TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

I quite agree, and said something similar back up the thread a ways...
For encrypted data, it's as simple as use keyfiles > dismount > secure delete keyfile
for TC and other system encryption, overwriting headers and shutting down ain't hard to script either.

For the rest of the non-James Bond obsessed world, the bar to destroy your data beyond recovery should require positive confirmation, and in the case of encrypted data, preferably authentication too (at least as a system administrator) as the price for doing so quickly, too many people render their data permanently inaccessible by accident as it is, without adding tripwires. Something that replaces or destroys the encryption keys would be fast and secure, but it absolutely shouldn't be remotely possible to trigger it by a rogue random click from a glitchy touchpad while exploring menus.

For those who actually really need such functions, heads of state, intelligence assets, military, such things are already done, but done properly in hardware with local or remote triggering as the use case warrants, trying in software is too easily defeated by your hardware being confiscated and disks cloned before you can trigger it anyway.

 

If you think people should learn to do things for themselves, why would you tolerate them calling upon other apps like eraser? It seems you recognize the value in having software elements that can be called upon to handle some details for you. So I think you'd recognize the value in having an encryption/decryption tool support a command line interface:

NextCrypt --create ...

What if we also had:

NextCrypt --destroy ...

Then, we'd have commands to [help] take care of the underlying details for both operations. For example, if for some reason the header moved or the format changed in a future release, a command such as:

NextCrypt --destroy --quick ...

could detect and handle either case for us. Say, down the road, we wanted to have NextCrypt support a specialized USB storage device that only it knows how to manipulate. Perhaps, in part, to eliminate those cases where Windows performs an undesired format. Then:

NextCrypt --destroy --full ...

could detect the situation and handle either case for us. There are probably other examples, but you get the idea. Those writing custom scripts to accomplish whatever it is they want to accomplish would appreciate such help I think. It could also be beneficial to carefully surface such a thing through GUI.

Point is, we *hopefully* will be starting a new chapter and NextCrypt or whatever will end up being genuinely better than TrueCrypt in appropriate ways. It would be wise to consider past arguments for this or against that. However, it would be UNwise not to take a "fresh" look at those arguments (be they ours or others').

 

I don't see the need for everything to be part of the same application, especially data destruction. If the same app does both encryption and data destruction, and that app is compromised or damaged, the user could lose the ability to destroy the data. It's basically the same rationale I have for preferring separate firewall and HIPS instead of a combined package. IMO, data destruction should be kept separate from everything else with restrictions on what can potentially execute it. On my setup for instance, the Eraser command line component can only be launched by one specific batch file (SSM enforced). As for using an app like Eraser, it makes sense to use an app that does one job and does it well, especially for users of Windows which has no secure delete of its own.

 

Well, the same executable wouldn't have to handle both creation and destruction. As an example, the design could be:

NextCrypt --create => NextCryptCreate
NextCrypt --destroy => NextCryptDestroy

The user could even have the option to not install, or just delete, the NextCryptDestroy.exe component so it isn't even present on the system. The GUI could be made to self-adjust to that situation so a GUI user wouldn't even see such a [non-functional] destroy option. I'm describing an ask or opt-out scenario there. Alternately, it could be an opt-in scenario where the destroy functionality is a separately downloadable/installable component.

With or without such changes, you would still be able to use other solutions if you prefer those. Eraser, your own modified build of the source, a totally from scratch solution, whatever. No one, here anyway, is proposing moving to a closed source solution which locks you in.

 

I'd rather see a command that replaced the key (cryptographicaly destroying the data), prompted you for a new passcode, then put a fresh filesystenm on the volume (quick format).
It'd still be reasonably fast, but it leaves you with something useful.
I know it'd be too slow for the ones with spy fantasies because of the time quick-formatting (still pretty quick)
but consider:
it's actually useful ro redeploy/repurpose storage (especially memory sticks)
a freshly created (useful but empty) container is easier to explain than one that's useless.

 

https://threatpost.com/audit-project-releases-verified-repositories-of-truecrypt-7-1a/106569

 

So are all the files from this website http://truecrypt.ch/ considered safe, as in, experienced TC users on this thread would use them, but not as in, there's really no way to say for sure? Or should I try to dig out an old version of TC I might be able to find on one of my old hard drives?

 

"Verified repository": https://github.com/AuditProject/truecrypt-verified-mirro.

 

Some new thoughts on the demise of TrueCrypt. In particular, why end the TrueCrypt endeavor? What to make of the "end of Windows XP support" explanation? Why recommend Microsoft BitLocker? How did the TrueCrypt developers transition their product to Windows7 faster than competitive commercial products?

