Boxcryptor, TrueCrypt, LastPass … Oh, my!
Hey, everyone! Leo Notenboom here for askleo.com.
In the last couple of weeks, we’ve had pieces of news, and I’ve had at least one experience with each of those three pieces of software I just mentioned. TrueCrypt, we heard about its security flaw a couple of weeks ago. LastPass, we just heard a couple of days ago that they’ve been sold to LogMeIn, and then I ran into something that doesn’t portend well for the future of Boxcryptor Classic.
All three of these are software that I’ve recommended, so I wanted to quickly take a few minutes and talk about what the issue is with each of them; why you shouldn’t necessarily panic, of course, but then also what I’m looking into to move forward for each of them, in case we end up needing to make some changes.
So, TrueCrypt, you probably heard announced a couple of weeks ago that there had been found a security flaw in TrueCrypt itself. As I understand it, it may only apply to TrueCrypt used in a specific way, meaning whole disk encryption.
It is likely that it’s not a huge deal, but as I understand it, the way it works is that the security flaw in TrueCrypt would allow malware on your machine to gain elevated privileges. In other words, become administrator on your machine, and once malware becomes administrator, they can do all sorts of nasty things.
So, naturally, I mean the good news is that it requires the cooperation or the presence of malware to take advantage of or to exploit that vulnerability in TrueCrypt. The really good news, of course, is that vulnerability has nothing to do with TrueCrypt’s encryption. TrueCrypt’s encryption remains solid. You don’t have to worry about your data being exposed somehow, unless of course, you have malware on your machine. Then with or without this particular vulnerability in TrueCrypt, you know malware could be logging your keystrokes, could be reading your data, doing whatever.
But it has got us thinking a little bit, because as we know, about a year ago now, TrueCrypt was unceremoniously dropped by its developer with some very vague notes that had everybody kind of freaking out at the time. There was an actual security audit performed on TrueCrypt. It clearly focused more on TrueCrypt’s encryption than on its interaction with the system (which is where the vulnerability was found, so the encryption was fine), but the fact is some things slipped through.
Those kinds of vulnerabilities slipped through, which, again, isn’t really something to be too concerned about; I mean, this is really complex software. That’s why we keep finding vulnerabilities all of the time everywhere. The systems we have today are incredibly complex. All software has bugs; it really does.
So I’m not concerned that this means anything about the quality of TrueCrypt, and as we’ve said, it has nothing to do with the encryption of TrueCrypt, but without formal support for TrueCrypt, in other words, this bug isn’t going to get fixed, because TrueCrypt development has stopped, we need to start thinking about what are the alternatives.
Now, it has been a year since TrueCrypt support was dropped. In that time, I had an opportunity to notice who were the “up and comers”, who are the suitable replacements for TrueCrypt. The one that’s coming to mind, the one that seems to be relatively solid is one called VeraCrypt.
I may refer to it as “Veera” Crypt because my first Corgi’s name was Vera so it’s really hard for me not to say that but VeraCrypt was developed from a snapshot from the TrueCrypt source code at that time TrueCrypt development stopped. It is TrueCrypt plus further development.
They have fixed this particular flaw, for example and apparently a few other things as well. I’ve tried it; I’ve played with it. If you are familiar at all with TrueCrypt then VeraCrypt will look really familiar, because it’s the same code; it is the same stuff; the dialogs look the same and so forth.
The one thing where it kind of fell down for me is that they supposedly won’t be able to open up and manage existing TrueCrypt volumes. It didn’t work for me. My volumes may be too old. But in all honesty, that’s probably not the way I’d recommend you switch to it anyway if, indeed, you switch to it at all.
If you’re going to switch encryption technology, I strongly recommend that you build a new volume or you re-encrypt using VeraCrypt and then copy your data over onto a VeraCrypt volume or a VeraCrypt drive. So, VeraCrypt is out there. VeraCrypt is something that I’m looking at. I’ve been playing with it a little bit as a potential replacement for TrueCrypt given that A) There have been vulnerabilities found, and we know that they’re not going to get fixed in TrueCrypt.
So, what we’ve heard a couple of days ago now is that LastPass has been sold to LogMeIn. Now, I want to be really clear: That may be totally fine. There may never, ever be an issue with that sale.
