Portlandia Cloud Services

Voice & FAX 503-690-2700 sales@portlandiacloudservices.com http://www.portlandiacloudservices.com

What is the TrueCrypt issue all about?

From the Wikipedia article: Here

TrueCrypt is a source-available, freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file or encrypt a partition (under Microsoft Windows, except Windows 8 with GPT) or the entire storage device (pre-boot authentication). TrueCrypt is also used as the name of the encrypted container format, by implementations of other disk encrypting software that are able to read and write the format created by the TrueCrypt utility.

TrueCrypt is from the class of programs that completely encrypt all contents of your hard disk so that if your PC gets stolen the thief cannot access your personal data.

Why is Truecrypt important?

Truecrypt is important because it’s much more than just a basic program that’s only good enough to keep your data secure from unshaven, never-finished-high-school, run-of-the-mill thieves looking for a few bucks for their next fix by stealing your laptop. TrueCrypt is considered Very High encryption, it’s encryption has been trusted by many in the community who’s lives depend on unbreakable encryption. TrueCrypt has been used by Edward Snowden See this, as well as security-conscious lawyers, journalists with sources to protect, and dissidents in countries where too much complaining can land you in prison (or worse). Of course, it has also been used for crime – such as illegal banking See this. Probably the most important thing about it is that it’s not part of a profit-making company. In the past, profit making companies have been paid by governments to install back doors in encryption software See this. And any profit making company is susceptible to pressure from the government that controls the region it operates out of, both legal and secret. TrueCrypt’s only weakness – a weakness shared by all encryption software – is if the user uses a weak password, such as, any word from the dictionary. A TrueCrypt cracker software named Truecrack has been written to demonstrate that a weak password used with TrueCrypt will not provide security.

While there are open source alternatives to TrueCrypt for the major Open Source UNIX distributions, FreeBSD & Linux, as well as Windows, there is no open source alternative for all of the major operating systems that is cross-platform – that will run on Windows, and Linux/UNIX. (While TrueCrypt also works for FreeBSD it’s not as smooth, as discussed Here)

Disk Encryption software is particularly valuable to Windows systems, because a Windows system writes swap to the disk and scatters data in many spots all over the filesystem, so there is really no way to keep data secure on it unless the entire disk is encrypted.

Disk Encryption software like TrueCrypt by itself does not produce a 100% secure system. When an encrypted system is booted, the data is accessible by the operator and by any software that is run on the system. For example a cracker might install a logging program in Microsoft Word so that when Word is run on an encrypted system it would transmit the contents of documents on that system to a remote attacker.

What Happened to it?

All we know for certain is that on 28 May 2014, the TrueCrypt website announced that the project was no longer maintained and recommended users to find alternate solutions.

This announcement was greeted with aghast and disbelief by the security community for several reasons:

1) The source code to version 7.1a was available and many people had copies. Nothing prevented anyone from taking a copy of the code and compiling it and continuing to use it. Furthermore the TrueCrypt software license in Section II gives explicit rights to continue to distribute the source. So it’s not possible simply by shutting down the truecrypt website to halt the legal, continued use of the software. And since the source is available, anyone else in the security community who wishes to, can continue to maintain the source. In short, once the TrueCrypt developers gave the source and specifications of the encrypted files and containers to the community, which was done years ago, they lost the ability to prevent people from continuing to use the software.

2) The new TrueCrypt website made the claim that TrueCrypt is not secure since it “may contain unfixed security issues” This was very strange because the Open Crypto Audit Project is in the middle of managing a contract to have TrueCrypt audited. In fact the first phase of the audit had been completed in April and is available here . On top of that one of the audit coordinators had exchanged emails with the TrueCrypt developers a few weeks earlier, who had expressed interest in seeing the results of phase II of the audit. Phase I of the audit had completed and found only 1 minor potential vulnerability, which could be easily worked around by the user using a longer passkey.

3) The TrueCrypt website didn’t simply say the developers were tired of the project and no longer interested in it. Instead, they posted a new version of Truecrypt that was “neutered” in that it permits READING of TrueCrypt containers but not writing. There was extensive work that went into creating this version, which does not indicate developers getting tired of it. If they had simply gotten tired they would have done nothing.

