EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

05.31.14

TrueCrypt Too Proprietary to be Secure and Corporate Media Should Stop Blaming Free/Open Source Software (FOSS)

Posted in Free/Libre Software, Security at 4:36 am by Dr. Roy Schestowitz

TrueCrypt was never worth trusting in the first place

Telecommunication

Summary: Analysis of the whole TrueCrypt fiasco and response to the blaming of FOSS (where the licences are clearly not FOSS)

PROPRIETARY software should be assumed insecure by design, as it often contains back doors and one simply cannot prove otherwise. Based on experience alone, a lot of proprietary software comes with back doors, sometimes accidentally but not always. A lot has been written about this before, both here and elsewhere, so we are not going to write so much on this subject. Instead we wish to focus on the news that TrueCrypt development is moving to Switzerland (the first article we found about this is [1] and there is also some analysis [2]). The PATRIOT Act comes to mind and also the experiences of secure mail services in the United States, including Edward Snowden’s E-mail provider. When Groklaw shut down, citing concerns over NSA spying, it recommended that people adopt Kolab, which is based in Switzerland. It should be emphasised that Switzerland harbours privacy not because of humanitarian interests but because of national interests. For domestic prosperity it facilitates international crime (tax evasion from all nations) and wishes to guard the criminals.

The problems with TrueCrypt are not new to us; I very much predicted what the news insinuates and I had received flack for saying so. TrueCrypt has been thoroughly and even successfully openwashed based on some odd kind of marketing angle; those close to the project know better how it works and if an audit which is not transparent is needed for TrueCrypt, then we should quickly realise that the build process and some components are wrapped in a riddle/mystery. The very core of the problem, including its build process, are very crucial. The announcement from TrueCrypt was as vague — not transparent — as the project itself.

Now it is widely known that TrueCrypt gave an illusion of privacy, which is in many ways worse than having no privacy at all because there is impact on users’ behaviour. We may never know how many people have gone to jail or were killed because of TrueCrypt’s false promise.

FOSS-hostile sites try to spin that as an issue with FOSS even though it’s not FOSS. One source states: “The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world–after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai’i.”

Snowden uses Debian GNU/Linux (Tails) and the main reporter he worked with, Glenn Greenwald, only recently dumped Microsoft Windows and moved to GNU/Linux.

There has been a lot more coverage about it [1, 2], including the usual scaremongering by Mr. Goodin, who wrote about it not once but twice, saying: “One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn’t safe to use.”

Goodin’s colleague wrote about it as well. They are really milking this cow and the best known CIA-linked news site asked: “Is this the end of popular encryption tool TrueCrypt?”

The plutocrats’ press, Forbes, called it “Open Source” (in the headline), so it can’t even get its basic facts right:

Over the past 24 hours the website for TrueCrypt (a very widely used encryption solution) was updated with a rather unusually styled message stating that TrueCrypt is “considered harmful” and should not be used. If you have not come across TrueCrypt and why it has become so popular see the below section ‘why do people use TrueCrypt’.

Better coverage came from the expected sources, not playing to the tune of FOSS smears (TrueCrypt is proprietary).

Knowing that Microsoft is an NSA partner, Gordon in our IRC channels felt baffled because TrueCrypt is “now recommending bitlocker for windows”, to which Ryan replied: “Proprietary encryption from Microsoft that was designed in partnership with the NSA…”

Microsoft is talking to British police about encryption. When I wrote about this nearly a decade ago Microsoft staff were using personal insults against me, only later (much later) to realise that I was right. Sean Michael Kerner calls TrueCrypt “Open-Source” (with a dash) when he writes: “The other challenge facing TrueCrypt is the simple fact that there are many other disk-encryption technologies now available. On Microsoft’s Windows operating system in particular, which was a key target platform for TrueCrypt, versions of Windows after Windows XP include support for Bitlocker, which performs a similar function. In addition, there are multiple file-encryption technologies available, including, FileVault for Mac, DiskCryptor for Windows and Luks for Linux.”

Proprietary operating systems are not compatible with encryption for the same reason that proprietary hypervisors are not. If the NSA can infiltrate the lower layer (e.g. VM host, OS, BIOS) through back doors, then the rest (what’s above) is almost automatically compromised. No sane developer would recommend anything that’s proprietary for security and privacy. Don’t forget Microsoft's COFEE and CIPAV. Microsoft is very much in bed with spooks and police. Microsoft is an informant without conciousness. Privacy in Windows is not a goal; the contrary is true. One Linux/BSD site thinks that TrueCrypt is now “dead” and there is the following statement about the software licence:

Based on the wording of its license, there was always a question mark surrounding the open source-ness of Truecrypt. But that’s not the topic of this brief article. What prompted me to write this is an article that appeared in the Washington Post suggesting that TrueCrypt may have seen its last days as an (“open source”) software project.

Just remember that TrueCrypt is not FOSS.

