Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?
Posted on 14 August, 2010
Truecrypt domain registed with a false address
----------------------------------------------
The domain name “truecrypt.org” was originally registered to a false address
(“NAVAS Station, Antarctica”), and was later concealed behind a Network
Solutions private registration.
Truecrypt developers identity hidden
------------------------------------
The TrueCrypt developers used the aliases “ennead” and “syncon”, but later
replaced all references to these aliases on their website with “The TrueCrypt
Foundation” in 2010. The TrueCrypt trademark was registered in the Czech
Republic under name of “David Tesarík”.
Nobody knows anything about the developers, they do not want to identify
themselves. Everyone likes to be known and congratulated for their great work,
but apparently not Truecrypt developers, they do not care about the glory and
honour and all that comes with it.
Truecrypt developers working for free
-------------------------------------
Closed source full disk encryption competitors like WinMagic, DriveCrypt
(Securstar) and PGP Corporation have a full time team of software developers
working in their products, creating such a product is not an easy feat as any of
them will tell you.
Meanwhile two unpaid Truecrypt developers manage to work on Linux, MAC and
Windows versions, on 32 and 64 versions and support the next Windows 7 as soon
as it has been released, at the same time, presumably, these two Truecrypt
developers also hold full time jobs that pays them a salary to feed their
families and covers their mortgages .
Are closed source full disk encryption software developers overpaid lazy
bastards and Truecrypt developers the finest, most hard working and charitable
software developers on Earth?
Compiling Truecrypt source code increasingly difficult
------------------------------------------------------
Very few people compile the Windows binaries from source; it is exceedingly
difficult to generate binaries from source that match the binaries provided by
Truecrypt (due to compiler options, etc.)
This would be very convenient for a CIA mole, they are more likely to attack the
software implementation other than the algorithm and the best way to do that is
to insert some hard to find vulnerability during packaging. If someone else
compiled the source code their plan would not work.
Truecrypt license contains distribution restrictions
----------------------------------------------------
Truecrypt is released under its own “Truecrypt license”, it is open source but
it contains distribution and copyright-liability restrictions, most major Linux
distributions do not want to know anything about it, Fedora has included
TrueCrypt in its forbidden items list and forked it to RealCrypt instead.
Reference:
http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt
UPDATE 2011: Truecrypt removed from The Amnesic Incognito Live system
The developers of the anonymous live CD called Tails have now decided to remove
Truecrypt from their distribution claiming that development is done in a closed
fashion, the licensing is restrictive and it is not being reviewed by too many
people.
Reference:
https://tails.boum.org/doc/encryption_and_privacy/truecrypt/
Truecrypt open source code has never been reviewed
--------------------------------------------------
Truecrypt’s source code has never been the subject of a thorough review, nor is
there any reason to rely on the credentials of the developers, since they remain
anonymous.
Good thorough code review and testing is hard, tedious and painstaking work,
very few people have the skills to do it, and Truecrypt hasn’t been validated
through a comprehensive review by any qualified cryptographer.
Censorship at Truecrypt forums
------------------------------
As per Truecrypt forum rule 3 you are not allowed to discuss about other
encryption software, as per Truecrypt forum rule 8 you can’t discuss Truecrypt
forks, as per Truecrypt forum rule 9 you can’t discuss software that decrypts
Truecrypt.
You can’t say anything about their competitors and you are not even allowed to
say anything about software that decrypts Truecrypt. If you post any criticisms
or negative comments about their software, you will find that those posts will
mysteriously disappear.
Truecrypt forum rules:
http://forums.truecrypt.org/viewtopic.php?t=1651
Can the FBI crack Truecrypt?
----------------------------
The CIA would never share their intelligence with their FBI puppies unless it is
a real national security matter, terrorism, et al. And they would not want to
kill the cow that produces their milk in a public trial where their capabilities
are revealed.
Furthermore, there has been recently a case of a corrupt Brazilian banker who
has escaped prosecution after the FBI failed to break his fully encrypted disk,
he was using Truecrypt.
Reference:
https://en.wikipedia.org/wiki/Daniel_Dantas
Given those news I do not believe the FBI can crack Truecrypt and unless your
name is Bin Laden you are probably still safe with Truecrypt, even if it has a
backdoor and the FBI seizes your computer.
Alternatives to Truecrypt forums
--------------------------------
Computer security and privacy newsgroups such as alt.privacy.anon-server ;
alt.security.pgp , alt.privacy and alt.scramdisk
Computer and security internet forums such as Wilders Security Forums.
Alternatives to Truecrypt
-------------------------
The only free full disk encryption open source software that I have found and
can rival Truecrypt is Diskcryptor.
Conclusion about Truecrypt reliability
--------------------------------------
Don’t get paranoid, even if you are using Truecrypt I could as well be wrong on
my analysis and it is highly unlikely the CIA will ever come after you anyway.
Everyone has something to hide, but take it easy, you will need to trust some
encryption product in the end and nobody out there knows 100% sure which one is
safe, because what is safe today might not be tomorrow.
Just use the best encryption product according to your opinion and relax, there
is no point in keeping in your head what could happen to you if you got it
wrong, hopefully you did not, and as long as you did your best research on it,
that is all that is needed.
For the record, I still recommend Truecrypt, they are my second choice of full
disk encryption software after DiskCryptor. I am just raising what I believe are
some fair points, because in security, you TRUST NOBODY.
Source:
http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/