Slashdot Mirror


TrueCrypt Website Says To Switch To BitLocker

Several readers sent word that the website for TrueCrypt, the popular disk encryption system, says that development has ended, and Windows users should switch to BitLocker. A notice on the site reads, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. ... You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." It includes a link to a new version of TrueCrypt, 7.2, and provides instructions on how to migrate to BitLocker. Many users are skeptical of a site defacement, and there's been no corroborating post or communication from the maintainers. However, the binaries appear to be signed with the same GPG key that the TrueCrypt Foundation used for previous releases. A source code diff of the two versions has been posted, and the new release appears to simply remove much of what the software was designed to do. It also warns users away from relying on it for security. (The people doing an audit of TrueCrypt had promised a 'big announcement' soon, but that was coincidental.) Security experts are warning to avoid the new version until the situation can be verified.

101 of 566 comments

  1. Fishy by CelticWhisper · · Score: 4, Interesting

    A FOSS project shutters itself and, rather than linking to a fork or posting tarballs of a few versions' worth of source, recommends commercial alternatives? If this isn't a hacked site then I'm thinking Lavabit - someone pressured someone else and in order to spill without spilling, they made the most absurd possible kind of announcement that they were closing.

    --
    Help protect civil rights from abuse by the TSA - visit TSA News Blog.
    http://www.tsanewsblog.com
    1. Re:Fishy by Ardyvee · · Score: 3, Insightful

      Yes. You are right. This doesn't seem "right" at all. The very definition of fishy.

      --
      I don't care if I'm wrong. I only care about everyone obtaining something from the discussion.
    2. Re:Fishy by nine-times · · Score: 4, Insightful
      Yeah, it doesn't quite add up. First, why has the page suddenly dropped all styling and logos? And then there's the quote at the top:

      The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

      It seems to imply the following thought process: The only purpose of TrueCrypt was in order to support Windows XP, which is no longer supported, so it's not useful for that purpose anymore. Since new operating systems provide their own encryption mechanisms, there is no value in the project, so we're shutting things down.

      However, the fact that Windows XP has lost official support does not mean that no one is using Windows XP anymore. Further, one of the valuable aspects of TrueCrypt was that it was open source (meaning the encryption could be independently verified) and cross-platform (meaning a disk encrypted on Mac could be accessed on Windows and vice versa). There's still a lot of potential uses for such a project.

      Aside from that, what would possibly be the harm in continuing to provide the source code? If the intention were to deny people binaries as a method of providing a stern warning to potential users, surely they could still provide the source and say, "... but if you know what you're doing well enough to make use of the source code, go ahead and use at your own risk."

      Something's wrong here, unless the people maintaining the project are just kind of retarded.

    3. Re:Fishy by gbjbaanb · · Score: 4, Insightful

      It appears it might be compromised.

      From https://news.ycombinator.com/i...

      Odd, 6 hours ago someone updated the TruCrypt-key.asc files, then 3 hours later posted all the new binaries.
      Also odd is whoever posted the new binaries completely yanked all the previous ones, leaving only the new and questionable binary available for download.

    4. Re:Fishy by gbjbaanb · · Score: 5, Informative

      Except most Windows 7 editions don't support Bitlocker - only Enterprise and Ultimate.

    5. Re:Fishy by K.+S.+Kyosuke · · Score: 4, Insightful

      The only purpose of TrueCrypt was in order to support Windows XP, which is no longer supported, so it's not useful for that purpose anymore.

      I thought the purpose was to facilitate moving encrypted volumes between different operating systems? Why wouldn't that be useful on Windows 8? How do I mount a Bitlocker volume in Linux?

      --
      Ezekiel 23:20
    6. Re:Fishy by MozeeToby · · Score: 5, Insightful

      If you're gonna post compromised binaries of TrueCrypt, you generally wouldn't stick them on a page with "WARNING: Using TrueCrypt is not secure" in large, bright red text. You'd also expect some kind of statement from the good folks that have been running TrueCrypt for the past decade.

      I'll join the chorus of people speculating about them getting a court order they couldn't bring themselves to follow. I would stay far, far away from that latest binary, if I had to guess it contains whatever loophole they were ordered to put in place, hence all the big and bright warnings.

    7. Re:Fishy by jones_supa · · Score: 3, Interesting

      It had been 2 years since the previous version, so it seems that the TrueCrypt project wasn't very active anyway. Maybe they thought that the discontinuation of Windows XP was a good moment to finally officially shut down operations.

    8. Re:Fishy by mrchaotica · · Score: 2

      If you're gonna post compromised binaries of TrueCrypt, you generally wouldn't stick them on a page with "WARNING: Using TrueCrypt is not secure" in large, bright red text.

      That's what they want you to think!

      (I'm not sure if I'm joking or not...)

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    9. Re:Fishy by jones_supa · · Score: 5, Interesting

      Or they were smoked out by NSA, because TrueCrypt encryption was "too good", and Microsoft's BitLocker has an NSA backdoor.

    10. Re:Fishy by AmiMoJo · · Score: 5, Insightful

      Yep, I'm guessing National Security Letter. The only defence against being forced to hand over signing keys or release versions with flaws and backdoors is to release a final version yourself to discredit any future releases.

      The web site looks hastily knocked up, which supports this theory. What I can't quite get my head around is the suggestion to use BitLocker though. I know MS resisted an NSL recently, but that doesn't mean we can trust BitLocker.

      Alternatively, maybe the site is by the person behind the NSL, trying to drive people to BitLocker which is already compromised. Since TrueCrypt is being audited maybe they figure they can't insert back doors now.

      Either way, this is an extremely worrying development in the crypto wars.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Fishy by Nyder · · Score: 5, Interesting

      Except most Windows 7 editions don't support Bitlocker - only Enterprise and Ultimate.

      I'm wondering who the fuck trusts MS enough to use Bitlocker. I don't.

      --
      Be seeing you...
    12. Re:Fishy by trmj · · Score: 5, Interesting

      Here's a theory, based on the timing:

      TC was Sabu's pet project. Since he was caught and working for the Feds, he has provided the very access everybody is afraid of them now having.

      Sabu was just released from the service of the Feds a few days ago. Enough time to rewrite the binaries, change the passwords, and disable the whole lot since it's all been compromised for years. Gets rid of a dangerous product, and pisses off the Feds without violating the terms of anything since TC is still available for download, just in a crippled form.

      --
      Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
    13. Re:Fishy by PopeRatzo · · Score: 2

      one of the valuable aspects of TrueCrypt was that it was open source (meaning the encryption could be independently verified)

      And the value of that "open source" is that it's still forkable for anyone who wants to do the work.

      My other guess is that the NSA is putting so much pressure on TrueCrypt that they'd rather just close their doors than face jail time if they don't bend to the NSA's wishes.

      Seriously, if it's FOSS, doesn't that mean anyone can take the TrueCrypt code and do with it what they will?

      --
      You are welcome on my lawn.
    14. Re:Fishy by Anonymous Coward · · Score: 2, Funny

      Since TrueCrypt is being audited maybe they figure they can't insert back doors now.

      ^^^^THIS would be my guess. TC has always smelled very suspicious with its 3 anonymous developers supposedly maintaining a large and complex program on multiple platforms - it's too much for 3 coders - and the highly suspect "Truecrypt Foundation" (registered with bogus details). It is probable that TC was established and developed by a 3-letter agency purely so they could plant backdoors.

    15. Re:Fishy by AC-x · · Score: 4, Interesting

      Enough time to rewrite the binaries, change the passwords, and disable the whole lot since it's all been compromised for years. Gets rid of a dangerous product, and pisses off the Feds without violating the terms of anything since TC is still available for download, just in a crippled form.

      Well, the TrueCrypt audit project did manage to exactly recreate the binaries from the source file and so far haven't seen anything fishy in the source code other than some slightly weak encryption options making brute forcing of weak to medium strength passwords realistic.

    16. Re:Fishy by Kardos · · Score: 2

      How would he magically know what happened? He's almost, but not quite, omnipotent.

    17. Re:Fishy by AmiMoJo · · Score: 3, Insightful

      Sabu doesn't have the skill to write TrueCrypt. No offence to the guy, but it's just not the sort of thing he does. He was a glorified script kiddie, his main value being community standing and some admin tricks he learned to defeat DDOS attacks and dox the people behind them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re:Fishy by Anonymous Coward · · Score: 3, Insightful

      All sorts of people who like the idea of encryption enough to check a few boxes and type their password, but not enough to make their system hard to support or use, and who don't consider their data valuable enough to be worth much extra work -- i.e. people choosing between doing nothing to protect their data and doing something. Common applications include transparent encryption on all corporate desktops/laptops.

      Whether you trust MS or not, BL provides reasonable protection against the most common threat -- theft/loss to someone primarily interested in the resale value of the hardware. Most people aren't worried about the NSA getting their data, and those that are aren't relying on boot-time-unlocked full-disk encryption from any provider, as the model itself is insecure against serious attackers.

    19. Re:Fishy by XMorbius · · Score: 2

      I like this theory, but it would mean Sabu was working on TrueCrypt since he was 20. He's certainly talented enough for that to be the case, but I find it hard to believe.

    20. Re: Fishy by VTBlue · · Score: 4, Interesting

      As a former softie, all I can say is that I would trust bitlocker over pretty much any solution on the market and here are the reasons why:

      1. Microsoft would not knowingly backdoor bitlocker. The NSA pressured the team leads, but management was adamantly opposed and declined to acquiesce.

      2. Suppose bitlocker was knowingly backdoored, the amount of reputational harm that Microsoft would endure would literally be crippling. Crippling not with the OSS crowd, but enterprise customers. The only loser would be Microsoft and they would not recover.

      3. There are simply not enough people involved in the Truecrypt project at the moment to make it a truly secure solution. This isn't the Linux Kernel. For FDE, I wouldn't trust a FOSS until more audits and testing have been done. The reason is not because of technicalities, but because of legal liability reasons. For an FDE solution I either would want a private company to back the product or I would want a strong and active community truly backing the continuing development of the FOSS.

      That said, I'm really hoping the audits come back positive and that development continues.

    21. Re:Fishy by viperidaenz · · Score: 3, Informative

      It's only forkable if you keep the new fork under the TrueCrypt License:

      You must not change the license terms of This Product in any way (adding any new terms is considered changing the license terms even if the original terms are retained), which means, e.g., that no part of This Product may be put under another license. You must keep intact all the legal notices contained in the source code files. You must include the following items with every copy of Your Product that You make and distribute: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice.

    22. Re: Fishy by mlts · · Score: 4, Interesting

      I have been slowly moving from TrueCrypt to Bitlocker just because I've had issues with permissions and Windows 8/8.1.

      It may not be as secure as TC, but it is a lot more recoverable, and to me, my main reason for using FDE is ensuring that a stolen HDD winds up "just" a hardware theft, and not something that can be used for extortion (yes... when I was in college, I was asked to help someone who had some private things stored on his laptop... and when the thieves stole it, they demanded $3000 or else they would post all the nudie pictures of his GF that the victim took to the Internet.)

      The recoverability issue is nice. I can enable BitLocker on a drive or image. Then, add a recovery key, and a certificate. Then, the image can be copied/used on a cloud provider, and due to no easy to guess password being used, brute force is off the table. To boot, one can have the computer automatically unlock the drive, so it is basically a set and forget mechanism (with good and bad points.) The BDE keys for recovery wind up stashed in an old smartphone that shed its Wi-Fi, BT, and 3G antenna. Less attack surface for a remote intruder.

      For file archives, tossing them into an expandable disk image and flipping on BitLocker may not be perfect, but it seems to do the job to keep people out.

      As for Linux and OS X, I'd say Apple's encrypted Sparse Images are useful (as only small 8 MB "bands" change.) LUKS is also decent on Linux.

      The nice thing about TC was the fact that it was one program that worked on three platforms, so you could stash your files in a TC container (assuming FAT32 for a filesystem) on your Mac, then access it on your Windows machine.

    23. Re:Fishy by Anonymous Coward · · Score: 2, Interesting

      Um. Did anyone bother to go to the second page, for those who don't use windows?

      http://truecrypt.sourceforge.net/OtherPlatforms.html "If you have files encrypted by TrueCrypt on Linux: Use any integrated support for encryption. Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation."

      I think this is a case of pwnership rather than national security letter. An NSL to truecrypt would only make sense if there were, in fact, a universal backdoor built in and the author was both identifiable and subject to US jurisdiction.

      The 7.1a code audit ran its first pass and found nothing obviously wrong. It's possible the tool is 'doored, but given the nature of public key cryptography it seems unlikely that it could be in the same way that a server running SSL is compromised when its key is extracted.

    24. Re:Fishy by eean · · Score: 5, Insightful

      Um, anyone using Windows should trust Microsoft enough to use their disk encryption. Or they shouldn't be using Windows at all.

    25. Re: Fishy by VTBlue · · Score: 3, Insightful

      Your last point is exactly why I want truecrypt to survive. Also i love the TC hidden volumes implementation.

    26. Re: Fishy by Enigma2175 · · Score: 4, Insightful

      As a former softie, all I can say is that I would trust bitlocker over pretty much any solution on the market and here are the reasons why:

      1. Microsoft would not knowingly backdoor bitlocker. The NSA pressured the team leads, but management was adamantly opposed and declined to acquiesce.

      That was then. Nowadays we have (unconstitutional) things like a National Security Letter where they can force you to put in a backdoor and prohibit you from telling anybody about it under penalty of imprisonment. If you are a little guy like Lavabit you can just go out of business rather than comply but if you are Microsoft you put the backdoor in, telling only the actual people that need to know and informing them they are going to federal PMITA prison if they tell anyone. Unless you were the guy who put the code in you wouldn't know anything about it.

      2. Suppose bitlocker was knowingly backdoored, the amount of reputational harm that Microsoft would endure would literally be crippling. Crippling not with the OSS crowd, but enterprise customers. The only loser would be Microsoft and they would not recover.

      With only binaries to analyze it is certainly possible that a NSA backdoor could go undetected in bitlocker. Particularly if the backdoor was in the form of an intentional error in an algorithm or a purposefully weak cipher (hello RSA!).

      3. There are simply not enough people involved in the Truecrypt project at the moment to make it a truly secure solution. This isn't the Linux Kernel. For FDE, I wouldn't trust a FOSS until more audits and testing have been done. The reason is not because of technicalities, but because of legal liability reasons. For an FDE solution I either would want a private company to back the product or I would want a strong and active community truly backing the continuing development of the FOSS.

      That said, I'm really hoping the audits come back positive and that development continues.

      I hope that development continues as well. More developers would be nice but on a mature project usually there is only low-glory bugfixing going on so a) fewer developers want to participate because there is less glory and bugfixes are boring and b) there doesn't need to be a lot of developers as there is less workload. Obviously an independent audit would be ideal but that generally means money and somebody has to pay.

      --

      Enigma

    27. Re:Fishy by gweihir · · Score: 3, Interesting

      I don't think Sabu is capable of this kind of altruism, let alone this type of project.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    28. Re:Fishy by Anonymous Coward · · Score: 2, Insightful

      If it were an NSL that forced TrueCrypt to close up shop, there will be blowback, and not the good kind. This is reminding me of the crypto wars of the early to mid 1990s, maybe even with some Operation Sun Devil thrown in.

      What happened with the Clipper Chip fiasco was that crypto went from just something on the edges that geeks used... to something mainstream (the Streisand effect before it was called it.) Crypto development started moving offshore, where ITAR became pointless [1]. Luckily common sense came into play and ITAR was replaced by EAR, and US companies could use crypto with actual security.

      How does this pertain to TrueCrypt? There are a lot of countries that don't like the US now, and having a TrueCrypt fork [2] that would be developed, maintained, and funded by a government for their propaganda department ("hey, look what we are doing to foil the evil US, we have actual security software.") Now, TrueCrypt which could have been monitored is now a lot harder to police and watch with the backers going from an anonymous organization to a well-heeled nation.

      Encryption isn't new. One could grab code from a 1990s version of PGP, reference AES libraries and make something fairly easy. It would take time to test, but with all the anti-US press, people would pop out of the woodwork.

      I do worry though. If NSLs were used to shut down TrueCrypt (or force a backdoor), then the blowback can be enormous, and a nation hostile to the US could use this enormously for their propaganda departments [3]

      [1]: If people broke the law and used an encrypted mechanism, LEOs either had to tip their hand and break the encryption (which would mean people would stop using that mechanism), or just deal with it, as once the files were out of the US, they were legal. It was the bits leaving the US that was considered on the sale of exporting arms.

      [2]: The fork in theory could just copy the TC code and slap whatever license the fork-ees felt like. It is doubtful that anyone would come and enforce the copyrights at this stage.

      [3]: Russia's is doing so well, Putin has been damn proud of it. So far, their work has turned a solid country into a mass of people hating themselves and the government, which is a military objective success that could NEVER have been done by a previous Russian leader without a lot of nukes. Same with Snowden's handler... the Russian who got him to spill the beans accomplished an objective that could not have even been thinkable before the 2008 economic crash.

    29. Re:Fishy by viperidaenz · · Score: 2

      Well if you fork it and change the license, it's a copyright violation. Expect the project to be shut down via DMCA or to be sued.

    30. Re:Fishy by epyT-R · · Score: 2

      which probably has the non backdoored version.

    31. Re:Fishy by epyT-R · · Score: 4, Informative

      Point is, with NSLs you can't trust anything they say.

    32. Re:Fishy by callmetheraven · · Score: 3, Insightful

      Sued by?

      --
      You can have my SIG when you pry it from my cold, dead hands.
    33. Re: Fishy by lister+king+of+smeg · · Score: 2

      As a former softie, all I can say is that I would trust bitlocker over pretty much any solution on the market and here are the reasons why:

      1. Microsoft would not knowingly backdoor bitlocker. The NSA pressured the team leads, but management was adamantly opposed and declined to acquiesce.

      2. Suppose bitlocker was knowingly backdoored, the amount of reputational harm that Microsoft would endure would literally be crippling. Crippling not with the OSS crowd, but enterprise customers. The only loser would be Microsoft and they would not recover.

      I would have thought that point valid until RSA backdoored their encryption for chump change from the NSA. Or if I had not remembered MS having _NSAKEY in their software.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    34. Re:Fishy by SuricouRaven · · Score: 4, Insightful

      Because the short pause it signifies, used verbally, implies "I'm just stating the bloody obvious, but..."

    35. Re: Fishy by Bert64 · · Score: 4, Insightful

      Automatically unlock the drive to boot is a false sense of security, if the computer can boot autonomously then it has the key and therefore so does anyone who steals the whole machine (as opposed to stealing just the drive)... You're no longer relying on the strength of the encryption, but rather the strength of the obfuscation used to hide the key.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    36. Re:Fishy by grep+-v+'.*'+* · · Score: 5, Interesting

      I'll join the chorus of people speculating about them getting a court order they couldn't bring themselves to follow.

      I think that's exactly wrong -- I think he DID follow the court order and actually gave up the keys.

      And therein lies :-) the trick: in order to keep them from actually using their new keys to create TC-NextGen -- with New! and Improved! Holes for Your Convenience! -- he trashed the brand. Now, *NO ONE* will trust new versions of TC.

      "I gave you the keys just like the order said. But you never said that I couldn't make any new version worthless."

      This is an analog to a group's public secretary who in every meeting says they haven't received an NSL, and then in one fine meeting doesn't say that.

      Let's see who now up-and-disappears on some weird charge.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    37. Re: Fishy by jones_supa · · Score: 3, Interesting

      Correct. But there is a downside. In order to use BitLocker without one, you will require using a USB drive for unlocking the system. A big security risk with using that method in a company environment would be how many simply leave the key in the computer. That would be like leaving the key to your house in the keyhole on the outside of your house. If you have to go that route, you can also add a password with the USB drive to unlock.

      Source: Experience

      That is true for Windows 7, but Windows 8 does not need a USB key. I have tested this personally.
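As an added example that is not from any commenter in this thread: a PowerShell audit of a volume's BitLocker key protectors that flags the TPM-only auto-unlock setup Bert64 warns about, with a helper that replaces it by TPM+PIN (the "add a password" route jones_supa mentions) only after a recovery password is in place. The cmdlets are the built-in BitLocker module's; the function names and report fields are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Audits the key protectors on a
# BitLocker volume, flags the TPM-only configuration that unlocks the disk with
# no input from the user, and optionally swaps it for TPM+PIN once a recovery
# password exists. Uses the built-in BitLocker module (Windows 8 / Server 2012
# and later); the function names are my own.

function Get-BitLockerProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that demand something at boot which a thief does not get by
    # taking the whole machine: a PIN, a password, or a startup key on removable media.
    $preBootSecret = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password', 'ExternalKey')
    $hasSecret = [bool]($types | Where-Object { $preBootSecret -contains $_ })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        HasRecoveryPass  = ($types -contains 'RecoveryPassword')
        # TPM alone: the volume is already unlocked by the time the logon screen appears.
        AutoUnlockOnly   = (($types -contains 'Tpm') -and -not $hasSecret)
    }
}

function ConvertTo-TpmPinProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )

    # Recovery password first: losing the PIN must not mean losing the data.
    if (-not (Get-BitLockerProtectorReport -MountPoint $MountPoint).HasRecoveryPass) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-Warning "Record this recovery password offline now: $($rp.RecoveryPassword)"
    }

    # Add TPM+PIN, then remove the TPM-only protector so the PIN is actually required.
    # Group Policy may have to permit a TPM startup PIN before this call succeeds.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Get-BitLockerProtectorReport -MountPoint $MountPoint
}

# Usage (elevated PowerShell):
#   Get-BitLockerProtectorReport
#   ConvertTo-TpmPinProtector -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

A report with AutoUnlockOnly set to True is the case Bert64 describes: whoever walks off with the whole machine also walks off with a system that decrypts itself at power-on.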

    38. Re:Fishy by Threni · · Score: 2

      How would a NSL oblige you to make changes to software? I keep hearing this, but that's not what it's for, plus it can be challenged in court; I'd imagine the ACLU, EFF etc are onto this already.

    39. Re:Fishy by badzilla · · Score: 2

      I detest "um" or "erm" because the intended inference is "I am soo smarter than you and having to bite my tongue to avoid delivering a scathing denunciation of your failure to understand what to me is instantly obvious". Take that, ummers.

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    40. Re:Fishy by johanw · · Score: 3, Insightful

      So what? The author of TrueCrypt is not known and does want to remain anonymous. So suppose I create a fork and distribute it under GPLv3, who is going to complain? A lawyer has to represent someone who can prove he has the rights to the code, he won't be able to do that while representing someone who wants to remain anonymous.

    41. Re: Fishy by godefroi · · Score: 2

      I'm a senior TrueCrypt developer, and I have access to the Master Keys that can unlock any TrueCrypt encrypted data.

      Now do you feel better?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    42. Re: Fishy by Aaden42 · · Score: 2

      Won’t comment on unsubstantiated “senior developer” claims, but as for the encrypting malware issue, recovery of older versions of Cryptodefense was possible because the malware itself had a bug which leaked the necessary decryption keys somewhere on the target system. After the bug was made public, future versions of the malware fixed it and are no longer recoverable using that technique. It wasn’t a Bitlocker backdoor or similar. Not that I have evidence to contradict the existence of such backdoors, but the particular malware case didn’t rely on one.

      http://www.symantec.com/connec...

    43. Re: Fishy by godefroi · · Score: 2

      Some random AC claiming to be informed by someone claiming to have access to master keys, it's not exactly a reliable source, is it? ;)

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    44. Re: Fishy by bluefoxlucid · · Score: 2

      You have no liability for using OpenSSL. That it was affected by a bug does not put you at legal risk, as it is a reasonable product decision.

      If you had used JerrysSSLMadeInMyBasementAsACollegeProject, and it was found vulnerable, and you leaked personal information, a court would likely find you negligent. Of consideration would be an analysis of the product on the face: if it looks like a Geocities site done in FrontPage and says "I made this SSL implementation as a college project", you are negligent. If it boasts tons of security research and explanations on why this is much more secure and reliable and resistant to attack and programming bugs than other SSL libraries, you could be found not-negligent.

      Liability doesn't mean shit went wrong and you're responsible; it means shit went wrong and you did something any sane person would know not to do. Enterprise would not be liable for personal injury caused by Toyota Priuses in their fleet if the court case found that Enterprise maintained the cars properly and discovered that Priuses had an inherent issue: Toyota is a respected brand and, until the Prius issue was discovered, the Prius was considered a safe car. Once the issue was discovered, Enterprise would have to send them for recall, after which they could issue Priuses again without exposing themselves to liability from Prius manufacturer defects.

      TrueCrypt is well-known and respected as a secure product. As long as nobody tells you not to use it, it's reasonable to use it to secure data. If a serious TrueCrypt security flaw comes out and you deploy new TrueCrypt installations knowing the flaw won't be fixed, you're negligent and liable--as TrueCrypt is now out of maintenance forever, migrating onto TrueCrypt would now be considered negligent and carry liability.

    45. Re:Fishy by viperidaenz · · Score: 2

      The rights to the code belong to "TrueCrypt Foundation" don't they?

  2. I wonder... by halfEvilTech · · Score: 4, Interesting

    If the devs decided to go full Lavabit mode after getting an NSL for the keys. So instead of letting people know that specifically they did this.

    Also in the new version they removed all of the code to encrypt data, only the decryption remains.

    1. Re:I wonder... by CelticWhisper · · Score: 3, Informative

      But TrueCrypt doesn't have master keys as I understand it. It's not like Dropbox. There's nothing an NSL (plague be upon whoever got the idea to legalize that) could discover that would do NSA/DHS/USA any good.

      --
      Help protect civil rights from abuse by the TSA - visit TSA News Blog.
      http://www.tsanewsblog.com
    2. Re:I wonder... by halfEvilTech · · Score: 2

      yes but there is still the private signing key that allows for trusted uploads of new (possibly compromised) versions.

    3. Re:I wonder... by mlts · · Score: 3, Interesting

      Even more concerning is that both their code signing keys were used. If an Authenticode key got compromised, that is one thing. However, both their gpg and Authenticode keys were used to sign that last release, so it either was a very sophisticated intruder, or the TC Foundation dropped their cards on the table and stopped playing ball for some reason.

    4. Re:I wonder... by cultiv8 · · Score: 4, Interesting

      Also in the new version they removed all of the code to encrypt data, only the decryption remains.

      They also changed all references from "U.S." to "United States"

      --
      sysadmins and parents of newborns get the same amount of sleep.
    5. Re:I wonder... by dinfinity · · Score: 2

      There are quite a number of minor changes to the strings in the code (grammar fixes, additions of code comments).

      Also, the specific changes you're talking about all concern changing 'English (U.S.) resources' to 'English (United States) resources'. That line is apparently auto-generated by VS: https://www.reddit.com/r/priva...

      Or just Google search for it:
      https://www.google.com/webhp?s...
      https://www.google.com/webhp?s...

  3. So, what now? by Archeron · · Score: 2

    So what do we use to replace TC as a multi-platform solution for things like external drives? There are many decent products, but TC seemed to be alone as far as OpenSource tools capable of running on Windows, Linux and Mac. Suggestions?

    1. Re:So, what now? by TCM · · Score: 3, Insightful

      It's not as if 7.1a is suddenly unexecutable...

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    2. Re:So, what now? by cbhacking · · Score: 4, Interesting

      That works fine for now, but it's a terrible idea to just keep using software that has known flaws (which will continue to accumulate) but no longer gets patches. At some point, while 7.1a will still be executable, it will no longer be safe in any way.

      I took Archeron's question to mean "So, what should we start migrating to now?" That's a very good question, sadly...

      --
      There's no place I could be, since I've found Serenity...
    3. Re:So, what now? by TCM · · Score: 2

      They're not only not convenient, they're also not secure in the sense that in order to work with your data, you have to decrypt it _somewhere_. Unless you secure erase your free drive space after zipping your files back up and deleting the unencrypted copies, I wouldn't consider that data to be secure anymore, at all.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    4. Re:So, what now? by Qzukk · · Score: 5, Funny

      You can get your copy from www.totallynotnsa.com/truecrypt.7.1.nsa.zip

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re:So, what now? by Darinbob · · Score: 2

      I thought it really hadn't been updated much for over a year.

      And will flaws continue to accumulate, or do you mean flaws continuing to be discovered?

    6. Re:So, what now? by Anonymous Coward · · Score: 2, Funny

      This version is safer: https://www.totallynotnsa.com/truecrypt.7.1.no-nsa-backdoor.zip?evil=false

    7. Re:So, what now? by cbhacking · · Score: 2

      Hadn't been updated much... but there's a big ongoing audit of the code that already turned up some findings. Nothing major, certainly not enough that I'd say it warrants the kind of warnings currently all over the site, but enough that there really *should* be a newer version to patch them.

      Flaws will continue to be discovered, including after the audit. They don't even have to be flaws in TC itself, properly speaking; if somebody finds a major break in some cryptographic primitive (cipher, hash function, etc.) that TC uses, then TC needs to stop using that primitive even if it implemented it correctly (or consider something like DES, which was secure 30 years ago but today can be brute-forced quickly and inexpensively, though none of the current primitives we use should be *that* weak anymore). In any case, if flaws do not get patched as they are discovered, they will accumulate, and sooner or later there will be one that's either too big to accept or some combination of them that makes attacks on the software or its data practical.

      --
      There's no place I could be, since I've found Serenity...
  4. What! by rock56501 · · Score: 2

    The website itself says that integrated encryption is supported in Windows 8/7/Vista, but when you go to MS's website about Bitlocker for Win 7, it says that it's only supported in Enterprise and Ultimate versions of Windows 7. Guess everyone on Home / Pro versions gets screwed!

    1. Re:What! by cbhacking · · Score: 3, Informative

      Yeah.. the TC site gives you a step-by-step on how to upgrade your Windows edition, but they don't seem inclined to hand over the money it costs. Not that they're under any obligation to - it's not as if they were under any obligation to develop TC in the first place, either - but as a guide its usefulness is severely limited.

      Win8 at least has BL in the Pro edition (having reduced the range of SKUs considerably from Win7) but... yeah. Vista doesn't even (officially) support BL on removable media at all, in addition to (like Win7) only offering it on Enterprise and Ultimate SKUs.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:What! by harrkev · · Score: 2

      So, assuming that this IS real, any suggestions on FOSS encryption for those without access to BitLocker?

      On a side-note, how could TrueCrypt be actually broken? Even if the encryption is broken, that can be fixed in a later release. There is a LOT of stuff in TC (boot manager, GUI, etc.), and you cannot tell me that ALL of it is bad.

      --
      "-1 Troll" is apparently the same as "-1 I disagree with you."
  5. Bummer by I'm+just+joshin · · Score: 5, Insightful

    The best aspect of Truecrypt was the cross-platform compatibility. Being able to open an encrypted drive on any platform was the killer feature.

    1. Re:Bummer by Darinbob · · Score: 2

      The BSD license is FOSS, and TrueCrypt was also FOSS. Even the FSF says that the BSD license really is a free license, only that it's not as good as their GPL is.

    2. Re:Bummer by Zanadou · · Score: 2

      https://diskcryptor.net/wiki/F...

      " Q: What operating systems are supported?

      DiskCryptor supports any Microsoft operating system since Windows 2000. Windows 2000 support will cease with the release of DiskCryptor 1.0 which will require Windows XP or newer.

      Other operating systems (like Linux, etc.) are currently not supported and no plans exist to add support. "

  6. What's in my TrueCrypt volume? by Cruciform · · Score: 4, Insightful

    The only things in my TrueCrypt volume are password lists, tax info, etc.
    And those are encrypted separately before being put in the Truecrypt volume.
    That way if my machine were to be hijacked while I have the volume mounted, I wouldn't lose all the data to nefarious purposes.
    And if the device is stolen, there's two layers of security to get through. (Which around here would just be the thieves deleting everything and selling it for Oxy)

    1. Re:What's in my TrueCrypt volume? by rvw · · Score: 2

      Noob. I put my TrueCrypt volumes in TrueCrypt volumes in TrueCrypt volumes.

      Good that you do this three times, as you probably know that twice simply undoes the first attempt! I'm a little confused as to why you put your "volumes" in "volumes", so plural. Is that a confusing tactic?

    2. Re:What's in my TrueCrypt volume? by rainmaestro · · Score: 3, Insightful

      Tax returns contain the following:
      Name, address, Social Security number, income, employer info, spouse and dependent names and Social Security numbers, bank account number and routing number (if using direct deposit for your refund). Surely you can see why you wouldn't want that information falling into the hands of whoever stole your laptop, right? A tax return is basically the golden snitch of identity theft.

  7. Hacked or NSA? by Dega704 · · Score: 2

    Taking all bets! I also offer video poker! -Kudos if you can name who I'm quoting.

    1. Re:Hacked or NSA? by PrimaryConsult · · Score: 3, Funny

      ... and *you're* the reason they have to ban smartphones during trivia night at the local bar...

  8. Million-dollar question by CelticWhisper · · Score: 2

    I think what a lot of people want to know is whether 7.1a is still reliable and, if not, how many versions back one must go to get a release that's still feature-complete but not questionable in security.

    In the meantime, if you need to encrypt a file, you can use GPG and Cryptophane if you want a GUI. Nowhere near as elegant as TC but it should get the job done.

    --
    Help protect civil rights from abuse by the TSA - visit TSA News Blog.
    http://www.tsanewsblog.com
  9. Truecrypt was the hardest thing for the NSA by ourlovecanlastforeve · · Score: 5, Insightful

    Truecrypt was the hardest thing for the NSA and the US government to deal with when seizing storage equipment. It makes sense that they would pressure the project to shutter.

    1. Re:Truecrypt was the hardest thing for the NSA by cryptizard · · Score: 2

      Not like there aren't a ton of other disk encryption options, so not sure what they would hope to accomplish if that were the case.

    2. Re:Truecrypt was the hardest thing for the NSA by AmiMoJo · · Score: 2

      What other open source and somewhat trustworthy options are there for Windows?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Truecrypt was the hardest thing for the NSA by Anonymous Coward · · Score: 2, Interesting

      Please provide proof for any of the following:

      1. There exists a method to detect a hidden volume within an unmounted TC container file.
      2. There exists a method to detect a hidden volume in a TC container file when the outer volume is mounted.

      Otherwise, stop wasting our time.

  10. Dumb reasoning? by K.+S.+Kyosuke · · Score: 2

    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues ... Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

    Am I the only one to see a problem with that juxtaposition?

    --
    Ezekiel 23:20
    1. Re:Dumb reasoning? by creepynut · · Score: 2

      All the major platforms can create virtual disk images, it's just that none of them is cross-platform.

      Windows 7 (not sure about previous) lets you create VHD disk images in Disk Management. I assume BitLocker can be enabled on these, more cumbersome than TrueCrypt since you'd need to attach the VHD then mount the BitLocker volume. Not sure how correct this is as I have Windows 7 Home Premium which doesn't do BitLocker.

      Alternatively you could GPG encrypt the VHD file, but that would require decrypting it before attaching and would require that it be stored on disk in a decrypted state. TrueCrypt is purely on-the-fly, the data never touches the disk without being encrypted.

      Macs support easily creating encrypted disk images through Disk Utility and mounting+unmounting them is painless. Even more so than TrueCrypt.

      On Linux you can create encrypted loopback files with losetup or cryptsetup. Cryptsetup supports mounting TrueCrypt volumes, so there's that.

  11. Foul Play by rock56501 · · Score: 5, Informative

    The Register [theregister.co.uk] suggests that the version 7.2 binary has in fact been compromised and is suggesting not to touch that binary.

    1. Re:Foul Play by Anonymous Coward · · Score: 2, Interesting

      The Register has no idea what it's talking about.
      This is pure speculation.

      Yes, they might have been compromised. But very early analysis shows they aren't blatantly backdoored, but that's all we know and they have no business claiming the changes are "eyebrow-raising" and hinting that it is malware. The changes are mostly removing the encryption/volume creation part of TrueCrypt.

      Wait and see. They probably just want to "make the buzz".

  12. my 2p conspiracy theory by s0litaire · · Score: 2

    OK
    The main currently accepted theory is that the NSA or whoever (insert your fave 3 letter agency here!) tried to get the signing keys, and TC decided all it could do was "salt the field" and shut up shop.

    May as well throw in my 2 theories:
    [less likely]
    1) One lucky scammer/hacker got the motherlode of a hack, got access to one of the developers' systems and managed to get the signing keys as well as full access to the TC sites.

    [more likely]
    2) Due to internal egos and in-fighting, one of the development team did an "Eric Cartman" on the others and went "Screw you guys, I'm outta here!", putting up the "closed for business" sign and issuing a suspect (but officially signed!) version that only decrypts, killing the brand in the process.

    --
    Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
    1. Re:my 2p conspiracy theory by Anonymous Coward · · Score: 5, Informative

      They REUPLOADED a new key file, that contains the SAME key they used before.
      The new files were signed with that key (the new and old key are the SAME, but they wiped everything and reuploaded new key files, then the TC 7.2)

    2. Re:my 2p conspiracy theory by Anonymous Coward · · Score: 5, Interesting

      Alas, one or more of the TrueCrypt devs (syncon?) have been located and are acting under duress, as a 'canary' previously agreed upon has been published:
      1. Compiling with VC2010, and then not manually changing the .rc's language from "English (United States)" to "English (U.S.)" as it was in VC6;
      2. Changing the published release date from "on " to "in ";
      3. Format/InPlace.c #12, remove reference in comment to "(likely an MS bug)" - changing this parenthetical should not be counted as canary, but removing it should

      TC's build process is surprisingly arcane (includes old software due to bootloader code size, etc), and while a lot of it is accumulated dust, some of the dust is deliberately placed.

      I do not know precisely what this means, as I have no contact with the developers anymore: but this is what was agreed upon.

      They should no longer be trusted, their binaries should not be executed, their site should be considered compromised, and their key should be treated as revoked. It may be that they have been approached by an aggressive intelligence agency or NSLed, but I don't know for sure.

      While the source of 7.2 does not appear to my eyes to be backdoored, other than obviously not supporting encryption anymore, I have not analysed the binary and distrust it. It shouldn't be distributed or executed.

  13. TrueCrypt screwed me by Trax3001BBS · · Score: 2

    I figure it was my fault but still not sure what I did wrong. I read all of the text on TrueCrypt from the site and thought I had a handle on it, so two hard drives were organized and TrueCrypted.

    I had just assumed a password would allow one to access the/a device.

    I reinstall Windows when it starts doing odd things, about every 6 months. I did a new clean install of Win7, hooked up the drives, and the passwords wouldn't allow me access to the drives. Ended up formatting both drives as I couldn't access them no matter what I tried.

    So I am very reluctant to try TrueCrypt again, yet BitLocker isn't an option.

    1. Re:TrueCrypt screwed me by dargaud · · Score: 2

      I remember when I was still using Windows (a long time ago), if you connected a TC-encrypted disk (at the device level), it of course wouldn't recognise it, but would ask to 'sign' it (or some other similar term), which would actually write some tag in the first sector and nuke the TC header, thus rendering the drive unusable. 99% Windows' fault, but maybe TC should have a backup of the header in some later sectors.

      Anyway, I've been using TC on linux for a decade, very happy about it, and just like everybody else I wonder what's coming.

      --
      Non-Linux Penguins ?
  14. Re:I'll ask... by Anonymous Coward · · Score: 2, Informative

    From my Software folder. I don't have the keys to help you verify them, but feel free to VirusTotal them or something if you're totally paranoid.

    7.1: http://www.sendspace.com/file/rjeukf
    7.1a: http://www.sendspace.com/file/ihsea5

  15. Convenient by javajeff · · Score: 2

    What makes TrueCrypt convenient is that I can have an encrypted envelope that I can drop on a USB drive and then access it from Linux or Windows. I do not always want to encrypt an HDD or partition.

  16. Yawn... by davmoo · · Score: 4, Informative

    Until such time as the iSEC audits turn up an actual problem, I'll keep using 7.1a as usual.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:Yawn... by ProzacPatient · · Score: 2

      I've had copies of TrueCrypt 7.1a on my TrueCrypt'd external HDD (I tend to save everything I download) from about a year ago predating this event so I'll provide MD5 and SHA-1 hashes of them if that helps at all. I'm just a random guy on the internet so you may want to take this with a grain of salt but hopefully it'll help you find legit copies or validate any downloads that you find somehow.

      TrueCrypt Setup 7.1a.exe
      MD5: 7A23AC83A0856C352025A6F7C9CC1526
      SHA-1: 7689D038C76BD1DF695D295C026961E50E4A62EA

      truecrypt-7.1a-linux-x64.tar.gz
      MD5: BB355096348383987447151EECD6DC0E
      SHA-1: 086CF24FAD36C2C99A6AC32774833C74091ACC4D

      TrueCrypt 7.1a Mac OS X.dmg
      MD5: 89AFFDC42966AE5739F673BA5FB4B7C5
      SHA-1: 16E6D7675D63FBA9BB75A9983397E3FB610459A1
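      A hash list like the one above is only useful if you actually check it, and MD5 and SHA-1 are both weak enough that a match is a cross-check against accidental corruption or a swapped file, not proof of authenticity (that still needs a signature from a key you trust). The following is an added example, not code from the thread or from the TrueCrypt project: it parses a manifest in the same "filename / MD5: / SHA-1:" layout the post uses, hashes each file in one pass, and reports ok / mismatch / missing. The file names and contents in `demo()` are constructed for illustration.

```python
"""Verify downloaded files against a published hash manifest.

Added example, not part of the original thread or of TrueCrypt. It reads a
manifest in the "filename / MD5: ... / SHA-1: ..." layout used in the post,
hashes each file once, and reports mismatches. A match against a community-
posted list only proves the bytes are the ones the poster has, so treat it as
a cross-check, not as a substitute for a detached signature.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Manifest labels mapped to hashlib algorithm names.
ALGO_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
HASH_LINE = re.compile(r"^(MD5|SHA-1|SHA-256):\s*([0-9A-Fa-f]+)$")


def parse_manifest(text):
    """Return {filename: {hashlib_name: hexdigest}} from a post-style manifest.

    A non-hash line names the file; following hash lines belong to it; a blank
    line ends the entry. Digests are normalised to lowercase.
    """
    manifest = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a filename: {line!r}")
            manifest[current][ALGO_NAMES[m.group(1)]] = m.group(2).lower()
        else:
            current = line
            manifest.setdefault(current, {})
    return manifest


def hash_file(path, algos, chunk=1 << 20):
    """Compute all requested digests in a single pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(manifest, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry.

    Every listed digest must match; a single wrong digest is a mismatch.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = hash_file(path, expected.keys())
        ok = all(hmac.compare_digest(actual[a], expected[a]) for a in expected)
        results[name] = "ok" if ok else "mismatch"
    return results


def demo():
    """Constructed end-to-end run: write two files, build a manifest from them,
    then flip one byte in the second file and add an entry for a file that
    does not exist. Expected result: good.bin ok, tampered.bin mismatch,
    absent.bin missing."""
    tmp = tempfile.mkdtemp()
    contents = {  # constructed sample payloads, not real TrueCrypt files
        "good.bin": b"constructed sample payload A" * 1000,
        "tampered.bin": b"constructed sample payload B" * 1000,
    }
    lines = []
    for name, data in contents.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
        d = hash_file(os.path.join(tmp, name), ["md5", "sha1"])
        lines += [name, f"MD5: {d['md5'].upper()}", f"SHA-1: {d['sha1'].upper()}", ""]
    lines += ["absent.bin", "MD5: " + "0" * 32, ""]  # placeholder digest
    # Change a single byte after the manifest was produced.
    with open(os.path.join(tmp, "tampered.bin"), "r+b") as f:
        f.seek(10)
        f.write(b"X")
    return verify(parse_manifest("\n".join(lines)), tmp)


if __name__ == "__main__":
    print(demo())
```

      To use it on a real download, paste the posted list into a text file, run `parse_manifest` over it and `verify` against the directory holding the files; `hash_file` can be given `["sha256"]` as well when a stronger digest is available.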

  17. distinction without a difference by AdamWill · · Score: 4, Insightful

    So, either they got attacked by someone who was able to both deface the website and *sign code with their GPG key*, or the announcement is genuine.

    I think the obvious response is precisely identical in either case...

  18. Here's something interesting... by Anonymous Coward · · Score: 5, Interesting

    truecrypt.org

    >This URL has been excluded from the Wayback Machine.

    1. Re:Here's something interesting... by Anonymous Coward · · Score: 4, Interesting

      truecrypt.org

      >This URL has been excluded from the Wayback Machine.

      and it's vanished from google cache as well...

    2. Re:Here's something interesting... by Xolvix · · Score: 2

      The Wayback Machine honors a site's robots.txt file, and it's quite possible (and perfectly allowed by archive.org if you read their FAQ) to prevent an entire site from being archived. Given it has no history, it stands to reason the site was being excluded from the beginning.

      Remember - the people/person who made TrueCrypt is still anonymous. Perhaps that paranoia also meant they wanted greater control over how the site is run, which includes preventing it from being archived automatically.

  19. SourceForge problem? by CygnusTM · · Score: 5, Interesting

    Hmmm. SourceForge forced a password reset last week citing "changes to how we're storing user passwords." Coincidence?

  20. Linux section odd by Anonymous Coward · · Score: 5, Informative

    Cryptsetup-LUKS is the obvious recommendation; you can even mount TrueCrypt volumes in recent versions. Or copy data over to a loop-AES encrypted volume, but that requires patching the kernel.

  21. Re:I'll ask... by mirix · · Score: 4, Insightful

    Nice try, NSA. You're not gonna fool us that easily.

    --
    Sent from my PDP-11
  22. Re:I'll ask... by hodet · · Score: 2

    If this is legit you can certainly understand why nobody could ever download these right?

  23. The reason is... by myforwik · · Score: 5, Informative

    They probably just decided to end the project. My experience is that it has been slowly dying for a long time. I have been heavily involved with TrueCrypt and its source code for many years. I make programs to custom edit the boot screen and otherwise customise TC's appearance. My programs are not forks; rather, they edit the actual binary code installed, so that users can easily use it on existing installations.

    What you have to understand is that TrueCrypt has added very little functionality for a very long time. In particular they seem to have lost the key developers who did the code in the boot sectors. For those who don't know, a long time ago the program was too big to fit into the boot sectors, and a special deflate algorithm was added to decompress the boot sector code. My code to unzip the boot program and edit its display strings is still the same code from TC 5.0, and it still works on the latest edition. The guys who coded this section appear to be long gone from the project, hence absolutely nothing done about UEFI. The changes that have occurred look questionable, in that the people making them seem to have very limited assembly understanding and were hacking on bits instead of properly modifying the program's flow.

    Secondly, getting TC to work with operating systems is extremely complicated, especially for Windows. It was Microsoft who eventually released the APIs that were used to make TrueCrypt properly handle sleep/hibernate. These APIs are not forthcoming for Win8 or beyond, and in all honesty - Windows is the only market that matters. I am going to guess that one of the last known developers knows there is a bug that they no longer believe they have the experience or skill to fix properly, and hence has decided to shut it down.

    1. Re:The reason is... by thegarbz · · Score: 3, Insightful

      Yes that would be a sensible excuse except, programs which are abandoned typically do not cause:

      - the website to be defaced and debranded.
      - a new version of the software to be released with gutted functionality.
      - old versions to be removed.
      - recommend commercial alternatives to open source programs.
      - pretend that the announcement happened due to loss of support for an OS still used by 20% of all machines.
      - not get in contact with the outside world.

      Someone went to great lengths to make this look as nefarious as possible. This isn't the typical project shutting down. Actually my first thought was hacked, and my second thought was NSA'd, even though I swore not to follow the typical Slashdot NSA paranoia.

  24. NSA by plazman30 · · Score: 2

    What if the TrueCrypt authors found a flaw the NSA was already exploiting and are doing this as a pre-emptive strike against the NSA by trying to get people off TrueCrypt?

  25. Nicely done, Truecrypt team! by Anonymous Coward · · Score: 5, Interesting

    From the "new" website, in red letters: ...TrueCrypt is not secure as...

    Now, with added emphasis: ...TrueCrypt is Not Secure As...

    NSL for sure. Nicely sidestepped.

    (Captcha: "collects" Really.)