Sophos Cloud Optix
Naked Security readers will be well aware of the great TrueCrypt mystery.
TrueCrypt is, or was, a long-running software project that claimed to provide strong encryption software that you could use for free on Windows, Linux and OS X.
Over the years, it became popular for many reasons, notably that it was free, cross-platform and apparently untainted by association with governments or commercialism.
It also had a feature called plausible deniability that gave it cachet amongst cypherpunks and privacy activists, even if they weren’t planning to use this feature themselves.
Plausible deniability works by letting you create an encrypted file with two passwords.
One password decrypts the content you really want to keep secret, while the other cunningly decrypts a bunch of innocent data to fool anyone who forces you, by fair means or foul, to reveal your password.
→ Be careful. This sort of feature can be a double-edged sword. Firstly, it’s harder than it sounds to maintain your fake data so that it actually looks plausible when you decrypt it. Secondly, if someone is determined to extract your data under duress, they’ll just ignore the first password you give them and keep squeezing you until you cough up the second.
You could even get the source code for TrueCrypt, as a sort of implicit guarantee that there were no shabby secrets or backdoors hidden in there.
But it wasn’t truly open source, since you couldn’t then do what you liked with that source code.
Furthermore, the developers were anonymous and the development process closed: you couldn’t go to conferences, for example, and openly meet the coders and ask them what was coming next in the product, and when.
So, despite (or, perhaps, because of) the apparent anti-commercialism of the software, there were certain commercial challenges in using it, not least that you couldn’t tell who you were dealing with, or what might happen to it next.
That’s a bit of a risk with any software product, especially one with the primary purpose of turning your precious data into shredded cabbage with the promise that you will be able to unshred it later.
Fair enough, of course: the coders provided it for free, and if you really wanted, you could use their source code to help you write your own replacement, but it wouldn’t be TrueCrypt and you couldn’t use the name to suggest it were.
Forking impossible
What that meant is that the open source practice of a fork was impossible.
Forking a software product gets its name from the Unix system call fork(), by which new processes are created.
When a process is forked, the new process, called the child, is a clone of the parent: it has the same code and data in memory, so it inherits access to all resources that the parent had.
Open file handles, network sockets, indeed all the data structures that the process currently has in memory, are duplicated so that the child process starts as a replica of the parent.
Thereafter, of course, the child process can, and does, diverge.
So when you fork a software project, you start off with an exact copy of the original, with the freedom to implement and experiment with changes that the original project wasn’t willing, or didn’t have time, to try.
If you’re a programmer, you’ll also be familiar with the word branch, which is an offshoot of a software project created in exactly the same way.
Technically, the road metaphor of a fork and the railway metaphor of a branch refer to the same process.
Generally speaking, however, branches are code variants that the coders on a software project start and maintain themselves, perhaps merging the changes back into the mainline later.
Forks, on the other hand, are usually more serious splits intended to deliver two independent versions of the project.
If programming were a religion [It isn’t? Ed.], you wouldn’t call it a fork, you’d probably call it a schism.
If the fork is better, it will take over; if it isn’t, it will wither away; if it caters to a different crowd, both new and old versions will continue, growing into similar but different products used more widely overall.
Anyway, as you will no doubt have heard, the developers of the don’t-care-about-commercialism TrueCrypt product recently decided to call it a day.
They shut down the project abruptly, declared it insecure, and published one final version that only did decryption, as a final way for you to unshred your cabbage.
Conspiracy theories
Conspiracy theories abounded:
- The NSA made them shut it down, because the product was too secure!
- Hackers got into their website and stole their code signing key, then set about destroying the product to push users onto tainted alternatives!
- Malicious actors forced them to introduce covert backdoors, and this was the way of telling us without actually saying so!
- It was all a bit of a hoax to raise awareness of encryption, so keep calm and carry on!
Well, the mystery is now solved.
The coders have called “game over” on the project, and they’ve decided to take their ball home, too, by refusing permission for a fork.
