
This is the general assumption I've been under. When someone goes from "This is a secure product being actively developed" to "USE THIS PRODUCT FROM MICROSOFT INSTEAD OF THIS. THIS PRODUCT IS BAD. BAAAD", then well, yeah. That's sort of the canary.



No, it's not.


So do you know more about the sudden "TrueCrypt is not secure" thing (http://www.theregister.co.uk/2014/05/28/truecrypt_hack/) and can say definitively why the creators did that?


You can see elsewhere on this thread where I'm coming from and what I think about the project.


I appreciate the time you spent on the project (and on this thread!). However, I don't see this issue specifically addressed: The following was posted on TrueCrypt's SourceForge page [1]; I don't see how it's not a 'canary' (well, technically it's not because it's a direct message) and how users can trust TrueCrypt. Until this is resolved, every other discussion of TrueCrypt's future seems moot.

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

[1] Discussed here:

* https://news.ycombinator.com/item?id=7828107

* https://news.ycombinator.com/item?id=7812133

* https://news.ycombinator.com/item?id=7814725


Seconded. I was quite puzzled by this whole issue when it happened and surprised to see that there hasn't been much clarification since. The developers who posted this message are real people whom others have been in contact with since, correct? (such as https://www.grc.com/misc/truecrypt/truecrypt.htm ). There was a very unambiguous claim of _existing_ security vulnerabilities in the EOL announcement. Have the developers explicitly refused to elaborate on this? Is there no reference to these concerns in the dev mailing list or elsewhere? Have they refused to take ownership for the statement?


People involved in the TC audit project have talked to the developers. The developers do not have an ideological investment in Truecrypt. They're just developers. They built Truecrypt to scratch an itch, found that supporting it was a largely thankless task, and then watched their software get at least 80% obsoleted by modern operating systems.

They don't owe anyone on HN or anywhere else any kind of "ownership of statements" or explanation. They published some source code. They got sick of it. They've moved on. It's over.

I understand the urge people have to synthesize a soap opera narrative out of things on message boards --- that's fun, after all, and the alternative is boring. But that's all the conversation about the TC project abandonment really is: a synthesized soap opera.


As I re-read your response it is seeming stranger and stranger. It seems you, too, are refusing to answer the straightforward question put forward. If no-one has asked the devs to explain this claim of potential vulnerabilities, so be it. But if everyone related to the project is recusing themselves from this question I think it's quite reasonable for observers to be interpreting that as a red flag.

(Also to clarify, when I said 'take ownership of this statement' I was referring to the earlier conjecture that the message was written by people other than the original developers.)


I appreciate your response, but I think also you are misrepresenting the events here. If the developers simply moved on that would be one thing, but what actually happened is they also made this claim:

   Using TrueCrypt is not secure as it may contain unfixed security issues.

I don't think the developers owe anyone anything, in terms of supporting this project or even justifying their decision not to support it. But they did make this claim, which they didn't need to, which casts the entire project in doubt. You're saying they are refusing to elaborate on this claim? Or has no-one asked them to? Because I think this thread is evidence enough that plenty of people want to know.


I don't see anything wrong with that quote. They're simply saying it's no longer being developed, and therefore security issues could arise in the future and go unfixed.

However, I still use TrueCrypt because I'm familiar with it, don't believe it has been compromised, and I trust a random pickpocket will be unable to break it.


You mean to say, "Move on everyone, nothing to see here"?

The circumstances were fishy - in a way that says don't trust the software to anyone that has anything to hide.


More or less yes, that is what I think. If you don't want to trust Truecrypt, I certainly wouldn't argue that point. I don't use it either.


I read your other comments on the project. And most of what you are conveying seems to be about the audit project specifically, which you're involved in.

My particular curiosity is about that announcement, and whether or not it was a government attempt to discredit a likely very effective product.


There was some talk about how BitLocker in newer versions of Windows removed an "elephant diffuser" component or something. Was that ever explained properly?


The "diffuser" was an attempt to provide last-ditch data integrity for a system that is fundamentally incapable of providing real data integrity. XTS doesn't provide integrity either.

Long story short: that change does not matter much.
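The point that XTS provides confidentiality but no integrity is easy to check in code. The following is an added example, not code from the thread or from any FDE product: a toy XTS/XEX-structured sector cipher (an 8-round SHA-256 Feistel network stands in for AES, so it runs with the standard library alone) is used to encrypt one sector, a single ciphertext bit is flipped, and decryption succeeds silently with only the touched 16-byte block scrambled. A per-sector HMAC, the kind of integrity layer XTS itself lacks, is shown alongside it as the check that does notice. Keys, sector contents and sector numbers are constructed for the demo.

```python
# Added example (not from the HN thread): a toy XTS-style sector cipher built on a
# SHA-256 Feistel network standing in for AES, used to show that XTS-mode disk
# encryption detects no tampering, and what a separate integrity tag adds.
import hashlib
import hmac

BLOCK = 16   # 128-bit blocks, like AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function for the toy Feistel cipher (demo-only, not AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Balanced Feistel network over one 16-byte block. It is a permutation, so
    # every ciphertext block decrypts to *something*, exactly as AES does.
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def _mul_alpha(tweak: bytes) -> bytes:
    # Multiply the tweak by x in GF(2^128) with the XTS reduction polynomial
    # x^128 + x^7 + x^2 + x + 1, little-endian as in IEEE 1619.
    v = int.from_bytes(tweak, "little")
    carry = v >> 127
    v = (v << 1) & ((1 << 128) - 1)
    if carry:
        v ^= 0x87
    return v.to_bytes(BLOCK, "little")


def xts_sector(key1: bytes, key2: bytes, sector_no: int, data: bytes, encrypt: bool) -> bytes:
    # XTS/XEX structure: T = E_K2(sector number); block j uses tweak T * x^j and is
    # processed as E_K1(P xor T) xor T. Toy version: whole blocks only.
    if len(data) % BLOCK:
        raise ValueError("demo handles whole blocks only (no ciphertext stealing)")
    tweak = toy_block_encrypt(key2, sector_no.to_bytes(BLOCK, "little"))
    core = toy_block_encrypt if encrypt else toy_block_decrypt
    out = bytearray()
    for j in range(0, len(data), BLOCK):
        out += _xor(core(key1, _xor(data[j:j + BLOCK], tweak)), tweak)
        tweak = _mul_alpha(tweak)
    return bytes(out)


def sector_tag(mac_key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    # The integrity layer XTS lacks: a per-sector HMAC over sector number and
    # ciphertext. Real FDE would need somewhere to store these tags.
    msg = sector_no.to_bytes(8, "little") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify_sector(mac_key: bytes, sector_no: int, ciphertext: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sector_tag(mac_key, sector_no, ciphertext), tag)


# Constructed demo keys and a 64-byte (4-block) sector; not from any real system.
KEY1, KEY2, MAC_KEY = b"\x11" * 16, b"\x22" * 16, b"\x33" * 32
PLAINTEXT = bytes(range(64))


def tamper_demo(sector_no: int = 7) -> dict:
    ct = xts_sector(KEY1, KEY2, sector_no, PLAINTEXT, encrypt=True)
    tag = sector_tag(MAC_KEY, sector_no, ct)
    # Flip one bit inside the second ciphertext block (index 1).
    bad = bytearray(ct)
    bad[BLOCK + 3] ^= 0x80
    bad = bytes(bad)
    # XTS decryption raises nothing and returns a full sector; only the touched
    # block comes back scrambled, every other block is intact.
    recovered = xts_sector(KEY1, KEY2, sector_no, bad, encrypt=False)
    scrambled = [j // BLOCK for j in range(0, len(PLAINTEXT), BLOCK)
                 if recovered[j:j + BLOCK] != PLAINTEXT[j:j + BLOCK]]
    return {
        "roundtrip_ok": xts_sector(KEY1, KEY2, sector_no, ct, encrypt=False) == PLAINTEXT,
        "blocks_scrambled": scrambled,
        "tag_accepts_original": verify_sector(MAC_KEY, sector_no, ct, tag),
        "tag_accepts_tampered": verify_sector(MAC_KEY, sector_no, bad, tag),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The XTS layer alone has no way to report the modification: `blocks_scrambled` is `[1]` and nothing is raised, which is the "no integrity" property the comment above refers to. Only the HMAC check rejects the altered sector, and storing such tags per sector is precisely the cost that makes real integrity hard for a sector-level disk encryption scheme.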


Oh, the diffuser matters a lot actually. Your former colleagues (I think?) proved this by blindly popping calc on a bitlocker-protected Windows 8.1!

https://cryptoservices.github.io/fde/2014/12/08/code-executi...

With the diffuser, we have ~9 years of conjecture and speculation, with no one overly certain that attacks are possible. Without it, we have calc.exe fairly quickly after someone got the idea to try. You can't say these are roughly the same in practical terms.
