TrueCrypt "not secure", shuts its doors


Posted on Wed May 28, 2014 7:28 pm

http://arstechnica.com/security/2014/05 ... tly-warns/

For folks just tuning in, TrueCrypt--the gold standard of personal cryptography--has unexpectedly announced that it is not secure, redirected its URLs to the Sourceforge page, and posted a new version which is read-only and full of warnings. At this point there are more questions than answers about just what exactly is going on and I personally wouldn't recommend knee-jerk jumping to another solution (like what, anyway? Nothing else out there does quite what TC does) but folks need to be aware that something is rotten in the state of cryptoland.
NovusBogus
Gerbil XP
 
Posts: 492
Joined: Sun Jan 06, 2013 12:37 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Wed May 28, 2014 8:13 pm

NovusBogus wrote:http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/

For folks just tuning in, TrueCrypt--the gold standard of personal cryptography--has unexpectedly announced that it is not secure, redirected its URLs to the Sourceforge page, and posted a new version which is read-only and full of warnings. At this point there are more questions than answers about just what exactly is going on and I personally wouldn't recommend knee-jerk jumping to another solution (like what, anyway? Nothing else out there does quite what TC does) but folks need to be aware that something is rotten in the state of cryptoland.


Bleh. Quite a good tool, it was. Not sure where the story will go, but I have my bowl of popcorn.

--SS
SecretSquirrel
Gerbil Jedi
Gold subscriber
 
 
Posts: 1686
Joined: Tue Jan 01, 2002 7:00 pm
Location: The Colony, TX (Dallas suburb)

Re: TrueCrypt "not secure", shuts its doors

Posted on Wed May 28, 2014 8:59 pm

What the crap? My whole world just shuddered and torqued.
I've been here long enough that I think I can forgo a signature.
Forge
Darth Gerbil
 
Posts: 7959
Joined: Wed Dec 26, 2001 7:00 pm
Location: SouthEast PA

Re: TrueCrypt "not secure", shuts its doors

Posted on Wed May 28, 2014 9:19 pm

I just started using TrueCrypt about 6 months ago. Damn.

I wonder what's up?
Ryhadar
Gerbil XP
Silver subscriber
 
 
Posts: 384
Joined: Tue Oct 21, 2008 9:51 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Wed May 28, 2014 11:11 pm

Ryhadar wrote:Damn.

+1

Until more is known, I'm taking this as a sign that TC <= 7.1a may have been too secure. The cryptanalysis part of the security audit has not started, and I sure hope it still happens. The code review part of the audit completed with nothing I found too worrisome.

The only thing clear at the moment is that TC > 7.1a should be avoided like the plague, even if the devs put out some newer version. As a project TC is dead, may it rest in peace.

Edit: Oh, and my sincere thanks to the devs up through 7.1a. A rock-solid, elegant piece of work on all platforms.
MarkG509
Gerbil First Class
Gold subscriber
 
 
Posts: 113
Joined: Thu Feb 21, 2013 6:51 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Wed May 28, 2014 11:59 pm

Ryhadar wrote:I wonder what's up?


Three-letter word. Starts with N. Ends with A.
NeelyCam
Gerbil First Class
Gold subscriber
 
 
Posts: 133
Joined: Fri Oct 16, 2009 12:25 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 12:20 am

I am now carefully securing and guarding my 7.1a installer until I know more. I'm not quite ready to point fingers at the NSA or make any pronouncements about police states, but it does seem a valid hypothesis.
I've been here long enough that I think I can forgo a signature.
Forge
Darth Gerbil
 
Posts: 7959
Joined: Wed Dec 26, 2001 7:00 pm
Location: SouthEast PA

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 12:28 am

It's definitely strange. If the site has been hacked why haven't the devs responded? People who audited the code claim to have contact with the devs and no one has heard anything yet. Why hasn't the GPG key used to sign the binaries been revoked?
To me the thing that makes the most sense is that some three letter agency has decided to turn TrueCrypt into Lavabit 2.0. Shutdown or sellout. Good thing we have secret courts to decide secret cases and make sure everything is aboveboard.

Either way I'll keep my 7.1 binary until I find out differently.

**edit: changed spelling mistake
Last edited by sironomus on Thu May 29, 2014 1:06 am, edited 1 time in total.
sironomus
Gerbil
 
Posts: 65
Joined: Sun Feb 22, 2009 9:33 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 12:35 am

Anyone remember Lavabit? That encrypted email service?

Assuming a hacker didn't just steal TrueCrypt's ID keys to allow him/her to create fake, insecure TCs, it is possible that the authors of TC received a secret court order to turn over everything to a secret group, and were not allowed to disclose the information.
UnfriendlyFire
Gerbil
 
Posts: 43
Joined: Sat Aug 03, 2013 7:28 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 3:23 am

UnfriendlyFire wrote:Assuming a hacker didn't just steal TrueCrypt's ID keys to allow him/her to create fake, insecure TCs, it is possible that the authors of TC received a secret court order to turn over everything to a secret group, and were not allowed to disclose the information.


This being open source, what would TrueCrypt have to turn over that's not already publicly available?
kumori
Gerbil Team Leader
Silver subscriber
 
 
Posts: 280
Joined: Sun Dec 18, 2011 12:11 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 6:37 am

kumori wrote:
UnfriendlyFire wrote:Assuming a hacker didn't just steal TrueCrypt's ID keys to allow him/her to create fake, insecure TCs, it is possible that the authors of TC received a secret court order to turn over everything to a secret group, and were not allowed to disclose the information.


This being open source, what would TrueCrypt have to turn over that's not already publicly available?


The keys used to sign TrueCrypt releases.

I'm alternating between the "secret court order" and "a really odd way of ending a project" explanations.

--SS
SecretSquirrel
Gerbil Jedi
Gold subscriber
 
 
Posts: 1686
Joined: Tue Jan 01, 2002 7:00 pm
Location: The Colony, TX (Dallas suburb)

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 7:24 am

SecretSquirrel wrote:The keys used to sign TrueCrypt releases.

I'm alternating between the "secret court order" and "a really odd way of ending a project" explanations.

--SS

Surely Snowden wasn't stupid enough to use TrueCrypt's public key to encrypt his "CYA" file?
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20117
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 8:15 am

Captain Ned wrote:Surely Snowden wasn't stupid enough to use TrueCrypt's public key to encrypt his "CYA" file?


I highly doubt Snowden sent a copy of his files to the TrueCrypt team.

No, what's being suggested is that if TrueCrypt's signing keys are in someone else's possession, it would be possible to engineer a backdoor/weakness into TrueCrypt and release it, making it look like it came from the original team. Of course, this would also mean that either the source code would no longer be released, or the backdoor simply would be left out of the source. The former would be suspicious, but the latter would be very risky as it has been shown that deterministic builds of TrueCrypt from source are more or less possible.
TwistedKestrel
Gerbil Team Leader
 
Posts: 241
Joined: Mon Jan 06, 2003 4:29 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 8:48 am

For what it's worth, as things stand now Matt Green is still going to go through with the audit as he already has the money for it. It could be that 7.1a will work well enough for the years to come... though now it might be good to get into the habit of verifying the signature of it when downloading it, if you weren't before!

For reference, for their last known good key (which at the time of writing, is still available from the Sourceforge site):

Key-ID: F0D6B1E0
Fingerprint: C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0
TwistedKestrel
Gerbil Team Leader
 
Posts: 241
Joined: Mon Jan 06, 2003 4:29 pm
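
Added example, not part of the post above or of the TrueCrypt project: one way to act on the advice about verifying the 7.1a signature, pinning the full fingerprint quoted in the post instead of the 8-character key ID. The function names and the sample status lines are constructed for illustration; `--status-fd` and the `VALIDSIG` status line are GnuPG's machine-readable output.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): accept a release only when GnuPG
# reports a valid signature made by the key with the pinned fingerprint.

# Full fingerprint as quoted in the post above.
PINNED_FPR="C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0"

# check_status WANT_FPR: reads `gpg --status-fd` lines on stdin.
# Returns 0 only if a VALIDSIG line carries WANT_FPR and no failure
# status (bad, unverifiable, expired or revoked) was reported.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the fingerprint of the key that made the signature;
            # the last field, when present, is its primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_release SIG FILE: run gpg on a detached signature and apply the pin.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output (dates and algorithm fields are made up).
SAMPLE_GOOD='[GNUPG:] GOODSIG E3BA73CAF0D6B1E0 constructed-uid
[GNUPG:] VALIDSIG C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0 2000-01-01 946684800 0 4 0 17 2 00 C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0'

# Constructed look-alike: a different key whose last 8 hex digits equal the
# short key ID F0D6B1E0. Matching on the short ID alone would accept it.
SAMPLE_LOOKALIKE='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFF0D6B1E0 2000-01-01 946684800 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEFF0D6B1E0'

# Constructed failure: signature does not match the file.
SAMPLE_BAD='[GNUPG:] BADSIG E3BA73CAF0D6B1E0 constructed-uid'

# Stand-alone use: script.sh <file.sig> <file>
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then echo "signature OK, key pinned"
    else echo "REJECTED" >&2; exit 1; fi
fi
```
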

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 9:17 am

Wouldn't it be possible for someone to take the original code, change the signing keys, and release it as TrueCrypt2?
UnfriendlyFire
Gerbil
 
Posts: 43
Joined: Sat Aug 03, 2013 7:28 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 9:21 am

This news is spooky.
Pun gratuitous.

And my porn collection is in serious jeopardy.
4670K@4.5GHz | Asus Z87-A | G.Skill 8GB 2400MHz CL10 | GTX 660 2GB | Samsung 840 120GB |Thermalright Macho | Lancool PC-K59
puppetworx
Gerbil XP
Silver subscriber
 
 
Posts: 484
Joined: Tue Dec 02, 2008 5:16 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 9:53 am

Wow. That's just... bizarre. I'd say it rates an 11 on the "WTF" scale.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37516
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 9:54 am

Well this just screams out a cover up / secretive removal. TC was deemed so secure 4 years ago, even the government's most deterred PC forensic experts tried to bust into a protected drive. They gave up after almost 3 years trying. There may be more to this than meets the eye, and I don't buy that whole "It's not secure" tagline. Maybe it was too secure. I've got a few encrypted containers on work's laptops, but it's still working for me after all these years so I will preserve the 7.1a installer!!!

My ISP (PlusNet UK) has blocked this page, fwiw: http://truecrypt.sourceforge.net/ :o

Edit: Added screenie. It redirects in seconds.

Edit 2: If I use OpenDNS the site works. Seems simple enough to see what's going on there. Still leaves me wondering why though...

Intel C2E QX9770 @ 4.2Ghz, 1.4v | Gigabyte GA-X38T-DQ6 | 8GB Corsair DDR3 1600 | GTX 750 Ti 2GB | Crucial 512GB M550 SSD
geekl33tgamer
Gerbil Elite
 
Posts: 543
Joined: Tue Aug 25, 2009 7:25 pm
Location: England

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 10:28 am

I wonder if anybody can post a link to the latest trusted installer?
Thanks!
Fractal Design Arc Midi|Antec EA-650|Asus P7P55D Premium|Core i5-750|Gigabyte HD6950 unlocked|X-Fi XtremeMusic|24" Iiyama ProLite B2403WS|Logitech Z-5500|Logitech G11|Logitech G9x
glacius555
Gerbil XP
Silver subscriber
 
 
Posts: 300
Joined: Sat Apr 26, 2008 6:45 pm
Location: Copenhagen, Denmark

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 10:29 am

glacius555 wrote:I wonder if anybody can post a link to the latest trusted installer?
Thanks!

I'm on it...
Intel C2E QX9770 @ 4.2Ghz, 1.4v | Gigabyte GA-X38T-DQ6 | 8GB Corsair DDR3 1600 | GTX 750 Ti 2GB | Crucial 512GB M550 SSD
geekl33tgamer
Gerbil Elite
 
Posts: 543
Joined: Tue Aug 25, 2009 7:25 pm
Location: England

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 10:33 am

Made an easier download page, rather than a long list of links on here. :-)

All OS versions (Win, Mac, Linux):
http://www.geekl33tgamer.co.uk/truecrypt_71a/

Files are signed by TrueCrypt Foundation 7th Feb 2012 21:56:09.

Long live TC. :-)

*Thanks to Forge for some of the files.
Last edited by geekl33tgamer on Thu May 29, 2014 4:07 pm, edited 10 times in total.
Intel C2E QX9770 @ 4.2Ghz, 1.4v | Gigabyte GA-X38T-DQ6 | 8GB Corsair DDR3 1600 | GTX 750 Ti 2GB | Crucial 512GB M550 SSD
geekl33tgamer
Gerbil Elite
 
Posts: 543
Joined: Tue Aug 25, 2009 7:25 pm
Location: England

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 10:34 am

NovusBogus wrote:TrueCrypt--the gold standard of personal cryptography


I wouldn't say it's the gold standard as there have been questions about its legitimacy for some time. PGP, now Gnu PGP, is probably the closest thing to a gold standard for personal encryption.

TrueCrypt team has always been rather shadowy, so this isn't totally out of character.
Flatland_Spider
Gerbil Elite
 
Posts: 816
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 10:42 am

Thanks, mate!


geekl33tgamer wrote:TrueCrypt 7.1a - Last release that allows creating whole drive encryption and containers (Windows XP, Vista, 7, 8, 8.1):
http://www.geekl33tgamer.co.uk/truecryp ... p_7.1a.exe

File is signed by TrueCrypt Foundation 7th Feb 2012 21:56:09.

I'll make a page in a bit, but that root path won't change. Does anyone have the OSX version?
Fractal Design Arc Midi|Antec EA-650|Asus P7P55D Premium|Core i5-750|Gigabyte HD6950 unlocked|X-Fi XtremeMusic|24" Iiyama ProLite B2403WS|Logitech Z-5500|Logitech G11|Logitech G9x
glacius555
Gerbil XP
Silver subscriber
 
 
Posts: 300
Joined: Sat Apr 26, 2008 6:45 pm
Location: Copenhagen, Denmark

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 11:33 am

geekl33tgamer wrote:TrueCrypt 7.1a - Last release that allows creating whole drive encryption and containers (Windows XP, Vista, 7, 8, 8.1):

File is signed by TrueCrypt Foundation 7th Feb 2012 21:56:09.

I'll make a page in a bit, but that root path won't change. Does anyone have the OSX version?


I may have the installer for OSX still. Don't have access to my laptop ATM, but I can check on that this evening.

Really hope we get some clarification on this whole situation. TrueCrypt is such a great piece of software, and what with current events, one I feel we really need right now.
dutchessPeanut
Gerbil In Training
 
Posts: 1
Joined: Thu May 29, 2014 11:29 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 1:24 pm

Flatland_Spider wrote:TrueCrypt team has always been rather shadowy, so this isn't totally out of character.

Shadowy how? Protecting their identities, in case the NSA comes around to blackmail strongly suggest that they add a backdoor to it?

</tinfoil>
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
morphine
Gerbil Khan
Silver subscriber
 
 
Posts: 9934
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: TrueCrypt "not secure", shuts its doors

Posted on Thu May 29, 2014 5:07 pm

Shadowy as in the entire team is anonymous, they don't communicate with the outside world, and they use a unique license that is not free by the standards of the FSF or OSI. No one knows who they are, what they are trying to accomplish, or why they are doing it. There have been tons of questions about the project, but no one on the team has ever stepped forward to give any answers. For instance, they don't use a public build system, so there were questions about if the binaries hosted on the site were actually compiled from the published code or a separate compromised code base.

It's like the Georgia Guidestones (http://en.wikipedia.org/wiki/Georgia_Guidestones), except more useful.
Flatland_Spider
Gerbil Elite
 
Posts: 816
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: TrueCrypt "not secure", shuts its doors

Posted on Fri May 30, 2014 11:34 pm

Around the time when the first part of the TC audit was being done and folks were complaining about how hard it was to build, I did a Linux build of the 7.1a source (including the gui code). Slightly annoying, but not as hard as some have made it out to be.

Binaries compared within reason, given updated Linux and compilers. That same evening, I found the reference implementations of AES and a few other encryption methods, and built those too. Most of (but not all of) the math behind these is beyond me. Long sequences of bit twiddling/swizzling can be followed, given adequate caffeine. Aside from the (en|de)cryption, the mechanics of how TC works is complex but straightforward.

My point is that given a trusted RNG and trusted reference implementations of AES, etc., forking TC (perhaps including fixing any identified exposures) is not impossible.
MarkG509
Gerbil First Class
Gold subscriber
 
 
Posts: 113
Joined: Thu Feb 21, 2013 6:51 pm

Re: TrueCrypt "not secure", shuts its doors

Posted on Sat May 31, 2014 1:27 am

The fork is already happening. It's Swiss now. (http://truecrypt.ch/)

Then there is tcplay which is a "free and simple TrueCrypt Implementation based on dm-crypt." (https://github.com/bwalex/tc-play) (http://leaf.dragonflybsd.org/cgi/web-man?command=tcplay)
Flatland_Spider
Gerbil Elite
 
Posts: 816
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: TrueCrypt "not secure", shuts its doors

Posted on Sat May 31, 2014 2:26 am

Still nothing official, probably never will be, but the auditor is now saying that he was able to contact the developers and they're simply tired of running the project.
NovusBogus
Gerbil XP
 
Posts: 492
Joined: Sun Jan 06, 2013 12:37 am

Re: TrueCrypt "not secure", shuts its doors

Posted on Sat May 31, 2014 8:36 am

The mystery is solved, which is unfortunate. They wrote a perfect ending, and then unravelled it. No sense of the dramatic. :)
Flatland_Spider
Gerbil Elite
 
Posts: 816
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539
