Check the Truecrypt website.
Not quite sure what to make of that yet...
Check the Truecrypt website.
Not quite sure what to make of that yet...
The Register article on it: link
Probably done by a disgruntled development team member?
Am I incorrect in saying that Microsoft likely has some sort of master key, that they can unlock any Bitlocker vault?
Last edited by SUMMONER; 28-05-2014 at 11:22 PM.
Or some *really* thorough site compromise? Like gaining access to their domain and requesting new signing keys? Or I wonder if it has anything to do with a data breach due to Heartbleed? After all, TC would likely be one of the most desirable sites to compromise.
Then again I'm not sure who would want to go to that sort of length to deface the website in such a specific way? Unless of course that new binary is hiding something.
As it stands though, it's jarring enough to be deeply suspicious, and there isn't exactly a ton of provided evidence to prove validity. I currently don't see a reason to start panicking and ditching TC you may already be using, provided you've had it for a while (presumably the 7.1a binaries haven't changed before this all happened). Also I wouldn't touch that '7.2' release with a bargepole - and I would have expected the developers to know people would react in just that way, so why release it?
Acording to The Register the new 7.2 executable refuses to encrypt new data, it can only be used to "read" your existing TrueCrypt vaults.
If this was a simple website jacking, they would likely just have bolted some malware onto the installer. The fact that they have extensively modified the Truecrypt code prior to creating new executables demonstrates an in depth familiarity with said code.
Well it was open sourced, so any number of people could have examined the code, familiarised themselves with it, and made the planned modifications well before an attack took place. But from what I've seen, they've basically just stripped out a load of functionality and added some message boxes; it wouldn't necessarily take a huge effort to do that.
Edit: Here's the before/after code: https://github.com/warewolf/truecryp...e/master...7.2
Edit2: I missed the edit to your first reply. That's likely what a lot of people are currently thinking (but AFAIK there's only speculation there). However, if it was some gov't conspiracy to get people to use something backdoor'd, surely they'd expect immediate paranoia and distrust in Bitlocker from such a startling post (which has already happened, it seems)? It also seems peculiar to me, that the devs would recommend specifically Bitlocker, why not just 'use something else' - and drive encryption was present on XP anyway, and like with XP, it's still not available to the 'home' versions of Vista/7 (not sure about 8?), so the XP EoL explanation smells very off to me.
In addition, despite EoL, people are still using XP. And for a system kept offline and whole-disk-encrypted, XP is no more or less secure than any other OS inside a TC container.
Last edited by watercooled; 29-05-2014 at 12:01 AM.
May be it was the guy/gal that made Bitlocker for Microsoft?
No, but apparently it's been digitally signed with the TrueCrypt key which means that someone from the team has done it. Or someone's nicked the key, and made this their priority. Or, because I have no idea what I'm talking about, a third scenario that hasn't been dreamed up yet by the big tech sites.
Apparently the key was swapped shortly before the new binaries were published though, hence my domain hijack theory. I'm also not sure how driver signing works, but I wonder if possessing the domain would enable them to gain a new 'legitimate' key?
The reg suggest a new untrusted key was used to sign the binaries.
It's odd. A truly malicious/govt./coporate hack would be far more subversive. The bitlocker stuff I would guess is just trolling.
Question is who? Could be a TrueCrypt guy/gal throwing their toys out the pram, or someone they've annoyed personally somehow.
There is a (conspiracy?) theory that it may be a similar situation to lavabit - the developers have been forced to terminate development.
Details of lava bit here: http://en.wikipedia.org/wiki/Lavabit
Anyone who still wants TrueCrypt 7.1a might find this link useful
http://www.akselvoll.net/2014/05/how...crypt-71a.html
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
Indeed, and thanks.
The one possible flaw in that is that it relies on you having a trustworthy reference system. Problem is, for most people, how sure can they be? If the system you use is not secure, not will anything you check against it be.
Having said that, nothing every is 100% secure, including Truecrypt. There always are weaknesses. Not necessarily hacks, malware or backdoors, but weaknesses. Like someone learning your Truecrypt password, because they saw you enter it, or you wrote it down, or because the user is a complete muppet and used "password" as a password.
How paranoid should we be?
I thought this bit, in that link, was interesting ....So, migrate away? Fine. The big question is, obviously .... to what? Who do you trust? MS & Bitlocker (with or without TPM)?I still think you should take TrueCrypts advice and migrate away from the software, but you probably don't have to rush. Until then, use a trusted version of 7.1a.
If Truecrypt (as a project) is finished, it's a crying shame. But personally, I think "you don't have to rush" is my approach, at lest for now .... not least because my most sensitive data is airgapped anyway.
To some extent you can verify the reference though, provided you trust the signing key - but that is true of any signature system. The author does state that in the article.
Yes, true crypt does have some weaknesses, it is possible to deduce the structure of an encrypted container from artefacts left when it was accessed, even though the actual contents are hidden. That may also be true of other encryption systems.
But I will be using True crypt for a while, simply because there are few alternative cross platform products - gpg is one, although the windows implementation isn't particularly good.
The beauty of True crypt is that a file or partition can be encrypted on OSX, Linux or windows, and decrypted on any other of those platforms, or sent to another user.
A great pity if development really is being stopped.
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
DiskCryptor is a possible alternative, although I don't know too much about it yet, and it's unlikely to have had as much attention paid to the code as TrueCrypt, for now at least.
Absolutely.
I would like to know why, if it is the case. Whether, for instance ir's the Lavabit scenario. And frankly, short of a hack that's lasting too long, it's about the only thing that makes much sense, in the fact that there's naff-all explanation, perhaps because of legal measures preventing them from explaining.
It is, but getting hold of the source code may be tricky now, and this article indicates why that might not be a panacea!
http://www.forbes.com/sites/jameslyn...ud-of-mystery/
(\__/)
(='.'=)
(")_(")
Been helped or just 'Like' a post? Use the Thanks button!
My broadband speed - 750 Meganibbles/minute
There are currently 1 users browsing this thread. (0 members and 1 guests)