The Mysterious TrueCrypt Abandonment

Speaking of TrueCrypt, the open source encryption project was mysteriously brought to a halt last week.  The website URL now redirects to their SourceForge page with a strange message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.  Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images...You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Now, at a glance this is a bit of a confusing statement.

The warning does not indicate that there are any actual security issues.  It is more of a blanket statement to warn users of the possible implications of using any unsupported piece of software.

In fact, since the Heartbleed bug there has been a movement to audit critical open source software to try and catch vulnerabilities.  The Open Crypto Audit Project has already completed a phase 1 audit report of TrueCrypt searching for backdoors.  Phase 2 would include a deeper look at the encryption algorithms and, despite the now abandoned status of the software, I hope it still happens.

Looking back at the above statement, Microsoft support ending for Windows XP doesn’t really have anything to do with TrueCrypt, which is a multi-platform encryption solution.  The only way to really connect these two separate events is that they are both ending support.  Recommending OS-level encryption also seems odd coming from security experts when there are better alternatives out there.

The initial thought is this was a website hack, but I have personally checked the cryptographic signatures on the updated (crippled) version’s files (version 7.2) and everything looks legitimate (i.e., they were released by the same people who released version 7.1a).  Others verify this and now we are left dealing with the reality of it.  Lots of people are reading between the lines and coming up with all sorts of conspiracy theories, but I won’t get into those here.

What it comes down to is that I trust the existing software and their proposed migration does not work for my cross-platform uses.  The latest stable version of TrueCrypt (version 7.1a) was released over two years ago, and has been publicly tested by security experts, law enforcement, and time.  The fact that the NSA has been unable to crack its encryption in court shows just how strong it really is.

People over at truecrypt.ch are organizing a future for users of the TrueCrypt software.  Likely, it will fork into a new project with a new name from this point forward.  I will closely follow security experts, like Steve Gibson of Security Now, for updated information.  But for now I will continue to use my existing TrueCrypt encryption, and hopefully migrate to the new fork in the future.

UPDATE (June 18th, 2014): VeraCrypt is joining hands with truecrypt.ch in working together towards retaining TrueCrypt functionality and improving the project. (source)

Configure Time Machine to Save Backups to a TrueCrypt Volume

Recently I created a TrueCrypt volume on my Drobo array to contain my Time Machine backups on my iMac.  The key benefits that made me go this route:

1) Disk space is pre-formatted and gives me faster write times than writing directly to the Drobo file system.
2) Time Machine max size is limited by the size of the container (easier to manage than command line overrides which can cause headaches as the OS is updated in the future).
3) Many more encryption options than Time Machine gives.

I formatted the TrueCrypt volume to be Mac OS Extended (Journaled), however when completed the Time Machine GUI was unable to select it as a backup disk even when it was mounted.

The solution?  To the command line! Type the mount command and determine the name of the drive that you want to back up to. You should see something like this:

Davids-iMac:~ david$ mount
/dev/disk0s2 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
map -hosts on /net (autofs, nosuid, automounted, nobrowse)
map auto_home on /home (autofs, automounted, nobrowse)
/dev/disk1s2 on /Volumes/Drobot (hfs, local, nodev, nosuid, journaled)
TrueCrypt@osxfuse0 on /private/var/folders/3s/zqga25x17gldc_5chs7qt1ch0000gm/T/.truecrypt_aux_mnt1 (osxfusefs, nodev, nosuid, synchronous, nobrowse, mounted by david)
/dev/disk2 on /Volumes/TimeMachine Drobot (hfs, local, nodev, nosuid, journaled, noowners, mounted by david)

The name of the drive I want is TimeMachine Drobot.  So, I’m going to use this information to add this drive as a TimeMachine destination:

Davids-iMac:~ david$ sudo tmutil setdestination /Volumes/TimeMachine\ Drobot/

Replace /Volumes/TimeMachine\ Drobot/ with the location of your drive.

Double check to see if the destination is correct:

Davids-iMac:~ david$ tmutil destinationinfo
====================================================
Name          : TimeMachine Drobot
Kind          : Local
Mount Point   : /Volumes/TimeMachine Drobot
ID            : 12345678-1234-ABCD-ABCD-1234ABCD1234

If it’s not, you can remove the destination with the tmutil removedestination command.  But assuming everything went correctly you should now see the drive is set up as a backup drive in the Time Machine Preferences GUI.  Simply turn on Time Machine backups, and you should be good to go.
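A pre-backup check for the setup above, as an added example that is not part of the original post: it parses the output of the same two commands (`mount` and `tmutil destinationinfo`) and confirms that a TrueCrypt FUSE mount exists and that the configured destination is actually mounted, including when the volume name contains a space. The function names are hypothetical and the sample text is copied from the terminal output shown above.

```sh
#!/bin/sh
# Added example. Sample text below is copied from the post's terminal output.
SAMPLE_MOUNT='/dev/disk0s2 on / (hfs, local, journaled)
/dev/disk1s2 on /Volumes/Drobot (hfs, local, nodev, nosuid, journaled)
TrueCrypt@osxfuse0 on /private/var/folders/3s/zqga25x17gldc_5chs7qt1ch0000gm/T/.truecrypt_aux_mnt1 (osxfusefs, nodev, nosuid, synchronous, nobrowse, mounted by david)
/dev/disk2 on /Volumes/TimeMachine Drobot (hfs, local, nodev, nosuid, journaled, noowners, mounted by david)'
SAMPLE_DESTINFO='Name          : TimeMachine Drobot
Kind          : Local
Mount Point   : /Volumes/TimeMachine Drobot
ID            : 12345678-1234-ABCD-ABCD-1234ABCD1234'

# Print the "Mount Point" value from `tmutil destinationinfo` output ($1).
dest_mount_point() {
  printf '%s\n' "$1" | sed -n 's/^Mount Point *: *//p' | head -n 1
}

# Print every mount point in `mount` output ($1), keeping embedded spaces.
mount_points() {
  printf '%s\n' "$1" | sed -n 's|^.* on \(/.*\) ([^()]*)$|\1|p'
}

# $1 = `mount` output, $2 = `tmutil destinationinfo` output.
# Succeeds only if a TrueCrypt FUSE mount exists and the destination's mount
# point is mounted. It does not prove which device backs that mount point.
backup_target_ready() {
  dest=$(dest_mount_point "$2")
  [ -n "$dest" ] || { echo "no Time Machine destination configured" >&2; return 1; }
  printf '%s\n' "$1" | grep -q '^TrueCrypt@' \
    || { echo "no TrueCrypt volume mounted" >&2; return 1; }
  mount_points "$1" | grep -Fxq -- "$dest" \
    || { echo "destination not mounted: $dest" >&2; return 1; }
  echo "ready: $dest"
}

# On the Mac itself: backup_target_ready "$(mount)" "$(tmutil destinationinfo)"
backup_target_ready "$SAMPLE_MOUNT" "$SAMPLE_DESTINFO"
```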

Newsletter VS the spam filter.

Ugh.

Over the last while I have been putting together a newsletter service for my photography website.  As with most development, a lot of work went into this to get something simple at the surface level to work just right.  And, again as with most development, unforeseen headaches reared their ugly heads as soon as it was pushed live.

This newsletter service was no exception.  For some email addresses, everything worked perfectly as it should.  For others, confirmation emails were flagged as spam and hidden away in a background folder.  And others wouldn’t receive a darn thing (mysteriously sent e-mails couldn’t be found in either the inbox or the spam folder).

Where to start in debugging this.  Well, if you happen to be going down the same path I was, take my advice and utilize this useful website:
www.mail-tester.com

Simply send it a sample e-mail and it will analyze it in the same way that other email providers will when looking for spam.  Does your subject resemble a lot of known spam subjects?  It’ll warn you about that.  Forgot to set a Sender Policy Framework (SPF) record in your DNS?  Yup, this will remind you too.  DKIM missing?  Bounce e-mail spoofed incorrectly?  Yup, it’ll alert you to those too.

Basically it helps you fix the problems that others might see with your otherwise awesome email.   Problems you might not be aware of otherwise.

Don’t get too frustrated, there’s always a solution! 😛

Springpad to Evernote Migration

Evernote is one of those programs that I had heard a lot about peripherally over the years but never really dived in to explore it myself.  The pile of documents in my Dropbox account however was beginning to get a bit unwieldy, and the traditional file system model just wouldn’t allow me to make the additional links of logic that keywording organization could, so I thought I would finally take a look.

So far I have enjoyed the new-to-me ecosystem, and have made the move to consolidate a few of my other accounts into my Evernote one.  Springpad in particular seems to be one that people are having problems migrating over.

I have written a Python script that saved me and a friend some time, and maybe it can save some of you some time as well.  It’s not perfect, and it takes some organization/editing  once everything is imported to Evernote (due to different APIs), but it is a good starting point.

#!/usr/bin/env python3

import re

def writeNote(noteSubjectParam):
  # Uses the module-level 'note' and 'footer' values set by the loop below.
  origParam = noteSubjectParam

  # Decode the HTML entities that show up in note titles.
  noteSubjectParam = noteSubjectParam.replace("&amp;", "&")
  noteSubjectParam = noteSubjectParam.replace("&#8211;", "-")
  # Replace characters that are not valid in file names. Because '/' and '\'
  # are replaced, a title cannot point outside the current directory.
  for ch in ':;/\\`<>|':
    noteSubjectParam = noteSubjectParam.replace(ch, '-')

  print("Processing: ", origParam, "\n         -> ", noteSubjectParam)

  # Notes that share a title overwrite each other.
  with open(noteSubjectParam + '.htm', 'w', encoding='utf-8') as nf:
    nf.write(note)
    nf.write(footer)

header = ""
headerComplete = False
# Closing markup appended to every generated note file.
footer = """</div>
</body>
</html>
"""
noteStart = False
noteSubject = ""
note = ""
h2re = re.compile('<h2 class="fn">(.*)</h2>', re.IGNORECASE)
i = 0

with open('index.html', 'r', encoding='utf-8') as f:
  for line in f:
    if '<div class="instance' in line:
      # A new note begins here.
      if not headerComplete:
        headerComplete = True
        #Finish header
      if noteStart:
        #Finish note
        writeNote(noteSubject)
      i += 1
      noteStart = True
      note = line
    elif '<h2 ' in line:
      # The note title; search() tolerates leading whitespace on the line.
      m = h2re.search(line)
      if m:
        noteSubject = m.group(1)
    else:
      if not headerComplete:
        header += line
      elif noteStart:
        note += line

if noteStart:
  #Finish last note
  writeNote(noteSubject)

General usage instructions:

  • Save this code to a Python file (eg: pythonSplitScript.py) in its own directory.
  • Download a backup of your Springpad data.  Log in to your account at www.springpadit.com and go Settings -> Services -> Backup to create/download a zip file of your account information.
  • Extract the zip file and you should see an index.html file.  This file has all of your information in it!  Move this file into the same directory as your script so that it can be split into separate html files that Evernote can understand and import.
  • Open your terminal and run the script from the command line.  On a Mac, the command looks like:
    python pythonSplitScript.py
    
  • Now there will be a bunch of *.htm files in your directory.  Open your Evernote desktop app, select all these generated files (omit the original index.html file) and drag them into an Evernote notebook to import them.

This should work fine with the Mac and PC Evernote apps.  As far as I know, the mobile and browser apps do not have this import functionality.

On: Learning.

I have been thinking a lot on learning these days; how it is an ongoing and important aspect of life to continually search out learning in our day-to-day activities.  I believe this is the key to continued personal growth, and avoiding the plateau that a lot of people seem to find themselves on as they get older.

To quote Thom Fougere, a humble furniture designer who spoke on his quick rise to success at a Pecha Kucha Winnipeg event a few months ago:

You know you are in the right situation when you are uncertain about what you are doing.  You may fail, or you may succeed, but you will learn a lesson.  Keep looking for these situations and keep growing.

Accepting failure is hard.  Personally, I find that it goes against my perfectionist tendencies.  But it is true: better to fail and learn from it than to never have tried at all.  In fact, you can turn the whole idea of failure on its head and recognize it as a good thing.  Fear of failure is natural and not something to be overlooked, but it is also not something that should be allowed to take control of your life.

When you find yourself at a point in life where you are no longer learning, I think you owe it to yourself to do something about it.  Whether it’s creatively looking for opportunities within your current situation or a more drastic uprooting, .  Life is a pretty amazing thing and I think you owe it to yourself to explore your full potential.  Learning seems to go in tandem with pushing yourself, but the responsibility of that push falls on your own shoulders.