TrueCrypt shuts down due to alleged 'security issues'


87 replies to this topic

#76 +Brando212

Brando212

    Neowinian Senior

  • 6,534 posts
  • Joined: 15-April 10
  • Location: Omaha, NE
  • OS: OS X Mavricks, Windows 7/8.1 Pro
  • Phone: Sony Xperia ZL, Nokia Lumia 925

Posted 30 May 2014 - 14:54

a good sign indeed. knew it would be the case. one way or another the project was bound to continue even if it's via fork




#77 GarakObama

GarakObama

    Neowinian

  • 97 posts
  • Joined: 23-October 12

Posted 30 May 2014 - 17:10

I don't know about a fork. Not until a definitive reason comes out for what happened or an audit produces backdoors or flaws that are then fixed. That should be the first priority. 



#78 +Brando212

Brando212

    Neowinian Senior

  • 6,534 posts
  • Joined: 15-April 10
  • Location: Omaha, NE
  • OS: OS X Mavricks, Windows 7/8.1 Pro
  • Phone: Sony Xperia ZL, Nokia Lumia 925

Posted 30 May 2014 - 17:19

I don't know about a fork. Not until a definitive reason comes out for what happened or an audit produces backdoors or flaws that are then fixed. That should be the first priority. 

that's pretty much what the website says as well. which i agree is a good way to handle it



#79 Jack 0Neill

Jack 0Neill

    Neowinian

  • 632 posts
  • Joined: 23-October 05

Posted 31 May 2014 - 04:55

Steve Gibson: TrueCrypt is still safe to use

 

Lmfao. That guy is a fool and a tool. I wouldn't trust him for anything and his Spinrite is snake oil.



#80 JJ_

JJ_

    Neowinian

  • 717 posts
  • Joined: 31-July 05

Posted 31 May 2014 - 10:50

[snip]That guy is a fool and a tool.[/snip]


Quite honestly you're making yourself out to look like one. Gibson's article is the most plausible explanation I've read from all the wild conspiracy theories out there and I won't be surprised if he is right. The audit will continue and it hasn't discovered any major flaws yet. TrueCrypt will be forked and reborn once again. For now, keep calm and carry on using 7.1a

#81 n_K

n_K

    Neowinian Senior

  • 5,362 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 31 May 2014 - 11:30

Well you'd need an electron microscope and you can't really just scribble them down.  

 

of course the key on the chip is useless without your key as well. so...

 

as for a backdoor, no. NSA wouldn't want a backdoor on the very same equipment they use themselves. kind of a backfire scenario. and as you so smartly pointed out, by reading what the chip does, other people (foreign elint for example) could find this backdoor.

Actually they would, which is why all the DoD 'secure smartcard' solutions all also have backdoors, it wasn't designed as a backdoor to get the data from the card, it was designed for firmware upgrading (JTAG etc) but can be used to get the data off the cards or rewrite them, etc.



#82 HawkMan

HawkMan

    Neowinian Senior

  • 21,376 posts
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 31 May 2014 - 11:58

Getting data from the card doesn't mean getting useful data or the right data you need.

#83 +ChuckFinley

ChuckFinley


  • 9,571 posts
  • Joined: 14-May 03

Posted 31 May 2014 - 13:37

I would hate it if the reason they stopped was because they didn't receive enough donations to continue running!! Then they have every right to pull the plug. The last few years they were heavily "asking" for donations. It's just a shame it's come to this.



#84 macstar

macstar

    Neowinian Senior

  • 2,503 posts
  • Joined: 19-January 03
  • OS: Kubuntu 14.04 x64
  • Phone: Samsung Galaxy S3

Posted 31 May 2014 - 13:39

Lmfao. That guy is a fool and a tool. I wouldn't trust him for anything and his Spinrite is snake oil.

 

i think the old 7.1 is safe but not 7.2. claiming 7.2 to be secure is as ridiculous as TrueCrypt's claim by now to switch to bitlocker.



#85 ITFiend

ITFiend

    Happy

  • 322 posts
  • Joined: 13-October 09
  • Location: Galactic Sector ZZ9 Plural Z Alpha
  • OS: Windows Server 2012 R2, Windows 8.1
  • Phone: Windows Phone 8.1

Posted 31 May 2014 - 15:36

A long-winded post about why using a TPM as a key-factor along with BitLocker is a good thing. Not responding to anyone specifically since a lot of little things have been said through the thread.

 

Why use BitLocker over TrueCrypt:

  1. Microsoft only supports Windows booting from BitLocker encrypted volumes.
  2. Windows BitLocker supports TPM’s and smart cards.
  • Apple only supports Mac OS booting from FileVault encrypted volumes.
  • Apple FileVault does not support TPM’s (it can however support smart cards), and more unfortunately, Apple hardware does not contain a TPM or equivalent.
  • TrueCrypt does not support TPM (though supposedly it could support smart cards)

 

What good is a TPM:

  1. It can measure your device configuration. A TPM can be aware of what state your computer should be in to be considered "trustworthy". If a device becomes untrustworthy, the TPM will no longer release its key until it's rearmed.
  2. If the physical device supports intrusion detection, your firmware records that an intrusion occurred, when it occurred, and announces this. A TPM can consider a device "untrustworthy" after an intrusion.
  3. You can configure a TPM to consider a device "untrustworthy" when measurements change. Firmware settings have several levels of what can be measured for changes. Otherwise Secure Boot, and OS Boot Loader options are measured. If anything measured fails to match its last known secure configuration, then the TPM fails to release its key. (Enabling or disabling Hyper-V counts as a measurement change)
  4. A TPM can be configured to work with secondary key factors. Using a TPM + Network Unlock, TPM + PIN, TPM + USB, or TPM + USB + PIN is significantly more secure than using a TPM on its own.
  5. When a TPM is used with a secondary factor, it doesn’t matter as much if a third party steals that key. They still don’t have access to boot or data without all factors.

 

Is a TPM, as the only key-factor, "secure"?:

  1. Not really, though it may be considered "secure enough" by some. I personally only think of the TPM as a component that measures everything about a device and then stamps it as "approved" for use. Like a smart card (and in fact a TPM can be used as a smart card), it’s a great key-factor, but on its own it’s not foolproof. You are always best off using a second key-factor in conjunction with a TPM, preferably a factor that cannot be easily obtained along with the device. If the device is portable, or a home computer, TPM + PIN or TPM + USB is great. TPM + PIN + USB is awesome. If device is an enterprise device with Windows 8 or Server 2012 or above, TPM + BitLocker Network Unlock is awesome, especially used with Hyper-V. Now physical servers can have two key-factors required without requiring encryption be suspended before rebooting (or always leaving the USB key attached to the server), and while leaving the server automatically bootable from a cold/crashed state because we’re all not crazy enough (… most of the time) to require a PIN on a production server.
  2. If a third party could gain internal access to a computer without triggering an intrusion, then the TPM is probably not "secure enough" for most usage scenarios.
  3. If a TPM considers a device untrustworthy, it is extremely difficult to attack it and extract the keys. It requires time, energy, knowledge, and skill.
  4. If a TPM considers a device trustworthy, and a man in the middle can insert itself between the TPM and motherboard without altering this state, the device’s security is completely penetrated. The only thing that protects data at this point is if more than one key factor was required.

 

Other Comments:

BitLocker for bootable devices can be done via USB without a TPM, but there are costs.  Your boot key is never really “secure”, and you cannot have multiple key-factors on a bootable partition unless a TPM is present, but if a third party steals a device without stealing the key they at least didn’t gain access to the data. You lack measured boot without a TPM. On older devices that do not support UEFI Secure Boot, this is a more serious attack vector, as your boot loader never exists on an encrypted partition and can be tampered with without the device user becoming aware of it.

 

Anyway, all said, Windows is most secure when used with a TPM + (Other Key Factor) with full Measured Boot options enabled, UEFI Firmware that is password protected, UEFI Secure Boot is enabled plus Trusted Boot measuring all code used in the OS boot process. If you use all of those, plus Windows SmartScreen and AppLocker, your Windows device is one seriously tough nut to crack open.
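As an added illustration of the measured-boot and key-factor points in the post above (example code written for this page, not code from the post, from Microsoft or from any TPM vendor), the Python below models a PCR-extend chain, a volume key sealed to the resulting PCR value, and an optional PIN as a second factor. The extend rule (hash of old PCR concatenated with the measurement digest) follows the TPM specification; the seal/unseal wrapping, the boot component strings, the key value and the PIN "1234" are constructed toy values and not BitLocker's real format. It shows why a changed boot loader or a toggled Hyper-V setting stops automatic key release, why resealing ("rearming") after a legitimate change restores it, and why a TPM+PIN protector withholds the key even when the platform state looks trustworthy.

```python
"""Toy model of TPM measured boot, sealed-key release and a second key factor.

Added example for this page; it is NOT the forum poster's code, NOT BitLocker's
implementation and NOT a TPM library. Only the PCR extend rule mirrors the TPM spec;
everything else is a simplified, constructed stand-in.
"""
import hashlib
import hmac
from typing import Optional

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR' = SHA-256(PCR || SHA-256(measurement)).

    A PCR can only be extended, never written directly, so arriving at a given
    value requires replaying the same measurements in the same order.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Simulate measured boot: start from the reset value and extend once per stage."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _wrapping_key(pcr: bytes, pin: Optional[str]) -> bytes:
    # Constructed derivation: binds the wrapping key to the PCR value and, when a
    # PIN protector is used, to the PIN as well. Real TPMs use policy digests instead.
    pin_bytes = pin.encode() if pin is not None else b""
    return hmac.new(b"toy-tpm-seal", pcr + b"|" + pin_bytes, hashlib.sha256).digest()


def seal(vmk: bytes, expected_pcr: bytes, pin: Optional[str] = None) -> dict:
    """Seal a volume master key to an expected PCR value (and an optional PIN)."""
    assert len(vmk) == PCR_SIZE
    wk = _wrapping_key(expected_pcr, pin)
    wrapped = bytes(a ^ b for a, b in zip(vmk, wk))
    tag = hmac.new(wk, wrapped, hashlib.sha256).digest()
    return {"wrapped": wrapped, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, pin: Optional[str] = None) -> Optional[bytes]:
    """Release the key only if the current PCR (and PIN) reproduce the wrapping key."""
    wk = _wrapping_key(current_pcr, pin)
    expected_tag = hmac.new(wk, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # policy check fails: the TPM withholds the key
    return bytes(a ^ b for a, b in zip(blob["wrapped"], wk))


# Constructed boot sequences (stand-ins for firmware, Secure Boot state, boot loader hash).
KNOWN_GOOD_BOOT = [b"UEFI firmware 1.0", b"SecureBoot=on", b"bootmgfw.efi digest=<constructed>"]
TAMPERED_BOOT = [b"UEFI firmware 1.0", b"SecureBoot=on", b"bootmgfw.efi digest=<modified>"]
HYPERV_ENABLED_BOOT = KNOWN_GOOD_BOOT + [b"Hyper-V=on"]

# Constructed volume master key; never derive a real key this way.
VMK = hashlib.sha256(b"constructed volume master key").digest()


def run_scenarios() -> dict:
    """Return True for every scenario that behaves as the post describes."""
    good_pcr = measure_boot(KNOWN_GOOD_BOOT)
    hyperv_pcr = measure_boot(HYPERV_ENABLED_BOOT)
    tpm_only = seal(VMK, good_pcr)
    tpm_pin = seal(VMK, good_pcr, pin="1234")
    return {
        # TPM as the only factor: trustworthy state releases the key with no user input.
        "tpm_only_good_boot_releases": unseal(tpm_only, good_pcr) == VMK,
        # A modified boot loader changes the measurement chain; no release.
        "tpm_only_tampered_bootloader_blocked": unseal(tpm_only, measure_boot(TAMPERED_BOOT)) is None,
        # Enabling Hyper-V counts as a measurement change; no release until resealed.
        "tpm_only_hyperv_toggle_blocked": unseal(tpm_only, hyperv_pcr) is None,
        # Resealing to the new known-good state ("rearming") restores automatic unlock.
        "resealed_after_hyperv_releases": unseal(seal(VMK, hyperv_pcr), hyperv_pcr) == VMK,
        # TPM + PIN: a trustworthy platform state alone is not enough.
        "tpm_pin_no_pin_blocked": unseal(tpm_pin, good_pcr) is None,
        "tpm_pin_wrong_pin_blocked": unseal(tpm_pin, good_pcr, pin="0000") is None,
        "tpm_pin_right_pin_releases": unseal(tpm_pin, good_pcr, pin="1234") == VMK,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The model deliberately separates the two things the post keeps distinct: the PCR chain answers "is the platform in its known-good state?", while the second factor answers "is the authorised user present?". A real BitLocker TPM protector binds to a selection of PCRs through a TPM policy rather than a single hashed value, but the consequence is the same: any measured change (firmware, Secure Boot state, boot loader, Hyper-V) yields a different PCR and the TPM refuses to unseal until the protector is resealed against the new state.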



#86 Thrackerzod

Thrackerzod

    Neowinian Senior

  • 2,905 posts
  • Joined: 14-November 01

Posted 31 May 2014 - 15:56

i think the old 7.1 is safe but not 7.2. claiming 7.2 to be secure is as ridiculous as TrueCrypt's claim by now to switch to bitlocker.

 

7.2 is not capable of encryption anyway. It is a stripped version they only put up to decrypt your existing files.



#87 Ian William

Ian William

    I work great with Windows Vista!

  • 1,185 posts
  • Joined: 01-March 13
  • OS: Windows Vista

Posted 31 May 2014 - 21:36

A long-winded post about why using a TPM as a key-factor along with BitLocker is a good thing. Not responding to anyone specifically since a lot of little things have been said through the thread.


[. . .]

ITFiend, your post is a beautiful summary of Bitlocker and TPM benefits and features. It also doesn't include any nonsense (read: uninformed speculation) about the hardware, which is rare . . .



#88 elenarie

elenarie

    Neowinian

  • 952 posts
  • Joined: 23-March 14
  • OS: Windows 8.1 Pro x64
  • Phone: Lumia 920 Yellow

Posted 31 May 2014 - 22:05

plus Windows SmartScreen and AppLocker, your Windows device is one seriously tough nut to crack open.

 

Unless the NSA uses their backdoor access and gets in without any trouble. :shiftyninja:

 

:laugh:




