BuckoA51 Posted May 28, 2014
http://truecrypt.sourceforge.net/ "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." Okay anyone got any ideas? This seems rather unlikely. I can understand Truecrypt devs throwing the towel in but, migrate to Bitlocker?! A closed source solution, I don't think so.
digininja Posted May 28, 2014
Sit back, don't speculate, wait for a day or two and whatever has really happened will come out.
BuckoA51 Posted May 28, 2014
Ah but speculation is such fun!
digininja Posted May 28, 2014
In which case I blame the time travelling space monkeys.
BuckoA51 Posted May 28, 2014
I guess time travelling monkeys would work quite well at brute forcing containers now that you mention it. More speculation here:- https://news.ycombinator.com/item?id=7812133
Sebkinne Posted May 28, 2014
The biggest issue I see is this: We do not know the identity of the truecrypt maintainers. We do not know if the private key used to sign the binaries was compromised. This means that there is no real way of knowing if this was a hack or real. The maintainers could now change the website, show us a new key and say "Sorry, we got hacked" - but can we verify this is actually them? It's hard to tell what will happen..
BuckoA51 Posted May 28, 2014
"the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases." Interesting....
Sebkinne Posted May 28, 2014
> "the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases." Interesting....

Exactly. But if the private key has been compromised.. that is moot.
BuckoA51 Posted May 28, 2014
True, but wouldn't that suggest more than a mere website hack?
cooper Posted May 29, 2014
Heartbleed anyone?
BuckoA51 Posted May 29, 2014
Heartbleed? What has an SSL vulnerability got to do with Truecrypt? Or do you mean that's how logins were stolen for the website?
Sebkinne Posted May 29, 2014
All is possible. It's also quite possible that this was a Lavabit style going out. Maybe a warrant canary? Best Regards, Sebkinne
mosler Posted May 29, 2014
If it's true it has been compromised. What are some trusted alternatives?
Dec100 Posted May 29, 2014
> All is possible. It's also quite possible that this was a Lavabit style going out. Maybe a warrant canary? Best Regards, Sebkinne

That's my bet. Why else the recommendation for Bitlocker? Either that or a massive hissy fit prompted by something the audit found.
BuckoA51 Posted May 30, 2014
The more I think about this the more I think it's a massive blow for privacy advocates around the world. I've been looking into alternatives and they are either expensive commercial products (e.g. Drivecrypt, PGP Disc, Bitlocker only works with Windows Pro) or somewhat under-developed (DiskCryptor). There's no way Bitlocker is a replacement for Truecrypt, the only product I've found that does hidden volume/hidden OS is Drivecrypt, and it's nearly £100 per computer, the licensing is too inflexible for hackers and hobbyists. I know a number of folks that used Truecrypt because it was free, convenient and relatively easy to set up. Hopefully I've helped a bunch more with my tutorials too. Now, I imagine a lot of people will look at the alternatives and decide they would rather just take their chances and stay unencrypted than shell out a lot of cash or try to get DiskCryptor working. Sad times indeed.
digininja Posted May 30, 2014
Guess you aren't a Linux user, dm-crypt works great for me http://en.wikipedia.org/wiki/Dm-crypt
Sebkinne Posted May 30, 2014
> Guess you aren't a Linux user, dm-crypt works great for me http://en.wikipedia.org/wiki/Dm-crypt

This is what I use on linux. But sadly, there isn't a great cross platform alternative. Something I can encrypt a USB disk with / have a file in a dropbox which I can decrypt no matter what OS.
BuckoA51 Posted May 31, 2014
> Guess you aren't a Linux user, dm-crypt works great for me

I use Windows and Linux but honestly I prefer Windows as my "day to day" OS, and I doubt a lot of people who were using Truecrypt because it was free and convenient on Windows would want to change to Linux. I know for instance my dad wouldn't change to Linux and will probably just run his laptop unencrypted.
buckboy223 Posted May 31, 2014
Looks like people are trying to save truecrypt: http://truecrypt.ch/ and http://truecrypt71a.com/ anyone seen these popping up on the net?
Wanders11 Posted May 31, 2014
If it is an internal developer struggle, there are usually 2 sides and both have some compassion for users. I would expect some kind of message from the "other faction". Nothing yet. Perhaps a show topic....please. Maybe including Kenn White or M. Green? Because there are two questions: 1) Is there actually a vulnerability? and the related 2) is there any reason I shouldn't just keep using 7.1a? Thanks for the work.
Edited May 31, 2014 by Wanders11
BuckoA51 Posted June 1, 2014
The audit so far seems to suggest there are no serious vulnerabilities. Frankly I think I'm going to keep using it in the short term and I see no reason to panic and switch over to another solution just yet. Longer term is another matter of course, let's hope something comes of truecrypt.ch
cooper Posted June 1, 2014
Your wording there is off. A partial audit can't suggest the absence of serious vulnerabilities. It's like receiving a finger severed just below the knuckle in the mail and saying that based on the investigation of the distal and intermediate phalanges which have shown themselves to be fully intact the person has suffered no injuries at all (like, say, having your finger severed). The audit so far hasn't uncovered any serious vulnerability and the current, sudden folding of the project is considered by some media folk as fairly damning proof that something is there and the auditors are closing in on it. But we'll know eventually as the guy that set up the kickstarter and is currently in charge of getting the code audited says he's going to continue the audit, if nothing else because people paid good money for it to get done. The only thing you can currently say about the TrueCrypt codebase currently under audit is that the bootloader is probably safe to use. Which is about as green as that specific light is ever going to get. For all other parts the lights are still on red simply because there's nothing there yet to warrant making it a green.
digininja Posted June 1, 2014
http://meta.ath0.com/2014/05/30/truecrypt-warrant-canary-confirmed/ Some more conspiracy for you all.
BuckoA51 Posted June 11, 2014
Hmm, see the thing is the US government is unpopular enough at the moment, if word got out that it WAS the government who put a stop to Truecrypt, there would be a huge outcry. I just don't see it, if you are the NSA and you want in to someone's files, much easier to hack their PC while it's running and decrypted, or grab your target and torture them for the password. In short, Truecrypt is probably nothing more than a nuisance to the US govt and not worth risking the potential backlash of taking it down when there are quieter, more effective ways to get what you want. Of course, I could be totally wrong....I mean it's actually really scary that the CIA/NSA is basically getting away with so much as it is.