Forgot your password?
typodupeerror
Data Storage Encryption IT

Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt 75

Posted by timothy
from the turning-a-ship-takes-a-while dept.
An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?
This discussion has been archived. No new comments can be posted.

Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt

Comments Filter:
  • If it ain't broke? (Score:5, Insightful)

    by Anonymous Coward on Saturday June 14, 2014 @04:21PM (#47237677)

    Why not use it until you HAVE to find an alternative. I mean the audit of 7.1a is not even done yet.

    software != fruit

  • AWS Email (Score:5, Informative)

    by darkain (749283) on Saturday June 14, 2014 @04:24PM (#47237691) Homepage

    13 hours ago, Amazon / AWS sent out the following email:

    Dear Amazon S3 Customer,

    Amazon S3 now supports server side encryption with customer-provided keys (SSE-C), a new encryption option for Amazon S3. When using SSE-C, Amazon S3 encrypts your objects with the custom encryption keys that you provide. Since Amazon S3 performs the encryption for you, you get the benefits of using your encryption keys without the cost of writing or executing your own encryption code.

    Until now, in order to use your own encryption keys, you needed to encrypt your data client-side prior to uploading them to Amazon S3. With SSE-C, you now have the option to securely store your data using keys that you manage, without having to build client-side encryption infrastructure.

    To use SSE-C, simply include your custom encryption key in your upload request, and Amazon S3 encrypts the object using that key and securely stores the encrypted data at rest. Similarly, to retrieve an encrypted object, provide your custom encryption key, and Amazon S3 decrypts the object as part of the retrieval. Amazon S3 doesn't store your encryption key anywhere; the key is immediately discarded after S3 completes your requests.

    You can learn how to use SSE-C today by visiting "Using SSE with Customer-provided Keys" in the Amazon S3 Developer Guide.

    Sincerely,
    The Amazon S3 Team

    • Re:AWS Email (Score:4, Insightful)

      by jcochran (309950) on Saturday June 14, 2014 @04:43PM (#47237773)

      Gee. Send the data in the clear along with an encryption key so it's stored at the remote site in an encrypted form. There's no way that a NLS will allow for the interception and disclosure of the key is there?

      Frankly, that "solution" is a rather poor one at best and far too likely to give the customer a sense of security while in reality their data is totally accessible.

      • by tehlinux (896034)

        So, as the email said, just "encrypt your data client-side prior to uploading them to Amazon S3"

      • This encryption is about protecting data against theft of storage, or accidental loss of unwiped storage due to for instance upgrading hardware by Amazon and disks not being wiped/destroyed before they are sent off to be recycled. At the time that you are actually working with your data, it will be unencrypted and the keys to unencrypt will have to be on their systems. That means there is no way you can have your processing in the cloud happening without working with unencrypted data.

        By not having Amazon u

      • by drolli (522659)

        It is fine that they introduced it. It protects against very specific things:

        a) S3 data in there to stay, probably for many decades. To me it is a difference if all S3 data is unencrypted if there is a bug in the system at some point, or a new insitutional requirement in the future, or just the data which is accessed during the unfixed bug or after the change in laws.

        b) One more layer of safety is never bad. You can use this to transport the key safely to the system of the user and the rest of the requests

      • Security is always a trade-off. Anyone who gives a shit about whether or not AWS has access to the plaintext will encrypt the data prior to transmitting it to AWS.

        The use case where I could see SSE-C being helpful is where a customer has a lot of data to encrypt, and the security requirements are minimal. Rather than the customer using their own CPU resources to perform the encryption/decryption, the customer can offload that work to AWS's servers.

        Another potential use case is one where the customer was ori

    • Does anyone else think this doesn't make any sense?

      So, you give them the key to encrypt your data with, and they couldn't possibly store that key, intercept it or otherwise save it somewhere for later?

      This is pretty much how all of the cloud providers operate though, the moment you hand over the keys to an intermediary its over.

  • Just provide a locally hosted "Amazon Edition" of TrueCrypt for the purpose of setting up import/exports. It's still great software... and sure as heck better than sending data unencrypted.

  • by Anonymous Coward

    Truecrypt code remains available and currently available 7.1a online exactly matches ones I downloaded over past 2-3 years now and then. It is still good (tho the "7.2" version that was recently put out is crippled and should be ignored.)
    It can be obtained at https://www.grc.com/misc/truecrypt/truecrypt.htm
    and matches exactly the ones downloaded over time.

    The code is being formally reviewed (still) and is likely to be picked up by others. Unfortunately one does not make money
    sellig cryptodisk software (I tr

    • by Kkloe (2751395)
      Was it needed in 1979?, only ones I could guess who needed that kind of cryptodisk software would have been governments at most?, as probably most system were closed off and there was no internet to speak of, thus the need for cryptodisk and combined with how slow computers were and the need of disk space thys making cryptodisk deemed a cost that you dont need to put any money into.
      • Was it needed in 1979?, only ones I could guess who needed that kind of cryptodisk software would have been governments at most?

