"Using TrueCrypt is not secure..."


smakme7757

Golden Member
Nov 20, 2010
Seems like it's all legit. The developers are just moving on. I don't blame them. A thankless job, and getting TrueCrypt up to speed with modern standards would be a big job.

They could have commercialized it though, but I guess they were keen on moving onto bigger and better things. They deserve credit for creating the software. Wish them well in the future.
 

John Connor

Lifer
Nov 30, 2012
If true that really blows. I was hoping for a UEFI update. I for one will keep my computers encrypted and will back up my 7.1a build to the FTP and thumb drives. I hope there is a fork of this great program.
 

smakme7757

Golden Member
Nov 20, 2010
I've always used dm-crypt/LUKS on my Linux machines so I might just keep using that there. I'm not a fan of BitLocker, but it's free, and Symantec PGP costs 100 euro for 1 license. DriveCrypt is available for a decent price; I just recently received a coupon from them which I deleted, he he, ah well.
 

seepy83

Platinum Member
Nov 12, 2003
Remember, there was a 7.2 release which seems like malware.

Where do you get your information from? All credible sources that have analyzed ver 7.2 have been concluding that there is nothing malicious about it. It is a Decrypt-Only binary that was signed with the same code-signing key that was used on previous releases. All signs are pointing to it being legit, and the developers bowing out.

If you want to believe the conspiracy theories about their code-signing key, and Sourceforge credentials, and control of TrueCrypt.org all being compromised...then go ahead and let your mind run wild, but don't spread false information. The consensus in the Information Security industry is that there is no reason to believe 7.2 is malware.
 

John Connor

Lifer
Nov 30, 2012
Well that sucks. I have both computers encrypted and I was a member of their forum and had a question to ask over there. CRAP! I'm hoping there is a fork. I only trusted TC. Paid-for crap could have back doors. And BitLocker can't encrypt both my hard drives, and I Googled and asked about it and tried various things to no avail. I don't want to use a M$ product that encrypts my data anyway. Was there ever an audit on BitLocker?
 

seepy83

Platinum Member
Nov 12, 2003
Well that sucks. I have both computers encrypted and I was a member of their forum and had a question to ask over there. CRAP! I'm hoping there is a fork. I only trusted TC. Paid-for crap could have back doors. And BitLocker can't encrypt both my hard drives, and I Googled and asked about it and tried various things to no avail. I don't want to use a M$ product that encrypts my data anyway. Was there ever an audit on BitLocker?

Can you explain the logic and rationale behind trusting a completely anonymous developer (or set of developers), and not trusting Microsoft?

Let's speculate for a minute (just for the hell of it, because it's fun...and speculation carries as much weight as all the other rumors). Since the TrueCrypt devs are anonymous, who's to say that it wasn't a NSA/FBI/3-letter-agency project to begin with? They build TrueCrypt with the goal of being able to decrypt anything that evil-doers (child pornographers, terrorists, organized crime, etc) are using TC to protect. Then they pull the plug on the project because there are alternatives being developed and maintained by private industry, and they've got hooks into those anyway.

Again, that's all speculation and it's just one of the wild ideas that can be imagined. But I see no reason to trust anonymous developers over any other software company. TrueCrypt could have been developed by the US, Chinese, Russian, etc Gov't's, or it could have been developed by someone with the intent to be able to hide things from those organizations. But you don't know, and really no one knows other than the developer. Even the folks involved in the on-going code audit have very little communication with the dev(s). It's extremely secretive, and secrecy doesn't breed trust in my book.
 

smakme7757

Golden Member
Nov 20, 2010
Well that sucks. I have both computers encrypted and I was a member of their forum and had a question to ask over there. CRAP! I'm hoping there is a fork. I only trusted TC. Paid-for crap could have back doors. And BitLocker can't encrypt both my hard drives, and I Googled and asked about it and tried various things to no avail. I don't want to use a M$ product that encrypts my data anyway. Was there ever an audit on BitLocker?

