Encryption Security

TrueCrypt 6.0 Released 448

ruphus13 writes "While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."
  • More filesystems (Score:5, Insightful)

    by toQDuj ( 806112 ) on Tuesday July 08, 2008 @05:39AM (#24097269) Homepage Journal

    Well, I hope that it now supports more filesystems, because mucking about with FAT on MacOS X didn't appeal to me last time.

  • by millwall ( 622730 ) * on Tuesday July 08, 2008 @05:39AM (#24097271)
    I work as a consultant and often use Truecrypt on my USB key in traveller mode on sites where I work. The top thing on my wishlist is to be able to run/install Truecrypt on a Windows machine without admin rights.

    The issue is described in full here [truecrypt.org]:

    [..] In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. [...]

    Full release notes can be found here [truecrypt.org].

  • by TheLink ( 130905 ) on Tuesday July 08, 2008 @05:40AM (#24097283) Journal
    All this crypto stuff only works well if it's part of the default install and config.

    Otherwise users get exposed to "rubberhose cryptography".

    Basically, if all users, even Joe Sixpack, get an encrypted partition by default, then people using crypto will be safe - they have plausible deniability.
  • by TheLink ( 130905 ) on Tuesday July 08, 2008 @05:44AM (#24097321) Journal
    You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

    You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.
  • Sad (Score:5, Insightful)

    by ebonum ( 830686 ) on Tuesday July 08, 2008 @05:54AM (#24097385)

    It's sad. I often travel between the US and China on business (I live on the China side). I've always been careful with sensitive data, but now I'm absolutely fascist. Why? I have no fear of the Chinese government. Besides, I work for a Chinese company. I fear my own country illegally accessing files to which they have absolutely no rights whatsoever.

    Honestly. If someone works for the US government, pulls some CEO's laptop at the border for "inspection" and gets free access to all the company financials, would they do the right thing? How many semi-intelligent people wouldn't be tempted to start buying stock options or call their best friend with a really good "tip"? Even if the SEC investigated, they would never find the link.

    Over the last several years, I've always been treated very respectfully inside China and going to and from. It is in the US, my own country, where I'm treated as if I'm already guilty.

    Back to the topic at hand. TrueCrypt is a wonderful product. Everyone should be using it.

  • by Anonymous Coward on Tuesday July 08, 2008 @06:01AM (#24097441)

    The answer is hidden partition + shemale porn.

    Give out the key to the shemale porn partition. No one would blame you for keeping that under encryption...unless of course, you are in a country where having shemale porn is punishable by death. If you have a girlfriend (big if) take some semi nude photos of you and her. Very private stuff. Reasonable to keep encrypted..

    and so on.

    It's simply a matter of coming up with a good excuse in advance and preparing for it.

    If you *really* are worried about a prison/torture/interrogation situation, just add layers. Like a terrorist who expects to be tortured for information, make up several plausible stories with lots of detail.

    Initially, while you still have your strength you hand out layer after layer of well rehearsed bullshit. When you break, if the internal consistency is good enough the interrogators will have serious trouble determining if you have broken and are now telling the truth, or if you have broken, and are telling them what they want to hear.. or you may not have broken and are feeding another layer of bullshit.

    The drawback of this approach is that you will be tortured even more, but your secrets can remain obscured if not hidden.

  • by TheLink ( 130905 ) on Tuesday July 08, 2008 @06:03AM (#24097451) Journal

    Get a clue.

    Does Joe Sixpack's computer come with Truecrypt? Does it come with a truecrypt container preinstalled?

    The answer is NO.

    So if the wrong people find Truecrypt on your computer guess what happens to you. If you say "Nothing" well: "Wrong answer!". They may give up after a few days of giving you the treatment, but it still means you get the treatment.

    Whereas if everybody had truecrypt AND an encrypted partition, they could a) try to waterboard everyone, b) wait till they have more evidence.

    And that is why I reported this bug/feature request: https://bugs.launchpad.net/ubuntu/+bug/148440 [launchpad.net]

    Encryption must appear to be in _use_ by default by all users, then you get safety in numbers. When even your grandma using Ubuntu has a crypto partition, things are better for the people actually using it.

