Slashdot Mirror


Auditors Release Verified Repositories of TrueCrypt

Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that the TrueCrypt developers posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.

15 of 146 comments

  1. What's the difference between the US and China? by bungo · · Score: 4, Funny

    From my perspective, it appears that both China and the US are willing to bend to their control any IT organization that they can.

    I'm happy that a verified source has been made, but sad to think that it has now come to this - the US, China, Russia, ..... so many countries that it is no longer safe to host security projects.

    If only I could get a CISCO router built in China, packaged in the US and sold through a reseller in Russia.... it could be marketed as the ultimate freedom router*.

    (* Note: freedom is not for the end user)

    --
    "The best part? I became an ordained minister while not wearing pants." -- CleverNickName
  2. Re:Differences between 7.1a and 7.2a by droptone · · Score: 4, Informative

    Yep.

    --
    Every post I make begins with the assumption P=~P.
  3. Re:Differences between 7.1a and 7.2a by Anonymous Coward · · Score: 4, Interesting

    The most obvious difference is that 7.2a will only decrypt files previously encrypted with earlier versions of TrueCrypt. 7.2a is crippled in that it cannot create new encrypted folders, files or whole disks. It was apparently engineered to be broken and serve only as a tool to recover previously encrypted volumes.

  4. Match by Anonymous Coward · · Score: 5, Informative

    Only anecdotal, but I have a copy of "TrueCrypt Setup 7.1a.exe" that I downloaded from truecrypt.org on May 25, 2012, with a SHA-1 sum of 7689d038c76bd1df695d295c026961e50e4a62ea, which matches the same file in this repository.

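The cross-repository hash comparison described in the summary, and the installer hash check in the comment above, as an added Python example that is not part of the original thread. The file bytes, the three mirrors and their listings are constructed stand-ins, not real TrueCrypt artifacts or published hashes.

```python
import hashlib
import hmac

# Constructed stand-ins for the release artifacts (not real TrueCrypt bytes).
SAMPLE_FILES = {
    "TrueCrypt Setup 7.1a.exe": b"constructed windows installer bytes",
    "truecrypt-7.1a-linux-x64.tar.gz": b"constructed linux tarball bytes",
}

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data; sha256 is the SHA-2 member used for the comparison here."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()

def matches(expected_hex: str, actual_hex: str) -> bool:
    # Case-insensitive, constant-time comparison of two hex digests.
    return hmac.compare_digest(expected_hex.lower(), actual_hex.lower())

# Constructed hash listings from three hypothetical mirrors: mirror_b carries a
# tampered tarball hash, and mirror_c never mirrored the Linux build at all.
MIRRORS = {
    "mirror_a": {n: digest(d) for n, d in SAMPLE_FILES.items()},
    "mirror_b": {
        "TrueCrypt Setup 7.1a.exe": digest(SAMPLE_FILES["TrueCrypt Setup 7.1a.exe"]),
        "truecrypt-7.1a-linux-x64.tar.gz": digest(b"tampered tarball bytes"),
    },
    "mirror_c": {"TrueCrypt Setup 7.1a.exe": digest(SAMPLE_FILES["TrueCrypt Setup 7.1a.exe"])},
}

def cross_check(local_files, mirrors, algo="sha256"):
    """Hash each local file and record which mirrors agree, disagree, or lack it."""
    report = {}
    for name, data in local_files.items():
        d = digest(data, algo)
        entry = {"digest": d, "agree": [], "disagree": [], "missing": []}
        for mirror, listing in mirrors.items():
            if name not in listing:
                entry["missing"].append(mirror)
            elif matches(listing[name], d):
                entry["agree"].append(mirror)
            else:
                entry["disagree"].append(mirror)
        report[name] = entry
    return report

def verified(report, min_agreeing=2):
    """Files that at least min_agreeing mirrors vouch for and no mirror contradicts."""
    return sorted(n for n, e in report.items() if len(e["agree"]) >= min_agreeing and not e["disagree"])
```

A single disagreeing mirror is enough to keep a file out of the verified set, which is the point: a tampered copy anywhere is a signal to investigate, not a vote to be outnumbered.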
  5. Re:7.1a for x64 linux by lister+king+of+smeg · · Score: 4, Interesting

    Luckily I have a copy of 7.1a for x64 linux. Because this is a great opportunity to release a trojan horse version of Truecrypt, and many people would be affected.

    I wonder whether its source was in any of the repositories for the larger Linux distros? Perhaps Debian, Gentoo, or Arch would have a cryptographically signed copy of it; if so, that would be a simple matter of grabbing the source with an apt-get source command.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  6. Subscribe by tepples · · Score: 5, Insightful

    What are the hashes for your copy?

    In order for a post of the hashes to be of any use, both the poster and anybody reading the post would have to pay Dice for a subscription to Slashdot. This is because Slashdot redirects all non-subscribers' HTTPS pageviews to HTTP. If the poster does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to Slashdot's server. If the reader does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to the reader's computer.

  7. Re:7.1a for x64 linux by lgw · · Score: 4, Insightful

    If the developers left this "message" that 7.2 might be compromised, what kind of guarantee is there that 7.1 isn't also compromised?

    The only kind of guarantee there is: an open, publicly funded audit of the code. That's the point of this exercise, even before people realized that blindly trusting the TrueCrypt code was a mistake, and that an audit by non-government researchers was needed.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  8. Re:Truecrypt authors-WARNING: TrueCrypt is not sec by cyn1c77 · · Score: 5, Funny

    I learned a long time ago that if you go on a date with a woman and she says "I'm crazy", BELIEVE HER. She IS crazy. Even if she's hot, she's probably telling the truth when she says she's crazy. I think the same principle may apply here.

    Suddenly I am less interested in my privacy and more interested in your anecdotal story!

  9. Re:7.1a for x64 linux by Z00L00K · · Score: 4, Insightful

    It depends on the level of security you expect. To make sure that your documents don't get into the open when someone steals your laptop it may be sufficient, since most thieves just don't worry about the contents and just reformat it after a cursory glance at the contents. So everything that's not obviously visible or takes more than 5 minutes to access is probably safe.

    If you are targeted by the authorities I would say that no widespread security system is safe. The authorities are even more likely to have backdoors into bitlocker than TrueCrypt, even though I suspect that they have TrueCrypt backdoors as well.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  10. Re:7.1a for x64 linux by lgw · · Score: 5, Informative

    That was actually the first step of the audit - to ensure repeatable builds and ensure the source matched the object (well, the Windows version - the Linux version was built and verified by many people over the years, but the Windows build took some non-default make setting and then it matched, so confirmation of that was ~1 year ago).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  11. Re:7.1a for x64 linux by nmb3000 · · Score: 4, Interesting

    Luckily I have a copy of 7.1a for x64 linux

    I noticed something the other day when looking for a copy of the install on my own system. It turns out that when you install TrueCrypt for Windows, it puts a copy of the installer in the destination directory! If you're on Windows, take a look in your %ProgramFiles%\TrueCrypt directory. You will probably find a TrueCrypt Setup.exe file (at work so not sure of the exact filename). This can be used to install/repair/reinstall TrueCrypt on any computer.

    There have been some good attempts to create a trustworthy TrueCrypt archive, but nothing beats your original installation source, which you can use to verify against various signatures found online.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  12. Re:Truecrypt authors-WARNING: TrueCrypt is not sec by rogoshen1 · · Score: 4, Insightful

    I think you're confusing 'spontaneous' (which is fun) with 'crazy' which is bunny-burning, jealous lunacy.

  13. Re:7.1a for x64 linux by Kjella · · Score: 5, Insightful

    First of all, they said TrueCrypt has unfixed critical bugs, not that it was compromised. It wouldn't really make a lot of sense either; if it was compromised back in 2012 and you wanted to be a whistleblower, why wait well over 2 years to do it? It's not like NSA or whomever would let that sort of gag order expire. And if they're under any kind of pressure now, it would be to discredit the software they made years ago that doesn't contain any backdoors. Which brings us over to the next issue: they claim there's critical bugs but they won't tell anyone where they are so others can fix them, nor fix them themselves. I mean they don't just want to shut down their project, they want to tarnish the name, burn it to the ground and salt the earth after them, and you really have to ask: Why?

    I don't think and you probably also don't think that it's because XP support has ended and we should now all go use Bitlocker, so they're lying to us now. Why are they lying to us? I don't know, either they're pressured to it or working for commercial alternatives or threw a hand grenade to start conspiracy theories and get everyone reviewing the code or just went plain nuts I don't know. But there's no reason for any agency to kill off a version that has a backdoor and if there really was a government backdoor wouldn't the best way to be a whistleblower be to point it out? Why this ominous yet vague FUD? The answer that makes the most sense is that they're lying about everything. The developers don't know of any critical issues with 7.1a, but they're being pressured to or want to kill it.

    That doesn't mean TrueCrypt is bug free; of course it may have bigger and smaller issues. But I think they're lying about knowingly withholding anything; that they're not working on the code and not maintaining it isn't the same as deliberately avoiding fixing issues. If they had said nothing at all and TrueCrypt had stayed at version 7.1a for another few years I'd still use it, and despite what looks to me like a best effort they can't go back in time and sabotage their old release. So while I wouldn't trust anything they do from now on, the older code looks good. Why else would they go through so much effort to get rid of it? Somebody badly wants TrueCrypt 7.1a to disappear and be abandoned; the question is who and why.

    --
    Live today, because you never know what tomorrow brings
  14. Re:7.1a for x64 linux by WaywardGeek · · Score: 4, Informative

    I believe I read about this guy on slashdot a year-ish ago. He verified the Windows binary comes from the official source. I replicated most of his steps, until I became a believer. It is the actual source used to compile the 7.1a binary.

    Now, if you're afraid of back-doors, be afraid of what is already in the official source, all 110K+ lines of it.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell
  15. Re:Differences between 7.1a and 7.2a by WaywardGeek · · Score: 4, Interesting

    7.2 was stripped of encryption functions. Even if it was without bugs, what good is it? Not to mention the weird way they walked away from their software.

    It really was weird. Here's my new theory:

    These guys released their best version ever, 7.1a, in February 2012. They had a party, said goodbye, and moved on with their lives. Everyone assumed that since it's open source, some new guys would come along to take over the project. Instead, for two years, there were no security updates, and no credible fork. TrueCrypt was languishing. One of the developers decided to force the world to take action. He pulled that amazing stunt, complete with recommending everyone use Microsoft BitLocker. Now he's kicking back with a beer and watching the world go nuts. It's like kicking an ant hill.

    Did it work? You bet! A bunch of geeks like me said, "I want to help!" A couple of Swiss Pirate Party dudes said, "We'll lead the effort", and before the weekend was over, they had thousands of offers for help. True to the Pirate Party spirit, they even pirated the TrueCrypt name: truecrypt.ch. Also true to the Pirate Party spirit, they don't really know how to organize a team of geeks to work together in a common direction. So, I said "Follow me!" on the forum, and signed up geeks as fast as I could at the site that became CipherShed.org. Now they're self-organizing like some sort of slime mold, creating order out of chaos. It's really fascinating to watch! I hope the original authors are enjoying the drama :-) At this point, I think the new team is going to do amazing things.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell