TrueCrypt Hacked - Alternativescmp.20140719
2. Alternatives So Far
1. IntroductionTo be clear, my definition of "hacked," is a little different than most people's. So, when I say TrueCrypt has been "hacked," I have gotten several of my friends upset! "Hack" = "Copy/Paste". It is the "old-school" form of "code reuse," where we hacked parts of code from one program/version, and pasted it into another.
"Hi-Jacking" software is pretty much the same thing, but where you take the ENTIRE code base, reuse it, add your own functionality, and redistribute it as the original.
It goes without saying that the encryption algorithms used by TrueCrypt in the past are "robust," "Enterprise", and even "Military" grade. There were, though, questions regarding legacy code, dead code, etc, that hadn't been audited in a while.
TrueCrypt has become compromised because people are distributing unofficial "new" and "old" versions of TrueCrypt based off of previous source code branches. The published SHA Hashes no longer match these new releases, (a SHA Hash is a kind of security token that was used to validate previous versions that were audited).
This is especially signficant, for me, in the instances of people using rooted Android operating systems on mobile phones and tablets with customized TrueCrypt support, (custom APK installation packages, including Cerberus, (which has not been affected to my knowledge)).
What this means: people, (organizations and even governments), are able to modify the old code, inject whatever logic they want, and distribute it on "alternative" download sites since the originial source code is now unmaintained.
This lures users into a "false sense of security," believing that the version of TrueCrypt that they have is the "Latest and Greatest," even though these releases have the very high potential of having malware and spyware injected.
2. Alternatives So FarWhat can I say? TrueCrypt was awesome. Its features including file containers, hidden volumes, portability, etc, are very hard to find in the market.
2.1 BitLockerI have been experimenting with this for a couple of weeks. It should go without saying that this appears to be an absurd alternative, prima facie, in view of portability, Android devices, Linux, etc, but I had to try to see if I could find a solution--especially given its integration with the TPM, (Trusted Platform Module).
So, BitLocker "out of the box," secures your drive--if it is removed from the host computer. And, you have to use a boot pin, to help ensure it is secured even if there is access to the Host Computer.
All of that being said, there is a reliance on Windows, and Microsoft making sense--for once.
Which of course ... So, I updated device drivers, on the System partition. Now, Windows requires the full recovery key, not just the pin, to update these drivers, and System Startup. Quite the hassle. More-so, if these drivers are new security drivers, (and unsigned), like the encryption drivers used by DM-Crypt, (FreeOTFE), etc.
Ruled Out Because: Reliance on Windows O.S., Microsoft Design Decisions, No Support by third parties, (Linux/Android/OSX), and needlessly complex for users, (the process for enabling a Boot Pin, (which is a very common Use Case), requires all sorts of non-intuitive security policy hacks.
2.2. Luks / DM-Crypt / FreeOTFEUnsigned drivers are plaguing this solution on Windows. That, and I also had BitLocker running ... So, its fair to say I set myself up for failure on this one.
I have been able to integrate DM-Crypt with the TPM on Linux Systems. But I have not managed to get this to work with FreeOTFE yet.
Will hopefully update sometime in the future!