        Corporations need it too. Especially larger ones. Keep in mind that the famous Enigma machines of WW2 were derived from commercial crypto hardware developed for the commercial market, so that corporate headquarters could have secure communications with regional offices, people negotiating contracts at remote locations, etc.

        A lot of espionage is industrial in nature.

    • Jesus Christ, Gibson's writing hasn't changed in fifteen years.

      What's the web equivalent of "chewing the scenery?"

    • by mimino (1440145)

      Unfortunately one does not make money selling cryptodisk software (I tried when I published some back in 1979)

      You should have tried selling cryptoperfocards software back then, disks were not in wide use.

  • by rolfwind (528248) on Saturday June 14, 2014 @04:41PM (#47237767)

    Yeah, sure, use bitlocker as sourceforge says.... because MS totally doesn't open backdoors for the NSA that makes goatse jealous. *snort*

    http://truecrypt.ch/ [truecrypt.ch]

    • by BitZtream (692029)

      ...

      If MS wanted to 'backdoor' you, they wouldn't bother fucking with BitLocker, they'd just do it for ALL VOLUMES, which would catch your mounted TrueCrypt volumes as well.

      If you're using TrueCrypt on Windows, BitLocker is indeed 'just as good' until a flaw is found. They don't NEED a backdoor in BitLocker, they own the kernel which is the place where you would actually want the back door if you were going to do it. TrueCrypt can't save you from a kernel module/driver/service that wants to see all data to

    • by Megol (3135005)

      *Sigh* can you share just one of those backdoors? Or are you just spouting bullshit?

  • Seriously, Amazon.com should have evaluated, selected, and implemented a new encryption system in 24 hours! I am OUTRAGED! /sarcasm

    Shit doesn't happen immediately...

  • by Anonymous Coward on Saturday June 14, 2014 @05:21PM (#47237897)

    Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now. Truecrypt implements encryption in the ONLY way that makes sense- known state-of-the-art mathematical algorithms used against the simplest file system driver emulation, allowing encrypted data to simply exists in monolithic data blocks. No different from Ram Disk and zip-folder technologies, with an encryption front-end. A NIGHTMARE for the full surveillance programs of the NSA/GCHQ.

    Remember, Truecrypt is of no consequence for TARGETED victims of the security apparatus. If you are a true, named, subject of State surveillance, covert cameras, keyloggers, and other simple, cheap hardware solutions will be used to disable your attempts at encryption in the first place. The 'problem' with Truecrypt is that as its use spreads, large amounts of online data go 'DARK' for the security apparatus. The use of Truecrypt is like refusing to connect the NSA designed Kinect2 spy platform to your Xbox One console.

    But, you argue, even so the numbers of Truecrypt users were never going to be THAT significant? Well, while this is kind of true, the reaction to Snowden's revelations was an ever growing general concern about the visibility of private data. Sheeple were rightly learning to absolutely distrust all solutions from corporations- and pressure was growing to create more publicly friendly equivalents to systems like Truecrypt. To consider a parallel, take Ad-Block. Large numbers of people ONLY began using Ad-Block, because the online ad business, even on the largest web-sites, adopted the most abusive, anti-user practices imaginable. Of late, the most mainstream sites have all been responsible for using browser exploits to deliver illegal trojan code package to unsuspecting users. And when people complain, these disgusting companies all say "don't blame us, blame the ad-serving services we use".

    The consequence of the 'Wild West' of online ads is more people want to block the whole damned industry (and rightfully so). And the same now applies to encryption. More and more people want to fight back against the obscenity of the FULL SURVEILLANCE society. And the NSA wants these people to fight with 'weapons' the NSA has already ensured are useless.

    It does NOT matter that Truecrypt 'could' have minor, unusual 'vulnerabilities'. All software falls into that category. What matters is that Truecrypt protected files are the greatest pain-in-the-ass for the NSA. Do not let Slashdot's NSA sponsored content tell you otherwise.

    • by swillden (191260)

      Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now.

      Cite?

      I suspect that Truecrypt is secure, but we don't actually have any reason to believe that it doesn't contain one or more weaknesses that give the NSA ready access to Truecrypt volumes. And even if it is secure, we don't have any specific reason to believe it's their number one target.

    • by NReitzel (77941)

      Nice comment, until the end when you found it mandatory to take a shot at Slashdot's reporting as anti-Truecrypt advocacy.

      Giveth us all a break.

    • by drcagn (715012)

      Or maybe TrueCrypt is really compromised and your post is NSA-sponsored, in an effort to get people to feel secure using TrueCrypt when really the NSA can read it all.

      Hmmm.... We really don't know.

      • by Megol (3135005)

        Does that matter when we are all perhaps living in a computer simulation? We really don't know that either...