However, I actually have a fairly bad taste in my mouth from LogMeIn, and the reason is that some years ago, I used to recommend a piece of software called Hamachi. Hamachi was a personal VPN. You could install it on half a dozen computers and they would all be on this little private network that could basically span the planet.
It was simple; it was cool; it just really worked, and I used it a lot. LogMeIn bought them, and you’ll notice that the product is actually fairly hidden these days. The product that they have, if I understand the offering correctly, what used to be Hamachi is now a couple of tiers. What used to be free, if you want that same functionality, you now have to pay a subscription. It’s just that a lot of what they did with Hamachi is not what I wanted for myself and not what I wanted, well, for you, for the folks that I recommend software to.
So, they kind of annoyed me with that, and to be clear, it’s absolutely their right; they purchased Hamachi, the guy who made Hamachi made some money off of it – more power to him. I’m glad he was able to profit from his work, but the fact is they turned it into something that is not something that I feel like I want to recommend anymore.
Naturally, I’m concerned about LastPass. LastPass is free. You get a ton of stuff with the free version. Even the Premium Version where you pay a buck a month or $12/yr, I mean that’s nothing for what you’re getting out of LastPass, and that’s one of the reasons that I’ve been recommending it and talking about it and using it myself for years now.
So, I’m concerned as you might expect. I mean there’s this experience where they’ve done something to some software that I really enjoyed, and I’m hoping that they don’t do the same. I’m not saying that they’re going to; I’m really not, and I wouldn’t expect them to say anything about that now, anyway. I don’t know what their plans are; I don’t know that they are ready to announce what their plans are.
They may have other reasons for wanting to purchase LastPass – that’s great. I hope that they support it the way it is for years into the future. But, because LastPass is such an important piece of technology, because it’s such an important part of what I recommend to people and because it’s such an important part of just how I run my day-to-day, I feel like I need to have an alternative prepared, and what I’ve been looking at is something called DashLane.
Now, I want to explain why DashLane. In fact, what that really means is I need to explain a little bit about why LastPass to begin with. LastPass uses something that they refer to or that others have referred to as “zero knowledge”. What that really means is that they never see your master password. They don’t get it; it never goes across the wire; it never goes on to their server.
What happens is all of the encryption and decryption happens on your device – your computer, your mobile device, whatever. So what that means is a couple of really cool things. One is, even if LastPass were hacked, and I don’t necessarily mean this stuff that happened a few months ago. Those weren’t real hacks; that was totally a non-issue but let’s assume the worst, right? If all of the data at LastPass somehow got exposed, it’s all encrypted; it’s all encrypted really, really well, and your master password isn’t part of it.
If you’ve got a strong master password on your data, then even hacking the data is totally useless to people that get it. That’s what I like. That’s a security model I like. It also means that the folks at LastPass can’t access your data because they don’t have the master password. They don’t have the key to open the door that gets them in.
And speaking of doors, that also means that they can’t give the information to someone else who might ask it. If there’s a government agency that comes along or somebody else that threatens them or whatever, they literally don’t have the technology to provide anything other than the encrypted data. That’s awesome; that’s great security; that’s one of the reasons that I chose LastPass a while back.
DashLane apparently does the same thing. They use the same zero knowledge technique where they never see your master password. One quick way to tell if that’s the situation is that one side effect of them not having your master password is that they can’t help you if you lose yours. If you lose your master password, your data is gone, that’s it. There’s no recovery.
It’s one of the reasons that I back up my LastPass database regularly just because if something happens. And you should be doing that too, by the way.
Because they’re using that same security model, that’s got me looking at DashLane as a potential, I’m not even going to say “alternative” to LastPass yet, but what I’m going to say is an additional recommendation or as an additional tool to use like LastPass. I’m still in evaluation mode; I’m still kind of looking at it, playing with it. I have it installed on my machines but right now, that’s kind of the direction I’m heading in.
So, I’ve been recommending Boxcryptor Classic for a long time. Boxcryptor Classic is a great way to keep files encrypted in Cloud storage at the file level, so you’re not uploading massive TrueCrypt databases; you’re uploading individual files; you’re transferring individually encrypted files. That’s what it was designed for; that’s what it does a really good job on.
