✭My name is URL


    matrim wrote: »
    IIRC truecrypt's license doesn't allow forking the code

    Someone should tell that to the VeraCrypt devs.

    I've been using it for the last few months


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Someone should tell that to the VeraCrypt devs.

    I've been using it for the last few months

    Couldn't get Veracrypt to open on my Mac. Worked like a charm on Linux though.

    If you want a bottom up rewrite of the code I suppose there's always CipherShed.


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    I know Security Now (Steve Gibson and Leo Laporte) did a podcast recently on a TrueCrypt audit, haven't had the time to listen to it yet, but will tonight/tomorrow. Quick scan of the podcast transcript, found the author of the report and the site it's audited on. https://opencryptoaudit.org/

    Again, haven't read it in full, but the gist is, it's still pretty viable, no gaping holes, some bad code, but nothing that can't be improved upon.


    Well feck, somehow managed to miss AnCatDubh's post, who already posted the report. Ignore the above :P


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoB_BoT wrote: »
    I know Security Now (Steve Gibson and Leo Laporte) did a podcast recently on a TrueCrypt audit, haven't had the time to listen to it yet, but will tonight/tomorrow. Quick scan of the podcast transcript, found the author of the report and the site it's audited on.

    Again, haven't read it in full, but the gist is, it's still pretty viable, no gaping holes, some bad code, but nothing that can't be improved upon.


    Well feck, somehow managed to miss AnCatDubh's post, who already posted the report. Ignore the above :P

    The security concerns surround the Windows version only. There's a string of encrypted data in the volume headers which might contain the actual password to unlock the containers. Interestingly in the Linux version the same string of data is just a string of zeroes.

    Of course since it's no longer in active development, there's no real way yo can be sure of your data being safe so might be best to use something like Veracrypt.


  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    anvilfour wrote: »
    The security concerns surround the Windows version only. There's a string of encrypted data in the volume headers which might contain the actual password to unlock the containers. Interestingly in the Linux version the same string of data is just a string of zeroes.

    Of course since it's no longer in active development, there's no real way yo can be sure of your data being safe so might be best to use something like Veracrypt.

    Well that's it, will be best to use the newer forks. But we're also assuming that they're not working the same type of volume header encryption as truecrypt and that it's all above board, again it would need to be audited. Can you really trust anyone? :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    BoB_BoT wrote: »
    Well that's it, will be best to use the newer forks. But we're also assuming that they're not working the same type of volume header encryption as truecrypt and that it's all above board, again it would need to be audited. Can you really trust anyone? :)

    You can trust open source code you've checked and compiled yourself - sadly in the case of Truecrypt it wasn't really possible to check that the Windows installer available on the website was compiled from the publicly available source code line for line - also it apparently is very convoluted and difficult to lock down!

    I suppose it's best to go with the traditional method of seeing security as a mindset and employing multiple layers of encryption...

    Even when I had a Truecrypt encrypted USB stick, this in turn contained an encrypted file container I had created with the program tomb (which is simply a very easy way to use Linux built in encryption tools dm-crypt and cryptsetup.

    I think the command line tool tcplay has previously been mentioned which can create Truecrypt style containers without any of the messy code and security concerns too.

    Take your pick! :)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭BoB_BoT


    Encryption is like an onion, it can have many layers, then sometimes it just makes you cry. :P


  • Registered Users, Registered Users 2 Posts: 35,462 ✭✭✭✭Hotblack Desiato


    anvilfour wrote: »
    You can trust open source code you've checked and compiled yourself

    Ah but did you compile the compiler yourself - and did you compile the compiler you compiled the compiler with yourself - and did you compile the compiler you compiled the compiler you compiled the compiler with yourself - and...

    https://en.wikipedia.org/wiki/Backdoor_(computing)#Compiler_backdoors
    Thompson's paper describes a modified version of the Unix C compiler that would:
    - Put an invisible backdoor in the Unix login command when it noticed that the login program was being compiled, and as a twist
    - Also add this feature undetectably to future compiler versions upon their compilation as well.

    Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead.

    Scrap the cap!



  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That's so beautiful.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Ah but did you compile the compiler yourself - and did you compile the compiler you compiled the compiler with yourself - and did you compile the compiler you compiled the compiler you compiled the compiler with yourself - and...

    Yes. :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Ah but did you compile the compiler yourself - and did you compile the compiler you compiled the compiler with yourself - and did you compile the compiler you compiled the compiler you compiled the compiler with yourself - and...

    On a more serious note, it seems from reading this month's Cryptogram newsletter, the CIA apparently did try to create a corrupted version of XCode in a vain attempt to undermine iOS. Of course they had no way to install the corrupted compiler on developers' machines...!


  • Advertisement
Advertisement