"Using TrueCrypt is not secure..."

Ken g6 · May 28, 2014

That message appeared today on the TrueCrypt homepage. Multiple sites are reporting on it, speculating it may be a hack, and recommending against downloading the new version 7.2.

http://www.theregister.co.uk/2014/05/28/truecrypt_hack/
http://arstechnica.com/security/201...ure-official-sourceforge-page-abruptly-warns/
http://lifehacker.com/truecrypts-web-site-updates-with-ominous-warning-detai-1582879439

The site itself recommends using BitLocker in Windows. Others recommend using 7-zip for archive encryption. Anybody know any other good methods of encrypting either a whole filesystem or a live filesystem inside a file? How about on other OSes such as Linux or Mac?

ussfletcher · May 29, 2014

I have a feeling this is not a legitimate claim that they intended to make.

Ken g6 · May 29, 2014

Well, I found some software supported on my platform...

https://wiki.archlinux.org/index.php/Tcplay

"tcplay is a free, fully featured and stable TrueCrypt implementation...."

Regardless of what happens to the "official" software, this works. Even with existing TrueCrypt file systems!

code65536 · May 29, 2014

There's nothing wrong with TrueCrypt 7.1a, so I'll keep using that. It did recently pass the first phase of the extensive audit, after all. Nor am I particularly worried about the future of TC--it's a sufficiently prominent product that people will fork it and continue to maintain it.

As for what the heck happened today, everyone has their own theory, and I don't think it's really worth blindly speculating until more info surfaces.

John Connor · May 29, 2014

It's been HAXXED! Try going to the forums. http://forums.truecrypt.org/ You get redirected. I call BS on this one. I was just going to ask a question on the forum too! I'm a member there. The simple fact that the forum is down tells me something is at play.

John Connor · May 29, 2014

Ken g6 said:
http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

There's nothing here from the audit team that says there was a major announcement like the article mentions at the bottom. http://istruecryptauditedyet.com/

Earlier in the day, the audit project claimed: "We hope to have some *big* announcements this week, so stay tuned." These announcements remain a mystery.

Red Squirrel · May 29, 2014

Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

John Connor · May 29, 2014

Your computer specs are awesome in your sig.

frowertr · May 29, 2014

It's been days since that message was posted to their website. Surely if they were hacked they could have rectified their website by now. If they are truly lazy enough to the point that they can't bother to fix that, I wouldn't want to use their software anyway.

This looks legit to me.

Quantos · May 29, 2014

Warrant canary, perhaps?

PliotronX · May 29, 2014

Red Squirrel said:
Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

Jesus Hume C****, you're right I feel. If the government believes that it can do this kind of crap to the Lavabit founder:

He also wrote that "the government argued that, since the 'inspection' of the data was to be carried out by a machine, they were exempt from the normal search-and-seizure protections of the Fourth Amendment."[27]

Then that seems way too plausible. So how many backdoors are you willing to bet that BitLocker has?

Another thought, if one of the developers was burned and the NSA pressured him/her, why can't the project continue on because of the open source model?

WelshBloke · May 29, 2014

Red Squirrel said:
Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

I think that you're probably right there.

Isn't there an ongoing, independent analysis of truecrypt going on?
Maybe they suspect that some "problems" are going to be discovered that they are not in a position to talk about.

code65536 · May 29, 2014

The first phase of the audit passed. That's the part that matters. The second phase is a cryptanalysis audit, but since TC uses off-the-shelf algorithms that everyone else uses, phase 2 is really just a formality. So, unless there's something that the audit missed, 7.1a is safe.

seepy83 · May 29, 2014

code65536 said:
The first phase of the audit passed. That's the part that matters. The second phase is a cryptanalysis audit, but since TC uses off-the-shelf algorithms that everyone else uses, phase 2 is really just a formality. So, unless there's something that the audit missed, 7.1a is safe.

You're assuming that because an algorithm is "off-the-shelf", the implementation is always good. That's not always the case. Phase 2 of the audit is not a formality at all...it's very important to the big picture.

Regardless, it's looking more and more like TrueCrypt is a dead project, and people need to move on to other solutions.

owensdj · May 29, 2014

Given that the source code for TrueCrypt 7.1a is available, can't there be an Open Source project that continues developing it?

PliotronX · May 29, 2014

owensdj said:
Given that the source code for TrueCrypt 7.1a is available, can't there be an Open Source project that continues developing it?

seepy83 · May 29, 2014

owensdj said:
Given that the source code for TrueCrypt 7.1a is available, can't there be an Open Source project that continues developing it?