  • Does anyone now think that an NSL was not behind the shutdown of TrueCrypt? Really? The fact that the developers have not come forward and the hillarious suggestion to use bitlocker.

    The results are likely to negative for the USA -- think of Americans travelling in Asia, with laptops on which the data is encrypted using systems which are likely to have backdoors.

    That's why the defenders of the NSA are wrong -- even if you accept the privacy violations, the net result is reduction in security. Even with
    • by BitZtream (692029)

      On Windows, BitLocker is just as secure as TrueCrypt. Well, assuming there are no massive unintended flaws in BitLocker.

      If you want to get around BitLocker, you don't bother exploiting BitLocker, you just install a kernel driver that filters ALL read/writes to volumes, this would be just as effective against TrueCrypt as it is against BitLocker.

      MS doesn't need to provide a back door for BitLocker, a back door for mounted volume IO is FAR more useful since it leaves BitLocker untainted and it would catch an

      • by whoever57 (658626)

        On Windows, BitLocker is just as secure as TrueCrypt. Well, assuming there are no massive unintended flaws in BitLocker.

        Just to clarify your statement above -- you are saying that neither TrueCrypt nor Bitlocker is secure on Windows and both can easily be compromised on Windows?

      • If you want to get around BitLocker, you don't bother exploiting BitLocker, you just install a kernel driver that filters ALL read/writes to volumes, this would be just as effective against TrueCrypt as it is against BitLocker.

        On Windows you don't even need to do that. Detours [microsoft.com] gives you the ability to intercept any API call you'd like. Hook the appropriate file I/O calls, and you're done, no compromised drivers needed. Of course, there are ways to determine that the calls have been detoured, but there
      • On Windows, BitLocker is just as secure as TrueCrypt. Well, assuming there are no massive unintended flaws in BitLocker.

        Consiring that MS tends to release software with "unintended" flaws numbering in the thousands, that eases my mind about the security of bitlocker.

      • On Windows, BitLocker is just as secure as TrueCrypt. Well, assuming there are no massive unintended flaws in BitLocker.

        Or an intended back door. You seem to be envisioning an "evil maid" scenario, where the NSA/FBI/whatever installs software on your computer that monitors it as you use it. In that case, no, nothing's secure. In the case where the LEOs have your hard disk, and are trying to read it, having a way to monitor disk reads/writes is useless. What is useful is a way to crack the encryption w

  • by Tolvor (579446) on Saturday June 14, 2014 @11:43PM (#47239015)

    TrueCrypt was trusted because the source code is/was open source, the binaries could be checked, it used respected algorithms, and had few flaws. Yes, there was minor fixes that could be done to make it more secure, and there are methods to defeat the keys (Flash freezing the ram chips in the computer to preserve the stored keys is one). But TrueCrypt reigned supreme with the cost-reputation-cryptostrength score.

    Of course, according the (canary) Truecrypt homepage it recommends BitLocker by Microsoft, which few people take seriously. Microsoft recently peeked at its employees private hotmail account, and is known to include features in its OS to make NSA happy as well as copyright holders.

    What alternative is there to TrueCrypt?

  • So the old project is done. Stick a fork in it, grab the source, and spin another.

  • You guys are aware that TCnext exists, a new effort to keep the software alive based in Switzerland.

    You can get there via truecrypt .ch

    The source code for TrueCrypt 7.1a is available for download, and there are various forums where we're discussing the implementation, how to proceed, where to take the project, future audits, and so on.

    Last, the general consensus is that 7.1a is "safe enough for our current needs based on what we know". Many of us in that community also feel the 7.2 shutdown in a hurry was

    • You guys are aware that TCnext exists, a new effort to keep the software alive based in Switzerland.

      You can get there via truecrypt .ch

      Hmmm. How do we know that people behind TCnext aren't the NSA?

      • by ciurana (2603)

        We don't - beyond peer reviewed code, and they're on board with continuing the independent audits and such.

        Contribute to the project and find out -- let's weed them feds out!

        Cheers!

    • by ciurana (2603)

      Sorry - one more thing: there are also known (based on pre-existing signatures) binaries ready for download, if that's your cup 'o tea. So, given where the audit is (to which I'm also a financial supporter) and what we know... OKi for now, let's keep the project alive.

      "You can't stop the signal, Mal."

    • by sshir (623215)
      Actually ( and surprisingly) Swiss have bad reputation when it comes to all things crypto. Google "Crypto AG"...
  • Not only Amazon but Steve Gibson as well as many other and myself TRUST Truecrypt more than ever. I mean the whole things is so amateurish by redirecting to BitLocker where the MAJORITY of windows users do not have access to and must UPGRADE. A money grab as a bonus for this disinformation campaign? There is nothing magical about encryption. Encryption as been around before the personal PC. It is based on scrambling of characters via a KEY. All encryption software works the same way. There is no such thing

Are you having fun yet?

Working...