Episode: 1780
Title: HPR1780: 16 - TrueCrypt and GnuPG - An Update
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1780/hpr1780.mp3
Transcribed: 2025-10-18 09:11:34

---

This is HPR Episode 1,780 entitled "16 - TrueCrypt and GnuPG - An Update" and is part of the series Privacy and Security. It is hosted by Ahuka and is about 15 minutes long. The summary is: GnuPG and TrueCrypt updated, and how we support free software. This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hello, this is Ahuka, welcoming you to Hacker Public Radio and another exciting episode in our Security and Privacy series. What I want to do now is update you on some things involving TrueCrypt and GnuPG. Previously we looked at some of the issues around TrueCrypt and Heartbleed. We noted that a fundamental problem was that technologies we rely on to be safe are often developed and maintained by volunteers or people on a shoestring budget. So we've got a little more news, so it was time to revisit some of this and see where we stand.

Now GnuPG is the GNU Privacy Guard and is a free software implementation of PGP. That makes it pretty darn important to anyone who is a free software supporter and a privacy advocate. The support for this was drying up. GnuPG was started in 1997 by a German software developer named Werner Koch. And he was facing financial problems because donations were falling. In fact, he had resolved to walk away from the project in 2013 because he has a family. They need to eat and so on. But then Edward Snowden put GnuPG in the headlines and it became clear that this was an important technology, so Werner decided not to give up just yet. He started a donation drive, but by November of 2014 it had raised just 7,000 euros, which won't support a family.
Fortunately, Julia Angwin wrote an article on ProPublica that went viral. It was called "The World's Email Encryption Software Relies on One Guy, Who Is Going Broke." I have a link to that article in the show notes so you can take a look. And the response was very gratifying. I know I contributed, and I'm sure many other people did, and money started to come in. But the donation model is not sustainable for most projects. There is a well-known issue of contribution fatigue that happens when people are constantly bombarded with requests to give money. Even the most generous person can only do so much, and we have families too. As the recent flap over elementary OS indicates, demanding contributions can drive people away as well. To really make critical free software work, you need a mechanism to channel funding where it's needed in a predictable way.

Now we made an important step in that direction in response to the Heartbleed problem when the Linux Foundation created the Core Infrastructure Initiative. This is a consortium of top companies such as Google, Microsoft, Facebook, Amazon and many others that contribute funds which can then be allocated to support key infrastructure, like OpenSSL, that so many companies and projects rely on. This matters because the whole idea of free software is that it can provide freely reusable code to solve problems. And this is a way that code can be supported. In the case of GnuPG, this group gave 60,000 for 2015. Then Stripe and Facebook each pledged 50,000 in support. All of this is good. But look at what Werner said in response: "GnuPG does not stand alone. There are many other projects, often unknown to most people, which are essential to keep the free internet running. Many of them are run by volunteers who spend a lot of unpaid time on them. They need our support as well." That is a message we all need to keep in mind. At least for now, though, it looks like GnuPG is on a firm footing.
And Werner plans to add a full-time developer, which should make it even better.

Now, the other thing I want to talk about here is TrueCrypt. This is another key piece of software that many people relied upon to provide file and disk encryption. Though not exactly open source, it was provided free of charge and seemed to do a good job. But legitimate questions were raised about whether it was in fact secure, and developers arranged to have an audit. They had a crowdfunding program to get this going, which I contributed to, and the audit was begun by a team assembled by Matthew Green, a highly respected cryptography researcher at Johns Hopkins University, and someone whose blog I subscribe to; if you want to as well, I've got a link to that in the show notes.

Now, Phase 1 was an analysis of the bootloader. It found a few minor bugs worth fixing, but nothing that suggested any deliberate backdoors or other similarly serious security issues. It was basically a clean bill of health for the bootloader. Phase 2 was to be the analysis of the actual cryptography. But then the TrueCrypt developers shut down the project in a mysterious manner, which raised questions in many quarters about whether they were afraid that something would be revealed. My own view, and it's the view of many people, is that they just got tired of doing it and walked away. But I don't think there is definitive proof of just what exactly was going on. In any case, this raised the question of where TrueCrypt was going and whether the audit would be completed.

