Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrueCrypt Website Says To Switch To BitLocker

Posted by Soulskill on from the so-long-and-thanks-for-all-the-Jkkms0EuPPlvOmW7Mk5x2A== dept.

Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended, and Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users are skeptical of a site defacement, and there's been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do. It also warns users away from relying on it for security. (The people doing an audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning to avoid the new version until the situation can be verified.

8 of 566 comments (clear)

  1. Re:Fishy by jones_supa · · Score: 5, Interesting

    Or they were smoked out by NSA, because TrueCrypt encryption was "too good", and Microsoft's BitLocker has an NSA backdoor.

  2. Re:Fishy by Nyder · · Score: 5, Interesting

    Except most Windows 7 editions doesn't support Bitlocker - only Enterprise and Ultimate.

    I'm wondering who the fuck trusts MS enough to use Bitlocker. I don't.

    --
    Be seeing you...
  3. Re:Fishy by trmj · · Score: 5, Interesting

    Here's a theory, based on the timing:

    TC was Sabu's pet project. Since he was caught and working for the Feds, he has provided the very access everybody is afraid of them now having.

    Sabu was just released from the service of the Feds a few days ago. Enough time to rewrite the binaries, change the passwords, and disable the whole lot since it's all been compromised for years. Gets rid of a dangerous product, and pisses off the Feds without violating the terms of anything since TC is still available for download, just in a crippled form.

    --
    Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
  4. Here's something interesting... by Anonymous Coward · · Score: 5, Interesting

    truecrypt.org

    >This URL has been excluded from the Wayback Machine.

  5. SourceForge problem? by CygnusTM · · Score: 5, Interesting

    Hmmm. SourceForge forced a password reset last week citing "changes to how we're storing user passwords." Coincidence?

  6. Re:my 2p conspiracy theory by Anonymous Coward · · Score: 5, Interesting

    Alas, one or more of the TrueCrypt devs (syncon?) have been located and are acting under duress, as a 'canary' previously agreed upon has been published:
    1. Compiling with VC2010, and then not manually changing the .rc's language from "English (United States)" to "English (U.S.)" as it was in VC6;
    2. Changing the published release date from "on " to "in ";
    3. Format/InPlace.c #12, remove reference in comment to "(likely an MS bug)" - changing this parenthetical should not be counted as canary, but removing it should

    TC's build process is surprisingly arcane (includes old software due to bootloader code size, etc), and while a lot of it is accumulated dust, some of the dust is deliberately placed.

    I do not know precisely what this means, as I have no contact with the developers anymore: but this is what was agreed upon.

    They should no longer be trusted, their binaries should not be executed, their site should be considered compromised, and their key should be treated as revoked. It may be that they have been approached by an aggressive intelligence agency or NSLed, but I don't know for sure.

    While the source of 7.2 does not appear to my eyes to be backdoored, other than obviously not supporting encryption anymore, I have not analysed the binary and distrust it. It shouldn't be distributed or executed.

  7. Re:Fishy by grep+-v+'.*'+* · · Score: 5, Interesting

    I'll join the chorus of people speculating about them getting a court order they couldn't bring themselves to follow.

    I think that's exactly wrong -- I think he DID follow the court order and actually gave up the keys.

    And therein lies :-) the trick: in order to keep them from actually using their new keys to create TC-NextGen -- with New! and Improved! Holes for Your Convenience! -- he trashed the brand. Now, *NO ONE* will trust new versions of TC.

    "I gave you the keys just like the order said. But you never said that I couldn't make any new version worthless."

    This is an analog to a groups' public secretary who in every meeting says they haven't received an NSL, and then in one fine meeting doesn't say that.

    Lets see who now up-and-disappears on some weird charge.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  8. Nicely done, Truecrypt team! by Anonymous Coward · · Score: 5, Interesting

    From the "new" website, in red letters: ...TrueCrypt is not secure as...

    Now, with added emphasis: ...TrueCrypt is Not Secure As...

    NSL for sure. Nicely sidestepped.

    (Captcha: "collects" Really.)