Analysis: Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?

Truecrypt domain registed with a false address

The domain name “truecrypt.org” was originally registered to a false address (“NAVAS Station, Antarctica”), and was later concealed behind a Network Solutions private registration.

Truecrypt developers identity hidden

The TrueCrypt developers used the aliases “ennead” and “syncon”, but later replaced all references to these aliases on their website with “The TrueCrypt Foundation” in 2010. The TrueCrypt trademark was registered in the Czech Republic under name of “David Tesařík”.

Nobody knows anything about the developers, they do not want to identify themselves. Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it.

Truecrypt developers working for free

Closed source full disk encryption competitors like WinMagic, DriveCrypt (Securstar) and PGP Corporation have a full time team of software developers working in their products, creating such a product is not an easy feat as any of them will tell you.

Meanwhile two unpaid Truecrypt developers manage to work on Linux, MAC and Windows versions, on 32 and 64 versions and support the next Windows 7 as soon as it has been released, at the same time, presumably, these two Truecrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages .

Are closed source full disk encryption software developers overpaid lazy bastards and Truecrypt developers the finest, most hard working and charitable software developers on Earth?

Compiling Truecrypt source code increasingly difficult

Very few people compile the Windows binaries from source; it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt (due to compiler options, etc.)

This would be very convenient for a CIA mole, they are more likely to attack the software implementation other than the algorithm and the best way to do that is to insert some hard to find vulnerability during packaging. If someone else compiled the source code their plan would not work.

Truecrypt license contains distribution restrictions

Truecrypt is released under its own “Truecrypt license”, it is open source but it contains distribution and copyright-liability restrictions, most major Linux distributions do not want to know anything about it, Fedora has included TrueCrypt in its forbidden items list and forked it to RealCrypt instead.

Reference: http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt

UPDATE 2011: Truecrypt removed from The Amnesic Incognito Live system

The developers of the anonymous live CD called Tails have now decided to remove Truecrypt from their distribution claiming that development is done in a closed fashion, the licensing is restrictive and it is not being reviewed by too many people.

Reference: https://tails.boum.org/doc/encryption_and_privacy/truecrypt/

Truecrypt open source code has never been reviewed

Truecrypt’s source code has never been the subject of a thorough review, nor is there any reason to rely on the credentials of the developers, since they remain anonymous.

Good thorough code review and testing is hard, tedious and painstaking work, very few people have the skills to do it, and Truecrypt hasn’t been validated through a comprehensive review by any qualified cryptographer.

Censorship at Truecrypt forums

As per Truecrypt forum rule 3 you are not allowed to discuss about other encryption software, as per Truecrypt forum rule 8 you can’t discuss Truecrypt forks, as per Truecrypt forum rule 9 you can’t discuss software that decrypts Truecrypt.

You can’t say anything about their competitors and you are not even allowed to say anything about software that decrypts Truecrypt. If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear.

Truecrypt forum rules: http://forums.truecrypt.org/viewtopic.php?t=1651

Can the FBI crack Truecrypt?

The CIA would never share their intelligence with their FBI puppies unless it is a real national security matter, terrorism, et al. And they would not want to kill the cow that produces their milk in a public trial where their capabilities are revealed.

Furthermore, there has been recently a case of a corrupt Brazilian banker who has escaped prosecution after the FBI failed to break his fully encrypted disk, he was using Truecrypt.

Reference: https://en.wikipedia.org/wiki/Daniel_Dantas

Given those news I do not believe the FBI can crack Truecrypt and unless your name is Bin Laden you are probably still safe with Truecrypt, even if it has a backdoor and the FBI seizes your computer.

Alternatives to Truecrypt forums

Computer security and privacy newsgroups such as alt.privacy.anon-serveralt.security.pgp , alt.privacy and alt.scramdisk

Computer and security internet forums such as Wilders Security Forums.

Alternatives to Truecrypt

The only free full disk encryption open source software that I have found and can rival Truecrypt is Diskcryptor.

Conclusion about Truecrypt reliability

Don’t get paranoid, even if you are using Truecrypt I could as well be wrong on my analysis and it is highly unlikely the CIA will ever come after you anyway.

