TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

Discussion in 'privacy technology' started by Palancar, May 28, 2014.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I just tried to go there and it is showing TrueCrypt's site being shut 5/2014. Its been a few weeks since I have gone there.

    Anybody else seeing this??


    www.truecrypt.org


    sourceforge.net was popping up a dialogue about it but now its being over hammered.
     
  2. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,285
    I get a page about migrating to BitLocker.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Same here.

    Seriously, who would migrate to a system run by and controlled by Microsoft? Sure a business might, but a privacy advocate that wants his/her stuff to be "eyes only" wouldn't dream of it.

    Tin foil hat thought: TrueCrypt's site is shut so lets get the "suckers" to migrate from something we cannot break into. Then when they go to BitLocker we can have any access that we want. Until I hear about the hundreds of encrypted hard drives sitting around LE evidence lockers being opened I think I'll likely stay with TrueCrypt.

    I am waiting for a few big court cases to run their course regarding 5th amendment rights. If it ends up being that I/we have the right to remain silent regarding passwords I'll probably move everything over to LUKS/DmCrypt. That does not have hidden volumes so that is why I am waiting.
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    This is disturbing...
     
  5. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    It looks like a total hack job. Check out the Wikipedia page history and talk page. It was immediately bombarded by no-account edits and a couple of SPAs, two of which being the not-so-discreet handles "truecrypt-end" and "Noonnee"...all basically removing info and spamming the page with verbatim copies of the warnings about the program being unsafe.

    Everything about this looks like a classic phishing attempt. Someone gained control of the TC domains (the sourceforge and the main site...the sourceforge was where Version 2.1a was released, and a few months after that it started redirecting to truecrypt.org).

    But it does look like they've covered the bases...

    TrueCrypt.org redirects to truecrypt.sourceforge.net. They even got the sourceforge projects page plastered with the same warning:

    http://sourceforge.net/projects/truecrypt

    And if you go the bottom of the main page there's a link to that new binary, allegedly of version 7.2. (Let's just say I wouldn't run this thing if I were you.) It even comes with signatures, but at least one person on Wikipedia says they don't validate.

    My biggest question is, why the push to Bitlocker? Would anyone from Microsoft or NSA really be that naive? Or could this be like a false flag-false flag?
     
  6. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    @blainefry: It might be so, however if it is true please notice that the "hacker" didn't just take over truecrypt.org in order to serve malware from it. It is using the domain to discredit TrueCrypt, which makes this a more elaborate attack...
     
  7. linp

    linp Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    70
  8. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  9. linp

    linp Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    70
    Github:

    "the binary on the website is capable only to decode crypted data, not encode, and may contain trojan. The binary is signed with the valid (old) key. All old versions are wiped, the repository is wiped too."
    So it looks like a hack
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Glad I'm not the only one who went "Huh?" Here's to getting everything back up and running.
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    This makes the avast forum username and password hack look like a booger.
     
  12. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,285
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    So Snowden supposedly knows something about it?

    That's probably not good news :(
     
  14. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    The real suspicious thing about the TC shutdown explanation is that it revolves around Windows XP support. What would that have to do with TC security? Also, other Windows versions are capable of Bitlocker but Win7 Home Premium (probably millions of copies in use) does not come with Bitlocker. Pretty weak line of reasoning. Most security savvy people would not buy this simplistic explanation.

    This looks like a very sophisticated hack by a government agency. Which one I have no idea but getting a bunch of Chinese dissidents or Al Qaeda terrorists to freak out and decrypt their data before they get raided....o_O
     
  15. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    TrueCrypt Setup
     

    Attached Files:

  17. Morthawt

    Morthawt Registered Member

    Joined:
    Jul 10, 2008
    Posts:
    79
    Location:
    UK
    This is a bogus hack. I have seen several stories on this now and the facts just do not line up with a legitimate shutdown of TrueCrypt. The date format on the about screen is all wrong, the website redirects to a different place, they offer non-free-open-source bitlocker alternative. This is all wrong. I have made a youtube video with the hopes it will catch people's attention who would otherwise miss this news: https://www.youtube.com/watch?v=WJvNTsJesgQ

    This is really bad. I have backed up my copy of TC in case something has happened and I cannot ever get a working copy again.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    I'm betting that the wrench got to them, and that they gave it all up :blink:
     
  19. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    If this is going to be the Truecrypt thread concerning this issue, we really need a better subject title.

    This could be so many different things. I think the prudent thing is to do nothing. Yet.

    I think the most likely thing is this is Lavabit all over again. Truecrypt may have been compromised and they are telling us, without "telling us", that the software is not safe and has been compromised. Instead of going forward with their developers having been outed to governmental authorities in NATO countries, the software itself could no longer be considered 100% "clean" - they are simply shutting down and writing it off to "security issues" in a very broad sense. In other words, they are not playing along. They are just closing shop.

    Many possibilities, but the above is very possible.
     
    Last edited: May 29, 2014
  20. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Perhaps similar to Lavabit/Levison? An NSL/National Security Letter has been served?
    As in, 'either you fully cooperate and give us everything encryption-wise or we'll sue you into oblivion'.
    Levison decided not to play along and opted to pull the plug/destroy his product, rather than hand over his customers data/privacy.
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    >> Just a coincidence that SourceForge had a forced password change last week?

    sourceforge password change.jpg
     
  22. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I am surprised by the number of people I am reading on other sites fleeing their current versions of Truecrypt. I think my post 19 and Baserk's post 20 is still the most logical explanation - all the way down to the non-sensical nature of some of their suggestions. That could very well be the icing on the cake in their making it obvious that things have been compromised one way or another.

    As many know, I have been a big believer in hardware FDE, and stand by that. I also thought using TC with hardware encryption was also a viable option. If someone feels that need to abandon TC, take a look at some of the high-quality hardware FDE products. As far as software encryption, I feel comfortable with Jetico and their Bestcrypt line of encryption products. They've been at it since 1993, have very sharp developers, maintain their products well, and have a reputation of excellence from their base in Finland. It is not open-source, but Jetico has always been highly regarded.
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Sigh, and I just came back from DiskCryptor not too long ago for AX64 (and Parted Magic to an extent) compatibility. Will have to wait and see for now.
     
  24. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

    TrueCrypt is Not Secure As...

    Emphasis on the NSA in "not secure as"
     
  25. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    Not sure that would make sense as the source code was already available to everyone. Perhaps a directive to include a backdoor might be possible but then it also would be discoverable by anyone unless they switched to closed source which would result in immediate suspicion.

    Closing down the entire project without any prior news/hints doesn't make sense if it was actually due to a flaw. In addition why not simply fix the potential issues after so many years getting the program to where it was? I wouldn't suggest jumping ship until things are made clearer.
     
Loading...