As to the audit, we now have an answer from Matthew Green, in a post on his blog on April 2, 2015, entitled "TrueCrypt Report." Go ahead and read this blog post; it isn't that long. There's a link in the show notes. He gives the TL;DR as follows: TrueCrypt appears to be a relatively well-designed piece of crypto software.
The NCC audit found no evidence of deliberate backdoors or any severe design flaws that will make the software insecure in most instances. That is not to say that they found nothing. After all, there is probably no software ever written that does not have some issues in it somewhere. And they found a few, but nothing that would pose a problem for users. You can read his article for more, and that has links to the full report if you want to get into that. I will add that Bruce Schneier has also weighed in with a blog post called "TrueCrypt Security Audit Completed," again with a link in the show notes, regarding these problems. And Bruce says, "Nothing that would make me not use the program, though." So the bottom line is that TrueCrypt 7.1a has been audited. The security pros have gone over it carefully, and they found nothing that should make you stop using the software.

Now, you may ask why auditing a dead piece of software is useful. Well, first of all, we might note that 7.1a is the basis for several forks of the TrueCrypt software. So by association, it might be assumed, pending further results, that if TrueCrypt 7.1a is good, so are the forks. One of the first was a group in Switzerland that created TCnext. Now, to my mind, this looks like just an offering of the TrueCrypt 7.1a software, and perhaps is a stopgap until one of the other options matures. CipherShed is another fork, and it emphasizes on its page that it is both free of charge and free as in speech. It appears to be attempting a gradual refactoring of the TrueCrypt code with their new code, and looks interesting for the long term. But for now, you would probably not want to use it for production. The third one I will mention is VeraCrypt. This looks like it is based on TrueCrypt, with some changes made by the developer, but it looks like it is usable in its current form.
Now, since TrueCrypt in one sense is gone, and the developers show no signs of resurrecting the project, you may want to start looking at these alternatives. The question I have here takes us back to sustainable support. Are these projects going to be relying on volunteers? Will they be asking for donations on their download pages to support themselves? I would worry a bit in that case. What I would really like to see is some kind of model whereby enough funding to keep a core team of developers going is reliably available over time.

Of course, there is also a legal issue involved. The license that TrueCrypt was released under does not permit forking. So any attempt to fork the project could be quickly shut down by a lawsuit. Whether that is likely, I couldn't say. But I would take this into account. Although I cannot give legal advice, I think simply offering people a copy of 7.1a, such as TCnext seems to be doing, is probably okay. And if CipherShed can create an equivalent with their own code, that might be okay, though the fact that they studied the TrueCrypt code to get there might be a factor. In the world of commercial software that is under copyright, you generally need to show that you did a clean-room development without looking at the other party's code to avoid a lawsuit. But I really don't know how this would work in the case of the somewhat eccentric TrueCrypt license. VeraCrypt may be on the shakiest ground, since they seem to be clearly using TrueCrypt code in their product. In terms of personal use, though, you shouldn't have anything to fear from legal issues. So the biggest problem might be that you adopt a product that is later sued out of existence and have to switch again. Of course, given the extreme reluctance of the original developers to do anything in public, are they really likely to launch a copyright lawsuit? My guess is no. But the other factor to bear in mind is that TrueCrypt 7.1a has been audited.
That is a big deal in my book. And it does what you need it to do. If anyone forks the code and starts their own development, will that be as good? Will anyone audit their work? I think for right now I would stick with TrueCrypt 7.1a. Now, Steve Gibson, the noted security guru and host of Security Now, says that the TrueCrypt developers cannot stop the distribution. And in fact, he has it on his website. I've got a link to that in the show notes. It's not just a link to download it; it's also worth going there to read what he says about offering that software. He is basically saying, you can't put something out on the internet and then say you're going to take it back later. The internet doesn't work that way. So it's probably worth taking a look at what he has to say.

So this is our update on these issues. This is Ahuka signing off for Hacker Public Radio and reminding everyone to support free software. Bye-bye.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and it's part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.