There is another project whose software licence was blamed for lack of participation and oversight. The OSI’s President blamed the licence. That project was OpenSSL, which is now scrambling to get some more money. The Economist makes FUD out of it while other sites take a more objective approach [4-15]. Remember this: if the project is not quite as open or free as it wants people to believe, then it might not be worth trusting. We never trusted TrueCrypt.

Related/contextual items from the news:

  1. TrueCrypt Not Dead, Forked and Relocated to Switzerland

    The development of TrueCrypt, an open source piece of software used for on-the-fly encryption, has been terminated and users have been advised not to use it because it is not secure enough. Now, it seems that another team of developers have forked the software and rebased it in Switzerland.

  2. Death (?) And Rebirth!
  3. TrueCrypt, An Open-Source Whole-Disk Encryption System, Leaves Users High And Dry
  4. Tough Love for the Encryption Software That Was Compromised by Heartbleed
  5. CII announces 2 full-time devs and a security audit for OpenSSL
  6. Heartbleed: Linux Foundation hires dynamic duo to fix OpenSSL
  7. Linux Foundation throws money at OpenSSL staffing post-Heartbleed
  8. The Linux Foundation’s Core Infrastructure Initiative Announces New Backers, First Projects to Receive Support and Advisory Board Members

    The Core Infrastructure Initiative (CII), a project hosted by The Linux Foundation that enables technology companies, industry stakeholders and esteemed developers to collaboratively identify and fund open source projects that are in need of assistance, today announced five new backers, the first projects to receive funding from the Initiative and the Advisory Board members who will help identify critical infrastructure projects most in need of support.

  9. The Linux Foundation Assigns Two Full-Time Developers to Work on OpenSSL
  10. LF Announces New Backers, Projects For Core Infrastructure
  11. Linux Foundation adds more Internet protocols to its protection list
  12. Everyone uses OpenSSL, but nobody’s willing to fix it — except the Linux Foundation
  13. Linux Foundation flings two full-time developers at OpenSSL

    The Linux Foundation’s new elite tech repair team has named its initial areas of focus as it works to find and seal holes in widely-used open source software.

    The Linux Foundation announced on Thursday that members of the “Core Infrastructure Initiative” (CII) will dedicate resources to working on the Network Time Protocol, OpenSSH, and OpenSSL to hunt down and fix flaws in the tech that helps tie the internet together.

    “All software development requires support and funding. Open source software is no exception and warrants a level of support on par with the dominant role it plays supporting today’s global information infrastructure,” said Jim Zemlin, the executive director of the Linux Foundation.

  14. Corporations put their cash where their open source security is

    OpenSSL and Open Crypto Audit Project are the first open source projects to receive funding from the Core Infrastructure Initiative.

  15. The Linux Foundation Draws Backers and Funds to Tackle Tech Problems
Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Why Authorities in the Netherlands Need to Strip the EPO of Immunity and Investigate Fire Safety Violations

    How intimidation and crackdown on the staff representatives at the EPO may have led to lack of awareness (and action) about lack of compliance with fire safety standards



  2. Insensitivity at the EPO’s Management – Part IX: Testament to the Fear of an Autocratic Regime

    A return to the crucial observation and a reminder of the fact that at the EPO it takes great courage to say the truth nowadays



  3. For the Fordham Echo Chamber (Patent Maximalism), Judges From the EPO Boards of Appeal Are Not Worth Entertaining

    In an event steered if not stuffed by patent radicals such as Bristows and Microsoft (abusive, serial litigators) there are no balanced panels or even reasonable discussions



  4. EPO Staff Representatives Fired Using “Disciplinary Committee That Was Improperly Composed” as Per ILO's Decision

    The Board of the Administrative Council at European Patent Organisation is being informed of the union-busting activities of Battistelli -- activities that are both illegal (as per national and international standards) and are detrimental to the Organisation



  5. Links 23/4/2017: End of arkOS, Collabora Office 5.3 Released

    Links for the day



  6. Intellectual Discovery and Microsoft Feed Patent Trolls Like Intellectual Ventures Which Then Strategically Attack Rivals

    Like a swarm of blood-sucking bats, patent trolls prey on affluent companies that derive their wealth from GNU/Linux and freedom-respecting software (Free/libre software)



  7. The European Patent Office Has Just Killed a Cat (or Skinned a 'Kat')

    The EPO’s attack on the media, including us, resulted in a stream of misinformation and puff pieces about the EPO and UPC, putting at risk not just European democracy but also corrupting the European press



  8. Yann Ménière Resorts to Buzzwords to Recklessly Promote Floods of Patents, Dooming the EPO Amid Decline in Patent Applications

    Battistelli's French Chief Economist is not much of an economist but a patent maximalist toeing the party line of Monsieur Battistelli (lots of easy grants and litigation galore, for UPC hopefuls)



  9. Even Patent Bullies Like Microsoft and Facebook Find the Patent Trial and Appeal Board (PTAB) Useful

    Not just companies accused of patent infringement need the PTAB but also frequent accusers with deep pockets need the PTAB, based on some new figures and new developments



