Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat Ten auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government. The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient …
If you want VeraCrypt, it's at https://veracrypt.codeplex.com. Current version is 1.16.
Hell no!
For what possible reason?
I already have my properly authenticated TC 7.1a binaries, code and keys. I had them long before the abandonment. The cryptography is (of course) as solid as it has always been, the code has now been scrutinised at length by multiple independent authorities, and all that has ever been discover is a smattering of benign and contextually utterly trivial coding imperfections. As a result of all this FUD, TC 7.1a has been rendered/proven by far the most studied, robust and trustworthy block cryptography application I know of. I really can't imagine any reason arising to even consider moving from TC 7.1a at any point in the foreseeable future.
Anyone who does not already have copies can readily obtain them from and compare them with multiple sources, disseminated widely across the interwebs and the world. There is no longer a single point of failure. At present a search of the signing key's "short fingerprint" (F0D6B1E0) yields 2780 results on Google. Presumably now 2781 ;o)
Just for good measure, here's the key's full spec along with a few of its digests...
pub 1024D/F0D6B1E0 2004-06-06
Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0
uid TrueCrypt Foundation <info@truecrypt-foundation.org>
uid TrueCrypt Foundation <contact@truecrypt.org>
sub 4077g/6B136ECF 2004-06-06
Key fingerprint = EB79 356A 3AFA B492 66A3 322F DCEA 1B7C 6B13 6ECF
TrueCrypt-key.asc
MD5:41612478ceeee8448b87a5e872f07302
SHA256:26d4446f040bf6989a19b197f69d0fc2a80fb6fa826750163f396ee904ac4b27
WHIRLPOOL:c3deb2b0a45ce04293088ac0e44a8fe7a0df1a6e0c6fa37dd46598ca4d554895f0a234bb3f8646f5ba1c020088b573e98e1f6b8ce93c8bb9e5c65c0d7b09d5da
@AC Whilst I take your point, since this is open source and that it could always benefit from a few tweaks and improvements, perhaps a new version of the code (with the delta closely scrutinised with every update) is a good thing?
Having the signed binaries from the original is a good thing, and always useful as a back-stop, but compiling* it yourself from known code is also good.
*Assuming you can trust your compiler of course :)
Total agreement Sir RC. The devil is, of course, in the close scrutiny of every delta.*
Seeing no meaningful utility to any "upgrade" due to...
* (Emboldened _AND_ italicised for the pleasure of our sarcastic friend. Now featuring a list too!)
Downvoted because essentially you're saying a fixed known frozen in time version is better than something that is under active development - a point which is extremely debatable since its public knowledge who the Veracrypt developers are vs the unknowns who coded the original.
Your whole argument rests on balancing 2 imponderables - dormant but well audited legacy code vs maintained but changing code, which may or may not be introducing new bugs with new functionality.
Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV.
"Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV."
"Frequently used" doesn't necessarily mean heavily scrutinised, at least, not until those bugs emerged. It was active maintenance that introduced the Debian ssl bug.
"
Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV.
"
Well, my *logic* is certainly different to yours.
Unless the Veracrypt team (person?) finds a security flaw in Truecrypt that was missed by the extensive audit, and then produces a fix, I cannot see how it could possibly come up with a product that is more secure. Security flaws are seldom fixed by accident in the course of making other tweaks and adding new features. Exactly the reverse is in fact the case.
Governments are not monoliths. They can both do good and bad. Sometimes at the same time.
This audit was done to see if TrueCrypt is secure for Government use: Some cryptography solution used by German federal institutions uses parts of TrueCrypt, and thus the BSI (Bundesinstitut für Sicherheit in der Informationstechnologie/Federal institute for Security in Information Technology) ordered this audit to see if the solution is secure for their use.
Thus in this case the interests of the Government and the public are the same.
Somewhat contrary to that, Germany has generally been pretty strong on the whole personal privacy and was the target of hacking by the NSA, which apparently they got quite annoyed at. It wouldn't surprise me if they were having an audit done for internal use and someone suggested making a public statement of the results to try and counter some of the bad press from being part of Five Eyes
My tinfoil hat is tingling....
I'm not saying this is true but what if, the governments know that trucrypt is breakable (they found a way somehow) the previous devs found out and told us all. Governments now trying to convince us to keep using it because its "like secure guys" rather than having us use something new that they cant crack.
Just sayin..
Chaps, please remember: the manufacturers of tin foil are paid by the government to include microscopic trackers at regular intervals in every roll.
Think about it: the trackers will need aerials; aerials need to be conductive; tin foil is conductive.
But sometimes there is simply no conspiracy.
You think they haven't thought of that? The tin foil thing is a bluff, people think they're safe, but they aren't. In fact, the recorders have been miniaturised and distributed as dust across the whole world. Whenever the government want information they just send in people with vacuum cleaners. They got the idea from a series of short stories by Bob Shaw...
You think all this talk of drones is true? They just send a signal to the transmitters in a specific area and they detonate. It looks like a missile explosion, but it isn't. The drones are just a convenient cover.
"What if you run a few thousand volts through* your tin foil"
For the love of $DEITY, don't do that, man! The unavoidable arcing creates millions of tiny punctures in the tin foil which then all proceed to diffract the incoming mind control signal right into your skull, as a tiny all new source each! It's the worst thing you could do, which is exactly why THEY create this sort of misleading rumour! Don't listen to them! Or to me! I could be one of them - just think about it...!
Was one (or more) developers of Truecrypt USA citizens? If so it is likely that they received a secret court order, ordering them to weaken parts of the code or leave subtle vulnerabilities. You would never know as the order would be secret and so in defiance the developers just packed up shop like a well known encrypted mail provider.
If the intentional bug was found for those even bothering to look they could just claim unknown bug and then fix it (and leave another bug elsewhere)
Or simply, they got fed up of coding it.
- S.A
Ukraine, I vaguely recall?
I more clearly recall an absolutely extraordinary amount of FUD-slinging on the official forum. All baseless of course but the tone and effect it created was very impressive. Now gone and poorly archived, sadly, as it would have been interesting to revisit, armed with a couple of years hindsight. I'd be surprised if that hadn't contributed to the apparently "fed up" ultimate outcome.
The "extra vulnerabilities" is the subject of the "none are sufficient..." Since the subject is plural, the verb should match. Consider this rewrite:
The 77-page report on [TrueCrypt] dug up extra vulnerabilities, but the report says that none of the vulnerabilities are sufficient to undermine [TrueCrypt].
On the other hand, the "77-page report" is 3rd person singular, so "say" should be "says".
The confusion comes from having two subjects with accompanying verbs scattered throughout the sentence.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