  • by |DeN|niS ( 58325 ) on Tuesday July 08, 2008 @06:15AM (#24097527)

    Stop being an idiot and read up on it. You can *not* tell. And it certainly does not show up as free space. You can *not* prove OR disprove the existence of another hidden partition. Period. "Trained to look for it", oh please.

  • by Jah-Wren Ryel ( 80510 ) on Tuesday July 08, 2008 @06:19AM (#24097551)

    You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

    You should copy the files that you don't mind exposing, to the unencrypted partition of the USB key or a different no crypto USB drive.

    Obviously his specific use for truecrypt is to protect data in transit, should he lose the USB drive.
    I think that's a very common scenario.
    Your 'solution' completely negates the value of that use of truecrypt.

  • by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Tuesday July 08, 2008 @06:22AM (#24097573)

    You don't mind exposing your secrets to a machine you don't have control over (and thus should not trust)? I don't recommend it.

    I'm not the OP, but this is being sillily unreasonable.

    For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely. But if I'm walking back and forth with my USB key most days, the major threat is me leaving the key sitting on the bus seat or something like that, not information being stolen while I'm on the work computer.

    It's not like just because you don't control a computer you don't trust it at all, or that just because something is in a TrueCrypt volume it's extremely sensitive.

  • by patro ( 104336 ) on Tuesday July 08, 2008 @06:24AM (#24097579) Journal

    "There is no way of knowing if that second hidden volume exists unless you have both passwords."

    Plausible deniability is not really working here, since it is one of TrueCrypt's main features, so if one has TC installed then it's pretty obvious he wants to hide something.

    If one installs TC by choice then he surely doesn't do it just to have it eat up some unused harddisk space.

  • Independence day? (Score:5, Insightful)

    by Atti K. ( 1169503 ) on Tuesday July 08, 2008 @06:40AM (#24097683)

    While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend.

    That might not be just a coincidence.

  • by auric_dude ( 610172 ) on Tuesday July 08, 2008 @06:46AM (#24097697)
    I followed this back to the Ubuntu bug report 148440 and see that a comment has been added https://bugs.launchpad.net/ubuntu/+bug/148440/comments/4 [launchpad.net] that I think says it all.
  • by Splab ( 574204 ) on Tuesday July 08, 2008 @06:52AM (#24097737)

    You know, if law enforcement "fucked up your volume" as you so nicely put it, they have just destroyed whatever evidence you were trying to hide. So why would anyone using true crypt have a problem with that?

  • by Atti K. ( 1169503 ) on Tuesday July 08, 2008 @06:52AM (#24097739)

    For instance, I don't have admin rights on the computer in my office. So maybe I don't want to trust this computer entirely.

    I do have admin rights to my computer at the office, but I don't trust it 100%. Why? Because any network admin in the company also has admin rights on it. And of course it was not installed by me, and runs some of their custom stuff...

  • by mrvan ( 973822 ) on Tuesday July 08, 2008 @06:59AM (#24097773)

    AFAIK, yes, if you fill the decoy volume it will kill your hidden volume.

    which makes you wonder how long it'll be until a tool is developed for law enforcement specifically designed to fuck up these volumes.

    They can only do that if they've confiscated your laptop *and* acquired your 'decoy' password. At that point, your only concerns are they not getting your data and you being able to deny the data is there in the first place.

    Somebody deleting all your sensitive files is not a bad thing to happen at that point.

  • by Minwee ( 522556 ) <dcr@neverwhen.org> on Tuesday July 08, 2008 @07:00AM (#24097785) Homepage

    I have no hidden volume. I use truecrypt as a simple and easy way to keep my clients personal data secure.

    No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

    Still don't want to talk? Maybe you just need a little more electricity.

    We'll stop when you are able to prove to the nice men who are protecting your country that you _don't_ have a hidden encrypted partition, and then they will let you go.

  • by Capt. Skinny ( 969540 ) on Tuesday July 08, 2008 @07:08AM (#24097835)
    True, a lot of comments here refer to hypothetical situations using over-generalized terminology. But worrying about being forced to give out your password is indeed a legitimate concern.

    ebonum describes one example in his "Sad" comment, although his specific concerns probably don't apply to very many of us. A more likely example, however, is if you become the target of a civil suit or a suspect in a criminal case; if (in the US) your computer equipment is seized by law enforcement and they ask for your encryption password, you could face additional criminal charges if you don't give it to them. Now, suppose that you're innocent, or don't feel like rolling over for a tort claim made with malicious intent. Do you really want to hand over all your private data to some cop or investigator who has no business accessing it? It's not as unlikely as you may think.

    So yeah, "adversary" is probably a bad word choice, and those who made references to waterboarding are probably fair targets for sarcasm, but the geeks out there are putting together solutions to meet the valid and reasonable needs of the community.
  • by vux984 ( 928602 ) on Tuesday July 08, 2008 @07:09AM (#24097839)

    Unless it has a password that will *securely* wipe the hidden volume when entered, then it only has an illusion of a defence against that which is in reality no more than another example of security by obscurity.

    Worse than that, anyone with half a clue will be working on a clone of the original drive. No point in needlessly potentially damaging evidence. So if you're dealing with someone competent, and who has time on their hands to do things right, a secure erase panic password will buy you nothing.

  • by mrboyd ( 1211932 ) on Tuesday July 08, 2008 @07:13AM (#24097865)
    I have started using TrueCrypt a few months back after my laptop got stolen. I keep two encrypted files on my laptop, one contains my personal stuff like passport scan, bank information etc. and the other the work related important documents such as internal & confidential documents, client information etc. I have buried those files in the system folder and given them names that could pass for system temp files.

    I keep a copy of both on a USB key drive and on an external hard drive which never leave my home. As well as a non-encrypted copy because I'm still wondering what happens to that encrypted file if I happen to have a fucked up cluster on the drive at some point.

    The rationale for using encryption is not that I am afraid of the local authorities, there is nothing on my computer that would cause me any long lasting trouble, despite the fact that I live and work in a limited freedom area (Middle East), but simply to avoid opportunity theft.

    For example I can't recall how many times one of my clients or partners handed me a usb key drive containing all his company's financial statement, bank account number, internal price list with profit margin, internal memo, personal info and the wifey's naked picture so that I could copy them a few documents and then forgot about the keydrive because we kept chatting.

    Sometimes I too need to get some files from them and I don't want to look like I'm watching them while they dig around my keydrive. I now know that everything a casual observer should not see is encrypted so I don't mind throwing my key drive over the table to someone I don't know.

    I don't understand the paranoid people here who believe in plausible deniability, decoy drives and other such things. I also wonder if the same people only use their computers in a safe room with a controlled EM environment and bullet proof shades.
    I didn't know either that so many people carried state secrets around international airports. To those I will say that if the NSA/FSB/Interpol/MI4/Mossad/Mafia or even the local police wants the content of your drive they will get it. period. It doesn't matter what you do. Unless of course you also work for one of the aforementioned in which case you might have been trained to accept that your life is worth less than the content of said drive.

    I have never been subjected to physical or psychological torture (aside from clients and some ex-gf of course) but I am not Jack Bauer and I would "come clean" very quickly. I would give the real password, not the decoy, because I believe consequences would certainly worsen my situation if my interrogators were not convinced.

    I am also pretty sure that the simple sentence: "The accused has so far always refused to give his encrypted drive password." would certainly help convince a jury beyond "reasonable doubt" (In countries where such a thing even exists).
    Some people here should start to seriously look at themselves and wonder if what they are trying to hide is really worth it or if it's just about mommy not finding their downloadable girlfriend picture collection.
  • by TheLink ( 130905 ) on Tuesday July 08, 2008 @07:19AM (#24097901) Journal
    Just change 1) in the original bug report from:

    " Have crypto tools installed by default (if the user does not select the "use of encryption is illegal in my country" checkbox)."

    to

    " Have crypto tools installed by default (if the user does not select the "don't install encryption" checkbox)."

    If the UK courts are going to jail your grandma just because she has an Ubuntu install with a container she has no key to, then I think grandma is living in the wrong country - in the old days the UK courts had the "Reasonable Man" thing, maybe now things have changed.

    I see it more as a bug in the UK law than a bug in my proposal.
  • by subreality ( 157447 ) on Tuesday July 08, 2008 @07:26AM (#24097933)

    I'm not the OP, but this is being sillily unreasonable.

    Not necessarily. Do you consider your data safe in the hands of everyone who has admin rights to the machine? Do they keep the machine patched and secured to a level appropriate for your secrets?

    The answers to these questions depend on your threat model.

  • Non-geek friendly (Score:2, Insightful)

    by Mick Malkemus ( 1281196 ) on Tuesday July 08, 2008 @07:29AM (#24097953)
    I'm not very geeky, but I can use this program. The instructions, which are 117 pages, are pretty straightforward. With hackers (the type I don't respect) becoming more sophisticated by the day, it's nice to know it will take them many years to break my financial information. If they have that type of time, they're probably behind bars.
  • by eht ( 8912 ) on Tuesday July 08, 2008 @07:50AM (#24098119)

    Simple reason why I had seeks to an area that looks empty, it's because I *used* to have files there before I deleted them, then since I'm savvy enough to use Truecrypt, I ran one of those wipe programs that overwrites it with garbage, hence what you see if you look at the drive forensically, garbage.

    I came up with that in the time it took to read your post.

  • If you have to worry about it being torture-proof, you're almost certainly dead anyway.

    All it needs to be, for most people, is audit-proof.

    And for that you need a business case for having it. Porn is probably not a good choice.

  • Re:Sad (Score:4, Insightful)

    by Gulthek ( 12570 ) on Tuesday July 08, 2008 @08:56AM (#24098709) Homepage Journal

    If next time you enter China the border officers did decide they are going to take your laptop away, what could you do about it?

    What could you do if your laptop gets taken at the US border? File a complaint? Woot.

    Chiming in with the GP here, I feel much safer and much better treated going into China than going into the US. There I am treated as though I am an actual person, here I am treated as though I am an annoyance.

    If DHS gets their way, we'll be treated worse than that. DHS wants to require all airline passengers to wear a taser bracelet [washingtontimes.com]

  • by clone53421 ( 1310749 ) on Tuesday July 08, 2008 @09:18AM (#24098951) Journal

    Shares ending in $ are hidden... it's hardly obvious when a new one is created. That said, if someone was adequately nosy (or suspicious), guessing random drive letters might still get them into your new shared volume.

  • Multi-core support (Score:3, Insightful)

    by technienerd ( 1121385 ) on Tuesday July 08, 2008 @09:20AM (#24098967)
    No one seems to be commenting about the new features of this release but simply on TrueCrypt in general. Am I the only one excited about the multi-core/processor support? Finally a piece of systems level software that scales with the number of cores! Makes getting a multi-core processor all the more worthwhile.
  • by pla ( 258480 ) on Tuesday July 08, 2008 @09:33AM (#24099139) Journal
    No, I'm quite positive that you do have a hidden volume. It's where you're storing all of your terrorist secrets, and unless you reveal the password then this ballpeen hammer has a date with your fingers.

    Although you have something of a point, I think all those damned trees have blocked your view of the forest.

    Very, very few of us use TC because we fear having our fingers broken to discover our secrets. We use it to keep client data safe from accidental loss; we use it to store personal info on shared machines at work; we use it to protect our financial records on home PCs from possible compromise. We may even use it to hide some questionably legal material, but generally nothing that will cause us to vanish one night and wake up in Jordan with a date with a rusty drillbit.

    In theory, yes, I absolutely agree with you that easy-to-use encryption should come preinstalled everywhere. In practice, plausible deniability works well enough in the Western world that I simply don't care whether or not the NSA could theoretically detect whether or not I have a hidden TC volume.
  • by jockeys ( 753885 ) on Tuesday July 08, 2008 @10:18AM (#24099717) Journal
    Dear paranoid freaks,
    if you are so concerned about getting captured and tortured for normal/hidden/hidden(hidden)/hidden(hidden(hidden)))/ad nauseam passphrases, then quit having digital copies of your stuff in the first place.

