Mysterious announcement from Truecrypt declares the project insecure and dead

Look, if the NSA decides it needs to see what’s on my TC-protected laptop and flash drives, the possibility that they might get in there and find my banking passwords or a couple of torrented episodes of “Cosmos” and “Justified” is already not my biggest problem.

I’m much more concerned that some script kiddie might get hold of my laptop if stolen and be able to open up my bank and investment accounts. And at this point I see no reason to believe that TC 7.1a with a strong password and keyfile authentication (I keep the keyfile on a separate device, inside its own TC folder) is vulnerable to that sort of attack.

So as of today, me no change-o.


Stupid question… would running linux as the main OS and then Windows in a virtualized sandbox help? Having both systems on hand, using one to access the sensitive data and to maintain the virtual machine for the insecure other one?

The mass of coins can serve as pretty good shielding. For plausible deniability, they can be held in the proper masking shape with a suitable “natural” binder, e.g. chocolate.

The position of the card is also important. The xray beam is a flat “blade” perpendicular to the belt. Attach the card onto (or better, into) something that will keep it upright, and the xray signature will not be the shape of the card but a short line, some 11 millimeters on the shortest side of the card, about 1mm thick. Put some common clutter around, and you have a pretty good chance the operator will miss the line entirely.

Check out some photos of the colorful screens of the xray systems. The orange is for lightly absorbing stuff that lets high-energy through. The blue/black is for stuff that stops the higher-energy xrays as well. The green is for the intermediates.

The sensor uses two layers of xray-sensing photodiodes, separated by a thin sheet of copper. The copper filters out the low-energy xrays and the differential signals are then used to generate the color information. The card will likely show as a dark blue line, in the least-recognizable orientation. Imagine how the stuff in the bag will look, and apply common rules for visual camouflage to make it less noticeable. Mind that the operators look for something different (guns, knives, blades…) and have only a few seconds for each image.

Official pressure on authors/maintainers of security systems happens. Sometimes the attempts even get so botched that they get recorded and publicized, as happened in the Czech Republic some four years ago to a vendor of smartphone crypto software.

Hello,

While I had been leaning towards the theory that Truecrypt’s cessation was in response to a National Security Letter (or similar legal mechanism), it occurred to me there might be another reason that is consistent with the facts at hand, including the tying of the closure to Windows XP’s end of life:

Suppose the developer (developers?) of Truecrypt is a Microsoft employee. Not one that worked on Microsoft’s disk encryption technologies, per se, such as BitLocker and EFS, but perhaps a related area that involved cryptography or file systems or whatnot.

It is common for employers in the computer industry (or at least the ones I’ve worked for) to ask employees to fill out some kind of employee proprietary information and inventions contract, listing pre-existing work or IP that they’ve created, have rights to, etc., and that are the property of the employee, not their new employer. This protects the employee, so the company cannot say that they “own” it since the employee listed it at the time of hire, and protects the company, who can state they’re not involved. These types of issues (and similar ones) can also come up when you start working on personal projects unrelated to your day job at your employer, and you notify your manager and HR of them.

Perhaps the developer notified his bosses at Microsoft that he was involved in developing Truecrypt, and they okayed it, with standard provisos about not using work resources on it, not using any of Microsoft’s IP, nor introducing any of Truecrypt’s code into Microsoft’s products, etc. Kind of the standard “you do what you want in your own spare time, as long as it doesn’t involve the company.” Microsoft might have had some extra terms in there, because they had similar products (either under development or already available), and the employee couldn’t work on those or look at their source code until divested from the Truecrypt project. For that matter, the programmer may have been allowed to keep on working on it because there was no comparable version of BitLocker for Windows XP, at least for as long as Microsoft continued to support XP. Sometimes managers are cool about things like that. I can see a manager going to HR and saying, “This developer is working on an open source project in his own time that greatly benefits our own customers running XP, for whom we’re not going to be providing this type of solution. Please come up with a contract rider that allows him to keep working on it, as long as it helps keep our XP customers more secure.” and that’s what HR has LCA go off and write…

XP support finally ends, Microsoft now is supporting BitLocker on Vista, 7, 8 and Server 2008+ and the Truecrypt developer, who was allowed to keep working on it, has to honor his side of the contract.

Anyhow, that’s one possible interpretation I came up with. I don’t have any knowledge of this at all—it’s completely conjecture on my part, but it could explain that oddity about why Truecrypt development had to end with Windows XP.