DriveCrypt is based off the same foundation as TrueCrypt: ScramDisk.

If you want to stay within the TC world you could always just buy a license for DriveCrypt. It's not cheap at $125 for a license, but it's cheaper than Symantec PGP, which is $100 a year; not renewing with Symantec will force decryption of your encrypted drives after 90 days. The DriveCrypt license lasts forever for the version you have purchased.

If you're using Linux systems, dm-crypt/LUKS is perfectly fine.

BitLocker on Windows can encrypt both removable and fixed storage. That means internal HDD, external HDD and USB drives. But you need the Professional/Enterprise version of Windows 7 or Windows 8 to do that.

For simple file encryption I would use GnuPG on either Linux or Windows.
 

Red Squirrel

No Lifer
May 24, 2003
Well that sucks that they lost interest. Seems odd, there is a bigger demand for encryption now than there ever was. It looks like there's already a fork out though:

http://truecrypt.ch/

Guess that's the beauty of open source. We'll just have to wait and see if this becomes more official or what not.

If anyone has source on their PC I recommend you keep it safe! For now I probably would not trust anything new that comes out until it's determined safe.
 

fleshconsumed

Diamond Member
Feb 21, 2002
If this is in any way a result of NSA pressure, it would actually be dramatically different from the Lavabit situation. In that case Lavabit was served with a search warrant requiring them to hand over certain information. They were required to keep it secret and hand over encryption keys, which made it especially controversial, but basically that's how search warrants always work. That's also why they lost their appeal.

TrueCrypt doesn't have any information to order them to hand over. Ordering them to release a broken product to the world: I don't know what authority they would claim authorized that.

It seems to me more likely that they either decided to abandon the project, or really did find a flaw. The developers have always been anonymous and never been very forthcoming about anything.

I want to respond to the bolded part. It is my understanding that the feds requested SSL keys that would have compromised every single Lavabit customer. If that is true, then no, this is not how search warrants work. Search warrants are issued for a specific item at a specific location for a specific person. My understanding is that the feds wanted blanket access to all Lavabit information. This is not how search warrants are supposed to work, and it is unacceptable and I believe it is illegal. The reason Lavabit lost is because they went against the federal government.
 

smakme7757

Golden Member
Nov 20, 2010
Well that sucks that they lost interest. Seems odd, there is a bigger demand for encryption now than there ever was. It looks like there's already a fork out though:

http://truecrypt.ch/

Guess that's the beauty of open source. We'll just have to wait and see if this becomes more official or what not.

If anyone has source on their PC I recommend you keep it safe! For now I probably would not trust anything new that comes out until it's determined safe.
It's not a fork yet though. When or if they eventually fork it and start a new project, it cannot be named TrueCrypt.

TrueCrypt is a registered trademark.

Regarding the source and binaries, you can get a copy here:
https://github.com/DrWhax/truecrypt-archive

The hashes check out and so do the signatures. So it's legit.
 

John Connor

Lifer
Nov 30, 2012
Can you explain the logic and rationale behind trusting a completely anonymous developer (or set of developers), and not trusting Microsoft?

Let's speculate for a minute (just for the hell of it, because it's fun...and speculation carries as much weight as all the other rumors). Since the TrueCrypt devs are anonymous, who's to say that it wasn't a NSA/FBI/3-letter-agency project to begin with? They build TrueCrypt with the goal of being able to decrypt anything that evil-doers (child pornographers, terrorists, organized crime, etc) are using TC to protect. Then they pull the plug on the project because there are alternatives being developed and maintained by private industry, and they've got hooks into those anyway.

Again, that's all speculation and it's just one of the wild ideas that can be imagined. But I see no reason to trust anonymous developers over any other software company. TrueCrypt could have been developed by the US, Chinese, Russian, etc Gov't's, or it could have been developed by someone with the intent to be able to hide things from those organizations. But you don't know, and really no one knows other than the developer. Even the folks involved in the on-going code audit have very little communication with the dev(s). It's extremely secretive, and secrecy doesn't breed trust in my book.


Bruce Schneier uses TrueCrypt, and for all we know he could be a dev of TC. After all, he only helped make Blowfish and Twofish. I will monitor Bruce Schneier's blog and see what he recommends after TC's demise.
 

ringtail

Golden Member
Mar 10, 2012
I updated from 7.1 to 7.2. Was that a mistake?

Would it be safer to go back to TrueCrypt Setup 7.1a.exe?

Was TrueCrypt-7.2.exe issued in order to give a back door or other transparency to the US Government?


 

smakme7757

Golden Member
Nov 20, 2010
I updated from 7.1 to 7.2. Was that a mistake?

Would it be safer to go back to TrueCrypt Setup 7.1a.exe?

Was TrueCrypt-7.2.exe issued in order to give a back door or other transparency to the US Government?



7.2 can only decrypt. That's it. If you want encryption you need to go back to 7.1a.
 

lxskllr

No Lifer
Nov 30, 2004
Can you explain the logic and rationale behind trusting a completely anonymous developer (or set of developers), and not trusting Microsoft?

I agree with your overall point, but proprietary software can't be trusted at all; ever. If the code can't be audited by anyone, it can't be trusted. I'd just as soon sync my data to NSA servers as use a MS "security" product. The TrueCrypt audit came too late, but the fact that it could be done at all instills trust in the product. Its origin doesn't matter as long as it can be reviewed.
 

grandpaflo

Member
Jan 18, 2011
TrueCrypt: Is The Party Really Over?

By: Anon | 05/2014

Fiction: Do you remember the scene near the end of the movie Scarface where the group of criminals conspired in an attempt to remove an individual speaking out against them before he spoke at the UN? (UN - IIRC)

Reality: Do you remember the individual who died just shortly prior to speaking out about pacemakers (and possibly other technology) and how they are vulnerable to hacker attacks?

Possibility: Sn0wd3n and/or others are about to deliver a speech which mentions the useful tool TrueCrypt to a wider audience, and the TrueCrypt project dies.

I'm interested in the results of the complete TC code audit, but give this comparison some thought.

However, I was concerned about the project when releases ceased after 7.1a. There were steady releases up until that time and I'm curious if 7.1a was released as low hanging fruit with a backdoor and the site was allowed to operate for a few years before closing shop when the hunger for enough interesting people who downloaded/used TC was satisfied.

######

TrueCrypt WTF @ Bruce Schneier blog https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

Also contains TC posts: https://www.schneier.com/blog/archives/2014/05/friday_squid_bl_426.html
 

MichaelBarg

Member
Oct 30, 2012
I want to respond to the bolded part. It is my understanding that the feds requested SSL keys that would have compromised every single Lavabit customer. If that is true, then no, this is not how search warrants work. Search warrants are issued for a specific item at a specific location for a specific person. My understanding is that the feds wanted blanket access to all Lavabit information. This is not how search warrants are supposed to work, and it is unacceptable and I believe it is illegal. The reason Lavabit lost is because they went against the federal government.

Sure it is. The pen trap order was for a specific account. Lavabit refused to provide it, and then provided only encrypted information. So they got a warrant for the SSL key. Just because the key opens a bunch of other stuff too doesn't mean they are not allowed to use it to open stuff covered by the pen trap order. In applying for it they agreed it would only be used to access the information sought.

Look, I get that lots of people don't like it. But the law is actually pretty clear here. With probable cause for a warrant, an email provider can be required to provide the contents of an account. If the contents are encrypted, they can be required to decrypt it. And just because Lavabit set up their system so that the only way they could comply was by handing over the SSL key doesn't mean they don't still have to comply.

https://s3.amazonaws.com/s3.documentcloud.org/documents/1114251/lavabit-usca4-op.pdf
 

code65536

Golden Member
Mar 7, 2006
I don't know why people are so fascinated by conspiracy theories. :p

The simplest, most logical, Occam's Razor explanation is that the authors (or just author?) (who, BTW, hadn't updated TC in over 2 years) just got tired/bored/whatever and decided to quit. If you're not going to maintain the code and fix any problems that may be uncovered, then it's probably a good idea to tell the world that they should move to a different product that's still being maintained and cared for so that people don't get hosed by some flaw that was unfixed because of your abandonment.

