So...what happened to TrueCrypt?

raindog308 Administrator, Veteran

Current page redirects to a sourceforge page saying (paraphrased) "TC is insecure, it's been discontinued, use BitLocker".

Weird.

http://www.theregister.co.uk/2014/05/28/truecrypt_hack/


Comments

  • J1021 Member

    So what do I use now? Not Bitlocker.

  • Nyr Community Contributor, Veteran

    Until this is clear, keeping TrueCrypt for the immediate future and not upgrading to v7.2 seems like sensible advice. BitLocker is worse for sure.

  • Well the audit team seems baffled too so probably not a huge vulnerability... C&D? Dunno.

  • O.o

  • Maounique Host Rep, Veteran

    Use DiskCryptor:
    http://sourceforge.net/projects/diskcryptor/ It even opens TC volumes.

  • For Linux there is also https://github.com/bwalex/tc-play which is even in wheezy-backports. Interestingly it looks like Tails was already preparing to replace TrueCrypt earlier this month: https://tails.boum.org/blueprint/replace_truecrypt/

  • raindog308 Administrator, Veteran

    Just seems weird to me that this would come a decade after they started.

  • First Heartbleed, now TrueCrypt?! What's going on?! Why can't they just let us keep our secrets??

  • raindog308 said: Just seems weird to me that this would come a decade after they started.

    Well, I don't wanna get too conspiratorial, and I'm not necessarily saying I believe it, but Snowden's backing of TrueCrypt got it a lot of attention recently, plus the whole general upswing in privacy concerns.

    It's probably not a C&D, it's just hard to imagine what else.

  • joshin Member

    I wouldn't trust the site or the 7.2 version of TrueCrypt. Give it a day or two and we'll know if the site has been hacked.

  • raindog308 Administrator, Veteran

    AThomasHowe said: It's probably not a C&D, it's just hard to imagine what else.

    A year or so ago I ran across a forum for people who work in data forensics. For example, "we seized this guy's computer, recover what's on it". There were numerous comments about TrueCrypt and how it was unbreakable unless you knew (or could brute force) the password.

  • Rallias Member

    joshin said: I wouldn't trust the site or the 7.2 version of TrueCrypt. Give it a day or two and we'll know if the site has been hacked.

    The diff looks clean, but decrypt-only.

  • Maounique Host Rep, Veteran
    edited May 2014

    I would not trust anyone offering a decrypt-only tool and recommending migration to closed source from a collaborator company. Especially when there is zero evidence presented about vulnerabilities, yet they claim it is insecure.

  • wych Member

    shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

    What about the other OS's?

  • I want to know whether my files are still secure.

  • iceTwy Member

    Well, that was unexpected, to say the least. If you're on Linux, go for dm-crypt. The Arch Wiki is a fantastic resource in that regard.

  • Maounique Host Rep, Veteran
    edited May 2014

    I think they are. If that was done by the developers, they would have fixed the code. There was no need to make a decryptor; 7.1 was fully able to decrypt anything. This looks like they were seized somehow and forced to do this as part of some plea bargain. It is really sad Microsoft is part of something like this; in the last few years my view of them had improved quite a bit.
    Microsoft ends support for XP and this makes TC insecure? Pfft... What a joke.

  • Harzem Member

    Someone named Bill Cole has a good review of the situation:

    The iSec initial audit report was very critical of the TC code quality, and implied that it looks like the work of a single coder. There was no update for 2 years. The build process requires a 20 year old MS compiler, manually extracted from an exe installer.

    Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.) You have to eat, so you have a real paying job. You’re not so young any more (doing the TC crap for a decade) and maybe the real job now includes responsibilities that crowd out side work. Or maybe you’ve got a family you love more than the whiny paranoids you encounter via TC. And now iSec is telling you your code is sloppy and unreadable, and that you should take on a buttload of mind-numbing work to pretty it up so they will have an easier time figuring out where some scotch-fueled coding session in 2005 ( or maybe something you inherited from a past developer) resulted in a gaping exploitable hole that everyone will end up calling a NSA backdoor.

    Maybe you just toss it in. Why not? Anyone with a maintained OS has an integrated alternative and as imperfect as they may be, they are better than TC for most users. Maintaining TC isn’t really doing much good for many people and the audit just pushed a giant steaming pile of the least interesting sort of maintenance into top priority. Seems like a fine time to drop it and be your kids’ soccer coach.

  • I agree with what you're saying basically @Harzem but when you write security software, especially cryptographic software, it absolutely deserves to be picked apart in every piece. The real tragedy I guess is so many corporate entities with so much money have been reaping the benefits of these free and open source products without contributing enough back.

    Like you said, this person has a life and maybe a family as do most of the regular users and contributors. It should be up to the big companies who use this software to try and help give back and do things like this audit from the start and periodically. People working for free and out of love can only do so much.

    I know that's a dream world but that's how the OS/free software community should work.

  • blergh_ Member

    Ouch! Not sure what kind of options exist for Windows/cross-platforms.

  • ehab Member

    I've been using encfs and Boxcryptor on Windows and feel fine.

  • ehab Member

    btw, since source is available anyone with enough knowledge can pick it up and update and can keep it free.

  • Store anything you care about somewhere with physical security! My away from home laptop has just RDP, x2go and OpenVPN installed so I can connect to my home PC over fairly secure protocols.

  • Maounique Host Rep, Veteran

    linuxthefish said: my home PC

    And how secure do you think is that?

  • myhken Member

    Do I understand correctly that TrueCrypt 7.1a is secure, but the issue is with the "new" 7.2 version?

    I have used TrueCrypt for years, so if 7.1a is also affected by this, I have a big job ahead, changing it to BC Crypt from Jetico.

  • No, 7.2 just basically disables the app. The audit team says no bad discoveries really; the development team just say there are unfixed bugs in their dead software. If there are issues, it's likely they've been there for 2+ years since the last update.

  • Maounique Host Rep, Veteran

    myhken said: Do I understand correctly that TrueCrypt 7.1a is secure, but the issue is with the "new" 7.2 version?

    Not by far. The so-called 7.2 is superfluous, most likely put there so people won't wonder why, if it is insecure, you let us use the same tools for decrypting the stuff.

  • raindog308 Administrator, Veteran

    myhken said: changing it to BC Crypt from Jetico.

    Wow...haven't heard that name in a long time.

  • netomx Moderator, Veteran

    Just read the comments... 70% of the posts seem to be from the same person.