Truecrypt

bermudapineapple

I've always been a little paranoid about it so never used it. Has anyone read of any backdoors? I can't be bothered to flood my HDDs for days at a time with multiple passes whenever I want to erase a part of my life. Also I always feel something will show up somehow, some way. I'm figuring I can use Truecrypt and encrypt the HDD and butcher it with magnets and a pickaxe and disperse the pieces in various trash cans around Beirut. But I'm still worried about any backdoors. Any word? Google seems worthless. I'd like some hands-on experience if possible.

hussam

It is open source so any backdoors are unlikely. not impossible but very unlikely.
This does not however mean that there are no accidental security problems (as with all software).

samer

On April 14th, a partial audit of the TrueCrypt source code has found no evidence of backdoors, see: is TrueCrypt audited yet?.
If you're running on GNU/Linux, you're better off encrypting your whole disk using dm-crypt with the LUKS extension. For Windows and OS X, TrueCrypt seems to be the way to go.

It is open source so any backdoors are unlikely. not impossible but very unlikely.

A well crafted backdoor can hide in plain sight for years, especially in a huge code–base. That's why formal security audits are needed for critical tools like TrueCrypt. While I agree that they are more likely to be discovered and patched, we tend to overestimate our ability to notice them.

bermudapineapple

I was worried about backdoors. Thanks for the help. I'll go manual for now.

Joe

This paper is absolutely relevant: Reflections on Trusting Trust.

For the lazy among you, Ken Thompson is the inventor of Unix. In 1983 he was awarded the ACM Turing Award, the most prestigious distinction in Computer Science. This paper is the transcript of his acceptance speech. In it, he shows how he included a self-replicating backdoor into the C compiler, making it virtually undetectable to human audit of the code source. I highly recommended that you read it, at least the programmers amongst you.

Open Source helps. Frequent audits may reassure. I could add the fact that TrueCrypt is very widely used and nobody seems to have complained about breaches so far.

But nobody can give you full assurance that there are no backdoors.

bermudapineapple

rahmu wrote But nobody can give you full assurance that there are no backdoors.

Fuel to the fire of paranoia. Thanks.

hussam

samer wroteOn April 14th, a partial audit of the TrueCrypt source code has found no evidence of backdoors, see: is TrueCrypt audited yet?.
If you're running on GNU/Linux, you're better off encrypting your whole disk using dm-crypt with the LUKS extension. For Windows and OS X, TrueCrypt seems to be the way to go.

It is open source so any backdoors are unlikely. not impossible but very unlikely.
A well crafted backdoor can hide in plain sight for years, especially in a huge code–base. That's why formal security audits are needed for critical tools like TrueCrypt. While I agree that they are more likely to be discovered and patched, we tend to overestimate our ability to notice them.

I use LUKS on my computer at home :)

The fact that someone can boot from a CD and chroot into my installation didn't feel right. LUKS protects me from that.

Joe

Using Truecrypt is Not secure. The title may be a little alarming, but the truth seems to be that TrueCrypt is not supported anymore (which would make it not secure). The discussion on HackerNews is also relevant.

tt400 wroteFuel to the fire of paranoia. Thanks.

Welcome to the world of computer security. You haven't even seen the beginning of it. You want paranoia fuel? Read what Quinn Norton has to say about the state of security today.

You'd rather I lied and told you all is nice, safe and secure, like all these marketing campaign are desperately trying to convince you?

hussam wroteI use LUKS on my computer at home :)

Every time I read someone talk about safety through disk encryption, I think of this xkcd comic ;)

bermudapineapple

rahmu wrote Welcome to the world of computer security. You haven't even seen the beginning of it. You want paranoia fuel? Read what Quinn Norton has to say about the state of security today.

You'd rather I lied and told you all is nice, safe and secure, like all these marketing campaign are desperately trying to convince you?

Thanks, man. I'll look into that.

Joe

Tails, a Linux distribution focused on privacy is replacing TrueCrypt from its distro.
You can check which are the alternatives it's considering.

bermudapineapple

Just finished Quinn Norton's article, rahmu.