4) The TrueCrypt site was littered with “red herrings” The first was the recommendation to not use TrueCrypt and replace it with Microsoft’s Bitlocker for Windows users. Bitlocker is not available for all versions of Windows, while TrueCrypt is. Second was the recommendation for Apple Macintosh users to use Apples disk encryption – complete with screenshots of how to do it – except that the main screenshot shows encryption selected to NONE. Third was the recommendation to Linux users to search for “encryption” instead of just referring them to LUKS. (LUKS is the Linux-specific alternative to Truecrypt) Last was the odd wording of the announcement “Using TrueCrypt is not secure as it may contain unfixed security issues” when better grammar would have been to write “TrueCrypt isn’t secure since it contains security issues” It has been noticed that capitalizing the first letters of the phrase spells out NSA – “Not Secure As”. It has also been noticed that capitalizing the first letter of the entire phrase spells a Latin phrase – uti nsa im cu si – which translated equals “Unless I want to use the NSA” See article.

Speculation is that the site and it’s ridiculous suggestions for encryption substitutes constitute a Warrant Canary and one or more of the developers are either being held against their will by a government, or they have received a NSL or secret subpoena.

TrueCrypt Alternatives:

There are alternatives to TrueCrypt. The most obvious is BitLocker. The big problem with BitLocker under Windows is that because the code is proprietary and under Non Disclosure Agreement, Microsoft has prohibited an independent 3rd party security auditor to audit it and publish their findings. There has been some reverse engineering done which allowed the open source community to write the Dislocker software that allows a non-Windows system to read a bitlocker encrypted partition available here assuming you have the encryption passwords, of course. Bitlocker encrypted volumes can also be read with bdemount, part of libbde. If the format was terribly insecure that would have been published by now. But, knowing how the Bitlocker format on disk is laid out does not help with security as the actual binary code in Windows that generates the encrypted disk could be compromised.

This is the other big problem with Bitlocker, it is that you cannot download the sourcecode and compile it yourself under Windows. Thus there is no way to know if there are any back doors inserted in the bitlocker drivers on your Windows installer. This is a big concern with systems purchased with Windows preloaded. There is also a concern in the security community that Microsoft did in fact install a back door in BitLocker as a way of law enforcement to access data. Microsoft claims they did not and they also claim they were asked to do so and they refused. Since the code and build instructions are all proprietary, it is impossible to know. But, Microsoft does not have a good reputation in the security community due to the NSAKEY controversy. And Bitlocker by default sends people’s private keys to Microsoft during installation, the user must understand this happens and deliberately deselect that “feature.” So, if someone has sent a private key to Microsoft it could be obtained under court order. Microsoft has also worked closely with Law Enforcement to create the COFEE tool, available here. (COFEEs functionality was obsoleted by USB Switchblade and USB Hacksaw and all 3 tools are now obsolete, replaced by USB Rubber Ducky And lastly, even Microsoft itself isn’t sure about Bitlocker, saying “the diffuser is a new unproven algorithm“.

Bitlocker is not a real production solution for Linux. And it is not available on Windows Home, either.

Another alternative to TrueCrypt is LUKS, short for Linux Unified Key Setup. An overview of this is
here This is for encrypting Linux systems. Unlike Bitlocker it is open, freely auditable, and is well regarded. Unfortunately, it is not cross-platform, (meaning it’s Linux-only) although there is a program called FreeOTFE that can be used to read encrypted Linux volumes. FreeOTFE can be downloaded here. Unfortunately FreeOTFE does not have signed drivers and so cannot run on Windows 7 without allowing for unsigned drivers (and getting a lot of error messages thrown up in the process) FreeOTFE is also considered orphaned by it’s developer.

Note that LUKS is used by the cryptsetup program under Linux and cryptsetup also has the ability added to read TrueCrypt volumes. Information on that is here.

Fundamentally, the alternative Windows disk encryption software out there is either commercial software that isn’t cross-platform and can’t be trusted since it’s not subject to audit, or it is basically Truecrypt-compatible implementations that do not use the TrueCrypt source code but are able to read (and sometimes write) TrueCrypted volumes.

Legality of Truecrypt & legality of picking up Truecrypt development:

It is perfectly legal to use TrueCrypt to protect your data – if your located in the United States. Other countries – who knows? Consult a lawyer. TrueCrypt’s license allows for unlimited use by anyone, with no licensing fees required.

The difficulty with the TrueCrypt license is not in the use of the program – it is in the ability to modify it and distribute the modifications. The reason for this is as follows:

All versions of Truecrypt including the neutered 7.2 versions were released by anonymous developers who took extraordinary methods to conceal who they were. With a single exception:

WIPO has a trademark registered for Truecrypt: here.

Trademark # 925625

It lists:

TrueCrypt Developers Association, LC 375 N. Stephanie ST., Suite 1411 Henderson, NV 89014-8909 United States of America as the current copyright holder of the trademark. The prior owner being:

TesarĂ­k David 2972 Columbia St., Suite 7914 Torrance, California 90503 United States of America

This was registered in 2007 and expires in 2017.

