From zenadsl6186 at zen.co.uk Fri May 30 02:20:39 2014 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 30 May 2014 02:20:39 +0100 Subject: TrueCrypt takedown Message-ID: <5387DCE7.1020800@zen.co.uk> I guess you have all seen the news about the TrueCrypt takedown, eg http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ and http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/ . Basically the TrueCrypt website has mostly closed it's doors in a surprise move. There is a new version which only decrypts existing volumes, the earlier versions have gone. There are lots of theories about why, from a hack through a "Warrant Canary" to an existing backdoor or hole. Some thoughts. I discard outright any possibility of it being an outside website hack - too hard, an attacker would need access to the TC website, the Sourceforge TC site, and to the code signing key. The "Warrant Canary" theory doesn't seem to make a whole lot of sense either. It's possible, but why recommend BitLocker? When did someone have time to write all those code changes between being served the warrant and having to execute it? An existing hole or backdoor, which may have been about to be revealed by the audit? But the audit people say there is no sign of that, at least so far. The theory which makes most sense to me is that it was an at least partly commercially-motivated self-takedown by the devs. The recent change in name on the otherwise "same old code and binary signing key" is possibly significant here - the developers, or perhaps just some of them, may want to start up a commercial product in the new name. Their commercial aspirations are well-known, witness the previous license issues, the failed crowdfunding and donations campaigns, the "TrueCrypt Developers LLC" registered in Nevada (thanks to Piergiorgio Sartor for that info). And they already own a good chunk of the the IP rights in the TrueCrypt source. The ending of the project was graceful, to some extent at least - people were not left with unrecoverable archives, and temporarily acceptable but not-as-good alternatives were suggested. A whole lot of work went into that. It is obvious that this wasn't done in the heat of the moment - it must have taken at least several weeks to do the code revisions for the 7.2 release. There have also been hints (eg the robots.txt file) for about six months that something might be happening. The only reason I can think of for doing all that work is maintaining reputation (or technical reputation at least - TrueCrypt devs are not exactly known for being people people, or for being particularly into "free open source" either). No reasons why the code is/may be broken are given. Actually the "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" does not even actually say TrueCrypt is broken, just that it may be. And the unfixed issues might be fixed later, in the commercial version. Which would have been independently audited... at no cost to TrueCrypt... -- Peter Fairbrother From dw+ukcrypto at hmmz.org Fri May 30 02:55:55 2014 From: dw+ukcrypto at hmmz.org (dw+ukcrypto at hmmz.org) Date: Fri, 30 May 2014 01:55:55 +0000 Subject: TrueCrypt takedown In-Reply-To: <5387DCE7.1020800@zen.co.uk> References: <5387DCE7.1020800@zen.co.uk> Message-ID: <20140530015555.GA19360@k2> On Fri, May 30, 2014 at 02:20:39AM +0100, Peter Fairbrother wrote: > An existing hole or backdoor, which may have been about to be revealed by > the audit? But the audit people say there is no sign of that, at least so > far. > No reasons why the code is/may be broken are given. Actually the "WARNING: > Using TrueCrypt is not secure as it may contain unfixed security issues" > does not even actually say TrueCrypt is broken, just that it may be. A little too obvious, but perhaps it's simply the fact XTS encryption offers no authentication, leading to a huge range of tampering possibilities for anyone with physical access. Some concrete, repeatable attack may have been discovered by the developers. Possibly in support of this is their recommendation of Bitlocker, which relies on CBC instead of XTS. Alternatively they might simply be alluding to the difficulties inherent in securing the firmware and pre-boot environment, or have strong evidence of a related attack. David From jj.gray at shc.qinetiq-tim.com Fri May 30 08:56:42 2014 From: jj.gray at shc.qinetiq-tim.com (JJ Gray) Date: Fri, 30 May 2014 08:56:42 +0100 Subject: TrueCrypt takedown In-Reply-To: <20140530015555.GA19360@k2> References: <5387DCE7.1020800@zen.co.uk> <20140530015555.GA19360@k2> Message-ID: <538839BA.4010600@shc.qinetiq-tim.com> On 30/05/2014 02:55, dw+ukcrypto at hmmz.org wrote: > A little too obvious, but perhaps it's simply the fact XTS encryption > offers no authentication, leading to a huge range of tampering > possibilities for anyone with physical access. Some concrete, repeatable > attack may have been discovered by the developers. This was also demonstrated (with access to memory) by Volatility Labs [1] and there is also a good summary of the issues associated with XTS [2] which includes some interesting footnotes, such as the NIST public comments. Cheers, JJ [1] http://volatility-labs.blogspot.co.uk/2014/01/truecrypt-master-key-extraction-and.html [2] http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/ From g+ukcrypto at cobb.uk.net Fri May 30 10:44:57 2014 From: g+ukcrypto at cobb.uk.net (Graham Cobb) Date: Fri, 30 May 2014 10:44:57 +0100 Subject: TrueCrypt takedown In-Reply-To: <20140530015555.GA19360@k2> References: <5387DCE7.1020800@zen.co.uk> <20140530015555.GA19360@k2> Message-ID: <53885319.6090108@cobb.uk.net> On 30/05/14 02:55, dw+ukcrypto at hmmz.org wrote: > On Fri, May 30, 2014 at 02:20:39AM +0100, Peter Fairbrother wrote: >> No reasons why the code is/may be broken are given. Actually the "WARNING: >> Using TrueCrypt is not secure as it may contain unfixed security issues" >> does not even actually say TrueCrypt is broken, just that it may be. > > A little too obvious, but perhaps it's ... ...snip suggested issues... Is my naive reading of the message unreasonable? I read the message as intended to remain up for a long time and just as a warning that as there had been no further maintenance, there may have been issues found since the last release which no one has fixed (not suggesting they know of any issues). If the developers have stopped work on TrueCrypt then that seems a reasonable warning to leave behind to the world. That does seem the simplest explanation to me. At this stage, the more interesting question seems to be whether someone will create a commercial or open-source follow-on. From jj.gray at shc.qinetiq-tim.com Fri May 30 14:43:11 2014 From: jj.gray at shc.qinetiq-tim.com (JJ Gray) Date: Fri, 30 May 2014 14:43:11 +0100 Subject: TrueCrypt takedown In-Reply-To: <53885319.6090108@cobb.uk.net> References: <5387DCE7.1020800@zen.co.uk> <20140530015555.GA19360@k2> <53885319.6090108@cobb.uk.net> Message-ID: <53888AEF.2010904@shc.qinetiq-tim.com> On 30/05/2014 10:44, Graham Cobb wrote: > of any issues). If the developers have stopped work on TrueCrypt then > that seems a reasonable warning to leave behind to the world. > > That does seem the simplest explanation to me. That would appear to be the case, at least at this stage. https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff Cheers, JJ From bakeryworms at gmail.com Fri May 30 14:55:51 2014 From: bakeryworms at gmail.com (bakeryworms at gmail.com) Date: Fri, 30 May 2014 14:55:51 +0100 Subject: TrueCrypt takedown In-Reply-To: <53888AEF.2010904@shc.qinetiq-tim.com> References: <5387DCE7.1020800@zen.co.uk> <20140530015555.GA19360@k2> <53885319.6090108@cobb.uk.net> <53888AEF.2010904@shc.qinetiq-tim.com> Message-ID: <20140530135551.5984401.8672.259@gmail.com> It made me think of the Lavabit shutdown.? KRS Mark ? Original Message ? From: JJ Gray Sent: Friday, 30 May 2014 14:43 To: UK Cryptography Policy Discussion Group Reply To: UK Cryptography Policy Discussion Group Subject: Re: TrueCrypt takedown On 30/05/2014 10:44, Graham Cobb wrote: > of any issues). If the developers have stopped work on TrueCrypt then > that seems a reasonable warning to leave behind to the world. > > That does seem the simplest explanation to me. That would appear to be the case, at least at this stage. https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff Cheers, JJ From wendyg at pelicancrossing.net Fri May 30 16:49:27 2014 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Fri, 30 May 2014 16:49:27 +0100 Subject: TrueCrypt takedown Message-ID: Me too. ?It really does make you wonder what hidden factors might have been at work.? wg --- www.pelicancrossing.net Twitter: @wendyg -------- Original message -------- From: bakeryworms at gmail.com Date: 2014/05/30 14:55 (GMT+00:00) To: ukcrypto at chiark.greenend.org.uk,UK Cryptography Policy Discussion Group Subject: Re: TrueCrypt takedown It made me think of the Lavabit shutdown.? KRS Mark ? Original Message ? From: JJ Gray Sent: Friday, 30 May 2014 14:43 To: UK Cryptography Policy Discussion Group Reply To: UK Cryptography Policy Discussion Group Subject: Re: TrueCrypt takedown On 30/05/2014 10:44, Graham Cobb wrote: > of any issues). If the developers have stopped work on TrueCrypt then > that seems a reasonable warning to leave behind to the world. > > That does seem the simplest explanation to me. That would appear to be the case, at least at this stage. https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff Cheers, JJ -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at casparbowden.net Sat May 31 00:25:45 2014 From: lists at casparbowden.net (Caspar Bowden (lists)) Date: Sat, 31 May 2014 01:25:45 +0200 Subject: TrueCrypt takedown In-Reply-To: References: Message-ID: <53891379.9000504@casparbowden.net> It's not irrational to recommend BitLocker to users trusting a Microsoft's platform A mundane reason may be they realized the weaknesses of their cipher mode, and the support hassle they would get from disk re-encrypts gone bad if they changed Or they might be subject to a coercive order to backdoor future versions, and/or realize they may have been infiltrated with a weakness already, and mucho data is hanging out there, so cheshire cat best policy But it dramatically illustrates why should anyone now trust a codebase whose audit threat model has changed overnight from presumed benign authors to now unknown influences. Suppose the Truecrypt authors believed it secure, why should they declare it not so? If they believe it could be insecure, it probably is FWIW neither BitLocker nor Truecrypt deals with Evil Maid attacks properly Linux needs some well-engineered hidden container software though Caspar In 05/30/14 17:49, Wendy M. Grossman wrote: > Me too. It really does make you wonder what hidden factors might have > been at work. > > > wg > --- > www.pelicancrossing.net > Twitter: @wendyg > > > > -------- Original message -------- > From: bakeryworms at gmail.com > Date: 2014/05/30 14:55 (GMT+00:00) > To: ukcrypto at chiark.greenend.org.uk,UK Cryptography Policy Discussion > Group > Subject: Re: TrueCrypt takedown > > > It made me think of the Lavabit shutdown. > > KRS > Mark > > Original Message > From: JJ Gray > Sent: Friday, 30 May 2014 14:43 > To: UK Cryptography Policy Discussion Group > Reply To: UK Cryptography Policy Discussion Group > Subject: Re: TrueCrypt takedown > > On 30/05/2014 10:44, Graham Cobb wrote: > > > of any issues). If the developers have stopped work on TrueCrypt then > > that seems a reasonable warning to leave behind to the world. > > > > That does seem the simplest explanation to me. > > That would appear to be the case, at least at this stage. > https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff > > Cheers, > JJ > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: