Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrueCrypt Website Says To Switch To BitLocker

Posted by Soulskill on from the so-long-and-thanks-for-all-the-Jkkms0EuPPlvOmW7Mk5x2A== dept.

Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended, and Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users are skeptical of a site defacement, and there's been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do. It also warns users away from relying on it for security. (The people doing an audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning to avoid the new version until the situation can be verified.

5 of 566 comments (clear)

  1. Bummer by I'm+just+joshin · · Score: 5, Insightful

    The best aspect of Truecrypt was the cross-platform compatibility. Being able to open an encrypted drive on any platform was the killer feature.

  2. Truecrypt was the hardest thing for the NSA by ourlovecanlastforeve · · Score: 5, Insightful

    Truecrypt was the hardest thing for the NSA and the US government to deal with when seizing storage equipment. It makes sense that they would pressure the project to shutter.

  3. Re:Fishy by MozeeToby · · Score: 5, Insightful

    If you're gonna post compromised binaries of TrueCrypt, you generally wouldn't stick them on a page with "WARNING: Using TrueCrypt is not secure" in large, bright red text. You'd also expect some kind of statement from the good folks that have been running TrueCrypt for the past decade.

    I'll join the chorus of people speculating about them getting a court order they couldn't bring themselves to follow. I would stay far, far away from that latest binary, if I had to guess it contains whatever loophole they were ordered to put in place, hence all the big and bright warnings.

  4. Re:Fishy by AmiMoJo · · Score: 5, Insightful

    Yep, I'm guessing National Security Letter. The only defence against being forced to hand over signing keys or release versions with flaws and backdoors is to release a final version yourself to discredit any future releases.

    The web site looks hastily knocked up, which supports this theory. What I can't quite get my head around is the suggestion to use BitLocker though. I know MS resisted an NSL recently, but that doesn't meant we can trust BitLocker.

    Alternatively, maybe the site is by the person behind the NSL, trying to drive people to BitLocker which is already compromised. Since TrueCrypt is being audited maybe they figure they can't insert back doors now.

    Either way, this is and extremely worrying development in the crypto wars.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Re:Fishy by eean · · Score: 5, Insightful

    Um, anyone using Windows should trust Microsoft enough to use their disk encryption. Or they shouldn't be using Windows at all.