“True Crypt Foundation” and “Truecrypt Developers Association, LC” (which is the copyright holder identified in the source code) are actual Nevada corporations, both formed in 2009. ID NV20091452250 Expiration is 8/31/2014 NV20091535312 exp 10/31/2014. Both appear to have precisely one stockholder, director, and officer – one Ondrej Tesarik. (The contact information is for a corporate registration service.)

What if someone, such as a user or a company, were to do the equivalent of waving a “red flag in front of the bull” that is, take the entire truecrypt code and start selling it under a commercial license, an action that would prompt a lawsuit by the copyright holders in any software license case? Would the Treucrypt developers sue them? Could they win?

For the Truecrypt developer to sue them would mean that David T (or Ondrej Tesarik) would need to do the following:

1) Identify himself – provide a birth certificate, or drivers license or family, friends, co-workers basically a community and history that would prove that he was “David (or Ondrej) Tesarik. That part of it is the easy part – indeed there are probably already a great many David Tesarik’s in the world. it’s an uncommon name but not a non-existent name.

2) Identify that he was “THE” David or Ondrej Tesarik who took out the copyright and filed for the Nevada corporation. The simplest and easiest way of doing so would be to provide a payment receipt from the corporate registration service. Other options would be providing the private key used to sign the distribution.

These are things that would be trivial for most company holders to do. But, not for company holders that wanted to remain anonymous and unfindable and have been anonymous and unfindable.

In other words, anyone can announce they are a truecrypt developer and there is no way to prove that they are not – or that they are. Proving you are who you say you are and you have the ownership you say you have is part of establishing the standing in a court needed to sue. Although Truecrypt Developers Association, LC could file a lawsuit that would survive long enough to force someone selling Truecrypt under a commercial license to litigate the meaning and enforceability of the license, the defendant would move to dismiss for lack of standing, and the suit would collapse – unless, the real Ondrej Tesarik was produced to verify that he was behind the lawsuit.

It is this legal uncertainty that prevents an ESTABLISHED commercial entity WITH SOMETHING TO LOSE from simply taking over the code and selling it. So, a Symantec or Microsoft or some company like that would not go near TrueCrypt.

BUT, a company that was SMALL that had NO OTHER ASSETS – why that company would be certainly able to do this. If threatened to be sued, or sued, they would have the option of simply folding operations. Any judgement found against them would be uncollectable.

And for a judgement to be found against them, they would be able to unmask the real developers behind Truecrypt. So far, however, no such company or developer has stepped forward to take over the Truecrypt code and branding.

TrueCrypt’s future

There are 2 futures that TrueCrypt has at this point:

1) Continuation of the existing codebase. There are 2 efforts underway:

The first site for this is here. Note that the people running this are NOT TrueCrypt developers and do not have legal rights to the TrueCrypt code. They claim they have the right to redistribute the TrueCrypt code and binaries under Section II of the TrueCrypt license and are looking into forking it. They are linking to the Open Crypto Audit Project and their existence will continue to apply pressure to that project to complete the audit of the TrueCrypt code by iSECpartners/nccgroup.

Assuming the audit finds no problems with TrueCrypt at the least the Swiss site will maintain as a holding source for TrueCrypt.

The big issue with using TrueCrypt going forward is the GPT / UEFI & Secure Boot issue. TrueCrypt’s partition encryption is only compatible with an operating system installed on a disk partitioned with MBR, which limits the hard drives to 2TB maximum size. While Windows 8 can be installed on MBR most preloaded systems come with it on a GPT partitioned disk.

The second site is CipherShed This is more of a fork as it has changed the name of TrueCrypt to CipherShed and intends on changing the license.

2) Forks & compatible implementations:

RealCrypt – The name truecrypt is changed to realcrypt throughout the application, as requested by the truecrypt License: -All original graphics are replaced with entirely original new ones, as requested by the truecrypt License

OSXCrypt – it’s an old fork for MacOSX.

cryptsetup (Linux)

DiskCryptor (Windows only) version 0.4 or earlier only, download from here Versions after .4 are not compatible with the TrueCrypt container format.

Veracrypt It answers one of the issues brought up by the TrueCrypt audit but it’s not cross-platform and its storage format is INCOMPATIBLE with TrueCrypt storage format.

LaCie Private-Public Very simple version of TrueCrypt, not much has been written about it.

While what happened with TrueCrypt is disturbing, one side benefit has been to focus increased attention on disk encryption. And perhaps that was the true goal of it’s developers when they made their announcement.