    99% of the TrueCrypt userbase is just fine using it on jump drives to keep stuff secure from the guy who finds it when you lose it on the train/plane/whatever.

    Quit making up impossible "movie scenarios" (there, I used a Schneierism, you HAVE to respect me now!) about how gov't agents are going to come in black helicopters for your fetish vids and the 200 page backstory you wrote for a character you rolled in middle school. No one cares.

    Yours truly,
    -Reality.
  • Re:first (Score:2, Insightful)

    by mikeasu ( 1025283 ) on Tuesday July 08, 2008 @10:47AM (#24100147)
    Not a replacement cipher - Caesar cipher with a shift of 13.
  • by PRMan ( 959735 ) on Tuesday July 08, 2008 @10:59AM (#24100315)

    Since I didn't understand anything you just said, and I'm a C# Programmer who has Ubuntu installed on a few machines, I highly doubt the $10/hour lunk at the airport is going to notice...

  • by Hatta ( 162192 ) on Tuesday July 08, 2008 @01:41PM (#24102949) Journal

    You forget that the US is currently waging war on its own citizens in the form of the War on Drug Users. There are many people out there who are doing nothing but growing plants and consuming them in the privacy of their own home, for whom there is a real risk of government agents with black helicopters taking them and their data. That is the reality we live in.

  • by khellendros1984 ( 792761 ) on Tuesday July 08, 2008 @01:53PM (#24103113) Journal
    The whole point of encryption is to make the algorithms as well-known as possible. After all, *anyone* can create encryption strong enough that they don't know how to break it. What you want is to have the smartest possible people looking at your code, to make sure someone above you hasn't found something sneaky that you didn't think of.
  • by Shihar ( 153932 ) on Wednesday July 09, 2008 @01:55AM (#24112469)

    I think you miss the point of things like multiple passwords with volumes hidden in volumes, and it doesn't involve being able to resist torture. Resisting an audit, legal threat, or annoying security agent is a more likely scenario.

    I would be willing to bet that a non-trivial number of people have something illegal on their computer, from pirated versions of software, "hacking tools", pirated entertainment, pr0n illegal in one country or another, etc. The ability to effectively resist being compelled (with legal threats, not hot irons) to prove you have it is a valuable thing.

    Even something as simple as not wanting to show a border agent your pr0n collection or hiding sensitive data (corporate, personal, embarrassing foot fetish videos) is enough reason to have two passwords. Instead of putting up a stink about how it is unfair or you can't give up customer information, you shrug, give them a password to a clean drive, and even if they were paranoid enough to clone the entire thing they get nothing but a clean system with data hidden in noise that the NSA would struggle to decrypt. Eh, you could fight it out with the border agent, but I personally would rather smile, comply, and feel secure in knowing my company's data and pr0n of my girlfriend is still sitting snuggling amongst some random noise unknown to the border agent.

    If you want to venture off into the slightly more paranoid realm, realize that you might not be encrypting for today. You might be encrypting to defend against an entity (government, corporate, UFOs, whatever) in the future. Forget applying laws retroactively, just imagine over the course of your life, how many computer laws have you broken. If someone was to go back and nail you for each and every single one, how many years in jail and millions of dollars would you be on the hook for? What laws have you violated that are legal in one place and illegal in another? A 16 year old kid who has watched two girls and one cup, has a 2 gig MP3 collection, a foot fetish pr0n collection, and a pirated version of Half Life is probably technically on the hook somewhere for a stoning and a 2 billion dollar fine.

    There are good solid paranoid (OMG the black helicopters) and non-paranoid (I really don't want this border agent to see client information and my wife's nude pictures) reasons to go for crypto. Personally, I think that if you are crossing national borders and have anything on your computer you wouldn't feel happy showing to any client or any security agent of any nation you travel to, you are being a little foolish.
