TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

Discussion in 'privacy technology' started by Palancar, May 28, 2014.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
    http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's reasonable except for one thing. Why create so much FUD that an open-source fork looks risky?

    What they're doing (if in fact they're doing it) would also make sense if an auditor had found a serious vulnerability, and they didn't want to reveal specifics. And maybe some TLA was effectively such an auditor, by how they explained what they wanted.

    For the present, I agree that waiting for clarification is the best course.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    What's that got do with anything ! People can still use previous versions on TC, PLUS

    This "might" have something to do with it ?

    As they have been communicating with outside parties on the audit, it's "possible" that somehow their Real identities have been discovered via for eg, MITM by the NSA etc. Which "could" have lead to visits & words in their ear etc ! And recommending Bitlocker as a solution, LOL that smells like crazy !

    Your beloved baby ain't your baby anymore.

    I wonder what Schneier might have to say, if/when he does ? https://www.schneier.com
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I just backed up my 7.1a to about 10 different places.

    SHA-256 - E95ECA399DFE95500C4DE569EFC4CC77B75E2B66A864D467DF37733EC06A0FF2

    It's the same version I've had on here for a while, and it matched what Raccoon put up, in an older thread about the authenticity/build from source.

    No way I'm stopping use - Daniel Dantas' drives are still secure. If Schneier/Green say stop, then I will.

    Edit: BTW, this took me forever to find! LOL

    https://www.wilderssecurity.com/threads/truecrypt-honeypot-revisited.353108/page-2#post-2279861
     
    Last edited: May 29, 2014
  6. JohnMatrix

    JohnMatrix Registered Member

    Joined:
    Apr 12, 2012
    Posts:
    48
    Location:
    Behind you
    Very strange, my money is on the dev(s) preventing the software to be compromised by a secret subpoena, a serious (physical) threat or something like that.
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    There are hints of this being an elaborate hack, could it be related to the recent sourceforge password reset ?

    http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe the 2011 SourceForge compromise went deeper than they thought :eek:
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A comment in the link from post #8:
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I agree.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure that we'll ever get the full story here. I'm assuming the site change is their doing and not a hack or government coercion. It's possible that the problem isn't in Truecrypt itself. It might be something they've discovered regarding Windows leaking or exposing data that can't be fixed through Truecrypt. Their tying this to XP support would make me believe this is a possibility. It's possible that they discovered what they assumed was a big flaw in Windows and contacted them about it. Then all hell broke loose. If I had to bet on this, my bet is that they've been exposed and are incarcerated. IMO, the developers have sent us a message the best way that they could, tying it to XP support. Now it's up to us to understand the meaning, even though we don't have the details. Myself, I believe linking Truecrypt to XP support is a warning against using the newer versions of Windows.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Mods: Thank you for changing thread title :).
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    This is actually a standard warning if there are issues that the MS experience team find problematic, especially with an upgrade in place to Win 8 from an older, supported version of Windows with the app installed. Though they say the app could be malicious, the warning is more abundance of caution in many cases than it is potentially accurate...

    IOWs - be cautious and be aware that the warning MIGHT indicate a problem you need to pay attention to. What the actual problem IS however is still unclear...
     
  14. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    473
    Location:
    Neo Tokyo
    This smells as PSYOP tactic from a quadrillion miles away.
     
  15. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Now 7.2 is available at the download sites, both in Fileforum and FileHippo. No warnings in either site.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wonder if this could have anything to do with TrueCrypts recent audit of their code. A full audit of TrueCrypts code was started a few months back. Over $70,000 was raised for this. The last report was that no backdoors had been found. I would think Government entities, or the developers of TrueCrypt themselves would be the most likely culprits to shutdown TrueCrypt. Activist hackers would not want people to switch from TrueCrypt to Bitlocker unless a backdoor was found. If a backdoor would have been found then it could have been removed by the team auditing the code if the license would permit it. Their is a hug question with the license right now if anyone else can take over the TrueCrypt project. The developers have remained anonymous, and the license is very odd as some have put it. They are already talking about having an attorney look over the license. The articles below contain some good information in them.

    http://www.theregister.co.uk/2014/04/15/truecrypt_audit/
    http://arstechnica.com/security/201...s-no-evidence-of-backdoors-or-malicious-code/
    http://www.pcpro.co.uk/news/388990/truecrypt-encryption-service-shuttered-mid-audit
    http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
     
    Last edited: May 29, 2014
  17. Dogfather

    Dogfather Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    15
    Location:
    United Kingdom
    Meh! I assume since the audit was crowdfunded it will continue. I will wait for the results. If there is a vulnerability then (Assuming someone can work around the murky licence) we will know what it is and if it can be "fixed".

