Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt 75
An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future.
Infrastructure can be complex to upgrade; how long is reasonable?
More NSA sponsored anti-Truecrypt FUD (Score:5, Interesting)
Truecrypt has been the no.1 target for the NSA and GCHQ for the longest time now. Truecrypt implements encryption in the ONLY way that makes sense- known state-of-the-art mathematical algorithms used against the simplest file system driver emulation, allowing encrypted data to simply exists in monolithic data blocks. No different from Ram Disk and zip-folder technologies, with an encryption front-end. A NIGHTMARE for the full surveillance programs of the NSA/GCHQ.
Remember, Truecrypt is of no consequence for TARGETED victims of the security apparatus. If you are a true, named, subject of State surveillance, covert cameras, keyloggers, and other simple, cheap hardware solutions will be used to disable your attempts at encryption in the first place. The 'problem' with Truecrypt is that as its use spreads, large amounts of online data go 'DARK' for the security apparatus. The use of Truecrypt is like refusing to connect the NSA designed Kinect2 spy platform to your Xbox One console.
But, you argue, even so the numbers of Truecrypt users were never going to be THAT significant? Well, while this is kind of true, the reaction to Snowden's revelations was an ever growing general concern about the visibility of private data. Sheeple were rightly learning to absolutely distrust all solutions from corporations- and pressure was growing to create more publicly friendly equivalents to systems like Truecrypt. To consider a parallel, take Ad-Block. Large numbers of people ONLY began using Ad-Block, because the online ad business, even on the largest web-sites, adopted the most abusive, anti-user practices imaginable. Of late, the most mainstream sites have all been responsible for using browser exploits to deliver illegal trojan code package to unsuspecting users. And when people complain, these disgusting companies all say "don't blame us, blame the ad-serving services we use".
The consequence of the 'Wild West' of online ads is more people want to block the whole damned industry (and rightfully so). And the same now applies to encryption. More and more people want to fight back against the obscenity of the FULL SURVEILLANCE society. And the NSA wants these people to fight with 'weapons' the NSA has already ensured are useless.
It does NOT matter that Truecrypt 'could' have minor, unusual 'vulnerabilities'. All software falls into that category. What matters is that Truecrypt protected files are the greatest pain-in-the-ass for the NSA. Do not let Slashdot's NSA sponsored content tell you otherwise.
Re:AWS Email (Score:5, Interesting)
With truecrypt images, you give them your public key and have authorized their private key to decrypt. With this situation, you send them cleartext data and a private key; they encrypt your private key against theirs, and then encrypt your data against your private key.
So with the first setup, you've got a chain of reputation, segmentation of authority, and only encrypted data going over the wire. In the second setup, you've got no chain of reputation, only a partial segmentation of authority, credentials in memory on the public system, and cleartext on the wire.
So this isn't about the data being decrypted as much as it is about the security of the data in transit, and the security of the credentials used to secure the data.
Think of it this way: in both cases, in order to publish data the publisher needs access to the private key. In one case, that private key is held in private by the author. In the other case, it is held on a public system, and is accessible by anyone able to scrape memory or by anyone with access to the AWS corporate key.
Re:And the problem is? (Score:5, Interesting)
If you're using AWS, your data is unencrypted on their end ANYWAY. Or at least, they have to hold the decryption keys in a way that lets them decrypt it, so its irrelevant to encrypt it unless you just enjoy wasting CPU cycles.
The truecrypt container is only useful when transferring data between your end and the Amazon servers if you're not using an encrypted channel to start with for the transfer.
Considering the situation with truecrypt, ... well, theres nothing really useful to discuss since the only thing known is they stopped maintaining it in a OMGDRAMA sort of way.
Amazon's continued use is a good sign ... (Score:4, Interesting)
Because there are probably known vulnerabilities actively being exploited by government agencies that they were told not to fix.
The TrueCrypt project is not dead, it is open source. It merely has lost its original developers.
An audit of the source code is underway. They are using the source for the last full featured create/read/write version released prior to the current read-only version. I believe they have confirmed the source matches the public binaries and that there are no backdoors. They are currently studying it for vulnerabilities and exploits. When they are finished this audited source code will provide that basis for continued work on the project.
Amazon's continued use is a good sign. Perhaps Amazon and other interested commercial entities will support future work on the project. Much like various commercial entities support the majority of the work on the Linux kernel.
Re:If it ain't broke? (Score:4, Interesting)
The group currently doing the security audit announced their full intent to continue the project. So it hasn't "melted down" any more than MySQL did. Just somebody else taking the reins.
(Just to clarify, I meant MariaDB. I don't count Oracle as "taking the reins". That was more like a stampede over a cliff.)