It reminded me of that general attitude you find around Lebanon or even around the rest of the world. You have a conversation ongoing about this or that war or about the banks or the CIA or anything, and someone makes a reference to the likes of: "Man, of course the CIA can do that. They've been able to do that ten years ago and they can do stuff now that you can't even imagine. Of course, the CIA is doing all kinds of stuff you can't imagine."

I don't adopt the powerless and naive vibes that come with that policy in the sense that I don't feel like the CIA is the god everyone makes it out to be, but at the same time I'm able to see some truths in these fears, truths that Norton presents.

It is completely mind-boggling exactly how many thousands upon thousands of Norton's little boxes are full of bugs. He hits the nail right on the head: the entire superstructure that is computing is fundamentally flawed and this flaw arises from many variables ranging from culture, politics, or just plain laziness.

This article reminded me of the time my uncle's car got stolen. My uncle had a Toyota FJ Cruiser parked outside his house. He'd park it outside his house every night. He wakes up one day to find it missing with the keys in his hand. Turns out the thieves were probably parked nearby as he arrived home, had some sort of hardware that picked up his remote's frequency and the digital security code, waited until the early hours of the morning, somehow decrypted and replicated and broadcasted that code and got into the car and drove off.

That's a 50,000 dollar investment gone in a few hours.

At the end of the day, people just want to go home. The programmers and security experts who code for the money want to go home and eat dinner and sleep. Therefore the fundamental flaw in computer security goes hand in had with the fundamental flaw in human nature, I suppose.

Thanks for the article, though.

I guess formatting my HDD every 4 or 5 months doesn't make me crazy after all.

Joe

Interesting points, @tt400. Some random thoughts, in no particular order.

The lack of security in our systems come from their sheer complexity. You cannot possibly defend a system you don't fully understand, and we're reaching a point where a whole lifetime is not enough to understand even the simplest actions like saving a file to disk or visiting a web page.
We're perpetuating the mistake by creating technologies that try to add many new features instead of focusing on security through simplicity. HTML5 is a perfect example of this.
Norton's a she, not a he. Not that it actually matters.
Paranoia is a form of mental illness in every case. Except in InfoSec. In InfoSec, paranoia's a virtue.
The CIA, NSA or other government agencies aren't the only ones targeting your data. Try to host a server online and analyze traffic logs. Every computer everywhere is under constant attack by everyone. Couple this with software so complex that it's impossible to secure correctly, and you have the state of Internet today.
Advertisers everywhere will tell you that their platform is "secure". When a kid stumbles upon an upon door on their platform, they paint him as a dangerous "hacker" and send him to life in prison. It'd be better if we simply admitted that all software is crap.
There's an effort to keep TrueCrypt alive. This is good news. I would watch closely.

hussam

There is also tcplay

bermudapineapple

rahmu wroteInteresting points, @tt400. Some random thoughts, in no particular order.

The lack of security in our systems come from their sheer complexity. You cannot possibly defend a system you don't fully understand, and we're reaching a point where a whole lifetime is not enough to understand even the simplest actions like saving a file to disk or visiting a web page.

We're perpetuating the mistake by creating technologies that try to add many new features instead of focusing on security through simplicity. HTML5 is a perfect example of this.

Norton's a she, not a he. Not that it actually matters.

Paranoia is a form of mental illness in every case. Except in InfoSec. In InfoSec, paranoia's a virtue.

The CIA, NSA or other government agencies aren't the only ones targeting your data. Try to host a server online and analyze traffic logs. Every computer everywhere is under constant attack by everyone. Couple this with software so complex that it's impossible to secure correctly, and you have the state of Internet today.

Advertisers everywhere will tell you that their platform is "secure". When a kid stumbles upon an upon door on their platform, they paint him as a dangerous "hacker" and send him to life in prison. It'd be better if we simply admitted that all software is crap.

There's an effort to keep TrueCrypt alive. This is good news. I would watch closely.

Thank you, yes! HTML5! That was my thought exactly! I was wondering why everyone was porting over to it at an alarming rate. I was just waiting for that massive hole to be found in it that compromises everything once all everyone had finished moving over to it. Glad to see I am not alone with these fears!

Thank you for that last link.

Also, check this out. I'm not saying we're all going to have one tomorrow. But eventually, when the tech spreads and more and more people have access to it, the threat of the entire framework will exponentially rise.