
Truecrypt WTF?




"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

Okay anyone got any ideas? This seems rather unlikely. I can understand Truecrypt devs throwing the towel in but, migrate to Bitlocker?! A closed source solution, I don't think so.


The biggest issue I see is this:

We do not know the identity of the truecrypt maintainers.

We do not know if the private key used to sign the binaries was compromised.

This means that there is no real way of knowing if this was a hack or real.

The maintainers could now change the website, show us a new key and say "Sorry, we got hacked" - but can we verify this is actually them?

It's hard to tell what will happen..


All is possible. It's also quite possible that this was a Lavabit-style going out.

Maybe a warrant canary?

Best Regards,


That's my bet. Why else the recommendation for Bitlocker?

Either that or a massive hissy fit prompted by something the audit found.


The more I think about this the more I think it's a massive blow for privacy advocates around the world.

I've been looking into alternatives and they are either expensive commercial products (e.g. Drivecrypt, PGP Disc, Bitlocker only works with Windows Pro) or somewhat under-developed (DiskCryptor).

There's no way Bitlocker is a replacement for Truecrypt, the only product I've found that does hidden volume/hidden OS is Drivecrypt, and it's nearly £100 per computer, the licensing is too inflexible for hackers and hobbyists.

I know a number of folks that used Truecrypt because it was free, convenient and relatively easy to set up. Hopefully I've helped a bunch more with my tutorials too. Now, I imagine a lot of people will look at the alternatives and decide they would rather just take their chances and stay unencrypted than shell out a lot of cash or try to get DiskCryptor working.

Sad times indeed.


Guess you aren't a Linux user, dm-crypt works great for me

I use Windows and Linux but honestly I prefer Windows as my "day to day" OS, and I doubt a lot of people who were using Truecrypt because it was free and convenient on Windows would want to change to Linux. I know for instance my dad wouldn't change to Linux and will probably just run his laptop unencrypted.


If it is an internal developer struggle, there are usually 2 sides and both have some compassion for users. I would expect some kind of message from the "other faction". Nothing yet.

Perhaps a show topic....please. Maybe including Kenn White or M. Green? Because there are two questions:

1) Is there actually a vulnerability? and the related 2) is there any reason I shouldn't just keep using 7.1a?

thanks for the work.

Edited by Wanders11

The audit so far seems to suggest there are no serious vulnerabilities. Frankly I think I'm going to keep using it in the short term and I see no reason to panic and switch over to another solution just yet. Longer term is another matter of course, let's hope something comes of truecrypt.ch


Your wording there is off. A partial audit can't suggest the absence of serious vulnerabilities. It's like receiving a finger severed just below the knuckle in the mail and saying that based on the investigation of the distal and intermediate phalanges which have shown themselves to be fully intact the person has suffered no injuries at all (like, say, having your finger severed).

The audit so far hasn't uncovered any serious vulnerability and the current, sudden folding of the project is considered by some media folk as fairly damning proof that something is there and the auditors are closing in on it. But we'll know eventually as the guy that set up the kickstarter and is currently in charge of getting the code audited says he's going to continue the audit, if nothing else because people paid good money for it to get done.

The only thing you can currently say about the TrueCrypt codebase currently under audit is that the bootloader is probably safe to use. Which is about as green as that specific light is ever going to get. For all other parts the lights are still on red simply because there's nothing there yet to warrant making it a green.


  • 2 weeks later...

Hmm, see the thing is the US government is unpopular enough at the moment, if word got out that it WAS the government who put a stop to Truecrypt, there would be a huge outcry. I just don't see it, if you are the NSA and you want in to someone's files, much easier to hack their PC while it's running and decrypted, or grab your target and torture them for the password. In short, Truecrypt is probably nothing more than a nuisance to the US govt and not worth risking the potential backlash of taking it down when there are quieter, more effective ways to get what you want.

Of course, I could be totally wrong....I mean it's actually really scary that the CIA/NSA is basically getting away with so much as it is.
