
TrueCrypt Is Safer Than Previously Reported - AdmiralAsshat
http://arstechnica.com/security/2015/11/truecrypt-is-safer-than-previously-reported-detailed-analysis-concludes/
======
nacs
If you want to use Truecrypt tech but something that is still updated, try
VeraCrypt [1]. It uses the same codebase but has a number of fixes and
improvements.

[1] [https://veracrypt.codeplex.com/](https://veracrypt.codeplex.com/)

~~~
saganus
Are there any new developments regarding the TC license?

I seem to recall that part of the problem with doing a follow-up project based
on TC's source was the license.

Has VeraCrypt addressed this successfully or did they just went along,
assuming no one would come forward to sue them for license breach?

Does anyone have any more info on that?

~~~
beeboop
The chance of TrueCrypt suing anyone is near zero. They only stipulation they
really gave anyone for using their code was to not use the same name, which
VeraCrypt is satisfying (unlike the knuckleheads at truecrypt.ch).

------
jmnicolas
> [...]TrueCrypt cannot actually properly protect data on a running system.

This I understand : as long as you store the encryption key in RAM somebody
that can access your system can get it.

> If such protection is desired, one cannot get around solutions that use
> smartcards or other hardware-based key storage such that the encryption key
> can be better kept a secret.

Can someone expands a bit on this please ?

~~~
ilurk
Like you said with TrueCrypt the key stays in RAM and is vulnerable to
attacks.

Using a hardware based key makes digital attacks impossible AFAIK. Although
it's still subject to physical attacks (eg: theft, coercion).

BTW, I'm surprised there is no mention of SSD and other flash drives, since
IIRC that poses problems for FDE.

------
jaimehrubiks
TrueCrypt shut down because it was indeed the most secure encryption software
ever made (and mostly used). Government forced creators to shut it down and
agreement conditions remain unknown. Any vulnerabilities found and disclosed
after then do not compromise the security of a fully encrypted drive or file
when analyzed on another machine. In fact, if the software was indeed
vulnerable then it would still remain active since it would be decryptable by
governments agencies.

Note: This is MY opinion on this subject, I might be totally wrong.

~~~
whoopdedo
And not because the sole developer was too busy to keep working on it?

Never attribute to maliciousness what can adequately be explained by laziness.

~~~
jmnicolas
Never attribute to laziness what can adequately be explained by NSA
maliciousness ;-)

~~~
whoopdedo
But what is more probable? The number of known NSA backdoors is greater than
zero, but is small compared to the number of known lazy or sloppy programming
mistakes.

That said, the likelihood that a potential exploit will be used by the NSA is
very close to if not exactly 100%. You don't have to inject a vulnerability
into a system when there are more than enough unintentional holes already.

------
finchisko
Problem with security issues in FOSS is SEWCS. Somebody Else Will Check
Syndrome.

~~~
jmnicolas
For Truecrypt you have to be a C++ dev and a cryptographer, I guess there's
only a handful of people that have the requirements.

------
mtgx
Still seems to have plenty of vulnerabilities within a codebase that will
never be updated anymore.

~~~
tormeh
Not for encrypting USB drives. If that's your use case then it's probably
better than any unaudited software.

I don't get this obsession with updates. If it's secure now for certain use
cases then an update could only put that use case at risk. It's not like it
can get "more secure" or something.

~~~
stingraycharles
Of course it can. A system that was secure in 2005 doesnt necessarily have to
be secure in 2015. With that in mind, it might be a good idea to slowly move
away from TrueCrypt to a system that is equally secure but actually
maintained.

~~~
spacehome
> A system that was secure in 2005 doesnt necessarily have to be secure in
> 2015.

Can you clarify what you mean by this? What sort of vulnerability could
magically appear in Truecrypt to make it less secure now than a decade ago?

~~~
liw
I don't use TrueCrypt myself, and haven't followed what's happening with it in
any detail, but I'll comment on the general question here: why do you need to
keep up to date with vulnerabilities in order to keep secure.

First, nothing is ever totally secure. If a system gets audited today, the
best the auditors can say is that to the best of their knowledge, the system
has either no flaws, or list the vulnerabilities they know about. There might
be vulnerabilities they missed. Some of the unknown ones might be blatant
(say, a backdoor), or very subtle. When the unknown ones are found later on,
and become public, the only way to not be vulnerable to those is to update.

Second, a system may become vulnerable later by the environment around it
changing. This might be, for example, a change in the compiler (you rebuild
for a new platform, and the kernel introduces a vulnerability), or in the
language interpreter, or some library that the software uses, or the operating
system kernel, or something else. It might be that you upgrade the CPU and the
hardware random number generater on the new CPU is worse than in the old CPU.
It might be that you move your system from physical hardware you control to a
virtual machine you rent, thereby violating security assumptions made by the
software.

A system, or software, that is never updated stays still, and never gets
better, while potential attackers learn more tricks and more ways to attack.
Sooner or later they'll find a way to attack any stale systems.

And that is why updating is important for security.