Everyone has something to hide, but take it easy,you will need to trust some encryption product in the end and nobody out there knows 100% sure which one is safe, because what is safe today might not be tomorrow.

Just use the best encryption product according to your opinion and relax, there is no point in keeping in your head what could happen to you if you got it wrong, hopefully you did not, and as long as you did your best research on it, that is all that is needed.

For the record, I still recommend Truecrypt, they are my second choice of full disk encryption software after DiskCryptor. I am just raising what I believe are some fair points, because in security, you TRUST NOBODY.

Review: Full disk encryption DiskCryptor v0.7.435.90

Most of you will have heard of Truecrypt, a free an open source hard disk encryption product, there are only another free and open source software for full disk encryption in Windows that I am aware of, DiskCryptor. You can download a 32bit or 64bit version of Diskcryptor depending on your OS.

I tested DiskCryptor using it for full disk encryption of my netbook, an Asus PC901 with a 12GB HDD divided in between two solid state disks of 8GB and 4GB. DiskCryptor is an ideal alternative to encrypt a netbook because netbooks do not have a CD drive and Truecrypt will force you to burn a CD to use system encryption, which DiskCryptor does not.

DiskCryptor cascade algortyhms
DiskCryptor cascade algortyhms

The first thing that impressed me of DiskCryptor is how small it is in size, a little over 500KB, but this comes at a price since the software manual does not come along and you get a link to their website instead.

I was pleased to see DiskCryptor offering a wide choice of encryption algorythms, AES-256, Twofish or Serpent algorithms in XTS mode, all of them seem to be pretty sound algorythms to me, and they can be used on cascade mode as well, VIA Padlock hardware accelaration for encryption and hashing is supported too.

The built-in benchmark shows the top speed with which cryptographic algorithms can perform, but I have to tell you that even on a netbook with a single core Intel Atom processor, regardless of the encryption algortyhm used I noticed no perfomance difference while using the netbook.

DiskCryptor encryption of partition
DiskCryptor encryption of partition

DiskCryptor allows wipe while encrypting, with three, seven or thirty five passes (Guttman method), but wiping a solid state disk like the one Asus Eee PC901 has is not safe, since solid state disks, like thumb drives, use wear levelling technology and the wiping passes are spread evenly accross the disk and not on the same sectors. If you are using a solid state disk, make sure it does not contain any confidential data that an electrons microscope could recover(very expensive to do right now), the only way to do this is by using a new disk, wiping it may fail to sanitize de disk.

With DiskCryptor you also can encrypt an ISO file and then burn it to CD-R/DVD/BD-R , after that you  will only be able to mount the image with DiskCryptor and the correct password/keyfile.

You can also set up a hot key to cause a blue screen of death, if you need to urgently shut down your computer when someone busts into your home unexpectedly this seems the way to go, it is quicker than clicking on the power off button.

The Good Stuff

DiskCryptor works with RAID volumes, you get a wide choice of algorythms, DiskCryptor is easy to use and unlike Truecrypt, it works on netbooks out of the box. DiskCryptor is open source, you can check for backdoors if you have the skills.

The software does not cost you any money, you can customize the boot loader widely, DiskCryptor boot loader customization is far better than Truecrypt, you can choose to install the bootloader on a CD/DVD, set up timeouts, choose if you want to use a QUERTY or DVORAK keyboard, and there is also a Windows live CD BartPE plugin for DiskCryptor.

The Bad Stuff

DiskCryptor should include some basic documentation at the very least, the GUI is easy to use and intuitive but encryption products need to come with instructions, a newbie could easily feel overwhelmed. DiskCriptor is only available for Windows, and there is no choice of hashing algorythms other than the default SHA-512.

There is also no choice of burning a recovery CD in case the boot loader gets corrupted (although you can backup the headers).

DiskCryptor password enter box
DiskCryptor password box

Conclusion

DiskCryptor is an excellent free and open source full disk encryption  alternative to Truecrypt, with a wide choice of encryption algorythms and easy to use, but they need to improve their poor documentation.

Their FAQ states that they are planning to implement a hidden OS in future versions, I think Diskcryptor looks promising and Truecrypt has a worthy competitor.

http://www.diskcryptor.net