These questions themselves suggest a *possible* answer to me. Please note the emphasis on *possible*. This *possible* answer: that one or more of the original TC developers was a MicroSoft employee.

MS employees have released excellent software for use with MS and other products, typically in the form of freeware, e.g., Sysinternals Suite. One would presume that MS frowns upon or expressly forbids, MS employee involvement in software products that compete with commercial MS products. However initially TC passed this test with flying colors. Windows XP did not offer system or container encryption. Hence the freeware TrueCrypt merely provided a non-competitive enhancement for Windows XP users.

Then came Windows 7. BitLocker arrived with the more costly Enterprise and Ultimate versions of Windows 7. Nevertheless TC was rapidly modified to allow use with Windows 7, perhaps in the belief that BitLocker was primarily directed to large enterprise clients; and perhaps further in the belief that TC enhanced use and value of Windows 7 for non-enterprise and non-ultimate users. TC never included any enterprise capabilities and hence did not compete with MS enterprise users. Hence there is at least a good faith argument that TC may have been believed to have been non-competitive with Windows 7.

The next needed enhancement for TC was modification sufficient for complete compatibility with Windows 8 and 8.1 etc. But Windows 8 and 8.1 came packaged with BitLocker for all users, weakening any arguments: that (i) TC was needed to enhance use and value of Windows 8+ and/or (ii) TC was not competitive with existing MS products.

The TC developers decision to abandon ship at this point, and to point TC users to BitLocker, thus might have been made to comply with existing MS employment contracts and/or to further evidence a lack of intent to compete with, or to harm existing MS products (in the event the identities of the TC developers may have been discovered by MS or might be discovered in the future). So TC bows out with a statement that MS now has the TC functionality fully covered and there is no longer a need for TC. End of story.

A two cent possibility.

__

 

Yes, I agree. More plausible that some of the other "theories". But no confirmation exists at this point.

 

I actually posted this earlier in this thread, but there's quite a few repositories...

https://en.wikipedia.org/wiki/TrueCrypt#Archives_and_repositories

I would venture that Filehippo is pretty trustworthy. The "DrWhax/truecrypt-archive" github is pretty widely cited too. It's been around for years, and it seems that pretty much everyone trusts it (not the least of which because it's been archiving the versions while they were easily verifiable on the official TC site).

If you're really curious/paranoid, I would just download copies from a few different places and then look at the hash values. For one thing, they should obviously all match with each other, and then you can also just do an Internet search for what the value should be. There's postings of the values everywhere. Here's one from this forum that someone actually went looking for and posted a link to it in one of these recent TC threads...

https://www.wilderssecurity.com/threads/truecrypt-honeypot-revisited.353108/page-2#post-2279861

Just for reference, the values for TrueCrypt 7.1a.exe:

CRC32: 1B1AC848
MD5: 7A23AC83A0856C352025A6F7C9CC1526
SHA-1: 7689D038C76BD1DF695D295C026961E50E4A62EA
SHA-256: E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2

 

I can verify that the MD5 hash you posted matches my copy of 7.1a.

 

Those hashes match those of a copy I downloaded last year.

 

Agreed entirely... this was my first impression when looking into this. It seemed an indictment of newer OS's of Windows post XP more-so than about TrueCrypt. They don't feel their product can be trusted to keep boxes safe post XP. I've never been convinced that any Windows OS since can be trusted, and this only reinforces that notion to me. I feel perfectly safe running any version from 7.1 (no bloddy "a" which N.S.A. can't be finished without). There were serveral things that my instincts didn't like about that version. The timing of the release, and lack of updates since. Even though I'd reformatted my PC since then I didn't feel right putting it on my box. Just the general notion that if a version isn't proven vulnerable, why take the risk? Seeing the changing landscape of things... the fiasco with OpenSSL. I just don't trust the new. This goes with Firefox versions since 28 as well.

It's like there's nothing left anymore. I sit here still on XP, with TC 7.1 and Firefox 28... almost like I'm just biding time and delaying the inevitable until this house of cards (if that sturdy even) comes crashing down. Then I guess I'll find a new hobby. I mention months ago that I felt if you want any data safe it should be physically disconnected from the net period. Trust nothing anymore. I do think the messages on the site were put up by TC and not a hack to warn people. There is cryptography in the messages. Again, it seems the distrust is for newer versions of MS and not their product specifically, though I won't trust anything past 7.1 still, and on XP. The crap about BitLocker looks shady no matter how you slice it. If it was the NSA, then it's hardly trustworthy. If TC put it up it just makes no sense they'd tell you to trust a proprietary MS method. It looks shady and they'd expect you to make that connection. And if you put both assumptions aside and just take it at face value... do YOU think trusting MS with your data... that there's no backdoor, is wise? So any way you cut it it reaks of BS.