  10. Links 21/4/2017: Qt Creator 4.2.2, ROSA Desktop Fresh R9

    Links for the day



  11. At the EPO, Seeding of Puff Piece in the Press/Academia Sometimes Transparent Enough to View

    The EPO‘s PR team likes to 'spam' journalists and others (for PR) and sometimes does this publicly, as the tweets below show — a desperate recruitment and reputation laundering drive



  12. Affordable and Sophisticated Mobile Devices Are Kept Away by Patent Trolls and Aggressors That Tax Everything

    The war against commoditisation of mobile computing has turned a potentially thriving market with fast innovation rates into a war zone full of patent trolls (sometimes suing at the behest of large companies that hand them patents for this purpose)



  13. In Spite of Lobbying and Endless Attempts by the Patent Microcosm, US Supreme Court Won't Consider Any Software Patent Cases Anymore (in the Foreseeable Future)

    Lobbyists of software patents, i.e. proponents of endless litigation and patent trolls, are attempting to convince the US Supreme Court (SCOTUS) to have another look at abstract patents and reconsider its position on cases like Alice Corp. v CLS Bank International



  14. Expect Team UPC to Remain in Deep Denial About the Unitary Patent/Unified Court (UPC) Having No Prospects

    The prevailing denial that the UPC is effectively dead, courtesy of sites and blogs whose writers stood to profit from the UPC



  15. EPO in 2017: Erroneously Grant a Lot of Patents in Bulk or Get Sacked

    Quality of patent examination is being abandoned at the EPO and those who disobey or refuse to play along are being fired (or asked to resign to avoid forced resignations which would stain their record)



  16. Links 21/4/2017: System76 Entering Phase Three, KDE Applications 17.04, Elive 2.9.0 Beta

    Links for the day



  17. Bristows-Run IP Kat Continues to Spread Lies to Promote the Unitary Patent (UPC) and Advance the EPO Management's Agenda

    An eclectic response to some of the misleading if not villainous responses to the UPC's death knell in the UK, as well as other noteworthy observations about think tanks and misinformation whose purpose is to warp the patent system so that it serves law firms, for the most part at the expense of science and technology



  18. Links 20/4/2017: Tor Browser 6.5.2, PacketFence 7.0, New Firefox and Chrome

    Links for the day



  19. Patents on Business Methods and Software Are Collapsing, But the Patent Microcosm is Working Hard to Change That

    The never-ending battle over patent law, where those who are in the business of patents push for endless patenting, is still ongoing and resistance/opposition is needed from those who actually produce things (other than litigation) or else they will be perpetually taxed by parasites



  20. IAM, the Patent Trolls' Voice, is Trying to Deny There is a Growing Trolling Problem in Europe

    IAM Media (the EPO's and trolls' mouthpiece) continues a rather disturbing pattern of propaganda dressed up as "news", promoting the agenda of parasites who drain the economy by extortion of legitimate (producing) companies



  21. The Patent Microcosm Keeps Attacking Every Patent Office/System That is Doing the Right Thing

    Patent 'radicals' and 'extremists' -- those to whom patents are needed solely for the purpose of profit from bureaucracy -- fight hard against patent quality and in the process they harm everyone, including individual customers



  22. Another Final Nail in the UPC Coffin: UK General Election

    Ratification of the UPC in the UK can drag on for several more years and never be done thereafter, throwing into uncertainty the whole UPC (EU-wide) as we know it



  23. Links 19/4/2017: DockerCon Coverage, Ubuntu Switching to Wayland

    Links for the day



  24. Links 18/4/2017: Mesa 17.0.4, FFmpeg 3.3

    Links for the day



  25. Patents Roundup: Microsoft, Embargo, Tax Evasion, Surveillance, and Censorship

    An excess of patents and their overutilisation for purposes other than innovation (or dissemination of knowledge) means that society has much to lose, sometimes more than there is to gain



  26. How I Learned that Skype is a Spy Campaign (My Personal Story) -- by Yuval Levental

    Skype is now tracking serial numbers, too



  27. Links 17/4/2017: Devil Linux 1.8.0, GNU IceCat 52.0.2

    Links for the day



  28. EPO Patent Quality and Quality of Service Have Become a Disaster, Say EPO Stakeholders

    Stakeholders of the EPO, in various sites that attract them, are complaining about the service of the EPO, the declining quality of patents (and the rushed processes), including the fact that Battistelli's blind obsession with so-called 'production' dooms the already-up-in-flames EPO and makes it uncompetitive



  29. IAM is a Think Tank for Patent Trolls, Software Patents, the EPO, Microsoft, and Whoever Else is Willing to Pay

    The site where you get what you pay for continues to promote highly damaging agenda, which threatens to disrupt operations at a lot of legitimate companies that employ technical people



  30. An Australian Patent Troll, Global Equity Management (SA) Pty Ltd (GEMSA), is a Bully Not Just in the Patent Sense, Explains the EFF

    The mischievous troll GEMSA, which doesn't seem to get enough out of bullying real companies, is now attacking a civil rights group's free speech rights


CoPilotCo

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

CoPilotCo

Recent Posts