TrueCrypt Website Declares Project Dead

It appears that the TrueCrypt project is officially dead. At approximately 1800hrs the TrueCrypt project's SourceForge page was updated: its status was set to 'inactive' and new binaries were posted, ostensibly of 'TrueCrypt v7.2'. The main page now carries the warning that "TrueCrypt is not secure as it may contain unfixed security issues." The key used to sign the new binaries matches the one used on previous releases, and Krebs notes that there have been no changes to the domain's delegation.
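The claim that "the signing key matches" is worth being able to check yourself before trusting a surprise release. The script below is an added example, not code from the TrueCrypt project or from the original post: it parses a binary OpenPGP detached signature (RFC 4880 v4 signature packet), pulls out the Issuer subpacket (the 8-byte key ID of the signing key) and compares it with a pinned key ID taken from an earlier, trusted release. The pinned value `PINNED_ISSUER` is a placeholder; substitute the key ID that signed 7.1a. Note the caveat in the comments: the Issuer subpacket normally lives in the unhashed area and is not covered by the signature, so a matching key ID is only triage, and `gpg --verify` against a key you already trust is still required.

```python
"""Extract the issuer key ID from an OpenPGP detached signature (RFC 4880
v4 signature packet) and compare it with a pinned key ID.  Added example;
it does not verify the signature itself, only who *claims* to have signed."""
import struct
import sys

# Placeholder: replace with the 8-byte key ID that signed the last trusted release.
PINNED_ISSUER = bytes.fromhex("0123456789ABCDEF")  # hypothetical value


def _read_packet_header(buf, pos):
    """Return (tag, body_start, body_len) for old- or new-format packet headers."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F  # old-format header (RFC 4880 4.2.1)
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, pos + 2, buf[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", buf[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", buf[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate packet length not supported")


def _subpacket_len(area, pos):
    """Subpacket length encoding (RFC 4880 5.2.3.1); returns (length, pos_after)."""
    first = area[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
    return struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5


def _iter_subpackets(area):
    """Yield (type, data) for each subpacket; the length covers the type octet."""
    pos = 0
    while pos < len(area):
        length, pos = _subpacket_len(area, pos)
        sp_type = area[pos] & 0x7F  # high bit is the 'critical' flag
        yield sp_type, area[pos + 1:pos + length]
        pos += length


def issuer_key_id(sig_bytes):
    """Return the 8-byte issuer key ID from the first signature packet."""
    tag, start, length = _read_packet_header(sig_bytes, 0)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = sig_bytes[start:start + length]
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    # body: version, sig type, pubkey alg, hash alg, then the two subpacket areas
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    # CAVEAT: the Issuer (type 16) is usually in the *unhashed* area, which is
    # not protected by the signature. Anyone can write any key ID there, so a
    # match means "worth verifying", never "verified".
    for area in (hashed, unhashed):
        for sp_type, data in _iter_subpackets(area):
            if sp_type == 16:
                return bytes(data)
    raise ValueError("no issuer subpacket present")


def matches_pinned(sig_bytes, pinned=PINNED_ISSUER):
    """True if the signature names the pinned key as its issuer."""
    return issuer_key_id(sig_bytes) == pinned


def build_test_signature(issuer, new_format=False):
    """Constructed, syntactically valid v4 RSA/SHA-256 signature packet with a
    bogus MPI, for exercising the parser offline. Not a real signature."""
    hashed = b"\x05\x02" + b"\x00\x00\x00\x00"      # type 2: creation time
    unhashed = b"\x09\x10" + bytes(issuer)           # type 16: issuer key ID
    mpi = b"\x00\x08" + b"\xAB"                      # 8-bit MPI placeholder
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + mpi)
    ctb = 0xC0 | 2 if new_format else 0x88           # tag 2 = signature
    return bytes([ctb, len(body)]) + body


if __name__ == "__main__":
    # usage: python check_issuer.py TrueCrypt-Setup.exe.sig
    with open(sys.argv[1], "rb") as fh:
        kid = issuer_key_id(fh.read())
    print("issuer key ID:", kid.hex().upper(), "(pinned)" if kid == PINNED_ISSUER else "(MISMATCH)")
```

Use it on the `.sig` file shipped beside the binary; if it reports a mismatch, stop there. If it matches, run `gpg --verify` with the key you imported from a trusted source months ago, not the one the website now offers.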

Their stated rationale, that TrueCrypt development was ended because Windows XP reached end of support, seems curious, as there is no obvious relationship between the two. Their advice to abandon TrueCrypt for proprietary solutions like Microsoft's BitLocker (closed source, unaudited, and widely suspected of being backdoored) also seems odd.

Users on Schneier's blog have been discussing the various possibilities. The most plausible is that the TrueCrypt team were compelled via a National Security Letter (NSL) or some other government instrument to co-operate, and that burning down the project was the only thing they could do in response. This would also explain why they could not give a legitimate explanation and instead cited the ludicrous one about Windows XP support. Another possibility is that Matthew Green et al.'s TrueCrypt audit spooked the authors in some way.

Just twelve hours ago I believed that this was a website compromise, but I am now convinced these actions were initiated by a member of the TC team and not by a malicious attacker. It is indeed possible that one of the developers has gone rogue, but I believe that it is almost a certainty at this point that TC – as we have known it, at least – is dead. Given the licensing issues (TC’s license is not completely FOSS friendly) it remains far from certain that anyone will fork the source from 7.1a and continue to develop the software.

This marks the death of the second free(ish) Windows full disk encryption suite, the first being FreeOTFE. The important thing to note is that TrueCrypt had several very large stumbling blocks in the way of its acceptance by the community: some of them technical, some legal and license related, and the vast majority social. The shadowy TrueCrypt Foundation and the way the organization shielded itself from any scrutiny made many understandably cautious of the software. Only several months ago on this very blog I detailed the myriad issues I have with TrueCrypt and advised readers not to trust the product and to instead seek alternatives. That said, there are now no free and trustworthy full disk encryption products for Windows (and obviously Windows itself, and the underlying Wintel architecture, has some major trust issues of its own).


What Secrets Lurk In Your Cellphone Baseband


It was only a few months ago that we heard of a denial-of-service against Android devices that mishandled the reception of a flood of class 0 (flash) SMS messages; as the astute readers of this blog will recall, this was fixed in Android 4.4 (at least for the Nexus branded devices).

I have spent my spare time playing with the cellular basebands of a variety of phones, of all operating-system persuasions, and at the risk of sounding alarmist will state, perhaps prematurely, that there are certain "features" that you, the owner of the device, likely don't know about and that could violate your privacy in ways you may not have considered. This goes beyond relatively well known issues such as the misuse of "silent" SMS (Type 0 messages, which the handset acknowledges to the network but never displays) as a way to ping a phone, generate network traffic and thus assist with geolocation.

Anyone with a cellular phone needs to know that even if you run a self-compiled (and carefully source-audited) AOSP build, the binary blob drivers, often from Qualcomm, and the cellular baseband in its entirety may betray your attempts at achieving the privacy that should be a basic human right. The baseband is a separate processor running its own closed firmware; nothing you compile for the application processor touches it, and on some designs it has direct access to the application processor's memory.

I have been somewhat surprised by E911 and the way some carriers have implemented this "feature", which can be invoked without 911 or 112 being dialed, but the really juicy stuff is buried deeper in your phone. The ability to listen to your microphone without your consent or knowledge has been documented as fact and is known to the FBI, an organization that is proud of stepping on the constitutional rights of Americans, as a "roving bug".

I would argue that there is a gap in the market for a cellular phone that is verifiably secure (software will always have bugs, but at least lay everything on the table and let some of the brightest minds in our industry examine it; keeping the line count down makes that task easier) and that furthermore incorporates integrated voice encryption, not only over UMTS data or other mobile IP bearers but over the ordinary compressed GSM voice channel. Although the audio quality may be average, this has been a long sought after feature.

That said, nothing will ever stop your carrier from locating you by radio: the network measures timing and signal strength from your handset as part of normal operation. Unfortunately this is something we cannot design out.