What's happening with TrueCrypt?
June 10, 2014 9:59 AM
Recently I noticed a lot of controversy about whether TrueCrypt is secure or not. It looks like their webpage is raising concerns about it, even to the point of suggesting that people migrate their data away from it. Ars Technica and others are following the story.
What's going on? Might this be a hoax? Are TrueCrypt-encrypted flash drives not safe? If not, what level of security do they provide, if any? What would be a good alternative if we are to migrate away as quickly as possible?
Phase II of the audit hasn't finished, and Bruce Schneier is as surprised/baffled/dismayed as everyone else, so I'm inclined to think there's just a very small handful of people who actually know what's going on, and none of them are talking.
posted by johnofjack at 10:10 AM on June 10, 2014
As everyone says, no one's sure of anything. Even if we suppose that it hasn't been compromised, I'd still suggest migrating from it because we don't know what will come of the proposed forks, and it's not a happy position to depend on unsupported software for something important. (I think the current situation is more easily explained by the devs flaking out than by skulduggery involving a known-to-some compromise of its crypto, but see first sentence.)
posted by Zed at 11:50 AM on June 10, 2014
What's going on?
I'm a little more inclined to believe the developers were spooked by something, which perfectly easily could have been an NSL, but there's really no proof and they seem disinclined to provide any, which may or may not be by choice (see NSL).
Might this be a hoax?
Well, in the initial hours, that probably seemed plausible, but as time has passed there has been no obvious effort to reclaim control by the dev team. Since a non-hoax is very well plausible under the circumstances I see no basis to pursue this line of reasoning. The effect is the same.
Are TrueCrypt-encrypted flash drives not safe?
The audit thus far suggests they probably are generally safe in that no obvious code failures or compromises have been found. But the audit continues. I'm inclined to trust the audit team on this one.
If not, what level of security do they provide, if any?
Well, this is the real nut. Are you trying to protect your data from identity thieves, unscrupulous acquaintances and associates, or some sort of national security apparatus? It's all a matter, as with all security, of effort versus return.
What would be a good alternative if we are to migrate away as quickly as possible?
This is the other real nut. There isn't any broadly good and/or convenient one. With the absence of TC another may arise (and there is clearly a demand for a solution), so keep your nose in the wind. BitLocker on Windows is probably as decent security as easily obtainable anywhere, but if your defenses are necessary against the FBI or NSA, few trust Microsoft that far.
posted by dhartung at 1:51 PM on June 10, 2014
bue_beetle: "GRC has all the information you need."
Even if the head of the NSA walked up to me personally and said "Nope, trust me, we haven't infiltrated TrueCrypt and we don't even have any backdoors into it - it's A1, 100% secure, and we're not spying on users (nudge nudge, wink wink)", I'd still believe them over Steve Gibson.
He has a well-deserved reputation as someone who will say and do absolutely anything to support his personal opinions…
posted by Pinback at 7:43 PM on June 10, 2014
This thread is closed to new comments.
posted by Tomorrowful at 10:09 AM on June 10, 2014