TrueCrypt, from soap opera to heroic saga

Data encryption is one of those topics that numb an audience in about 90 seconds. Articles on encryption get skipped with a hint of disdain: a hacker thing, I don't care. You are not interested until you lose your smartphone or your notebook is stolen. Then you realize two things. First, the value of the hardware is negligible compared with the personal information you had on the device. Second, you never put a password on your computer, let alone encrypted the disk.

True, if someone ends up with your smartphone, tablet or notebook, they will not, in general, look at your pictures or steal your passwords. Rather, the scumbag tends to explore ways of turning the device into money. But no one likes to risk having their digital life exposed anyway. Never, not once, has a theft victim told me: “Oh, no problem, they just want to sell it”. On the contrary, they panicked at the prospect of their mail, Facebook, Twitter and other accounts being compromised.

In short, encrypting part or all of the storage space of a digital device remains as fundamental as it is rarely practiced. That is largely why TrueCrypt’s sudden death, on May 28, went almost unnoticed. This software, whose developers keep their identities secret, is the open source encryption standard. So much so that Amazon uses it in its cloud storage service, called S3 (for Simple Storage Service).

Following Edward Snowden’s revelations about spying by U.S. intelligence agencies, the importance of TrueCrypt increased further, while the scandal inevitably ended up splashing it. Why? Because although TrueCrypt is open source, reviewing its more than 100,000 lines of code costs money. Lots of money. A fundraiser was therefore held to pay for an audit, called the Open Crypto Audit Project, whose first phase ended with good news: no evidence of serious flaws or malicious routines was found in version 7.1a.

But before we had finished toasting, the TrueCrypt site changed its front page, announced that development of the software had ended as a result of the end of support for Windows XP, and published a comprehensive tutorial for moving volumes encrypted with TrueCrypt to BitLocker, the Microsoft application for this kind of need. The TrueCrypt site also offered a new version, 7.2, while warning that it was risky to use. To make matters worse, the WOT Safe Browsing extension (for Firefox and Chrome) advised against entering the site. All very strange.

There was talk of a cyber attack. Of an excuse to terminate the software. Etcetera. All kinds of conspiracy theories were floated. At press time, none of the people I spoke with was clear about what had happened. According to Gibson Research, one of the developers of TrueCrypt told them he “no longer had an interest in maintaining the project”. In short, apart from the fact that version 7.1a is, prima facie, spy-free, all else is a mystery. As a result, Windows users had to go looking for alternatives. I was doing just that when I came across several interesting things.



The first is that there is a fork (a derivative) of TrueCrypt enjoying good health. It is called VeraCrypt, and the tip was passed to me by Maximiliano Miranda, on Twitter, along with a link to the project, which is hosted on CodePlex, Microsoft’s development platform for open source code.

I sent an email to the French company that developed it, Idrix, and Mounir Idrassi, its founder, replied. I asked how the disappearance of TrueCrypt affected their software. He said: “VeraCrypt is based on the 7.1a version of TrueCrypt, with improvements in the key derivation algorithm, because the implementation of TrueCrypt is not sufficiently robust in this respect compared to current advances in attack techniques. To date, neither backdoors nor vulnerabilities have been discovered in version 7.1a of TrueCrypt, and what happened on May 28 is a lifecycle matter rather than a real security threat. So I do not see that it has any impact on VeraCrypt. Moreover, VeraCrypt can evolve independently and will add new features. For example, SHA-512 for encryption of the operating system partition and support for GPT partition tables (GUID Partition Table, for globally unique identifier)”.

Mounir says that he carried out an audit of TrueCrypt in 2013, when he began the VeraCrypt project, and discovered some vulnerabilities. “In fact – he said – the first of the TrueCrypt weaknesses found by the Open Crypto Audit Project is what gave rise to the birth of VeraCrypt, last year. This is why I defined new iterations for key derivation. I also discovered a problem in the implementation of RIPEMD160 for encrypting system partitions (it used 16-bit counters instead of 32-bit counters). This was not discovered by the Open Crypto Audit Project, but I already corrected it in VeraCrypt. The other vulnerabilities on their list should be repaired, but none are serious enough to constitute a realistic threat scenario”.

I also asked him whether their software had been subjected to some kind of independent security audit. He said no. “Since its inception a year ago, VeraCrypt has not received much attention and has been used rather for internal purposes at our company and for some specific tasks by external entities. Moreover, as VeraCrypt is based on TrueCrypt, the results of the Open Crypto Audit Project can be applied to our software almost directly. Of course, I have faith that the renewed interest VeraCrypt is now attracting will deliver the funds to carry out an independent audit”.

Idrix’s fork of TrueCrypt uses the Microsoft Public License. I asked Mounir why he had not adopted the General Public License (GPL, which is used by, for example, Linux). “That choice – he answered – was based on the simplicity of Microsoft’s license and on the fact that it seems to be closer to the original TrueCrypt license. I’m not a legal expert, but I’m not sure if the original TrueCrypt license is compatible with the GPL. Perhaps in the future more people with legal knowledge can advise in this regard.” (Incidentally, no, the TrueCrypt license is not compatible with the GPL.)

VeraCrypt, Mounir told me, was born at the request of one of his clients, who wanted a more robust version of TrueCrypt. “It is an Idrix development project and I did it, with testing inside and outside the company. The source code was published to comply with the open source license and in order to build a community around the program. Maybe the TrueCrypt saga helps us with this”.


Well, precisely: the TrueCrypt saga is far from over. That was the second thing I learned these days. There are two programmers, Thomas Bruderer and Doekbrijder Jos, who have proposed the resurrection of the encryption software. Their Web site bears the motto TrueCrypt Must Not Die. Great news, in my opinion.

Currently, the website, which the developers host in Switzerland “to be free of legal pressure from the United States”, offers the safe version, 7.1a, for all platforms; i.e., Windows, Mac OS X and Linux. On Thursday, I spoke by phone with Doekbrijder to learn more about this project, which, so far, is named TCNext (@TrueCryptNext on Twitter).

“The most urgent thing – he told me – is to clarify the legal issues related to the license, the domain name and more. Fortunately, we have lawyers who are helping us with that right now. We’re also devoted to building a community and a development team. Indeed, we would like to enlist the help of IT people from Argentina”.

About what they want to achieve, whether it will cost anything, which license they will choose, etc., he said: “The idea is to take over the role of TrueCrypt, relaunch it with a new name (we cannot use TrueCrypt because it’s a trademark) and release it under an open source license compatible with the GPL. It’d of course be free. More importantly, the development team will not be anonymous, as in the case of TrueCrypt”.

I also asked about VeraCrypt, because in a way it is a similar effort. He replied: “I’m aware of the existence of VeraCrypt. Indeed, there are half a dozen forks of TrueCrypt. Some have not been updated for quite some time. Mostly, the plan we have is for all these projects to join in one solid product that works, that gives the public the protection TrueCrypt offered”.

So, long before I got to visit the alternatives, and as often happens with open source code, hope appeared that this excellent software will be reincarnated in one or more robust and transparent versions. It was not completely unexpected, given the degree of popularity of TrueCrypt. But it was quick.

