Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

[AMD_Gamer]

I was looking to play around with TrueCrypt because i was bored and i read a bunch of interesting stuff about it.

http://www.privacylover.com/encrypt...oor-in-truecrypt-is-truecrypt-a-cia-honeypot/

What do you think about this? What do you use for full disk encryption?

 

[evilsofa]

I can't speak one way or the other for this particular source, but paranoia is an absolutely appropriate sentiment towards your disk encryption.

The wikipedia article for Truecrypt cites this source as an example of where the Brazilian government and the FBI were unable to crack into a Truecrypt volume. Of course, if you're paranoid, you don't trust Wikipedia articles, which is where you apparently got the link for the analysis you linked to. On the other hand, whoever's running Truecrypt isn't trying very hard to keep the info from the analysis out of the wikipedia article.

You can go as far down the rabbit hole of paranoia as you want to with disk encryption, but as the writer of the analysis says, if it really is a honeypot, the government is unlikely to blow its cover on anything short of a Bin Laden type.

 

[ShadowStriker]

I can't speak one way or the other for this particular source, but paranoia is an absolutely appropriate sentiment towards your disk encryption.

The wikipedia article for Truecrypt cites this source as an example of where the Brazilian government and the FBI were unable to crack into a Truecrypt volume. Of course, if you're paranoid, you don't trust Wikipedia articles, which is where you apparently got the link for the analysis you linked to. On the other hand, whoever's running Truecrypt isn't trying very hard to keep the info from the analysis out of the wikipedia article.

You can go as far down the rabbit hole of paranoia as you want to with disk encryption, but as the writer of the analysis says, if it really is a honeypot, the government is unlikely to blow its cover on anything short of a Bin Laden type.

I think that's the case where they didn't really try. If they wanted to, I'm pretty sure INC has the computer power to crack anything. Its not that TrueCrypt has a backdoor or not, its how strong the encryption you're using is.

 

[Spooony]

Why try to crack it. Just rip the key of the pagefile. Most people leave that unencrypted. There must be a key somewhere that's not encrypted

 

[stiltner]

If there is a backdoor, so be it. My concerns aren't the FBI, or the CIA. Its the shitdicks like Lulzsec that spam your information and / or sell it to the highest bidder (generally pennies).

If the FBI or the CIA give a shit about what I have on my PC, then someone has too much time on their hands, cause I got nothing to hide on that level. I'm more concerned about personal privacy and data being leaked that way, then the Feds busting down my door to stare at my resume and tax returns.

 

[FrostBite]

Backdoor, maybe but I think it's doubtful that they are in cahots/working for the CIA or anyone. The weakest link is the person, not the encryption. You could use a 30+ key password and all that needs to be done would be a hidden camera over your keyboard to watch you type it, or a week of torture before you give it up. All I'm saying is that there are a lot of ways to crack a nut, and going after the computer software is probably not the first step.

 

[YeOldeStonecat]

I think that the article that link points to is hilarious! Each bullet that the writer attempts to make is...oh wow, LMAO!
*1-Domain registered under a false address...frequently done, and often a bit of humor is put in there for the location.
*2-Software developers often hide their identity. Plus TrueCrypt is open source...there's a varying team.
*3-Workers working for free..uhm...yeah, again it's open source
*4-Compiling source code difficult...well...if people were lazy and the only free products offered were easy...would Sourceforge have any good stuff on it?
*5-License...that's up to the developers.

I've used it for FDE....it's not bad.

 

[ShadowStriker]

Backdoor, maybe but I think it's doubtful that they are in cahots/working for the CIA or anyone. The weakest link is the person, not the encryption. You could use a 30+ key password and all that needs to be done would be a hidden camera over your keyboard to watch you type it, or a week of torture before you give it up. All I'm saying is that there are a lot of ways to crack a nut, and going after the computer software is probably not the first step.

Hello! Everybody knows people use laser keyboard signal readers now!

 

[OldSchool]

I use Truecrypt and I am fairly confident that it has withstood much scrutiny. Really the only exploits that I am aware of involve administrator level physical access to the machine with the volume mounted, or even more extreme things like freezing the memory modules and moving them to a machine to read the stored key.

 

[evilsofa]

Truecrypt has been around since 2004. If it were a honeypot on anything but a government vs government level, that card would have been played a LONG time ago. If it is a government vs government level honeypot, those cards won't get played on individuals; it'll all be very deep, covert levels that individuals will never even know about. So unless you're Iran or North Korea... don't sweat it; this honeypot is not even slightly interested in you.

 

[ghost6303]

I use Truecrypt and I am fairly confident that it has withstood much scrutiny. Really the only exploits that I am aware of involve administrator level physical access to the machine with the volume mounted, or even more extreme things like freezing the memory modules and moving them to a machine to read the stored key.

this, and i would add that i have never, ever, seen truecrypt try to connect to any remote external servers for a phone-home or anything like that. and that is something i watch on my dev workstation, which is not connected to the outside world. i doubt its a honeypot sending your PWs back to the feds.

if there were any type of backdoor to it, its not apparent in the program's code, its would have to be activated by some secret way, like a special admin password, or a special keyfile that someone would have to point it to. there is nothing i have seen or read about in the program itself that would suggest there is an integrated open back door. if something existed, it would have to be an external source that could get around its internal security measures.

 

[C7J0yc3]

For FDE the only two hacks I am aware of are the cold boot attacks and the "Angry Maid" attack (which is essentially a hardware level keylogger).

TrueCrypt is one of the few programs I actually feel good about saying "its totally secure" because it is. Many of the other FDE centrally managed software suites I know of all have some form of backdoor.

 

[AMD_Gamer]

So we can put it this way. If you are afraid of a crook breaking in and stealing your computer/data then Truecrypt is great. If you are afraid of the CIA/NSA/FBI getting your data then maybe not.

 

[stiltner]

So we can put it this way. If you are afraid of a crook breaking in and stealing your computer/data then Truecrypt is great. If you are afraid of the CIA/NSA/FBI getting your data then maybe not.

Reasonably speaking sure. Like I said, the odds of the common criminal being the man to get to you before the FBI is 1000:1. If the skunk doesn't smell, the fox won't know its there basically.