It seems they were going to retire the code anyway, even if they’d kept going with the project, and intend to keep true to that decision:
I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase.
And that would seem to be that.
Solution is the new mystery
Except, of course, that an anonymous message on Pastebin can never be considered definitive.
So the mystery, far from being solved, might now be deeper than ever:
- The NSA made them say it!
- Hackers did it! [Posting on Pastebin is not “a hack”. Ed.]
- It’s still a hoax, you’ll see!
What’s your theory?
For further information
Sophos security experts Chester Wisniewski and John Shier recorded a podcast to discuss the issues behind the demise of TrueCrypt:
(Audio player above not working? Download MP3, or listen on Soundcloud.)
We’ve also put together an information page (yes, we’re suggesting a commercial replacement!) at http://sophos.com/truecrypt.
I happen to think that a new, open codebase, for a new, opensource encryption product would be a really good idea, regardless of the motives of the TrueCrypt authors.
There is certainly expertise and interest out there.
We just need a shiny new security proselytiser to take centre stage and kick something off.
Paul?
The dual password thing is not for the case where your adversary knows for a fact you’ve got something hidden and will just twist the thumbscrews harder until you give it up. It’s for the case where someone doesn’t really know for sure and just wants to check. For example, a country that hates Israel might want to check to make sure there’s nothing pro-Israel on your laptop when you enter that country. You could give them the “safe” password, and it’s not easy for them to demonstrate that there’s any other password, so you can claim there isn’t one.
Fork it anyway.
At least it would bring the “anonymous” developers into the light if they want to legally fight it. They’d have to to engage the courts and they can’t do that as non-entities.
“Fork it anyway.”
Translation: Steal it anyway.
One wonders if you would be so unprincipled if your own property were involved.
Infringing on a copyright monopoly is not stealing, so says the US Supreme Court. Also, there is no real property involved, as “intellectual property” is not a scarce resource.
You’re acting as though the developers have done something wrong by letting you use their intellectual property for free – for what? a decade? – and then deciding they want to pack it all in.
To add insult to injury, you’re then suggesting that the best way to correct this terrible wrong they have done is to follow it up with another wrong by flagrantly disregarding what seems to be the letter and the spirit of their licence.
Why do so many people suddenly seem to think these guys owe them something?
Ignoring the moral argument for a moment, a license is a contract between two parties that sets out terms of usage. If one of the parties is anonymous the other can’t reasonably agree to the contract. It may be possible to act through a proxy but I doubt this would result in an enforceable contract. Then you have the issue that the ‘Truecrypt Foundation’ doesn’t appear to be a legal entity, in which case there isn’t even a second party in the license contract and the whole thing is null and void.
So fork to your heart’s content.
Please see the the 2 versions of trucrypt before the last one, unpack them , but not installed, analise by virustotal.com *.exe of version 7.1.a and then same procedure 7.1 , first has or not a backdoor and the other has a other malware or not. analyse the *.pf files of both version and the one of the last version
7.1.a is not detected for backdoor any more, but it did, now it does not !!!! strange
Maybe you should take that up with the vendor of the product that “detected” it.
I am guessing that you simply uploaded one or more files out of TrueCrypt to a service like VirusTotal. That just tells you what a bunch of different products report when they are presented with that file in a not-quite-real-world situation.
So, what is everyone using now?
I still use TrueCrypt and will continue to use it until TrueCrypt is no longer compatible with my Operating Systems, or until a known major vulnerability is demonstrated in TrueCrypt. AFAIK the next best thing is BestCrypt, but this is not free and not fully open source either. I’m confident another free, open source on-the-fly encryption program similar to TrueCrypt will emerge soon though. Before TrueCrypt existed, there was Scramdisk and E4M – two very good, open source and free encryption systems. You had PGP Disk too, which until Network Associates International (Now McAfee) got hold of it was free and open source as well. So I believe a free open source alternative is inevitable as there is now a gap in the open-source market, and like how Scramdisk and E4M were superseded by TrueCrypt, another program will fill this gap.
Use TrueCrypt 7.1a. It is just as secure as it always was. There is no substantive reason not co continue using TrueCrypt or not to carry out fresh installations.
Also it seems to me from looking at the license that forks of it are perfectly feasible; you just can’t call the fork ‘TrueCrypt’ since, after the fork, it no longer is TrueCrypt. Firefox is licensed on similar terms.
That said, it does seem a very goo time to start with a fresh code base, using TrueCrypt and OTFE as guides to how to do this.
Indeed, OTFE is a fully open source project that could do with being revived regardless of the status of TrueCrypt (or of, say, a fork called ‘LibreCrypt’).
agreed, I still use 7.1a at home. It is still perfectly viable for the major risk it protects, theft of your laptop.
I never liked TrueCrypt, anyway. I prefer using PGP.
Hi,
I had a friend in Australia who wrote a totally uncrackable encryption programme and he was prohibited from offering it for sale in the USA and eventually had to stop offering it for sale in OZ as well…’They’ want only encryption software with Back doors
Paul
:..a totally uncrackable encryption programme…”
No such thing!
Actually, there _is_ an unbreakable cryptosystem: the one time pad. But it was invented at the time of the First World War, long before digital computers as we know them today came on the scene, and (as far as I am aware) has never been prohibited by law in either the USA or Australia, at least in recent times.
(Also, as afar as I recall, the regulations controlling the sale of encryption software in the USA that existed until around the end of last century never blocked the sale of strong crypto *into* the USA, only ever the export of it *from* the USA. The commercial absurdity of such an arrangement for software companies in the USA was amongst the reasons that the regulations were ultimately changed.)
Here is another conspiracy theory, but with the TC team as the culprits:
How can you be sure the source code is complete and accurate if you are allowed to only look at it and not experiment with it using slightly different builds? (for example by adding some check points at certain places in the code)
I forgot to mention that I trusted and have been using TC for years
I think “Forking” really comes from the definition in the dictionary, not some Unix program since the Unix program name came from that in the first place. Forking means: n. A bifurcation or separation into two or more branches or parts.
So when you fork software, you do just that, it has nothing to do with copying what is in the running memory…
I think the concept of a code fork being like a process fork is both clear and important: the fork and the original start out identical, with exactly the same codebase; the fork then diverges from the original.
The thing about a code fork that is it’s not merely “going off on your own,” but very specifically the act of “starting with an identical copy of the codebase but under different management.”
That’s why open source projects commonly get forked, but commercial or closed source projects generally get reimplemented – a very particular sort of licence is needed to make forking possible at all.
A fork starts instantly, duplicating both the strengths and weaknesses of the original; a reimplementation gets off the ground more slowly, but is different from the outset.
The fact that both sorts of fork trace their ultimate linguistic origin to a bifurcation in the path doesn’t prevent the sense of “fork as in a code” deriving from “fork as in process” 🙂
So who’s the Ed. who made the interjections in your copy? Chet?
And where’s Graham Cluely when we need him?
Like the authors of TrueCrypt, the identity of the Editor (or Editors) whose interjections appear in this article will have to remain a mystery.
PS. I have a pretty good idea who he/she/they was/were. But if you hear anything definite…please let me know 🙂
If the authors are anonymous and the announcement on pastebin is anonymous, what legal grounds are there for anyone to prevent someone to fork a source code that has no owner? Can the words of someone that is anonymous have any legal value? As I see it, nobody is representing the code and therefore it can not be stolen.
I guess when you park your car and leave it unattended, there’s no-one looking after it, so even if you lock the doors and put a nice sign saying, “Private property” on it, you shouldn’t be surprised when someone decides to “borrow” it 🙂
The things is, for commercial use, why would you want to use code acquired in the way you describe? To save money? Because you can trust abandoned code better than a product under active development? Because you can? Sounds like a bit of a legalistic quagmire to me. It would have to be a LOT better than the competition…and IIRC TrueCrypt doesn’t support Windows 8, and doesn’t do full disk encryption on OS X and Linux.