The removal of the fork-unfriendly advertising clause from the license seems to be a signal to people, "hey, fork this!" (My guess is that the author, not being a lawyer, didn't consider the problem that the license change technically only applies to 7.2, and that it was likely his intention that it apply to 7.1a as well.)

All the other scenarios have gaping holes that people seem to just ignore.
 

seepy83

Platinum Member
Nov 12, 2003
I agree with your overall point, but proprietary software can't be trusted at all; ever. If the code can't be audited by anyone, it can't be trusted. I'd just as soon sync my data to NSA servers as use a MS "security" product. The TrueCrypt audit came too late, but the fact that it could be done at all instills trust in the product. Its origin doesn't matter as long as it can be reviewed.

Fair enough, but it's not common that tens of thousands of dollars are crowd-funded to finance a proper audit by qualified individuals. But I do agree that the possibility for trust is greatly increased when the code is available for review.
 

ctk1981

Golden Member
Aug 17, 2001
Fair enough, but it's not common that tens of thousands of dollars are crowd-funded to finance a proper audit by qualified individuals. But I do agree that the possibility for trust is greatly increased when the code is available for review.

And what commercial piece of encryption software has had this done? I haven't found any that were touting on a feature page or such that their program was audited by an independent company and found to be in good order.
 

smakme7757

Golden Member
Nov 20, 2010
And what commercial piece of encryption software has had this done? I haven't found any that were touting on a feature page or such that their program was audited by an independent company and found to be in good order.

Up until now no one had actually done or started an extensive audit of TrueCrypt either.

So we have:
Locked code base & No audit
Open code base & No audit

Is the open code automatically problem free because it isn't proprietary?

Maybe the proprietary solution has a backdoor, maybe it doesn't. Who knows. It's all speculation. But blindly trusting an open code base without an audit is just as foolish as blindly trusting a closed-source product.

I honestly don't think TrueCrypt has ever had a backdoor, but hiding one in plain sight is entirely possible.
 

ctk1981

Golden Member
Aug 17, 2001
Agree completely. But at least with open code, if you manage to do a crowd fund for an audit you can proceed and have it audited. With locked code....probably not. And even if they did allow it, who's to say they won't change it a month later and introduce a backdoor into it.

For me, I'd like an open code base product with a clean audit done....and I'll gladly pay the money to use that product. I'm hoping TrueCrypt 7.1a comes back fully audited and good to go.
 

smakme7757

Golden Member
Nov 20, 2010
Agree completely. But at least with open code, if you manage to do a crowd fund for an audit you can proceed and have it audited. With locked code....probably not. And even if they did allow it, who's to say they won't change it a month later and introduce a backdoor into it.

For me, I'd like an open code base product with a clean audit done....and I'll gladly pay the money to use that product. I'm hoping TrueCrypt 7.1a comes back fully audited and good to go.

I don't think (hoping) anything scary will be turned up by the TC audit. However, TrueCrypt does have a few limitations now, such as no GPT support, which might cut its lifespan if no one is able to continue the project.

It will be interesting to get back the cryptanalysis report in a few months time.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
I don't understand this at all, it looks suspiciously like a hack to me.

TrueCrypt was JUST professionally audited and came back with only minor issues, none of which significantly impacted the security of the encryption. This unprofessional page is left in place of the TrueCrypt site, with some random new version that can decrypt only, which is completely unnecessary.

I find it hard to believe they'd recommend BitLocker or something of that nature since it's closed source. And we know the NSA puts pressure on businesses like Microsoft to hand over encryption keys if they know them, so I don't know how much I trust it.

This whole thing is just...odd. Doesn't seem real to me at all, they would have offered up a reason I'm sure or at least disclosed some of the reasons as to why it's not secure.