Nobody seems sure what’s going on, not even the spectacularly well-informed Bruce Schneier. But TrueCrypt, the whole-disc encryption program many have relied on for a decade, has either been mysteriously compromised or somebody’s pulled off a hoax. Brian Krebs thinks it’s the real deal and that the secretive TrueCrypt team is sending us all a warning.
As some have pointed out, the cryptic “official” announcement that “TrueCrypt is not secure as it may contain unfixed security issues …” could be read as “Not Secure As …” with the initials spelling out N-S-A.
Let’s hope for a hoax. TrueCrypt being subverted would be a major heartbreaker. And always … be careful out there.
(Tip o’ hat to S.)
That’s just a bizarre statement. Anything I can come up with for why that might be true is immediately refuted by the other voice in my head.
Prediction: we’ll never know what really happened.
And, most people will just go ahead and use BitLocker, or stay with their older version of TrueCrypt. Maybe the audit will come up with something that will cause any sensible person to stop using it — even older versions. But, it will eventually just fade from use, as eventually, old versions will not run on newer versions of the OS.
I use LUKS and dm-crypt for my personal machines but my employer does use TrueCrypt so I’m following this pretty closely. There is very little reliable information right now and, so far, the hypotheses being floated are a mixture of speculation and ignorance.
“TrueCrypt is not secure as it may contain unfixed security issues …” could be read as “Not Secure As …”
And “unfixable”, if nothing later than XP can be protected by TrueCrypt. TrueCrypt (probably under another name) will have to do a complete overhaul of its security features ― and keep frequent updates ― in order to compete and remain viable and trustworthy. Right now, speculation indicates it has been left behind.
The part that makes me most uneasy about this, is the advice to move to a Microsoft product. I don’t know anything about BitLocker, but isn’t that a closed source product from a company known to collude with the government?
A quote from reddit:
“It’s really terrifying though realizing that something such as an encryption platform can just be silently destroyed by the government at will.”
Gives me the willies. I can’t wait until the history books are written about this time period, I suspect it will be fascinating. The possibilities I imagine for the future of this country are much more colorful and plausible lately than ever before. There is so much confirmed federal activity which outrages so many different people, groups, and governments, so suddenly…
Claire, here’s an OT.
I was poking around looking for low tax counties in Oregon. First I found this, which has an interesting map on p7:
I decided to look at Gilliam County which has the lowest property tax in the state. The wikipedia entry says, “The largest individual employers in the county are two subsidiaries of Waste Management Inc., Chemical Waste Management of the Northwest and Oregon Waste Systems, Inc., who run two regional waste disposal landfills. By levying a fee of $1 a ton, Gilliam County receives enough money to pay the first $500 of the property tax bills of its inhabitants, an amount that covers the full tax bill for almost half of the county inhabitants, as well as funding other county projects.” In other words, Arlington gets all Portland’s garbage.
Of course, you have to put up with that gigantic windfarm, sure to depress the county property values in perpetuity. On the other hand, if SHTF, a wind farm in your back yard is not a bad thing to have…
Amusingly, the county has lost control of its official site. Take a look at
My kind of place! Low/no property tax, no sales tax, and if you are retired or have no visible source of income, no income tax. Also, Linus Pauling was born and grew up there in Condon.
I’ve also been following Josephine and Curry Counties, prominent on that map for low property taxes, and resistant to tax hikes. I think retirees end up there and vote that crap down. Former “state” of Jefferson…
I’ve been pushing Tillamook County but my wife says, “too farmy”, sheesh. Guess she thinks Tillamook Cheese comes from the store rather than from cows. I like that cow smell, reminds me of Wisconsin as a kid.
A comment on Schneier’s blog points to GRC.com, which claims to have heard from the developers:
If this is accurate, it reflects rather poorly on the TrueCrypt developers.
Looks like TrueCrypt got a National Security Letter. That comes with a gag order.
Thanks for the heads-up, Borepatch. So their strange instructions to migrate to a Microsoft product and that oddly phrased “…Not Secure As…” would be cryptic messages to hint at what they’re not allowed to say.
Makes sense. Well, as much as anything makes sense when cryptographers and the NSA are involved.
Being that TrueCrypt was first released in 2004, I rather like the theory that the oddly phrased message is “TrueCrypt IS NSA”, initially developed by and wholly owned by that particular agency. Perhaps via careful constructs to avoid any traceable ties, which permitted a whistleblower enough control to deface the whole project.