
Truecrypt development stopped. Recommend changing to Bitlocker.

  • 29-05-2014 1:07am
    #1
    Closed Accounts Posts: 1,260 ✭✭✭


    truecrypt.sourceforge.net/

    Truecrypt development stopped. Recommend changing to Bitlocker.
    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    This page exists only to help migrate existing data encrypted by TrueCrypt.

    The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.


    Wonder what's going on here then...



Comments

  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    theregister.co.uk/2014/05/28/truecrypt_hack/
    The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

    It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

    Beginning on Wednesday, the TrueCrypt homepage redirects visitors to the project's official SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative.


    Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.


  • Registered Users Posts: 2,809 ✭✭✭edanto


    Surely it's just a compromised sourceforge account, a temporary thing?


  • Registered Users Posts: 6,374 ✭✭✭Gone West


    edanto wrote: »
    Surely it's just a compromised sourceforge account, a temporary thing?
    This is much more than a compromised website or compromised keys.


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    Story on forbes also.

    :(


  • Registered Users Posts: 9,922 ✭✭✭trout


    Krebs has a piece on it too ... recommending BitLocker doesn't ring true for some reason.

    I hope it's a hoax, but it does seem legit so far.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    I really hope this is a hoax.


  • Registered Users Posts: 1,186 ✭✭✭davej


    [image attachment: Bowz7BdIQAAUroZ.jpg]

    davej


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Got the following ditties from the ACH mailing list:

    - The signing key seems to be genuine, signatures are good.
    - The signing key is 1024/DSA. The key could have been compromised to sign the "new release".
    - The signing key available for download on the website has Windows line endings.
    - One previously downloaded version of the SAME key from the website had Unix line endings.
    - It doesn't make any sense to release 7.2 just to shut it down.
    - The TC audit team doesn't know anything about an upcoming release.
    - The TC audit team has completed Phase 1 of the audit with good results, which make it unlikely that there is something to be afraid of.
    - The changes made in the source code are quite strange.
    - The 7.2 release contains an updated license (TC license 3.1, I haven't diffed it yet.)
    - 7.2 can only read TC volumes.
    - The Windows installer for 7.2 doesn't make any network connections during installation.



    Overall stink level: High.
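
As an added example (not code from the thread, from TrueCrypt or from the audit team), here is a small Python check that does by script what those mailing-list notes did by hand: it records the line-ending style of an ASCII-armored key file, dearmors it, and reads the primary key's algorithm and size from the OpenPGP public-key packet, flagging a 1024-bit DSA or RSA key as weak. The 2048-bit threshold, the old-format v4 packet assumption and the synthetic key built by `build_sample_key` are all this example's own assumptions, not anything from the page.

```python
import base64
import struct

ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880/6637 public-key algorithm ids

def line_endings(raw: bytes) -> str:
    """'CRLF', 'LF' or 'mixed' for the raw bytes of an armored key file."""
    crlf = raw.count(b"\r\n")
    lf = raw.count(b"\n") - crlf
    return "mixed" if crlf and lf else ("CRLF" if crlf else "LF")

def dearmor(raw: bytes) -> bytes:
    """Decode the base64 body of an armored block; armor headers and the 5-char CRC line are skipped."""
    body = []
    for ln in raw.decode("ascii").splitlines():
        if ln.startswith("-----") or ":" in ln or not ln or (len(ln) == 5 and ln[0] == "="):
            continue
        body.append(ln)
    return base64.b64decode("".join(body))

def primary_key_info(pkts: bytes) -> dict:
    """Walk old-format packets (as gpg exports them) and describe the first public-key packet (tag 6)."""
    off = 0
    while off < len(pkts):
        ctb = pkts[off]
        if ctb & 0x40:
            raise ValueError("new-format packet header not handled in this example")
        tag, lsize = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]  # length type 3 not handled
        length = int.from_bytes(pkts[off + 1:off + 1 + lsize], "big")
        body = pkts[off + 1 + lsize:off + 1 + lsize + length]
        if tag == 6:
            bits = struct.unpack(">H", body[6:8])[0]  # v4: version, 4-byte time, algo, MPIs; first is RSA n / DSA p
            return {"version": body[0], "algo": ALGOS.get(body[5], str(body[5])), "bits": bits}
        off += 1 + lsize + length
    raise ValueError("no public-key packet found")

def build_sample_key(p_bits: int, crlf: bool) -> bytes:
    """Constructed v4 DSA public-key packet with synthetic MPIs, ASCII-armored (not a real key)."""
    def mpi(bits):
        return struct.pack(">H", bits) + (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1_300_000_000) + b"\x11"  # version 4, creation time, DSA (17)
    body += mpi(p_bits) + mpi(160) + mpi(p_bits) + mpi(p_bits)   # p, q, g, y
    pkt = bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body  # old format, 2-byte length
    b64 = base64.b64encode(pkt).decode()
    lines = (["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
             + [b64[i:i + 64] for i in range(0, len(b64), 64)]
             + ["-----END PGP PUBLIC KEY BLOCK-----"])
    return ("\r\n" if crlf else "\n").join(lines).encode("ascii")

def inspect_key(raw: bytes) -> dict:
    """Everything the notes above checked by hand: line endings, algorithm, size, and a weak-size flag."""
    info = primary_key_info(dearmor(raw))
    info["line_endings"] = line_endings(raw)
    info["weak"] = info["algo"] in ("RSA", "DSA") and info["bits"] < 2048  # 2048 threshold is an assumption
    return info
```

Comparing `dearmor()` output for a CRLF copy and an LF copy of the "same" key tells you whether the two downloads actually carry identical key material, which is the question the line-ending observation raises.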


  • Registered Users Posts: 1,817 ✭✭✭howamidifferent


    I'm not normally in the conspiracy forums but this stinks to me.
    I'd go with the idea the devs were being forced to backdoor it and instead aborted it with a big red flag pointing to bitlocker as an alternative.
    No one in their right mind would trust Bitlocker.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    I'd go with the idea the devs were being forced to backdoor it

    I thought this might be the case initially, but I'm not sure how you'd force someone to back door open source code. It would be much easier to have someone become a regular contributor, then deliberately add in sneaky code that weakens the crypto subtly. That's what I'd do if I were trying to screw an open source security tool. *maniacal laugh*


  • Registered Users Posts: 1,817 ✭✭✭howamidifferent


    Khannie wrote: »
    I thought this might be the case initially, but I'm not sure how you'd force someone to back door open source code. It would be much easier to have someone become a regular contributor, then deliberately add in sneaky code that weakens the crypto subtly. That's what I'd do if I were trying to screw an open source security tool. *maniacal laugh*

    But since no one has ever managed to produce a 100% identical binary from the source, who's to say the source published would be the source used to build the published binary. Backdoor in binary, clean source. No one would be the wiser except the devs who probably wouldn't go along with that idea. All conjecture on my part obviously.


  • Registered Users Posts: 1,193 ✭✭✭liamo


    The point has been made on other forums that Truecrypt 7.1a is still perfectly usable. It's a point that I agree with.

    I have encrypted all laptops and external disks in our office with TC 7.1a.
    I had a home laptop stolen recently which was encrypted with 7.1a. The thieves may factory reset it but they won't get at my data.

    The stolen laptop was replaced this morning and I'm using TC 7.1a to encrypt that as well. I discovered the news about Truecrypt when I visited their site to see if there was any recent release. While there was, indeed, a new release, it certainly wasn't what I was expecting.

    Having read the content on the site and looked into it a little I asked myself "what are you trying to protect and against whom and what are you trying to protect it?"

    If I was worried about the NSA getting their hands on my data, then this development might make me reconsider the use of Truecrypt.
    I'm only trying to protect my laptop (and our work laptops) against data theft/breach through loss or theft of the device.
    Truecrypt is entirely acceptable to me for this (for the moment) - even if it appears to no longer be in development.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    But since no one has ever managed to produce a 100% identical binary from the source, who's to say the source published would be the source used to build the published binary. Backdoor in binary, clean source. No one would be the wiser except the devs who probably wouldn't go along with that idea. All conjecture on my part obviously.

    You would need the exact build spec to achieve an identical binary. OS, compiler, compiler flags, linker, linker flags, exact source tree, yada yada. If you were sufficiently paranoid, you'd be building from source yourself anyway.

    But yeah....I always wondered about that myself, just as a general wondering.

    Last point I'll make: I thought it was kinda funny how they had IE in the first screenshot. Not sure if it was another nod to it being a "lol bitlocker". I don't use windows, but I wouldn't trust bitlocker to encrypt my toast recipe.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    truecrypt.sourceforge.net/

    Truecrypt development stopped. Recommend changing to Bitlocker.

    Wonder what's going on here then...

    As I understand it the issue relating to a possible backdoor only affected the headers of volumes created in the Windows versions, isn't that right? The corresponding area in the Mac/Linux versions was just a string of encrypted zeroes.

    I have been experimenting with the program TCPLAY which works from the Linux command line. It can create and mount Truecrypt partitions and I've been having a lot of fun with it. Have posted a guide on my blog and will put it up here when able.

    I like the idea of using multiple ciphers at once (unlike Bitlocker, Filevault, CryptFS etc.) but of course this only works for creating encrypted containers on Linux so maybe Bitlocker is a better option.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Any more word on this anywhere?


  • Registered Users Posts: 1,193 ✭✭✭liamo


    Nah. Same stories being regurgitated across all sites. Nothing new of any substance that I've come across.

    I wouldn't think that this is going to go away quietly though.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Khannie wrote: »
    Any more word on this anywhere?
    This-->http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

    Is where it's at, nicely summed up.

    Nutshell-->It's really gone(1), the "open source" license they used may mean no one else can pick it up but someone probably will.

    The Dude that gathered the funding to Audit it hopes it's not because there is some big vulnerability gonna appear in the phase two part of the Audit, which is still going ahead as he has $30,000 to do it. Be done by summer end...probably.

    Same Dude knows the guy involved in developing Bitlocker, reckons he's sound and didn't backdoor it.


    (1) If you have an Installer of 7.1a downloaded before this happened then it's as good as it's gonna get until someone picks up the torch.

    Bruce Schneier switched back to PGP.



    Tails guys are wondering what to switch to.



    Mysterious announcement from Truecrypt declares the project insecure and dead


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Thanks - I had thought though that TAILS had settled on using tc-play as an alternative?

    I can't post links atm due to being new user but if you look under ticket number 5373 on TAILS website it says : Replace Truecrypt with tcplay - resolved. Perhaps that just means they have chosen to replace it?

    I hope they do choose tc-play as it allows you to encrypt the same volume with multiple ciphers not to mention use of keyfiles with password, hidden volumes etc.

    Something I did think looked promising was Zulucrypt which acts as a GUI frontend for both Truecrypt and cryptfs volumes. Anyone else used it?


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    This is all very interesting. I'll be intrigued to see what comes of that security audit now. I wish I knew about these kickstarter things. I'd be inclined to chip in for funding of code reviews of security software that I rely on.
    Something I did think looked promising was Zulucrypt which acts as a GUI frontend for both Truecrypt and cryptfs volumes. Anyone else used it?

    Not me. I don't use truecrypt though.


  • Posts: 0 [Deleted User]


    As I understand it the issue relating to a possible backdoor only affected the headers of volumes created in the Windows versions, isn't that right? The corresponding area in the Mac/Linux versions was just a string of encrypted zeroes.

    I have been experimenting with the program TCPLAY which works from the Linux command line. It can create and mount Truecrypt partitions and I've been having a lot of fun with it. Have posted a guide on my blog and will put it up here when able.

    I like the idea of using multiple ciphers at once (unlike Bitlocker, Filevault, CryptFS etc.) but of course this only works for creating encrypted containers on Linux so maybe Bitlocker is a better option.

    A good write up here of some alternatives to TrueCrypt including tc-play from the Gurgq http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations


  • Registered Users Posts: 25,060 ✭✭✭✭My name is URL


    Have any of you switched to an alternative yet? I have version 7.1a installed at home and on my work computers. Would it be very foolish to leave things as they are until what happened becomes clearer?


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    I reckon it's usable in 99.9% of scenarios. There may be security holes in it, but the question is: Are you trying to protect your data from those who have the expertise to find and exploit those holes? If yes : I'm glad I'm not you. :D If no : continue using it.

    No harm in investigating alternatives though.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    I reckon it's usable in 99.9% of scenarios. There may be security holes in it, but the question is: Are you trying to protect your data from those who have the expertise to find and exploit those holes? If yes : I'm glad I'm not you. :D If no : continue using it.

    No harm in investigating alternatives though.

    The problem we have here Khannie is that you never know in what context your data might be used or interpreted in the wrong hands.

    For instance after the young girl Millie Dowler went missing in the UK, the investigation was derailed because it turned out her father watched pornography, which in itself is legal but led the Police down the wrong path.

    We also have to consider those people who might have downloaded something innocently - I know you, like me, put in a lot of time on the Survivalism Thread and when downloading books about Bushcraft and Homesteading I have sometimes accidentally downloaded plans to build guns and bombs.

    As we've discussed though, we don't have to choose between Truecrypt or nothing - all the main distributions of Linux offer full disk encryption with built in tools, so I say use that in the first instance.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Have any of you switched to an alternative yet? I have version 7.1a installed at home and on my work computers. Would it be very foolish to leave things as they are until what happened becomes clearer?

    Aside from aforementioned tcplay it's also possible to use CryptSetup which is built into Linux. Sadly both require the command line. If you google my Blogger ID 'machellotech' I have written some guides on how to use both.

    I think though that you were asking about friendly GUI encryption tools. I'm afraid I have nothing in your colour if so, anyone else?

    Edit : My addled brain has reminded me that the built in Disk Utility in Linux can be used to quickly and easily format a drive or USB stick in such a way that it requires a password to unlock it. I don't care for it as you don't get any say in the algorithm used (it uses LUKS default options which as memory serves is AES 128 bit) but at least it is user friendly and should keep everyone out but shadowy government agents.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    The problem we have here Khannie is that you never know in what context your data might be used or interpreted in the wrong hands.

    Ah yes. This is the strongest argument in favour of total privacy. We're not far off that in fairness. I reckon 10 years and the entire internet will be encrypted up the ying yang. Email being the last problem to solve.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    Ah yes. This is the strongest argument in favour of total privacy. We're not far off that in fairness. I reckon 10 years and the entire internet will be encrypted up the ying yang. Email being the last problem to solve.

    Good man, here's hoping. I know Snowden said he was in favour of it. Of course we could always switch over to Tor but as you know it's quite tricky to use it correctly to protect your identity.

    When it comes to e-mail there's always gpg I suppose but too few people take the time and bother to set it up. This is a shame as integration in programs like Outlook, Thunderbird and Mac Mail is pretty seamless these days. Perhaps they don't think their e-mails are important enough to bother with? :)


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Perhaps they don't think their e-mails are important enough to bother with? :)

    This seems to be the case alright. "Ah sure let them read it, I've nothing to hide". Yet they still use an envelope. ;)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Khannie wrote: »
    This seems to be the case alright. "Ah sure let them read it, I've nothing to hide". Yet they still use an envelope. ;)

    You said it bro! I once had a teacher who said you shouldn't put anything on the internet you wouldn't write on the back of a post card. Seems a little nihilist to me but there you go.

    I wonder if it actually wouldn't be more secure in practice to exchange written letters with correspondents using hand ciphers than risk having your e-mail hoovered up because it contains the wrong keyword? :)


  • Registered Users Posts: 6,374 ✭✭✭Gone West


    All the emails get copied, regardless of what keyword you put in it.

