About: "WARNING: Using TrueCrypt is not secure"

Posted: Fri Sep 19, 2014 9:16 pm
by user1
Hello,
First, thanks for putting time into this project. I hope it successfully fills in the void left by TrueCrypt.

I am concerned about the security of CipherShed, because of its history as TrueCrypt. TrueCrypt suddenly went offline with the mysterious declaration, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". There was rampant speculation that TrueCrypt shut down as a canary, like Lavabit or Silent Circle shutting down because they don't want to be (as the Lavabit founder said) "complicit in crimes against the American people."

So, as a potential new user of CipherShed:
- Is there any new information regarding how or why TrueCrypt shut down so suddenly?
- What information is available re: those "unfixed security issues"?
- When was the last public security review of the code?


In related news, today there's a story about Apple's Warrant Canary disappearing:
https://gigaom.com/2014/09/18/apples-wa ... t-demands/

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Sat Sep 20, 2014 11:27 am
by Sabbath
Hi, welcome to the forum and CipherShed.

I understand your paranoia, I truly do, I was the same.

My dilemma is, if I take the time to answer your questions, why would you believe what I say?

There is a good programming team here at CipherShed. I particularly like Bill Cox, although he is borderline paranoid himself (joke) he is a methodical and cautious programmer, from what I can see of his work.

All I suggest is that you don't over-agonise about the security of CipherShed. It is good to be a little paranoid, but unless you are a programmer yourself you will always just have to accept other people's word that CipherShed is secure or safe.

There are plenty of skilled people watching CipherShed, I am sure they will shout out loud and clear if they spot something :)

Just keep reading our forums and simply enjoy the security without all the stress and worry :)

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Wed Oct 08, 2014 1:31 am
by webfork
Sabbath wrote:
user1 wrote: I am concerned about the security of CipherShed, because of its history as TrueCrypt.

It is good to be a little paranoid, but unless you are a programmer yourself you will always just have to accept other people's word that CipherShed is secure or safe.

I'd suggest that CipherShed -- like TrueCrypt -- is probably a good security step among (hopefully) others. As the code is open and subject to peer review, it's probably more trustworthy than BitLocker or FileVault. Assuming a security researcher can get famous for cracking the code, that means there's folks out there looking for vulnerabilities.

Still, if you believe Slashdot and the spate of recent credit card hits against Target, Home Depot, and others, "real" security is probably out of reach. Remember the $5 hammer problem XKCD pointed out. :) The most we can probably do is duck most attackers who are not dedicated and/or don't have a huge budget by taking reasonable precautions.

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Mon Oct 27, 2014 3:53 am
by gautier
As a non-maintained application, eventual bugs will not be corrected; this is the reason for the warning. It seems that the project was dumped because of a code licence issue between one of the developers and his ex-company, accusing him of having stolen the code. So the developers just dropped the project: who will bother taking legal risk for a free project?
You can still download TrueCrypt from truecrypt.ch, a site from two of the original developers' group.

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Mon Jan 05, 2015 6:06 am
by nlY_CRtMM9esMVh3TwMp
There was a great talk at DEF CON 22 (Aug 2014) about this by Kenneth White and Matthew Green. If you're interested, you can see the talk on YouTube:

https://www.youtube.com/watch?v=Udsu_Vdw_Q8

Be sure to read the notes under "show more" on that video. As well, there's a site with more up to date info on the topic (updated as of April 14, 2014):

http://istruecryptauditedyet.com/

I'm actually a bit surprised that the CipherShed folks didn't offer this info up front!

Cheers,
-adj

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Thu Jan 08, 2015 3:13 pm
by srg
nlY_CRtMM9esMVh3TwMp wrote: There was a great talk at DEF CON 22 (Aug 2014) about this by Kenneth White and Matthew Green. If you're interested, you can see the talk on YouTube:

https://www.youtube.com/watch?v=Udsu_Vdw_Q8


Ah, thanks for the link. I'll be sure to check it out when I have some time.

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Sat Apr 11, 2015 3:47 pm
by DandDeLion
My take on the TrueCrypt developers' departure message is based on their premise that TrueCrypt users would be as well served by switching to MS BitLocker. This suggests the TrueCrypt devs believe BitLocker is as good a security measure as TrueCrypt, which does not appear to make sense unless, as I suspect, the TrueCrypt devs became aware of something about Windows that the rest of us are not.
As we are now quite sure the TrueCrypt algorithm could not be defeated by conventional cracking tools, there is always the possibility that TLAs "encouraged" MS to find a way to defeat TrueCrypt for them.
The TrueCrypt devs always said TrueCrypt is not secure on a compromised system.
What if Windows is now "a compromised system"?
I wonder if the CipherShed devs have investigated this possibility and perhaps analyzed Windows behavior after TrueCrypt is installed? We would be looking for evidence that Windows captures passwords or encryption keys, and also unexplained internet activity.

Re: About: "WARNING: Using TrueCrypt is not secure"

Posted: Thu Jun 25, 2015 9:49 am
by cryptouser
I consider pressure on MS to introduce code in the OS to defeat TrueCrypt (or any other form of encryption) extremely plausible.
And I am even more certain that MS would have obliged.
I also feel that it is a very good idea to analyze the behavior of more recent versions of Windows when TrueCrypt is being activated.