A car has a license plate which links it to a specific person, therefore breaking into the car and driving it away is absolutely theft as you know that someone specific owns it and it’s possible to trace that person.
If I find a suitcase full of money on the street and decide to take it home there is no theft (at least in the UK) as there is no way to trace the owner definitively.
Ironically, and perhaps even interestingly, driving off in a car without the owner’s consent is not “stealing” or “theft” in the UK, but TWOCcing. (Taking Without Consent.)
And if you find a suitcase of money I am pretty sure you are committing an offence if you take it home. After all, the one thing you know for sure is that it isn’t yours. Your obligation is to report it and hand it over to the authorities, who *will* try to trace the lawful owner.
lol sure they will. Bet they’d try real hard *sarcasm*
downvote, downvote, downvote. Jeez people.
To quote Jeff Foxworthy (don’t judge me based solely on the beginning of this sentence),
“booing it won’t make it less true.”
I don’t know why people say that forking is impossible. Have you read the truecrypt license? It specifically allows forking, provided you keep their crappy license, change the name and pictures, and mention that the code is based on TC.
So as a standalone application, TC can be forked as an open source project without a problem.
What is not possible is to change the license into one of the standard open source licenses, and therefore TC forks will not be included in Linux packages etc. But the majority of TC users, being on Windows and Mac, don’t really care about that.
Really? Actually, in the USA, if you turn over a suitcase full of cash to the local police, approx 20% of the time it will “go missing”…
Who said it is impossible to fork TC? TC developer!
On 16 June 2014, the only alleged TrueCrypt developer still answering email, replied to a message by Matthew Green (an auditor in Open Crypto Audit Project (OCAP)) about the licensing situation. He is not willing to change the license to an open source one, believes that Truecrypt should not be forked, and that if someone wants to create a new version they should start from scratch. (wiki, 9/30/2016).
The mistery is solved!
Truecrypt: It is IMPOSSIBLE to fork it (Read: Do not fork, please).
(We know, it is technically POSSIBLE).
Thieves: Fork it, any good reason can be made later.
(Veracrypt, Ciphershed, etc, had already began forking).
P. Ducklin: “… why would you want to use code acquired in the way you describe? To save money? Because you can trust abandoned code better than a product under active development? Because you can? Sounds like a bit of a legalistic quagmire to me. It would have to be a LOT better than the competition…”
Let’s see its history.
Wiki: According to the TrueCrypt Team, Hafner claimed in the email that the acknowledged author of E4M, developer Paul Le Roux, had stolen the source code from SecurStar as an employee. … Tesarik (TrueCrypt Team member David Tesarik) concluded that should the TrueCrypt Team continue distributing TrueCrypt, Le Roux may ultimately be held liable and be forced to pay consequent damages to SecurStar (was his employer in creating E4M). To continue in good faith, he said, the team would need to verify the validity of the E4M license. However, because of Le Roux’s need to remain silent on the matter, he was unable to confirm or deny its legitimacy, keeping TrueCrypt development in limbo.
And now. We must clean up our business before we pray for our after-death.
Le Roux had given it to public for good in 2004-2014. Ten years, exactly good number for a limbo in dispute, and it is more than enough.
In the end, TC team also do good with releasing decryptor and guiding us to free alternatives (BitLocker in Windows. Disk Utility in MacOS, and ecryptfs etc in Linux).
You, folks, have to back to reality & honesty.
Paul apostle: … thieve do not steal anymore, he/she must work for stuf …
—
Fork it?
As SecurStar do not want to be forked (E4M case), Truecrypt does, and many real-hard-poor-geek-dilligent and ‘programming for living’ programmers does.
Do not steal, do not fork what its author beg you not to do so.
10’th law in Torah : Do not covet.