    Whether or not volunteer developers pick up and run with the TrueCrypt code to keep it going, Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.

    If the audit stops then I guess I will have no choice but to look for an alternative.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think the audit will continue. It should not stop. It was already payed for. If it is stopped that would be like stealing peoples money.
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Something wrong with that logic as they tell users to migrate to bitlocker in this 'new version' used for decryption only. That's the smelliest part of all this IMO.

    Devs being exposed and turning tail seems more likely but it wouldn't explain the older digital signature used to sign this new 'decryption only' version. The most likely answer for THAT part of the riddle is that one of the devs who had access to that signature but later fell out with the others managed to get access to the source forge pages during the password reset last week and is having a bit of fun. Of course that's conjecture and wouldn't explain the main page/forum. We can all throw different ideas out but the truth is we will have to wait until more information is available. (If it ever is) Regardless of how it plays out I think truecrypt has lost a portion of it's user base already. If it does turn out to be legit (eg backed up by the audit) and there are issues I expect very few people would continue to use it even if it was picked up by someone else and 'fixed'. The timing of it all is odd though! Very interested to see how this all plays out. /me grabs the popcorn.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Hey guys, when I first titled this thread I had no idea this was going to be so BIG!! I am a very long time user of this code.

    I am mostly using Linux now but I still have many encrypted externals that were created via windows 7 and before. I have TC on my linux machines so that I can fully access those externals. Being cautious I have stayed with 6.3a because I believe the 2009 code is secure, and was created before all the Gov pressure started coming down on the dev's. Just like PGP where I stayed with 6.5.8 for as long as possible.

    I actually feel that using TC with linux is safer due to some likelihood that there are "windows" leaks, which are not likely accidents. I have to use LUKS and LVM for the system disks but I like TC for the other stuff because of the hidden volume features. I am not panicking at this point, but I am considering using TC to re-create some of the volumes -- ONLY -- I will use a linux OS to host TC during the process. My linux 6.3a works well and is fast.

    You would think the answer is none, but I wonder what differences there are between a 200 Gig windows created TC volume and its twin being created via a Linux OS instead?

    I do have personally compiled code so I don't have to worry about "crappy" binaries which don't reflect the source for windows. I have never tried to compile the linux version at all. My linux binary is many years old and I grabbed it long ago.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If the license can be changed to allow Truecrypt to be worked on by the opensource community then TC will live on. I'm not sure which license would be best for TC.
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    List of Truecrypt compatible encryption software.

    -- Tom
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This assumes that they were given a choice. If they were discovered and their door kicked in, whoever it was may have all they need to sign anything that they want. Imagine yourself in that scenario. How would you warn users in a way that looks plausible to someone standing over your shoulder but still has a chance of getting the message across? They may have been forced to suggest bitlocker. Regardless, all we can do right now is guess, and look very closely at whatever else comes out. For all we know, the NSA may have seized their equipment and accounts and are responsible for that page.

    I'm not a Truecrypt user so this doesn't directly affect me. It does have me asking if we're seeing an escalation on their war against privacy and encryption. It wouldn't surprise me at all if this is similar to what happened to lavabit, but with additional measures to assure that they got everything that they wanted ahead of time.
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    The whole story smells fishy, thats sure...
    but keep in mind that TC wasn't updated for a very long time... support for windows 8 was long due.
    And remember the money collection/donation they head runnign for the past year or so...
    It may be just a case of people loosing interest on maintaining an old project...
     
  25. Randcal

    Randcal Registered Member

    Joined:
    May 29, 2014
    Posts:
    76
    I noticed one mention of saving a copy in 10 different places...For anyone interested, you don't have to worry about losing access to the software. There's repositories out there...

    https://github.com/DrWhax/truecrypt-archive
     
    Last edited by a moderator: May 29, 2014
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.