TrueCrypt Website Says To Switch To BitLocker
Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended and that Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users suspect a site defacement, and there has been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do; it also warns users away from relying on it for security. (The people conducting the audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning users to avoid the new version until the situation can be verified.
1. how do you know this for sure? The answer is that you don't, so assume they have been. If the state comes knocking making an offer you can't refuse, part of that deal is you can't admit to it without facing criminal charges.
2. yeah, you mean what happened to the telcos after edward snowden? riight.
3. Maybe so, maybe not, but at least it cannot be unknowingly usurped. At least not by those who are tracking its code changes. Is it guaranteed? Hell no, but it's better than just taking some company rep's word for it.
I'm calling bullshit on your points. My point on #1 wasn't a hypothetical; this was the BitLocker lead product manager making the statement behind closed doors and then repeating it again in numerous public forums. I was there, and I trust his word, and not blindly. As for point three, you realize that the TC team is largely anonymous, right? So what you're saying is that you trust the "code reviews" conducted by a faceless team and are willing to stake reputation and legal liability on it simply because it's open source? Whether you agree or not about BitLocker's security, the point is that with a named organization backing the product, the customer or class of customers has legal recourse to extract damages for material defects in the software. There is no legal recourse with TC, plus they have no money.
You want to use TC as an individual, fine, no argument, but if you're looking for best-in-class FDE for business, I don't think TC is there yet.