ebrke Posted May 28, 2014
TrueCrypt may have packed it in: http://arstechnica.c...abruptly-warns/

V.T. Eric Layton Posted May 28, 2014
Hmm...

ross549 Posted May 28, 2014
Steve Gibson noted that there is only a Windows EXE available on Sourceforge..... Seems really odd. I bet the project was compromised somehow.
Adam

ross549 Posted May 28, 2014
The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain only changes that warn the program isn't safe to use. Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key. That suggested the page warning TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank.

Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.

In either case, it's a good idea for TrueCrypt users to pay attention and realize that it's necessary to move to a new crypto app. Ars will continue to cover this unfolding story as more information becomes available.

http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/?kw=100k_pvs&search=100k_pvs

V.T. Eric Layton Posted May 28, 2014
Not-So-TrueCrypt?

Guest LilBambi Posted May 29, 2014
TrueCrypt now encouraging users to use Microsoft's Bitlocker - PCWorld

The site continued: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," it read. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

...

The move was especially puzzling, given that TrueCrypt, a popular security choice for PCWorld users for several years, had recently passed the first round of a security audit. iSec, the firm that did the audit, found 11 flaws, but none that were immediately exploitable. Otherwise, iSec said it “found no evidence of backdoors or intentional flaws”.

Could have been quite a few things. Might even have been some sort of strong arm tactics by some 3-4 letter agencies ...

ross549 Posted May 29, 2014
I heard some speculation that this might have something to do with Snowden's interview on TV tonight. Entirely rumors, though.
Adam

securitybreach Posted May 29, 2014
I assume this is for all platforms? I thought since truecrypt is an open source encryption application, one would generally assume that people are auditing it quite a bit since it's open source.

I wonder if the devs purposely put in a back door to let the NSA bypass it....

Oh well.... at least we still have dm-crypt/LUKS (for the moment anyway) https://wiki.archlinux.org/index.php/LUKS

crp Posted May 29, 2014
Inside job? This situation is just so weird, for instance why set up a new security key just for a program that does not encrypt?

ross549 Posted May 29, 2014
The speculation is rampant at reddit right now..... http://www.reddit.co...s_ended_052814/

Specifically... http://www.reddit.co..._052814/chtf998

The binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (seems like it doesn't, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too.

Assumption #1
The website is presumed hacked, the keys are presumed compromised. Please do not download or run it. And please don't switch to bitlocker. Latest working version is 7.1a. Version 7.2 is a hoax.

On the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.

Why I think so: strange key change, why bitlocker?

Assumption #2
Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing. So this version is legit.

Why I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources), the binaries seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a). License text is changed too (see the diff below).

Why is it ridiculous for TrueCrypt developers to suggest moving to BitLocker? Well, TrueCrypt was strictly against of using TPM because it may contain extra key chains which allow agencies like NSA to extract your private key. So why would they suggest such a thing and not other open-source alternatives? It looks like a clear sign that the developer can't say he's in danger so he did this. As many suppose, this could be the sort of warrant canary.

Assumption #2 is more likely true than assumption #1. Sad but true.

Assumption #3
7.1a is backdoored and the developer wants all users to stop using it.

Why I think so: there is a website http://truecryptcheck.wordpress.com which contains all the hash sums for TrueCrypt 7.1a. It has only 1 blog record from August 15, 2013, only for TrueCrypt and only for 7.1a. It's a bit strange to make a website with the hash sums for only one program and only one version of it.

SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.

SourceForge claims everything is as usual (from https://news.ycombin...em?id=7813121):

Providing some details from SourceForge:
We have had no contact with the TrueCrypt project team (and thus no complaints).
We see no indicator of account compromise; current usage is consistent with past usage.
Our recent SourceForge forced password change was triggered by infrastructure improvements not a compromise. FMI see http://sourceforge.n...assword-change/
Thank you,
The SourceForge Team
communityteam@sourceforge.net

TrueCrypt developers are unknown and currently there is no way to know who is who and who should we listen to.

From wikileaks twitter https://twitter.com/...69936038461440:
(1/4) Truecrypt has released an update saying that it is insecure and development has been terminated http://truecrypt.sf.net
(2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement
(3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..
(4/4) in the dev team or psychological issues, coercion of some form, or a hacker with access to site and keys.

From Matthew Green (one of TrueCrypt auditors) twitter https://twitter.com/...52508147519488:
@SteveBellovin @mattblaze @0xdaeda1a I think this is legit.

Diff between latest version and the hoax one: https://github.com/w...re/master...7.2

Screenshot: http://habrastorage....a4e54038fc1.png

Topics:
https://news.ycombin...item?id=7812133
http://www.reddit.co...s_ended_052814/
http://www.reddit.co...ecrypt_is_dead/
http://www.reddit.co...t_of_truecrypt/
http://arstechnica.c...abruptly-warns/
http://krebsonsecuri...-is-not-secure/

Twitter stream: https://twitter.com/...ecrypt&src=typd

You may join IRC #truecrypt@irc.freenode.net, although there is no OPs right now.

zlim Posted May 29, 2014
I wanted to see what Bruce Schneier had to say because he uses this and he is a security expert I trust. Here's his post today https://www.schneier.com/

ross549 Posted May 29, 2014
Spoiler alert- he has no idea either.

Right now everything I've seen regarding TrueCrypt is pure speculation. No information of any substance has come forward, and that is really interesting/scary.

Here's the thing- this is an open source project. Someone has the code for it. Assuming the NSA hit the authors (despite being anonymous) with an NSL, and True Crypt behind in the same way Lavabit did earlier, what's to stop someone from restarting the project elsewhere?

This poses interesting implications for Open Source software, assuming the above is true. How should the OSS community respond to such actions? Move projects overseas to international servers? Continue development within the Tor network?

Knowing what really happened in the TrueCrypt situation is critical before moving forward.
Adam

ross549 Posted May 29, 2014
This would all be a lot clearer if only it were April 1.

http://www.zdnet.com/truecrypt-quits-inexplicable-7000029994/

It may rank up there with the greatest mysteries of history: What is Stonehenge? Who was Jack the Ripper? What happened to TrueCrypt?

Guest LilBambi Posted May 29, 2014
I wanted to see what Bruce Schneier had to say because he uses this and he is a security expert I trust. Here's his post today https://www.schneier.com/

Adam's right. He has no ideas posted but he does have a couple more links (Brian Krebs and Cory Doctorow) than we have here so far.

Here's the full link to that blog posting: https://www.schneier...ecrypt_wtf.html

Guest LilBambi Posted May 29, 2014
Hmmm, another possibility... Since the Windows version is an .exe on SourceForge, maybe the project became an unwitting dev that started using SourceForge's crapware installer for executables and the project's users started getting burned by it in Windows.

ross549 Posted May 29, 2014
Interesting..... But the page specifically mentions security problems within TrueCrypt. If the Sourceforge crap was a problem, they could simply move the project to Github....
Adam

Guest LilBambi Posted May 29, 2014
Interesting quote from Cory Doctorow's BoingBoing article:

Truecrypt is a widely used system for disk-encryption, and is particularly noted for its "plausible deniability" feature, through which users can create hidden partitions within their cryptographic disks that only emerge if you enter the correct passphrase; this is meant to be a defense against "rubber hose cryptanalysis," in which someone is physically or legally threatened in order to coerce them into yielding up her keys. In the "plausible deniability" scenario, the victim can give up the keys to a "harmless" partition while keeping the very existence of a second partition for sensitive material a secret.

I am a Truecrypt user, as, apparently, is Edward Snowden, who lectured on the software's use at a Cryptoparty he held in Hawai'i before going on the run.

I begin to smell a rat. Remember Lavabit...

Guest LilBambi Posted May 29, 2014
Interesting..... But the page specifically mentions security problems within TrueCrypt. If the Sourceforge crap was a problem, they could simply move the project to Github....
Adam

Good point. But look above. The style of taking it down is very much like Lavabit.

ross549 Posted May 29, 2014
Yep. This is widely speculated.
Adam

ebrke Posted May 29, 2014
BoingBoing webpage won't load, neither will a link to this on Twitter. I don't know if just too many people are hitting the sites or if there's a more ominous reason. I did pick up a reference to Glenn Greenwald's believing that TrueCrypt was penetrated on his partner's computer. The lack of any specific information makes this entire situation more than a little alarming.

Guest LilBambi Posted May 29, 2014
Weird! http://isitup.org/boingboing.net reports: boingboing.net seems to be down!

ebrke Posted May 29, 2014
I begin to smell a rat.

I'm smelling an extended family of rodents.

Guest LilBambi Posted May 29, 2014
Weird! http://isitup.org/boingboing.net reports: boingboing.net seems to be down!

https://twitter.com/...090563139760128

Back up now!

ross549 Posted May 29, 2014
Back up what?
Adam

ebrke Posted May 29, 2014
Back up what?
Adam

BoingBoing was down completely for a while.

ross549 Posted May 29, 2014
Derp.
Adam

V.T. Eric Layton Posted May 29, 2014
I think I dated that guy's sister once. She had a stiffer beard, though, if I remember correctly.

ross549 Posted May 30, 2014
Anyway.... there is one key thought I have about the whole situation. TrueCrypt is Open Source. Someone has the code for it, I guarantee it. So why not just resurrect the project elsewhere? Why does TrueCrypt have to be dead?
Adam

securitybreach Posted May 30, 2014
This is beginning to be quite the mystery. It will be interesting to see what the real story is.

Robert Posted May 30, 2014
https://www.grc.com/misc/truecrypt/truecrypt.htm

Looks like I'll keep using it.