Silk Road forums

Discussion => Security => Topic started by: HCeline on July 22, 2013, 10:29 pm

Title: can we trust truecypt
Post by: HCeline on July 22, 2013, 10:29 pm
well stumbled across this while I was reading about truecrypt http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/


if tails doesn't trust it and they don't publicly show their code should we trust them with our freedoms?  Anyone know a good open source alternative?
Title: Re: can we trust truecypt
Post by: kennypowders on July 22, 2013, 10:31 pm
Astor...



kmfkewm .....

Where are yoooou guyyyyys?!?!?!?!
What's the skinny on this?





For the lulz:
https://www.youtube.com/watch?v=03L3lGso_5w
Title: Re: can we trust truecypt
Post by: kennypowders on July 22, 2013, 10:32 pm
P.S. Site is up!  ;D
Title: Re: can we trust truecypt
Post by: kmfkewm on July 22, 2013, 11:22 pm
Truecrypt domain registered with a false address
Truecrypt developers identity hidden
Truecrypt developers working for free

All of these points also apply to I2P, most of them also apply to Freenet, and for the most part it all applies to Bitcoin as well. As far as I know nobody knows who actually made I2P other than some pseudonyms, Freenet it is known who made it but he works for donations, Bitcoin nobody knows who made it but a pseudonym and he works for free but probably actually made himself a lot of money in doing so. I don't know who is maintaining GPG or follow it that closely, but I imagine they are doing it entirely for free. Most of the open source security software is entirely free, hell just look at OpenSSL it is a truly massive cryptographic library that is entirely free. The point is that any one of these points isn't unique to hardly any security project that is not funded by a corporation, and in the cypherpunk scene projects falling under all three of these criteria are not really out of place at all. You have three distinct groups, the corporate people doing shit for money, the academic people doing shit for knowledge and then the cypherpunks doing shit for ideology and knowledge as well, and the cypherpunk people are generally pretty pseudonymous themselves.

Compiling Truecrypt source code increasingly difficult

No idea, I am sure because of compiler options it is a bit difficult to get source code to compile exactly to the released binaries, but the thing is if you can do it once then you can validate the source code and the binary. It isn't like they are releasing a closed source product.

Truecrypt license contains distribution restrictions

Lots of people have always bitched about Truecrypt's license, I think it is fine, I am not a license zealot ready to strap a suicide vest on for GPL like some people are.

Truecrypt removed from The Amnesic Incognito Live system

Doesn't mean anything really

Truecrypt open source code has never been reviewed

This is the biggest concern of all, I certainly have not analyzed Truecrypt and I don't know if anybody else has but I imagine so considering it is open source and popular.

Censorship at Truecrypt forums

Is kind of sketchy, Truecrypt forums have a bit of a reputation for being a totalitarian shit hole, definitely sketchy

Can the FBI crack Truecrypt?

Not likely at all from what I have seen

Can the NSA crack Truecrypt?

Maybe, who knows. I don't.

Conclusion about Truecrypt reliability

read the source code let me know how it looks k thnz bye
Title: Re: can we trust truecypt
Post by: CannabisConsumer on July 24, 2013, 03:29 am
Are there any open source alternatives for full disk encryption or OS partition encryption?
Title: Re: can we trust truecypt
Post by: Bungee54 on July 24, 2013, 04:00 am
dm_crypt

http://www.hermann-uwe.de/blog/howto-disk-encryption-with-dm-crypt-luks-and-debian



Truecrypt ->

http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/


You can hide your containers in MP4 movies also with stego.


Quote
No one knows who wrote TrueCrypt. No one knows who maintains TC.

There is a quote right after that says the trademark is held by Tesarik, who lives in the Czech Republic. It's pretty safe to assume that whoever owns the trademark maintains the product.
Quote
Moderators on the TC forum ban users who ask questions.

Is there any proof of this, or is it just anecdotal? And by proof, I mean first-person proof, screen shots, et cetera.

Quote
TC claims to be based on Encryption for the Masses (E4M). They also claim to be open source, but do not maintain public CVS/SVN repositories

Source control is certainly an important part of a group programming project, but its absence certainly does not decrease the credibility of such a project.
Quote
and do not issue change logs.

Yes they do. http://www.truecrypt.org/docs/?s=version-history. Not all OSS publishes extremely clear change logs, because it's simply too much time sometimes.

Quote
They ban folks from the forums who ask for change logs or old source code.
Because it's a stupid question, considering that there is a change log and old versions are already available. http://www.truecrypt.org/downloads2

Quote
They also silently change binaries (md5 hashes change) with no explanation... zero.

What version is this of? Is there any other proof? Downloadable, signed old versions?
Quote
The Trademark is held by a man in the Czech Republic ((REGISTRANT) Tesarik, David INDIVIDUAL CZECH REPUBLIC Taussigova 1170/5 Praha CZECH REPUBLIC 18200.)

So what? Someone in the Czech Republic owns a trademark for a major encryption technology. Why does it matter?

Quote
Domains are registered private by proxy. Some folks claim it has a backdoor.

Who? Where? What?

Quote
Who Knows? These guys say they can find TC volumes: http://16systems.com/TCHunt/index.html

Duh, the TC volumes in the screenshot all END WITH .tc.

Quote
And anyone seen this image on the Contact page?

TrueCrypt Foundation address
http://i.stack.imgur.com/PXIrm.gif







The problem with TCHunt was solved a long time ago.. btw if you use stego TCHunt won't find them even if the code will ever be optimized.




On the other hand ->


See this document, which explains that the government's goal is to encourage the widespread use of encryption for which they can recover the keys: http://www.justice.gov/criminal/cybercrime/cryptfaq.htm
Quote
Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety.

....

Quote
The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance.
...
Quote
In this regard, we hope that the availability of highly reliable encryption that provides recovery systems will reduce the demand for other types of encryption, and increase the likelihood that criminals will use recoverable encryption.



In other words, whether the software is trustworthy is quite independent from whether the devs are sociable people or not. If you believe the availability of source code is not enough to ensure security, you will have to organize a code audit. There certainly are people outside the TrueCrypt project who look at the source code, so a deliberate backdoor is probably hard to hide, but there might be hidden bugs. This bug in Debian's OpenSSL package went unnoticed for quite a while.




All text stolen from a 5 minute search via non logging search engines
Title: Re: can we trust truecypt
Post by: Bungee54 on July 24, 2013, 04:08 am
http://www.hacker10.com/tag/truecrypt-alternative/

very good alternative. (sorry no alternative -- but based on TC, so they should have looked at it before risking their reputation)

LaCie also seems to have developed a very interesting encrypted cloud.

Servers in Switzerland..payable by bitcoin...what do you need more :)

Just use a cascade of encryption schemes if you are mega paranoid...

password strength and other attack vectors are a much bigger concern..

God help you if you do your stuff with windooze or mac os  ;D

This is a real alternative->

http://www.hacker10.com/encryption-software-2/diskcryptor-vs-truecrypt-comparison/
Title: Re: can we trust truecypt
Post by: kmfkewm on July 24, 2013, 05:05 am
Finding any significantly sized encrypted file isn't hard to do unless it is hidden with steganography, it looks like a big block of randomness in a sea of non-randomness.
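
Added example, not part of kmfkewm's post or the original thread: the statistical reason a large encrypted file stands out, shown in Python as a byte-entropy check combined with a two-sided chi-square test against a uniform distribution. The size floor, the 512-byte granularity, the magic-number list and the thresholds are assumptions chosen for this illustration, and all sample inputs are constructed in memory.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512            # assumed container granularity (example heuristic)
MIN_SIZE = 16 * 1024    # assumed floor; tiny files give unstable statistics
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\x89PNG", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_like_ciphertext(data: bytes) -> bool:
    """True if data is statistically indistinguishable from random bytes."""
    if len(data) < MIN_SIZE or len(data) % SECTOR:
        return False
    if data.startswith(KNOWN_MAGIC):
        return False  # compressed and media formats announce themselves
    if shannon_entropy(data) < 7.9:
        return False
    # 255 degrees of freedom: mean 255, std dev about 22.6. Two-sided, because
    # a perfectly flat histogram is as unlike random data as a skewed one.
    return 150 < chi_square(data) < 400


def constructed_samples() -> dict:
    """Constructed inputs, 64 KiB each; no real files are read."""
    size = 64 * 1024
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(size // 32))   # stand-in for ciphertext
    text = (b"the quick brown fox jumps over the lazy dog\n" * 2000)[:size]
    ramp = bytes(range(256)) * (size // 256)        # entropy 8.0, not random
    return {"cipher-like": stream, "text": text, "ramp": ramp}


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:12} H={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):9.1f} flagged={looks_like_ciphertext(blob)}")
```

The "ramp" sample reaches the maximum entropy of 8.0 bits per byte yet is not flagged, which is why the chi-square bound is applied on both sides rather than relying on entropy alone.
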
Title: Re: can we trust truecypt
Post by: xpat on July 24, 2013, 05:27 am
Bungee54, how would you go about hiding a encrypted container in an mp4, if you would be so kind
Title: Re: can we trust truecypt
Post by: Rastaman Vibration on July 24, 2013, 05:38 am
Are there any open source alternatives for full disk encryption or OS partition encryption?

LUKS+ for Linux?
Title: Re: can we trust truecypt
Post by: Bungee54 on July 24, 2013, 04:20 pm
Bungee54, how would you go about hiding a encrypted container in an mp4, if you would be so kind

Enter exactly " hiding a encrypted container in an mp4" in your non-logging search engine of choice and see the first hit :)
Title: Re: can we trust truecypt
Post by: Amadeus on July 24, 2013, 04:24 pm
From the beginning I knew there was something fishy with TrueCrypt.

I suggest you use LUKS+ (if you use Linux).
Title: Re: can we trust truecypt
Post by: CannabisConsumer on July 24, 2013, 05:03 pm
Are there any open source alternatives for full disk encryption or OS partition encryption?

LUKS+ for Linux?
That's what I currently use.
Title: Re: can we trust truecypt
Post by: xpat on July 24, 2013, 06:38 pm
Bungee54, how would you go about hiding a encrypted container in an mp4, if you would be so kind

Enter exactly " hiding a encrypted container in an mp4" in your non-logging search engine of choice and see the first hit :)

Check this out and let me know what you think
http://dkn255hz262ypmii.onion/index.php?topic=189785.0