truecrypt unsafe? - SLUniverse Forums
#1  05-29-2014, 06:28 AM  Kara Spengler
truecrypt unsafe?

There are not a lot of details but that is the statement we have from them. From what I read it has to do with support for XP dropping.

Here is what I was sent:
Quote:
truecrypt.org now redirects to truecrypt.sourceforge.net.

The Truecrypt site declares that it is unsafe and that Windows users
should migrate to Bitlocker. What changed in the source code between
v7.1 and v7.2 is very interesting.

Diffs: https://github.com/warewolf/truecryp...e/master...7.2

Articles:

"TrueCrypt is not secure," official SourceForge page abruptly warns | Ars Technica

Encryption Tool Endorsed By Snowden Abruptly Shuts Down - Forbes

Do NOT install and run v7.2! If you have anything at all sensitive,
put it in cold storage until further notice!
I am not sure what this means for earlier than 7.2 but you generally want to keep your security software updated anyway.

edit: This also presents a problem for non-Windows users sharing truecrypt files with Windows users.

edit2: They suggest a mac tool as well, not sure if there is a linux equivalent. Why they did not just say pgp I have no idea (I am on a distributed project that uses encryption). Feature set differences maybe?
#2  05-29-2014, 07:30 AM  Similar McMillan
Quote:
Originally Posted by Kara Spengler View Post
There are not a lot of details but that is the statement we have from them. From what I read it has to do with support for xp dropping.
It's very hard to make any sense of things right now.

Quote:
I am not sure what this means for earlier than 7.2 but you generally want to keep your security software updated anyway.
But 7.2 can only decrypt, not encrypt, judging from what I've read.
They pulled all the encryption stuff out of it, so it's pretty useless.
#3  05-29-2014, 07:37 AM  Han Held
I've been reading about this, and it looks like the best bet for people on windows might be FreeOTFE ( FreeOTFE - Wikipedia, the free encyclopedia ), because it can read and write formats that Linux can understand. I think between that and cryptsetup you can probably work out a cross-platform encryption plan. I'm not sure what works on OSX, however.

[eta]
I'm not sure if FreeOTFE is being developed either, but at least it's open source (and available on sourceforge) so the code can be poked at and fixed if flaws emerge later.

#4  05-29-2014, 07:39 AM  Han Held
Quote:
Originally Posted by Similar McMillan View Post
But 7.2 can only decrypt, not encrypt, judging from what I've read.
They pulled all the encryption stuff out of it, so it's pretty useless.
It's meant to be - they said that development has stopped and that there may be potential security flaws. 7.2 isn't meant for production use; it's intended to be used to get your data off of truecrypt and onto a supported encryption solution.

[ETA]
I don't think the announcement was meant to say that there are flaws they're currently aware of; I think it was to send up a red flag that there might be unknown flaws which haven't been found and won't be found because they're no longer developing the software. In other words they're saying "we're not working on this any more, there might be a Heartbleed type of flaw in the code for all we know - so use this release to migrate to something else".
#5  05-29-2014, 03:27 PM  Bartholomew Gallacher
The thing is that no one for sure right now knows what's the truth, because the Truecrypt developers at large do avoid the public and hide under some bushes or so.

So these are the possibilities:

  1. It is just their way of saying "goodbye world" on their own and that's it, folks.
  2. Some disgruntled former team member defaced the web site and made a bad joke on the rest of the team.
  3. They were forced by the US or whatever government to shut down their software development Lavabit style (with a national security letter?) and that's the outcome.
  4. Someone else defaced the web site and made a bad joke on the team.
No one really has any clue right now, though 4) is quite unlikely, because the new binaries have been digitally signed by the key of the Truecrypt Foundation and it is valid!

So we can choose between 1-3. How convenient. Maybe someone is just going to fork it and continue development, who knows.

The thing is that there's a code audit still in process right now, which consists of different phases. Phase 1 is finished and did not find serious problems, and phase 2 is in progress right now.

So all we can do right now is sit back in our seats and watch how it develops and turns out in the end.

I mean, the recommendations really are just strange and moving from TrueCrypt to Bitlocker e.g. on Windows, which might have a back door built in is not an option for everybody.

And take a look at that message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

"not secure as" == NSA.

Whatever. BTW, here's an actively developed open source alternative to TrueCrypt, named DiskCryptor. Works under Windows.
#6  05-29-2014, 06:31 PM  Han Held
Quote:
Originally Posted by Bartholomew Gallacher View Post
[post #5, quoted in full]
I read an interesting comment on Ars that sounds the most plausible to me. The truecrypt devs are from Eastern Europe - outside of the reach of an NSL. However, they have their own agencies which are as nasty - or worse - than ours. The truecrypt software is used where they are, and in places like Syria where the government would torture people... so there's a moral angle: any flaws found in truecrypt could potentially lead to people (dissidents, for one) being tortured or killed - they can't just walk away because people's misplaced trust could potentially lead to them being killed.

By burning it to the ground, including its reputation, those people will stop using it and the devs will not need to feel guilt over unseen flaws leading to people's misery. The assumption is that they wanted to retire (releases have been slow for years) but they didn't want to leave a vulnerable product out there unsupported (flaws potentially leading to people being tortured), so they yanked everything and wrote this in such a way that no one in a vulnerable position would trust it enough to use it.

Either that, or some country's (ours, theirs) three-letter agency hacked the site with the intent of ruining their reputation.

Either way, the truecrypt format will live on - there are apps for Linux that can create truecrypt-compatible containers and there's no shortage of FDE formats that can be used by Windows and Linux (I assume the same is true for OSX, but I haven't heard anything specific; a trip to macrumors might prove illuminating).
#7  05-30-2014, 12:40 AM  Void
my thinking is a variation of Han's, based on what we do know about the devs... namely that they highly value privacy.

so, how do people that highly value privacy get apathetic people to take seriously an end of development cycle on a product that is based on keeping privacy, and avoid any legal entanglements because of that apathy? Simple. Use the strongest language available, and the insinuation that the product may already be compromised.

Privacy maintained, security maintained, entanglements avoided. Mission accomplished.
#8  05-30-2014, 03:46 AM  Bartholomew Gallacher
Quote:
Originally Posted by Han Held View Post
I read an interesting comment on Ars that sounds the most plausible to me. The truecrypt devs are from Eastern Europe - outside of the reach of an NSL. However, they have their own agencies which are as nasty - or worse - than ours. The truecrypt software is used where they are, and in places like Syria where the government would torture people... so there's a moral angle: any flaws found in truecrypt could potentially lead to people (dissidents, for one) being tortured or killed - they can't just walk away because people's misplaced trust could potentially lead to them being killed.
Well, dunno... I mean, Truecrypt is in the middle of a commercial grade code audit right now and so far it is looking quite good for that piece of software. I mean, if Bruce Schneier thinks 7.1 is still good enough, we can take his advice on it for sure, and he thought so.

7.2 is another kind of story, and he switched back to PGPdisk.

Either way, Truecrypt has been in use worldwide for over ten years (!) as the software package of choice of many, many people and the moral angle never bothered its developers, so I wonder if it is really the moral angle: why now? (BTW, the US government also sadly tortures people on a daily basis.)

Either way, we don't know for sure and if we'll ever know - I don't know about that.
#9  05-30-2014, 05:40 AM  Han Held
Why now? Maybe they simply got burned out and decided to say "fuck it"?

A couple of interesting things I was reading on it last night gave me some food for thought:

An Imagined Letter from the TrueCrypt Developer(s) | Steve (GRC) Gibson's Blog

The death of TrueCrypt: a symptom of a greater problem – @bradkovach.blog()
#10  05-30-2014, 06:19 AM  Bartholomew Gallacher
Well, surprise, surprise, there are at least some news about that matter!

Look here at those lovely tweets! To put things into perspective: Matthew Green from Johns Hopkins University is one of the people behind the code audit and he had this dialogue with Steven Barnhart.

Steven Barnhart claims that he had contact with a Truecrypt developer named "David" twice. David stated that the developer team behind Truecrypt just lost interest in the project and that's it, no pressure from any kind of government whatsoever.

David's also fine with Bitlocker and thinks it is "good enough"; also he has no problem with Bitlocker only being available under Windows, because Windows has always been the primary platform for Truecrypt. David also thinks a fork of Truecrypt would be "harmful", since only the developers really understand the code.

Of course, whether "David" is really a member of the team or just an email account hacked by someone, no one really knows at the moment.

I just did some minor research on my own: Truecrypt.org belongs to a "Truecrypt Developers Association LC", 18222 Drums/PA, phone number 1.5707088780.

Who knows if those entries are really valid or just a letterbox company. Of course, if those entries are valid and at least some developers really live in the USA, the probability of an NSL comes back into existence. Then again some stuff about Truecrypt was registered in the Czech Republic, so I guess aside from some intelligence agencies maybe no one else really knows who those developers are.

#11  05-30-2014, 07:40 AM  Han Held
I'm less fussed about why they went dark (burnout is a plausible enough explanation for me, so is the idea that they were only concerned with XP and other ports were just gravy) and more concerned with the question of what we do now.

Each platform has an FDE implementation and there are ways to read and write the truecrypt format in Linux (and the older truecrypt versions didn't stop working), so in that sense truecrypt isn't "dead"; time will tell if other open source projects will step forward and carry on the work their project did.
#12  05-30-2014, 07:55 AM  Bartholomew Gallacher
Linux itself is not dependent on Truecrypt, because it has enough open source implementations of its own to encrypt files or whole partitions (eCryptfs, EncFS, dm-crypt, LUKS) besides Truecrypt.

On Windows you could use DiskCryptor, which I already linked in a former article. This is still actively developed and maintained OSS, too. Or you could do it like Bruce Schneier and use PGP Disk again.

Mac OS X still has File Vault, though again the question if you trust that.

The stuff that really was unique in TrueCrypt though was the hidden volume with plausible deniability. I guess nothing else so far has a feature like that, and the other unique thing about TrueCrypt is that it ran under Windows, OS X and Linux all the same!

www.truecrypt.ch seems to be an effort to fork it, if necessary.

#13  05-30-2014, 08:55 AM  Void
any volume that doesn't show in the directory tree of Windows (which is just a checkbox on the management screen) is plausibility for most Windows users... even experienced ones... because who bothers checking it even if they know about it?
#14  05-30-2014, 09:13 AM  Kara Spengler
Quote:
Originally Posted by Void View Post
any volume that doesn't show in the directory tree of Windows (which is just a checkbox on the management screen) is plausibility for most Windows users... even experienced ones... because who bothers checking it even if they know about it?
Same on macs. Oh sure, you can use 'go' on the menu but unless you opened a shell to look you probably do not know about it. About the same thing with kindles, plugging them in takes you to the media folder not the actual root.

Another way to hide directories is add ".app" to them and it will appear as an application icon. Most casual users do not realize an application is just a directory (with some things in specialized places) and a .app extension.

Another way is a partition that does not show up on the desktop, like the recovery partition. With the size of drives the space that uses is almost a rounding error.
#15  05-30-2014, 09:40 AM  Nan
Tries to look like she understands - fails. OK, so is this basically a third-party encryption system that is a) not safe, b) closed / closing? I do know about Mac FileVault.

Just like with password storage places - how do you know who/ where these things go?

If I ran a government - I would offer these services for free- cheaper than decoding stuff .
#16  05-30-2014, 10:57 AM  Gabriell Anatra
Ahh, the beauty of the NSA. Even if it is perfectly legitimate and they're not involved at all you still can't reliably tell whether they've added backdoors to your stuff or not.

It r secur!
#17  05-30-2014, 10:59 AM  Bartholomew Gallacher
Quote:
Originally Posted by Void View Post
any volume that doesn't show in the directory tree of Windows (which is just a checkbox on the management screen) is plausibility for most Windows users... even experienced ones... because who bothers checking it even if they know about it?
This is not what plausible deniability is about.

Plausible deniability is about this: let's say you are using TrueCrypt in a case where you are really, really dependent on hiding your stuff on the hard disk drive, for whatever reasons.

Let's say you are under legal pressure to open up your encrypted TrueCrypt stuff, because some court wants it that way. So you do it and they see your mp3, p03n or whatever kind of collection, how embarrassing!

What they do not see is that you've got a much smaller TrueCrypt container hidden inside this one, where the stuff you really want to hide is, which needs another passphrase (and maybe a key).

And - in theory, if done right - a closer inspection of the file containing the outside container (the hidden container is a small part of that one) will leave no clue about whether there's a hidden container in it or not.

So you can tell them, and just lie, "look, yes, there's my TrueCrypt container and I encrypted it, because I've got my stash of p03n inside it, how embarrassing, please don't tell my wife about it!" without telling the rest about the hidden container, because no one is able to tell for sure that there is one.

That's the concept behind plausible deniability and AFAIK only TrueCrypt does that until now.

Of course, if you had a keylogging component/trojan installed on your computer to monitor all your activities, they might know about that. That's the other side of the story, cryptography is not broken, if done right, so for the intelligence agencies it is mostly about finding ways around it. And a cheap way of finding a way around this is installing key logger components or beating someone with a stick.

And to be on the safe side: the recommendation of BitLocker and other software with quite probably built-in backdoors out of the box is no real solution. That's one of the really strange facts about that "we quit" post around TrueCrypt.

Maybe most computer devices nowadays even come with sniffing equipment built in, who knows? This article from Privacy International really makes me wonder about it: https://www.privacyinternational.org...s-that-we-dont

In case you have no clue what that's about: The Guardian was one of the British newspapers which had access to Snowden's documents and leaks. They had them saved on a laptop and, without any legal basis, the GCHQ told the police to get this notebook by force. If you don't know the GCHQ: that's the British intelligence agency, which does most of the dirty work for the NSA when the NSA has "moral issues" about doing it themselves. Later The Guardian got the notebook back and took a closer look at it. Besides the destroyed hard disk drive, which they expected, several parts of the hardware had also been destroyed for unknown reasons, and seemingly according to some plan. That's what the article is about.

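The hidden-volume mechanism Bartholomew describes above (an outer volume, a smaller hidden volume placed in its free space under a second passphrase, and free space that cannot be told apart from random data), modelled as a toy container in Python. This is an added example, not TrueCrypt's code or its on-disk format: the cipher is a SHA-256 counter keystream standing in for AES-XTS, the layout constants and function names are my own assumptions, and the passwords and data are constructed for the demo. It also shows the hazard that comes with the design: whoever mounts only the outer volume cannot see the hidden one, so an unguarded write can destroy it, which is why TrueCrypt's mount dialog had an option to protect the hidden volume that requires both passphrases.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed layout (not TrueCrypt's): two header slots, then the data region.
SALT = 16                  # per-header salt, stored in clear; random bytes look like filler
HDR = 80                   # encrypted header: start(8) len(8) volkey(32) datatag(16) hdrtag(16)
SLOT = SALT + HDR          # 96 bytes per header slot
OUTER_SLOT, HIDDEN_SLOT = 0, SLOT
DATA_START = 2 * SLOT      # both volumes' data live in [DATA_START, len(container))


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Toy stream cipher: SHA-256 over key || label || block counter."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + label + struct.pack(">Q", ctr)).digest()
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive(pw: str, salt: bytes):
    """Password -> (header encryption key, header MAC key)."""
    k = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)
    return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def write_volume(c: bytearray, slot: int, pw: str, start: int, data: bytes) -> None:
    """Encrypt `data` at `start` and put an authenticated header for it in `slot`."""
    volkey = os.urandom(32)                 # fresh key per write: a keystream is never reused
    ct = xor(data, keystream(volkey, b"vol", len(data)))
    c[start:start + len(ct)] = ct
    salt = os.urandom(SALT)
    enc_key, mac_key = derive(pw, salt)
    body = struct.pack(">QQ", start, len(ct)) + volkey + tag(volkey, ct)
    plain = body + tag(mac_key, body)
    c[slot:slot + SLOT] = salt + xor(plain, keystream(enc_key, b"hdr", HDR))


def read_header(c: bytes, slot: int, pw: str):
    """(start, length, volkey, datatag) if `pw` opens `slot`; None if it is filler or a wrong pw."""
    salt = bytes(c[slot:slot + SALT])
    enc_key, mac_key = derive(pw, salt)
    plain = xor(bytes(c[slot + SALT:slot + SLOT]), keystream(enc_key, b"hdr", HDR))
    body, t = plain[:64], plain[64:]
    if not hmac.compare_digest(tag(mac_key, body), t):
        return None                         # 'wrong password' and 'no header here' look identical
    start, length = struct.unpack(">QQ", body[:16])
    return start, length, body[16:48], body[48:64]


def create_container(size: int, outer_pw: str, outer_data: bytes,
                     hidden_pw: Optional[str] = None, hidden_data: bytes = b"") -> bytearray:
    c = bytearray(os.urandom(size))         # all free space starts as random filler
    write_volume(c, OUTER_SLOT, outer_pw, DATA_START, outer_data)
    if hidden_pw is not None:
        hidden_start = size - len(hidden_data)   # hidden volume sits at the tail of the free space
        if hidden_start < DATA_START + len(outer_data):
            raise ValueError("not enough free space in the outer volume")
        write_volume(c, HIDDEN_SLOT, hidden_pw, hidden_start, hidden_data)
    return c


def open_container(c: bytes, pw: str) -> Optional[bytes]:
    """Outer password -> outer data; hidden password -> hidden data; anything else -> None."""
    for slot in (OUTER_SLOT, HIDDEN_SLOT):
        hdr = read_header(c, slot, pw)
        if hdr is None:
            continue
        start, length, volkey, datatag = hdr
        ct = bytes(c[start:start + length])
        if not hmac.compare_digest(tag(volkey, ct), datatag):
            raise ValueError("header opened but the volume data has been overwritten")
        return xor(ct, keystream(volkey, b"vol", length))
    return None


def write_outer(c: bytearray, outer_pw: str, new_data: bytes,
                hidden_pw: Optional[str] = None) -> None:
    """Rewrite the outer volume. Without `hidden_pw` the writer cannot see the hidden
    volume and may silently clobber it; with it, the write is refused instead."""
    if DATA_START + len(new_data) > len(c):
        raise ValueError("outer volume too small for this write")
    limit = len(c)
    if hidden_pw is not None:
        hdr = read_header(c, HIDDEN_SLOT, hidden_pw)
        if hdr is not None:
            limit = hdr[0]
    if DATA_START + len(new_data) > limit:
        raise ValueError("write would run into the hidden volume")
    write_volume(c, OUTER_SLOT, outer_pw, DATA_START, new_data)
```

Two properties carry the deniability: the container is created from random filler, so a hidden header slot holding a real header and one holding filler are indistinguishable to anyone without the second passphrase; and the header is authenticated rather than marked with a magic string, so a failed open says nothing about whether a header was there. The data tag in the header is what lets `open_container` notice that an unprotected outer write ran over the hidden volume, instead of silently returning garbage.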
#18  05-30-2014, 11:21 AM  Kara Spengler
Quote:
Originally Posted by Nan View Post
Just like with password storage places - how do you know who/ where these things go?
The one on Macs was just plain strange. Until the latest version of the OS they stored passwords and such locally. Then there were rumors of the NSA talking to Apple, so what was in the latest OS but cloud storage of passwords. I doubt the two things were related but TERRIBLE optics, and cloud storage of passwords is pretty pointless anyway (if I have an uber-secure password the last thing I want is for it to be on another person's machine, especially given the rash of break-ins all over the net lately).

Some businesses, like 1password, must have loved it though, especially since they had features like multi-platform. The security-conscious flocked to third party apps like that one in droves.

#19  05-30-2014, 11:53 AM  Cerise
Quote:
Originally Posted by Bartholomew Gallacher View Post
I just did some minor research on my own: Truecrypt.org belongs to a "Truecrypt Developers Association LC", 18222 Drums/PA, phone number 1.5707088780.

Who knows if those entries are really valid or just a letterbox company.
It's the latter, all private registrations with Network Solutions use that address and number.
#20  05-30-2014, 12:50 PM  Soen Eber
I think if I were to encrypt something I would write it on an obsolete piece of hardware running an obsolete operating system that is not connected to the Internet, and from the command line write a 3-line one-time pad script that uses a random offset into an executable file on that device as the key. I would then mask it as noise in a sound or image file.

Would that be secure?

#21  05-30-2014, 01:26 PM  Gabriell Anatra
It could be, for a certain quality of secure. It might corrupt the file though. A file scanner that sifts through the whole file system would find it then, though it might not be able to prove it's not just random corruption.

It is possible to add information to a sound file as sound though. Just encode the data as sound and add it to the existing sound. If done carefully enough it wouldn't be detectable without running the resulting sound through the decryptor.

It wouldn't even add errors to the data being encoded if it's a lossless sound format.
#22  05-30-2014, 07:43 PM  Sean Gorham
I was initially worried about this, but not after a couple of days. For now I'll keep using v7.1a and wait for the inevitable code fork. Truecrypt is far from dead - the net won't allow it.
#23  05-30-2014, 08:49 PM  Void
Quote:
Originally Posted by Bartholomew Gallacher View Post
[post #17, quoted from "This is not what plausible deniability is about" through "AFAIK only TrueCrypt does that until now"] [...]
what you are describing isn't plausible deniability, it's nascent false flag. Misdirection is a good feature, and yes, AFAIK no one else does it, but not quite the same thing.
#24  05-31-2014, 05:18 AM  Bartholomew Gallacher
What I described is what Bruce Schneier calls a deniable file system (DFS), also in his paper.

This feature had been dubbed by the TrueCrypt devs as "plausible deniability", so I just called it as that.

The problem with a DFS is, though, as Schneier states, that modern OSes like Windows do leak information almost everywhere and are prone to a forensic attack on those leaks. (Best thing would be to use them with something like Tails or so, which does not save any information at all.)
#25  06-01-2014, 11:19 AM  Kara Spengler
Quote:
Originally Posted by Soen Eber View Post
I think if I were to encrypt something I would write it on an obsolete piece of hardware running an obsolete operating system that is not connected to the Internet, and from the command line write a 3-line one-time pad script that uses a random offset into an executable file on that device as the key. I would then mask it as noise in a sound or image file.

Would that be secure?
No.

Any piece of information in the universe can be obtained. It is like one big Gordian knot problem.

Physical safes do not say "unbreakable" (despite what the movies would have you believe). Rather they are rated in how long it will take someone to break them. It is the same with computers.

Someone with enough interest in your information given sufficient time and resources WILL get the information. All you can hope to do is make obtaining that information more expensive than the value of the information. That is still no guarantee, just that most people will not spend a billion dollars to get a nickel.

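Soen's proposal above (a one-time pad whose key is a run of bytes taken from an executable at a random offset) and Kara's "No" can be made concrete with a few measurements. This is an added example, not code from the thread: the functions and the "executable-like" sample bytes are my own constructions, the sample being a repeated x86-64 function prologue padded with zero bytes rather than a real binary file. A genuine one-time pad needs key bytes that are uniformly random and never reused; the code shows two ways a file-derived pad falls short of that (its byte entropy is far below 8 bits per byte, and every 0x00 key byte passes its plaintext byte through unchanged) and, for the case where the same file is obtainable by whoever is examining the message, how few bits of secret the offset alone contributes.

```python
import math
import os
import secrets
from collections import Counter


def xor_pad(plaintext: bytes, key: bytes) -> bytes:
    """XOR 'one-time pad' as proposed: the key must cover the whole message and never repeat."""
    if len(key) < len(plaintext):
        raise ValueError("key shorter than message: the pad would have to repeat")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; 8.0 is the ceiling pad material should approach."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def leaked_bytes(plaintext: bytes, key: bytes) -> int:
    """Positions where the key byte is 0x00: the ciphertext byte there equals the plaintext byte."""
    return sum(1 for k in key[:len(plaintext)] if k == 0)


def offset_keyspace_bits(file_size: int, message_len: int) -> float:
    """If the same file is available to the examiner, the only secret is the offset: log2 of the choices."""
    return math.log2(max(1, file_size - message_len + 1))


def constructed_executable_like(size: int) -> bytes:
    """Constructed stand-in for a binary (NOT a real file): a repeated x86-64 function
    prologue (push rbp; mov rbp,rsp; sub rsp,0x10) followed by eight bytes of zero padding."""
    chunk = b"\x55\x48\x89\xe5\x48\x83\xec\x10" + b"\x00" * 8
    return (chunk * (size // 16 + 1))[:size]


def compare_pad_sources(message: bytes, file_size: int = 4096) -> dict:
    """Side-by-side figures for a file-derived pad and a CSPRNG pad over the same message."""
    binary = constructed_executable_like(file_size)
    offset = secrets.randbelow(file_size - len(message) + 1)   # the 'random offset' of the proposal
    file_key = binary[offset:offset + len(message)]
    random_key = os.urandom(len(message))
    return {
        "file_key_entropy": entropy_bits_per_byte(binary),
        "random_key_entropy": entropy_bits_per_byte(os.urandom(65536)),
        "file_key_leaked_bytes": leaked_bytes(message, file_key),
        "random_key_leaked_bytes": leaked_bytes(message, random_key),
        "offset_secret_bits": offset_keyspace_bits(file_size, len(message)),
        "roundtrip_ok": xor_pad(xor_pad(message, file_key), file_key) == message,
    }
```

`entropy_bits_per_byte` is the quick check to run over any candidate pad source before trusting it: `os.urandom` output scores close to 8.0, while the constructed binary scores well under 3.0 because half of its bytes are padding. `leaked_bytes` counts the positions where that padding leaves the plaintext fully exposed in the ciphertext; with the constructed sample that is half of every message regardless of the offset chosen.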