Even if this audit is revealed to uncover some poop, I still don't know that they haven't been compromised. Until I start seeing TC encrypted drives being decrypted with my own eyes I won't believe it. And on XP machines too. I suspect it will be revealed that it isn't safe to use on post XP OS's. But they won't make that distinction and just say it's unsafe entirely, since they won't urge people to stay on a dated OS, even though I'm convinced it's the more secure/private/anonymous MS has ever or will ever make. I was never in a hurry to upgrade and am even less so now. That push to get people to change seemed like it was contrived, and almost had a machinery and iron fist behind it. Now after not biting and keeping it for some time after I'm seeing that agenda being followed through with.

I really hope that old school techy communities can continue to support XP (and not via the POS hack, which I don't trust). And maybe even take on continuing the vein of Firefox v28, before the massive overhaul. I've mentioned before why I don't trust it in light of recent changes (staffing a former NSA employee that worked on breaking cryptography). You really can't trust the new anymore... only true purists to continue on the legacy of, well... the legacy stuff.

 

And if anyone needs the installer for TC 7.1, PM me and I can get it to you.

 

luciddream, Im on XP and your post is interesting. Im on FF29. Can you give me headsup on why you stop at 28? When computers hit the internet I have no trouble in "trusting no one". My best level of defence is that if my system gets compromised it won't exactly be rich pickings lol.

Editied to ask... how do I verify my TC executable ( 7.1a) ...I cant remember where I DL'd from.

 

I recommend Firefox ESR instead of the main version: https://www.mozilla.org/en-US/firefox/organizations/

 

You can see what I mean about Firefox by looking at a post in the "other software & services" section, thread titled "Firefox 29 Final" on page 3. Page 2 of the thread, post #49. As I said FF took on a new member to it's team recently that should carry plenty of cause for concern... yet nobody is talking about it. Ever since this I've had my eye out for (bad) signs of change, and have seen it. Like everything else the ability to customize and fine tune settings... the war on open source many people cite in this thread, FF & TC are microcosm's of a larger picture. And from their team I hear the same lame rationale for people to embrace the change I heard from proponents of "upgrading" to newer versions of Windows: "It's the way/direction things are moving in these days... you have to get with the times and adapt." Basically, because all the cool kids are doing it and it's the new wave/future. But when it comes to mentioning tangible specifics about what improvements have truly been made, well, you just don't really hear of any, because none really exist. Umm... the tabs are more aerodynamic! If you care to, watch a Youtube video entitled: "Firefox 29 Shiny New Things" to see my thoughts exactly on this topic...

I really can't believe that some people deny that there are hidden messages in that warning message. Not only cryptography right before your eyes, but just things that by common sense alone don't add up. The words that add up to "n.s.a." when taking the first letters... the latin message when using the same method over a larger sample size. The overall nature of things that just reek of "the man interfering". The fact that these people are all about using cryptography in their language... it's what they do/did for a living & hobby. If you take any one of them in an isolated incident, sure, you can say it's a coincidence. But when you add them all together the chances of it all being coincidence is probably less than 2%. I don't think they are incarcerated though, as it also reeks of being an attempt to smoke them out by making them feel compelled to provide an explanation to people.

I think that in their mission to make TC compatible with Windows 8 they discovered something they weren't supposed to. This was the only way to protect themselves and other people, while also leaving a trail of bread crumbs behind they knew would be picked up on while not making it obvious that it was intentional (even though it is). Really I'm surprised it wasn't something much more elaborate and difficult to see, like a Cicada 3301 recruiting campaign.

Newer is hardly ever better these days in the tech industry when it comes to security and privacy. Not when you look past the initial facade to see what's underneath... behind that UAC and a shiny new mitigation technique or two is an inherently flawed framework that's broken by design to allow "the man" easy access to every click or keystroke you ever make. When I see that message I see: "We can't guarantee you that XP is safe anymore... but we CAN guarantee you that anything made since isn't." It comes through loud and clear, and it should be widely acknowledged and not just swept under the rug and obfuscated by semantics. And the only way to salvage the situation is for the people that truly care to, and have the ability to do so put forward their time, effort, skill and resources to continuing to harden good, known traditional means/software... before it went south, and continue to support it. What I mean is basically take things like Windows XP, TrueCrypt 7.1, Firefox 28, etc... and carry the torch and continue to update it ourselves from there. Get organized, but keep it relatively small too to lower the chances of infiltration. Discernment is critical... people of sound character and moral fiber. A tough balancing act because you must have funding too. Start your own "secret handshakes", so to speak. Ironically just before this all happened I was talking to someone else about how nothing can be trusted anymore, and that the best way to be sure your communication is really protected end to end is to have your own code/runes that only you and that other person(s) knows, to decipher on the other end. That is how cryptography all got started at it's roots, and it's funny how things tend to come full circle over time. And a message that appears innocuous to an oblivious MITM could say something entirely different to the people on either end. The codes/runes would have to be changed often, preferably never kept on a computer (because rumor has it even offline computers can be hacked remotely these days), only via pencil & paper, which would be destroyed after learnt... fake deciphers left in easy to find places in case of raids. This all sounds extreme and is the type of stuff that gets one moved way up to the top of a list at a fusion center, but drastic times call for drastic measures. Otherwise all is lost.

Chances are that everything I just mentioned is already underway. Chances are also that even if people with good intentions (initially) got organized like this, well, you know the whole thing about absolute power corrupting absolutely? And how today's revolutionaries are tomorrows dictators? But that's a chance you have to take when the system/regime in place now is clearly in need of an overhaul.

And I believe that the people working on TC are the types of individual I just mentioned. Not necessarily the part where they become dictators (the ending isn't written yet in this case), but about being people with good intentions. I don't buy that they were corrupt/G-men from the very beginning, or even that they are now.

sorry for the rambling...

 

@luciddream
What you're describing is basically the way I'm seeing it. The only real differences is in our choices of operating systems and software versions. I don't trust anything past XP either, and then only after a lot of disabling and stripping. With operating systems, browsers, and most other software, we've been trading convenience and eye candy for basic control on a constant basis. It's reached the point that it's a major fight to shut off the things that you don't need or to prevent apps/browsers from calling home. I have yet to hear of anyone completely closing all of the ports on Win 7 or 8. The "get with the times" crowd claims it's not necessary because those ports are only open to the LAN, not the internet. That reasoning doesn't take compromised/backdoored routers into consideration. Compromise the router and all of those ports can be exposed. I'm convinced that encryption of any kind can't be trusted on post XP systems. For my own use, I won't trust any of the NT systems with anything that I consider sensitive or personal.

I can't completely agree with that statement. I'll admit that it's lost its appeal as a hobby but computing and the internet is still a viable communications tool. It's still the only realistic way to get access to news that the mainstream doesn't give you. If anything the "house of cards" would be the internet itself.

 

Luciddream, youre not rambling. Great post and many thanks. It will take me a while now to go through more carefully and look at your references.

Regarding the so-called latest and greatest feature list, for a long time Ive seen on both the MAC platform and the PC, the reload/recycle syndrome. Security aside for a moment, I mean just plain out bloatware. Who really needs it? I don't. XP works just fine for what I need (not taking into account the things I need to understand security wise). My MAC OS has a certain job to do and does it just fine OFFLINE, but what do they do? try to phone home for no good reason at all. My software is legit and paid for. There's no need for them to know anything more than that at the time I brought it at a bricks and mortar place. Its nothing more than spyware when it tries to force you to do things such as "register your product" and you'll get a nag screen every 5 times you load the program until you do.

I most certainly believe that the lamestream media is NOT to be trusted and that its heavily tailored and managed to keep the masses on the right diet to keep them dumbed down. The internet has some great pickings if you know where to look. How long that remains, remains to be seen. In the meantime, in a backdoor way (excuse the play on words) you actually get more information in places like this board, though granted, you still have to be careful who you listen to. Broadly speaking, I find eventually, when you go to certain places for info, the dots connect up and you start to see a pattern of verification from the same sources. One real caveat is even with the alternative news, its beware. Those places have been infiltrated as well from ex ...... (insert your 3 letter agencies).

 

For those who aren't addicted to a steady stream of barely useful features and aren't caught up in the newer is better mentality, the older software and systems work just fine. With browsers for example, I'd rather close a vulnerability with a filtering proxy and not have to worry about the new holes created by the new features that I didn't need. IMO, rapid update is shoving changes through faster than the code can be properly inspected. Open Source apps no longer seem to care what the users want. They're just commercial corporations pretending to be user oriented. Example, Mozilla corporation vs Mozilla foundation. On a virtual XP unit, I run the current version of SeaMonkey. On my main box, I'm still running version 2.0.14. Except for a very few sites, the old versions works just fine, doesn't call home, and doesn't have many of the new "features" that do more to make a browser trackable than anything else. Except for a few HTML5 sites that don't work on the old version, I don't see anything that makes the new version better. It's slower and more bloated. It's the same with operating systems. There is no good reason an OS should need several gigabytes of RAM and disk space just to run. On XP and earlier systems, it was fairly easy to strip out the bloat, close the ports, and disable services most would never need. On win 2000, trimming down the number of services was easy. It started getting harder on XP with each service pack adding more, making them more interdependent, and removing the users ability to disable others. Then you look at Win 7, this thread for instance. There is no reason an OS needs 169 services.

 

but atleast w7 still gives you the ability to tighten it down to proper secure levels, i know alot of guys that still use it and plan on using it for a very long time due to w8 and beyond having gone 3 steps back in terms of GUI design and usability, possible security holes , backdoors the list goes on and on , i myself wouldnt use anything beyond 7 as of currently , unless microsoft stops bending over for everyone and starts to

think about theyre userbase instead of including backdoors into every peace of software they release , maybe windows 9 will change perhaps? wishfull thinking i guess , xp is abit aged if i myself as a previous w95, Me, 98 , 2000 and XP user might say so lols, heres a good thread for tightening down your w7 OS to make it usable without home calls , lols ,

https://www.wilderssecurity.com/threads/security-hardening-windows-7-64-bit-install.324004/

and using a ramdrive for the pagefile is a must if you plan on to not having your TC passwords including content and history recovered , since theres still some old apps that require a pagefile , just saying but you guys knew that of course


btw its nonsense and abit ridiculous to think firefox
28 was the last secure iteration of firefox , as long as you go through the about:config and

check it through for any suspicious entrys you should be ok , and call home "features" can be disabled + using the proper security addons mitigates the rest of the security issues , such as random user agent and noscript, https everywhere, selfdestruct cookies ,

refcontrol and requestpolicy are only a few good ones, the list goes on , btw theres an addon to restore the old theme layout for the guys that hate the new layout and about open ports , well get yourselfs a proper firewall such as comodo firewall no need to run 2 seperate

programs , it got a great hips included and a sandbox as well and its easy as all hell to block all ports except ones you want to allow then to make sure everythings safe and no home calls you just run wireshark and see for yourself if youve done good or it needs more polish, pretty much leak proof the way i see it, this goes for any network interface be it LAN or Wifi , not to mention you can use whonix vms for isolation and pfsense

vms for enterprise grade firewalling etc ontop for added security, i honestly dont see the issue here just some overly paranoid guys that are glued to theyre xp systems and this coming from someone that has a healthy amount of awareness himself , lols, atleast upgrade to w7 its xp just much more easier on the eyes and has better support all around,

and to finish it off use Shadow Defender to keep your OS squeaky clean while regular use aka not updating, oh and before i forget TC 7.1a is perfectly fine i dont think theres anything wrong with it at all , its been the last proper update released before the recent issue about TC devs stopping work on TC, hell even Tails has it included , my 2 cents

 

Using a firewall (software or hardware) to block open ports is a bandaid approach that hides the problem instead of solving it. If the firewall fails, you're exposed. If there are no open ports, an adversary can bypass your router, kill your software firewall, and still not have an entry point. Software firewalls are intended to control legitimate traffic, not compensate for the operating system.

Regarding FireFox, or any other current browser, you're assuming that all of the call home features can be disabled and will remain that way. It's easy to say "disable the call home features". Try to find them all without allowing that browser to call home in the process. Not everyone has the skill or spare equipment to route all of a PCs traffic through another unit and properly monitor it. It shouldn't be necessary to have separate hardware between the web and your PC in order to control it.

 

who said anything about hardware , just use wireshark portable on the pc facing the net and have it check your networking hardwares packets and youll see if theres any call home instances no extra hardware required , thats how one checks if firefox isnt doing anything its not supposed to do but you may use an extra setup if you so may wish thats up to you , and about firewalls software or hardware being killed off , first off now

were in hacking territory , so first thing is your absolutely right if someone determined enough wanted access to your pc they would most likely get to it, i by default never 100% trust my router , even thou it runs custom locked firmware and a tightened down firewall , and your example would only work then if you wasnt blocking all incoming connections in advance and disabling ipv4 and ipv6 on your host OSs network interface and then running a bypass from your network interface to a isolated pfsense vm , effectively blocking off any ability for intruders to access your PC unless you invite them to aka malware , viruses etc, the above goes for LAN and Wifi the same, if ive missed something do tell


btw that firefox 29 shiny things clip on youtube is da bomb xD