It too supports this zero knowledge approach to your master password. If you lose your master password to your Boxcryptor collection, you’re done. All that data remains encrypted, and you can’t get it. The hackers can’t get it. The service providers can’t get it, and Boxcryptor can’t get it, because they don’t know your master password.
That’s security that I like.
Boxcryptor Classic is not going to support the next version of the Mac OS – El Capitan, and I say that – there will be a read-only version, so you’ll be able to read your Boxcryptor data, but you won’t be able to write your Boxcryptor data using Boxcryptor Classic on El Capitan.
That’s not a big issue for most people. I’m sure most of you aren’t yet running El Capitan. Most of you are running Windows; everything’s fine, but what it tells me is that the Boxcryptor folks are really not that interested in supporting the classic version of their product. The 1.0 version of their product. If there are problems; if there are compatibility issues in the future, clearly they’re going to say, no, we’re not going to do it. You should be using our 2.0 product.
Now, the reason that I haven’t immediately jumped on their 2.0 product is because it required a Boxcryptor account; you actually have to create yourself an account with Boxcryptor.
I inferred from that that it meant they also had your master password. Apparently, they do not. Boxcryptor 2.0 still uses this zero knowledge technology or terminology or concept to manage your data, so that once again, your password never leaves your machine. Your master password to your Boxcryptor data, even in Boxcryptor 2.0 doesn’t leave your machine. If you lose it, they can’t recover your data but it also means they can’t see your data; they can’t give your data to anybody. They just can’t. Their technology isn’t set up that way.
So, I’m looking into Boxcryptor 2.0. I’ve got that installed on a couple of my machines and am playing around with it, and I’m hopeful that it may be a reasonable alternative or a reasonable addition for those folks that are running into issues, maybe with El Capitan right now, but in the future, when there are support issues with Boxcryptor Classic.
The other change, I believe, is that it’s a little bit more expensive. You are paying a certain amount, I think per year, for the 2.0 product as opposed to the classic product, which there were different licenses but for the most part, it all just worked.
That’s another difference that you may encounter with Boxcryptor 2.0, but nonetheless, that’s what I’m looking at when I’m looking at Boxcryptor. I did look for other alternatives that tried to do what Boxcryptor does and on as many platforms as Boxcryptor does. I’m not finding that many. I’m not finding any that really, really met the need.
So that’s where I’m at. I’m still looking at Boxcryptor 2.0 as an alternative or an addition to Boxcryptor Classic.
So, bottom line on all of these is that you don’t need to panic. There’s no need for any panic here at all. Don’t make any rash judgments. Don’t make any rash switches. I’m not yet changing my recommendations.
I haven’t changed; the only thing I’ve done is I’ve put that one warning up on my TrueCrypt recommendation just because there’s a vulnerability that’s not going to get fixed, but especially on the other two. These are things to be aware of but now when you hear about them you’ll know, okay, it’s not yet that big a deal and that there are some potentially viable alternatives out there that I’m still looking into.
So, with that in mind, I would love to hear from you if you’ve had experience with any of these tools that I’ve mentioned, be it VeraCrypt or Boxcryptor 2.0 or DashLane; let me know. I’d love to hear if there are holes in my thinking right now or if there are better alternatives. I’ve kind of sort of come up dry on all three fronts. These seem to be the ones, but like I said, you probably have a lot more time to play with a lot of this stuff than I do, so I’d love to hear if you’re already doing some of these things. Let me know how it’s turning out. Let me know what’s good, what’s bad, what concerns you about some of these tools, if in fact you’ve used them, if in fact you’ve heard good or bad stories about them.
So, as always, by now, you certainly know the drill. If you’re anywhere but on askleo.com here’s the URL to go visit this video on askleo.com. Leave your comments there. Let me know what you think about things. I hope you appreciate this little quick video. It turned out to be a little bit longer than I expected that I’m sort of shooting in here as an additional video this week. I figured it was a quicker way to get this information out to you in a way that would help as many of you as possible in the timeframe that we’re talking about here.
So, at any rate, I will see you again next week. Thanks again for watching. I hope this has been helpful. Take care, everyone.