That's up for debate. I don't have the exact text, but the license that ships with TrueCrypt leaves it questionable whether or not users have the right to modify the code for use in other projects. It's not clear. Google around for the license.... Matthew Green (who has been involved in the TrueCrypt Audit) mentioned the unclear license situation.

Licensing issues aside, too many people might view the TC code as being toxic after the statements that were made yesterday, so you might not find devs with the appropriate knowledge-level that are willing to maintain the code. And even if there are some capable devs that want to fork the project, there is still going to be a significant amount of hesitation and rejection by the user-base.

smakme7757 · May 29, 2014

Red Squirrel said:
Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

I thought the same thing. I usually reframe from profane language, but this is a real fucking shame.

A bit of a loss if we do have a Lavabit type case.

It's Not Lupus · May 29, 2014

Red Squirrel said:
Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

Wouldn't this only apply if the developer is American?

Red Squirrel · May 29, 2014

It's Not Lupus said:
Wouldn't this only apply if the developer is American?

I wonder, but probably not. Look at Dotcom, he was from New Zealand and was still subject to US laws. The US is so powerful they can just force their laws on other countries.

I just know if I was in a situation where the US wants me to put a backdoor into something I'd do everything I can to resist it. Worse case scenario I'd put it to shut them up but make sure it's buggy and does not actually work properly. Either way I'd definitely get a lawyer to help with figuring out what is the bare minimum I have to do or if there's any way to fight it. I'm sure there are lawyers who salivate over cases like this because they are probably against this oppression too.

WelshBloke · May 29, 2014

It's Not Lupus said:
Wouldn't this only apply if the developer is American?

The developers of Truecrypt have always remained secret if my memory is correct.

MichaelBarg · May 29, 2014

Red Squirrel said:
Chances are this is a Lavabit situation.

They were probably ordered to put a backdoor or something and since they can't legally refuse, or disclose the request, they shut down the project. We'll have to wait and see if more info comes out to know for sure though. Could be anything at this point.

If this is in any way a result of NSA pressure, it would actually be dramatically different from the Lavabit situation. In that case Lavabit was served with a search warrant requiring them to hand over certain information. They were required to keep it secret and hand over encryption keys which made it especially controversial, but basically that's how search warrants always work. That's also why they lost their appeal.
Truecrypt doesn't have any information to order them to hand over. Ordering them to release a broken product to the world, I don't know what authority they would claim authorized that.

It seems to me more likely that they either decided to abandon the project, or really did find a flaw. The developers have always been anonymous and never been very forthcoming about anything.

Red Squirrel · May 29, 2014

MichaelBarg said:
If this is in any way a result of NSA pressure, it would actually be dramatically different from the Lavabit situation. In that case Lavabit was served with a search warrant requiring them to hand over certain information. They were required to keep it secret and hand over encryption keys which made it especially controversial, but basically that's how search warrants always work. That's also why they lost their appeal.
Truecrypt doesn't have any information to order them to hand over. Ordering them to release a broken product to the world, I don't know what authority they would claim authorized that.

It seems to me more likely that they either decided to abandon the project, or really did find a flaw. The developers have always been anonymous and never been very forthcoming about anything.

Well it's the same idea in the sense that it's the government forcing them to make it so they can see the information, just two different approaches as it's two different products.

Of course this is just conspiracy/speculation at this point. Hopefully the devs step up and explain things better.

It could also be they found something really nasty in the security audit and they need to buy time to fix it, but don't want to disclose what the flaw is yet.

MichaelBarg · May 29, 2014

Red Squirrel said:
Well it's the same idea in the sense that it's the government forcing them to make it so they can see the information, just two different approaches as it's two different products.

Of course this is just conspiracy/speculation at this point. Hopefully the devs step up and explain things better.

Right, but what I mean is Lavabit actually had the information they wanted. Assuming Truecrypt works, they want them to introduce a flaw so that when a target uses it they can break the encryption right? Truecrypt doesn't have anything to hand over that lets anyone open a volume without the password.

I do hope the devs clear this up, but based on their track record I am not optimistic. They barely say anything.

John Connor · May 30, 2014

Remember, there was a 7.2 release which seems like malware.

"Using TrueCrypt is not secure..."

Programming Moderator, Elite Member

Platinum Member

Programming Moderator, Elite Member

Golden Member

Lifer

Lifer

No Lifer

Lifer

Golden Member

Senior member

Diamond Member

Lifer

Golden Member

Platinum Member

Golden Member

Diamond Member

Platinum Member

Golden Member

Senior member

No Lifer

Lifer

Member

No Lifer

Member

Lifer