Tuesday, April 10, 2012

Truecrypt Safety

From time to time someone asks whether TrueCrypt is really secure (1, 2). I think the concern comes from a legal point of view that is sometimes misunderstood; I will explain that below. From the other point of view, that of the user, TrueCrypt can keep your files safe even from the FBI, provided that you use a strong password: the attacks in the case below were dictionary attacks, which succeed only when the password is a dictionary word or a simple variation of one. There is a well-known case, that of Daniel Dantas. This is from Wikipedia:
"In July 2008, several TrueCrypt-secured hard drives were seized from Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology (INC) tried for five months (without success) to obtain access to TrueCrypt-protected disks owned by the banker, after which they enlisted the help of the FBI. The FBI used dictionary attacks against Dantas' disks for over 12 months, but were still unable to decrypt them."
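To make the "strong password" condition concrete, here is an added example (mine, not code from TrueCrypt or from the case above) of what a dictionary attack against a password-derived header key looks like, and why it fails against a randomly chosen passphrase. The header format, the iteration count, the wordlist and the guess rate are all constructed assumptions; they only mirror the shape of the attack (derive a key from each candidate, test it against a verifier), not TrueCrypt's real on-disk layout.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed stand-in for an encrypted-volume header. This is NOT TrueCrypt's
# on-disk format (assumption: it only mirrors the shape of a header-key check,
# i.e. salt + PBKDF2 + a verifier the attacker can test each guess against).
ITERATIONS = 2000          # assumption: a deliberately small iteration count
MAGIC = b"VOLUME-HEADER-MAGIC"

# Constructed toy wordlist; a real dictionary attack would use millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey", "football",
            "banker", "brasil", "dantas", "secret", "shadow", "master",
            "sunshine", "princess", "welcome", "freedom", "trustno", "hunter",
            "summer", "winter"]

# Mangling rules of the kind password crackers apply to every dictionary word.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "123",
    lambda w: w + "!",
]


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow key derivation: each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_header(password: str) -> dict:
    """Build a header: random salt plus a verifier tag under the derived key."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    check = hmac.new(key, MAGIC, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def header_matches(header: dict, password: str) -> bool:
    """What an attacker does per guess: derive the key and test the verifier."""
    key = derive_key(password, header["salt"])
    candidate = hmac.new(key, MAGIC, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, header["check"])


def dictionary_attack(header: dict, wordlist=WORDLIST, rules=RULES):
    """Try every word under every rule. Returns (password or None, guesses made)."""
    tried = 0
    for word in wordlist:
        for rule in rules:
            guess = rule(word)
            tried += 1
            if header_matches(header, guess):
                return guess, tried
    return None, tried


def random_passphrase(wordlist=WORDLIST, n_words: int = 6) -> str:
    """Diceware-style passphrase: n words chosen with a CSPRNG, joined by '-'."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole space at an (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    weak = make_header("Password123")
    print("weak header cracked as:", dictionary_attack(weak))

    strong = random_passphrase()
    print("strong passphrase:", strong)
    print("dictionary attack on it:", dictionary_attack(make_header(strong)))

    # A 6-word passphrase from a 7776-word Diceware list (assumed list size), at an
    # assumed 10^6 PBKDF2 guesses per second, is far beyond a 12-month campaign.
    bits = passphrase_bits(7776, 6)
    print(f"{bits:.1f} bits -> {brute_force_years(bits, 1e6):.0f} years")
```

The point of the example is the asymmetry: "Password123" falls within a few dozen guesses because it is a wordlist entry plus a common mangling rule, whereas a passphrase of several words chosen at random is never produced by those rules, and the size of its search space (not the cipher) is what makes a twelve-month dictionary campaign hopeless.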
The real concern is from the developer's point of view, well analysed by lawyers from Red Hat. The problem is that, besides being free as in "free beer" and open source, TrueCrypt is not "free as in freedom": you cannot use it as you wish, you cannot charge for copies of a modified version, and you could be sued even if you comply with the license agreement. This discussion explains the license agreement:
These remarks are against v2.5 of the TrueCrypt license:
Section III:
1. d. : This provision requires distribution of source code if you distribute "Your Product". However, it says
To meet this condition, it is sufficient that You merely include the source code with every copy of Your Product that You make and distribute . . . *provided that You make the copies available to the general public free of charge*; it is also sufficient that You merely include information . . . about where the source code can be freely obtained . . . with every copy of Your Product that You make and distribute . . . *provided that You make the copies available to the general public free of charge*.
This is ambiguous, but the best reading of "the copies" seems to refer to "every copy of Your Product that You make and distribute". That therefore means that if you distribute modified versions of TrueCrypt, you cannot charge for copies. That is non-free.
Section VI, Paragraph 2:
The license says:
NOTHING IN THIS LICENSE SHALL IMPLY OR BE CONSTRUED AS A PROMISE, OBLIGATION, OR COVENANT NOT TO SUE FOR COPYRIGHT OR TRADEMARK INFRINGEMENT.
(...)
While Fedora certainly has no intent to commit copyright infringement, our counsel advises that licenses are promises not to sue. If Fedora complies with all of the conditions and/or obligations imposed by this license, we would not be protected from a lawsuit from TrueCrypt. If we cannot rely on this license granting us copyright permissions, counsel advises us that this license is non-free.