TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised. It's feared the project, run by a highly secretive team of anonymous developers, has been …

COMMENTS

This topic is closed for new posts.


Silver badge

Oh bugger!

I hadn't upgraded to 7.2, I hope 7.1a is OK(ish)

0
0
Anonymous Coward

Re: Oh bugger!

Just checked "Help - About":

TrueCrypt 7.1a. Released February 7, 2012.

Phew...

2
0
(Written by Reg staff) Silver badge

Re: Re: Oh bugger!

"TrueCrypt 7.1a. Released February 7, 2012."

If you've downloaded 7.1a recently and not checked the code signing, I'd be worried. Not spreading FUD, just ... considering the worst-case scenario. How long has this project been compromised?

We're following the situation.

C.

19
0
Silver badge

Re: Oh bugger!

Fortunately (I hope) I haven't upgraded mine since 7.0a

1
0
Silver badge

Re: Oh bugger!

My basic philosophy of "If there isn't a good reason to update, leave it alone" seems to have worked - version 7.0a from 2010 here. I'm not going to move to a Microsoft "solution" unless there is a pressing need. I'll look for other options that might not be as compromised as anything coming from a company with strong links to people who want to know everything.

4
1
Silver badge

Re: Oh bugger!

Before the serial NSA apologist gets in to swing, I'll state that unless the audit shows up something fundamentally broken I'll carry on using 7.0a.

I'm not, after all, a terrorist or paedo, so for securing my personal and business data from accidental loss and use 7.0a should still be ok as far as I'm concerned*.

However, whichever way the verdict swings as to what has actually happened here, I think we can all at least agree it is 'significant'.

*This doesn't mean I wouldn't like the option of the spooks not having a backdoor into my private files, but there are simpler ways of achieving it than rooting TrueCrypt if I were a real target.

4
0
Silver badge
Joke

Re: Oh bugger!

Sir Spoon, you pinko commie terrorist loving liberal socialist unpatriotic pædo!

"Before the serial NSA apologist gets in to swing, "

*snigger* You know he will be!

1
1
Silver badge
Thumb Up

*Source validated 10th February 2012 is available*

As per this page ( http://svnweb.freebsd.org/ports/head/security/truecrypt/distinfo?revision=290882&view=markup ) , checked into the FreeBSD ports tree on 10th February 2012:

Revision 290882 - (show annotations) (download)

Fri Feb 10 22:09:24 2012 UTC (2 years, 3 months ago) by zi

File size: 623 byte(s)

SHA256 (TrueCrypt_7.1a_Source.tar.gz) = e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc

SIZE (TrueCrypt_7.1a_Source.tar.gz) = 1949303

You can easily get a version that passes both the above criteria by googling 'TrueCrypt_7.1a_Source.tar.gz'

1
0
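The check the post above describes, quoting the SHA256 and SIZE lines from the FreeBSD ports distinfo, as an added Python example (not code from the post, from FreeBSD or from the TrueCrypt project): it parses distinfo-style lines and compares a local file's size and SHA256 digest against them. The two expected values for the real tarball are the ones quoted in the post; the sample file the example verifies is constructed bytes written to a temporary directory, and the function names are this example's own. Size is only a cheap pre-filter (the later post listing file sizes of several versions would not on its own distinguish a tampered build from a genuine one), so the digest comparison is the check that matters, and, as another commenter notes further down, the digest is only worth as much as the channel it was obtained over.

```python
import hashlib
import os
import re
import tempfile

# distinfo lines as quoted in the post above (FreeBSD ports, revision 290882)
DISTINFO = """\
SHA256 (TrueCrypt_7.1a_Source.tar.gz) = e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc
SIZE (TrueCrypt_7.1a_Source.tar.gz) = 1949303
"""

# distinfo format: "<KIND> (<filename>) = <value>", one entry per line
DISTINFO_RE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": hexdigest, "SIZE": int}} from distinfo text."""
    expected = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if not m:
            continue  # ignore comments/blank lines rather than failing the whole parse
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entry = expected.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected):
    """Check size first (cheap), then the digest; return (ok, list_of_problems)."""
    name = os.path.basename(path)
    if name not in expected:
        return False, [f"no distinfo entry for {name}"]
    want = expected[name]
    problems = []
    size = os.path.getsize(path)
    if "SIZE" in want and size != want["SIZE"]:
        problems.append(f"size {size} != {want['SIZE']}")
    digest = sha256_file(path)
    if "SHA256" in want and digest != want["SHA256"]:
        problems.append(f"sha256 {digest} != {want['SHA256']}")
    return (not problems), problems


# Constructed sample content standing in for a downloaded tarball (not the real source archive).
SAMPLE_CONTENT = b"constructed sample archive bytes, not the TrueCrypt source\n" * 64


def write_sample(name="TrueCrypt_7.1a_Source.tar.gz", content=SAMPLE_CONTENT):
    """Write the constructed sample to a fresh temporary directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def distinfo_for(path):
    """Produce distinfo lines for a local file (used here only to build the sample's expected values)."""
    name = os.path.basename(path)
    return f"SHA256 ({name}) = {sha256_file(path)}\nSIZE ({name}) = {os.path.getsize(path)}\n"


def demo():
    """Verify a good copy, then a same-size tampered copy, then a copy with an extra byte."""
    path = write_sample()
    expected = parse_distinfo(distinfo_for(path))
    good = verify_download(path, expected)
    # Flip one bit of the first byte: size unchanged, so only the digest check can catch it.
    with open(path, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    tampered = verify_download(path, expected)
    # Append a byte: both size and digest now disagree with distinfo.
    with open(path, "ab") as f:
        f.write(b"x")
    grown = verify_download(path, expected)
    return good, tampered, grown


if __name__ == "__main__":
    for label, result in zip(("good", "tampered", "grown"), demo()):
        print(label, result)
```

For a real download, replace the constructed sample with the path of the archive you fetched and pass `parse_distinfo(DISTINFO)` as the expected values; a mismatch on either line means the file is not the one the ports tree recorded in February 2012.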
Silver badge
Big Brother

Re: Jamie Jones Re: Oh bugger!

Apologies if you were waiting for me to reply, I was too busy laughing at the sheeple getting in a state over this. If you seriously think the NSA did this then you really are beyond delusional, I suggest you consider a few more likely options:

1. A 'concerned activist', such as paedo Oliver Drage, got caught with a Truecrypt partition and found out it didn't save him from jail time, and is subsequently miffed enough to have hacked the site and added his 'warning'. You could add to the list of suspects such 'delightful' nonces as the Lultwatz, the Anonyputz 'no leaders' leaders, etc., etc. In which case you might want to worry that maybe the NSA and chums have backdoored Truecrypt, but it is still unlikely.

2. Some skiddie is having a laugh, you know, just for the 'lulz', and is probably pissing himself laughing at you and the rest of the sheeple as you bleat in fear. In this case the problem is security amongst the developers and, when you finish bleating, you can carry on as you were in your normal state of paranoid self-delusion.

3. A member of the Truecrypt team has found some incriminating evidence that he/she (OK, more likely 'he') actually shows that the app has been backdoored and has taken unilateral action to stop anyone downloading the backdoored version. Actually not that unlikely given the average Githubber's level of communication skills, but it could be a backdoor planted by anyone from the FSB to criminal hackers to the Chinese Army to members of the Lultwatz themselves (OK, the last is the least likely given their level of 'skillz'). In which case, ignore the reality that someone who had hacked Truecrypt would be unlikely to warn you they had, you ALL need to be very worried, immediately disconnect your self from the Internet and head for hidey-holes in the Ecuadorean Embassy.....

/Pointing and laughing and ROFLMAO.

0
8
Silver badge
Stop

Re: Jamie Jones Oh bugger!

I don't think the NSA have backdoored TC.

I do think the developers have ditched TC in a 100%, no going back kind of way and queered the pitch for anyone else wishing to take it over using the new (less restrictive) licence.

As to why, well they might have had a NSL which could mean the next version *would* have a backdoor, or they could just be doing it to make it *look* like they received a NSL.

That there are bugs in the code that could be exploited is true. Are they serious? Not sure yet, we'll have to wait for the audit to complete to know for sure.

Are the developers bothered about updating TC to fix any bugs? Probably not, they don't get paid, they get lots of grief, and people have just handed over a ton of cash to find more things to beat them up with. Can't feel very nice.

As to the manner of the death of TC, I have no idea if this was a huge hissy fit to make it look like they got a NSL or if they actually got one - I don't think it really matters now.

That everyone knows they *could* have received a NSL leaves enough doubt to kill TC for good, and probably enough doubt to protect them from NSA reprisals, FUD is their business after all.

Time to start backing a true FOSS development that has a chance of remaining free of ghostly influences.

"/Pointing and laughing and ROFLMAO."

You are a strange dude Matt. Your laughter sounds a little forced with a hint of zealous hysteria to me. I really don't get you. You sometime argue your points well and can back them up with references, yet you constantly undermine your own credibility with asinine comments. I'd be interested in meeting you face to face just to satisfy my curiosity as to whether or not you really do live under a bridge :)

5
0
Silver badge
Happy

Re: Jamie Jones Oh bugger!

"Apologies if you were waiting for me to reply, I was too busy laughing at the sheeple getting in a state over this."

I was getting anxious.... You never phone, you never text.... :-(

But, apology accepted - I'm glad you're in a good mood!

"If you seriously think the NSA did this then you really are beyond delusional, I suggest you consider a few more likely options:"

..

I hope you are addressing the commentards generally - I don't think that at all, and I thought it pretty obvious that Sir Spoon didn't either - even before he posted his clarification followup.

As for your 3 points, you may be surprised (and disappointed?) to know that I basically agree with you... (Though of course, you had to make the aggrieved person a pædo rather than someone who was the victim of corporate espionage, or fraud, or someone who just wants to keep his/her personal life.....errr...personal... You were doing so well up until then [I even overlooked your use of 'sheeple'] - do you write for the Daily Mail per-chance?)

"/Pointing and laughing and ROFLMAO."

I told them at the time that this would happen - but they went ahead and gave you that full length mirror anyway *rimshot*

Still, I'm glad you're having a good time! :-)

2
1
Silver badge
Happy

Re: Jamie Jones Oh bugger!

"....I hope you are addressing the commentards generally - I don't think that at all...." Maybe you should, seeing as the doubts over Truecrypt have been circulating for a while, and the recent drive to vet the code seems to have severely annoyed the developer(s). Probably not the Big Bad NSA, but maybe another Big Brother(ski) instead.

0
4
Silver badge
Thumb Up

Re: Jamie Jones Oh bugger!

Hmmmm. weren't they pleased about the audit then?

I'd assumed they'd welcome someone independent validating their work.... Unless they did have something to hide.....

As for my more personal theories, I haven't really given it much thought - I don't use encryption for much, other than ssh sessions, and that's mainly to protect the passwords, not my drivel.

It's funny - I agree with you that most people are overly paranoid that someone wants to read their personal emails. Where we disagree, though, is that I think it's someone's right NOT to be spied on without proper due process. I also resent the constant bollocks from governments using the terrorist excuse for this overreach.

Remember the Bush administration? If you disagreed with them on just about any topic, you were a terrorist!

P.S. Why the downvote? It's true you never call..you never text...

1
0
Bronze badge

Re: Oh bugger!

This might be useful to someone. My versions are as follows:

TrueCrypt 6.1a:

– Modified: 28-12-2008, 07:48. – File size: 3,142,768 bytes

TrueCrypt 6.3

– Modified: 18-11-2009, 22:48. – File size: 3,358,808 bytes

TrueCrypt 6.3a

– Modified: 22-02-2010, 08:57. – File size: 3,358,880 bytes

TrueCrypt 7.1

– Modified: 07-09-2011, 00:21. – File size: 3,470,688 bytes

TrueCrypt 7.1a

– Modified: 10-02-2012, 03:30. – File size: 3,466,248 bytes

___

All files have been on this system since: 29-11-2012

Local timezone: GMT: +10 (+11 summer, southern h.)

I'll do CRCs if anyone needs them. (BTW, I'm not using them on this system, storing EXEs only--nothing important enough to encrypt.)

0
0
Silver badge
Facepalm

Re: Jamie Jones Oh bugger!

".....Why the downvote?....." Because you want to pretend Truecrypt and other tools are not also used by terrorists, criminals and the like. And all the stories you hear about Truecrypt are not about innocent businessmen protecting industry secrets or Joe Average using Truecrypt and being victimised by The Man, they are always about criminals using Truecrypt in an attempt to avoid prosecution.

".... It's true you never call..you never text..." Stop it, you'll make Boring Green jealous. He is my flock-designated, rabid, stalker sheep, doncha know.

0
5
Bronze badge

Re: Jamie Jones Oh bugger!

NSL? Not a user myself, I know one who is. From him, the earlier version of the web site, or Wikipedia I had the distinct impression that TrueCrypt was not developed in the US. Aside from that, the customary use of NSLs seems to be to require production of information without disclosure. It is unclear how that would be useful in the case of a software producer whose product is freely available in source code (presumably along with effective procedures for building the binaries). I never felt comfortable using it due to developer anonymity.

It seems possible, maybe even plausible, that one or more of the developers became aware of a compromise but did not, out of fear or for other reasons, wish to disclose that.

1
0
Anonymous Coward

Re: Oh bugger!

Digests of unauthenticated origin via an insecure channel are not particularly interesting. However, have you had a copy of the authentication key sitting with them, for as long? A comparison (PKI "fingerprints" or just file digests) between an old copy and the one offered now would be of anecdotal interest as there have been suggestions that the key has changed.

0
0
Silver badge

Re: Jamie Jones Oh bugger!

".....Why the downvote?....." Because you want to pretend Truecrypt and other tools are not also used by terrorists, criminals and the like. And all the stories you hear about Truecrypt are not about innocent businessmen protecting industry secrets or Joe Average using Truecrypt and being victimised by The Man, they are always about criminals using Truecrypt in an attempt to avoid prosecution."

Not at all. I fully agree that they are probably mainly used for dodgy and illegal purposes.

My issue was that *you* keep implying that that is their *only* use.

The problem is, do you ban/break something because terrorists can use them?

Do we ban social gatherings, because terrorists can use them to recruit? Do we track and store the movements of every vehicle because criminals use cars as getaway vehicles? Do we stop selling fertilizer because it can be used to make bombs? etc.

".... It's true you never call..you never text..." Stop it, you'll make Boring Green jealous. He is my flock-designated, rabid, stalker sheep, doncha know."

:-)

Sorry, not sure who that is, but I don't want to upset your designated stalker! I'll suffer in silence from now on instead!

P.s. For what it's worth, I didn't downvote you

0
1
Anonymous Coward

Re: Jamie Jones Oh bugger!

"Not at all. I fully agree that they are probably mainly used for dodgy and illegal purposes."

Don't be daft! They are probably widely used for dodgy and illegal purposes... just like cars and phones and watches and computers and pens and so on... but "mainly used for dodgy and illegal purposes" seems almost Matt-Bryant bonkers. If we're going to speculate, they are probably mainly used by teenagers messing about or keeping their pr0n stash out of sight of mum.

Or did you mean ...for dodgy or illegal purposes?.. which could probably include both messing about and perfectly legal pr0n sequestration.

1
1
Silver badge

Re: Jamie Jones Oh bugger!

Yeah, replace 'mainly' with 'widely'. My vocabulary was out of sync with what I meant.

Cheers, Matt ;-)

1
0
Silver badge
Facepalm

Re: Jamie Jones Oh bugger!

".....Do we ban social gatherings, because terrorists can use them to recruit? Do we track and store the movements of every vehicle because criminals use cars as getaway vehicles? Do we stop selling fertilizer because it can be used to make bombs?....." There are already many laws regulating social gatherings, especially protests. In times of war they have been extended to cover even small gatherings and the Government retains the right to issue an order banning any gathering it likes. We also already do record most car journeys in cities on cameras that can recognise both number plates and the face of the driver. And we already have a system in place that monitors the purchase of 'dual-purpose' goods such as fertiliser. I didn't downvote you but you are displaying an alarming lack of insight into the systems already in place.

0
3
Anonymous Coward

Re: Jamie Jones Oh bugger!

Speak of the devil!

Cheers for the downvote Matt.

Right backatcha.

0
1
Silver badge

Re: AC Re: Jamie Jones Oh bugger!

".....Cheers for the downvote Matt....." I didn't downvote you. I didn't think your post was interesting enough or contained sufficient original thought to rate a vote either way, TBH. I also note you childishly downvoted on a presumption of slight rather than the actual points I raised, which shows you are not interested in merit, only in who bleats the way you do.

0
3
Anonymous Coward

Re: AC Jamie Jones Oh bugger!

That's because you didn't make a point. Just a rambling observation that the surveillance state is already out of control. If I was supposed to infer from that that you think it's a good thing, then I'm sorry, I'm afraid I have better things to do than attempt to psychoanalyse random Daily Mail nut jobs.

0
1
Silver badge
FAIL

Re: AC Jamie Jones Oh bugger!

"That's because you didn't make a point....." The point I made, which obviously got filtered by your woolly blinkers, was that the majority of sheeple posting here know SFA about either the capabilities of our authorities or what they use them for.

"....Just a rambling observation that the surveillance state is already out of control....." Not so, it is under very tight and overseen control, it's just you want to baaaah-lieve otherwise. As I pointed out to another member of your flock, if you want to insist all this is being used for 'evil' please do show evidence of how it is being used to harm you.

"....I'm afraid I have better things to do...." Like finishing primary school, I assume?

"....than attempt to psychoanalyse random Daily Mail nut jobs." Apart from the fact I don't read the Daily anything, I would laugh at the idea of you attempting to psychoanalyse anything given your obvious analytical and observational shortcomings.

0
3

Re: Oh bugger!

So a SF page hacked, just post up a new one, use a better password (to keep from getting the page hacked again) then post up 7.1a, as obviously there is no such legit version from the team called 7.2 - let's fix this FUD!

0
0

This post has been deleted by a moderator

Silver badge
Facepalm

Re: Goopy Re: Jamie Jones Oh bugger!

I assume the issue preventing you from posting a thorough, detailed and referenced analysis of the arguments presented in this thread was your mother telling you it was time for bed? I presume that, when you have more time, you will be posting a longer précis that will give a greater insight into more than just the limits of your intellectual capabilities. I, for one, simply can't wait to experience the eloquence and intelligence which, no doubt, you will dazzle us all with.

/Your biggest fan. Honest.

0
2

This post has been deleted by a moderator

This post has been deleted by a moderator

Headmaster

If you were the NSA...

If you were the NSA, how would you set about neutralising things like Truecrypt?

One option might be what we see today.

Food for thought.

37
5
Anonymous Coward

Re: If you were the NSA...

They could endorse it. That would neutralize any security program.

I don't think the NSA had anything to do with this as they work with a lot more subtlety and this work is very loud and amateurish. You can hate them all you want but they do their job in the shadows very well.

29
4

Re: If you were the NSA...

Or it's a red herring for you think it couldn't possibly be them

8
1
Anonymous Coward

Re: If you were the NSA...

No need and too public.

You just bring pressure to bear. A bit of extrajudicial extraction, a bit of torture; job done. Standard USA foreign policy stuff.

3
2
142

Re: If you were the NSA...

>You can hate them all you want but they do their job in the shadows very well.

Yeah, that's a fair statement. So who was it - assuming it's a hack? Patriot Hackers? Seems like a slightly odd target.

Thoughts?

Some obscure Anonymous fringe perhaps? They're not averse to taking down things for fun on occasion, especially things that claim to be secure.

3
0
Bronze badge

Yet...

History would show a different story, not disagreeing, just pointing out that human stupidity is common.

1
0
Silver badge

Re: If you were the NSA...

>Or it's a red herring for you think it couldn't possibly be them

Or that's what they want you to think !

6
0
Silver badge

Re: If you were the NSA...

Yes, particularly since "they" (whoever "they" may be) recommend Bitlocker, a system which has advertised back doors which are commonly used in companies. The back doors are there to still get to the data on your disks even after forgetting your password.

Since Bitlocker is not just closed source software, but also relies on the TPM chip (which is closed source hardware) it's naive to think the NSA doesn't have an easy way to break this.

26
6
Black Helicopters

Re: If you were the NSA...

Yes, but anonymous groups tend to get the grammar wrong and spell things wrong, but this seems fairly well written which makes me doubly suspicious, although of what I'm not sure!

3
0
Anonymous Coward

learn..

Everyone who's said "I don't think the NSA ..." in the past ended up eating their words when Snowden showed us what's really going on...

22
3
Silver badge

Re: If you were the NSA...

>>"Yes, particularly since "they" (whoever "they" may be) recommends Bitlocker, a system which has advertised back doors which are commonly used in companies. The back doors are there to still get to the data on your disks even after forgetting your password."

That's not a backdoor. A "backdoor" is a secret route in that isn't documented, or at least isn't public knowledge, and is outside the system owner's control. The whole notion of "advertised back doors" is pretty silly. Bitlocker allows you to select if you wish the storing of secondary keys on a third party system so that the data can still be unlocked if you, e.g. suffer a hard disk failure and your local keys are corrupted, you forget your password to the data, you're in an enterprise environment and your company wants to give you an encrypted store on your laptop but still open it themselves if you wish.

Basically, useful, advertised and voluntary features. We'll file this particular silly distortion of yours along with those other posts of yours I recall about Secure Boot and Bing copying Google's search results - posts of yours I recall recently that similarly misrepresent things. Misinformation is damaging. Your agenda is obvious.

15
6
Silver badge
Black Helicopters

Re: If you were the NSA...

It could all be a double-bluff by NSA protesters.

Try and make it look like an act of oppression by removing or compromising a trusted tool, then actively recommending alternatives from a company that likes to lick the NSA's ring-piece would probably do the trick - but they may have over-egged the pudding. It is fairly crude, but it will certainly get attention beyond the tech-world..eventually. Expect a garbled account from the Beeb in about 6 weeks or so.

6
0
Anonymous Coward

Re: learn..

>ended up eating their words when Snowden showed us what's really going on...

But is Snowden a modern double agent, and has he actually been working for a US agency all along...

1
2
Silver badge
Boffin

Re: If you were the NSA...

Interesting concept, but I can see where this particular one is likely to fail - the crowd funded investigation into the integrity of TrueCrypt. Assuming the investigation finds (presumably 7.1a) to be good then everyone in the world can trust that the correctly signed version is safe, and you end up with a tool the NSA can never discredit.

Techies have long had a "toolbox" that often has older but known reliable tools in it. El Reg had just such an article this week.

2
0
Silver badge

Re: If you were the NSA...

"Techies have long had a "toolbox" that often has older but known reliable tools in it. El Reg had just such an article this week"

If I were to take a longer view of things, removing avenues of escape (for data) would definitely be something I did if I were going to embark on a round-up exercise of miscreants at some point in the future.

Whilst techies have skills and old tools, lack of new tools will severely hamper developments in this area. People who are not techies to start with will probably end up being stuffed.

Imagine if you wanted to learn how to encrypt your personal data *today*. What would you find? No archives for TC, warnings about it being unsafe, recommendations for other software that is proprietary.

This isn't about the people who already have the skills and tools, it's about stopping people without those skills and tools from obtaining them*.

*imho - time will tell

6
1

@142

Yeah, that's a fair statement. So who was it - assuming it's a hack? Patriot Hackers? Seems like a slightly odd target.

It could be:

*State sponsored hacking (pick your nation of choice)

*Criminal sponsored hacking

*A lone hacker

*A dev received a secret court order and is doing what (s)he can to announce it, as someone below suggested

*A dev found a security hole being exploited and yanked that version off the site

*Dev infighting causing one dev to get his/her revenge

*Ballmer and Gates playing a prank on the OS community

Without more information it is hard to say who did what and the reasons behind it but I'm sure Occam's razor is involved somewhere.

0
0
Silver badge

Re: If you were the NSA...

"If you were the NSA, how would you set about neutralising things like Truecrypt?

One option might be what we see today.

Food for thought."

Not a very good option.

If I were the NSA, firstly I'd be extremely under-provisioned in the human assets department.

Secondly, I'd secretly subvert Truecrypt 7.0 and let it mature to a couple of upgrades. Then I'd hack the latest version really obviously and put out lots of messages to switch to Microsoft software so all the knee-jerk unterrorist nonpaedos would dig in, smugly secure in the knowledge that they were using the "good" version.

But I'm not the NSA (which does not exist).

1
2
Bronze badge

Re: learn..

"Everyone who's said "I don't think the NSA ..." in the past ended up eating their words when Snowden showed us what's really going on..."

Everyone? Snowden's revelations validated every single thing the NSA has ever been accused of?

I know critical thinking doesn't come easily to many Reg commentators, and that goes double for the ACs, but really - try to have a little perspective, won't you?

2
4
Bronze badge

Re: If you were the NSA...

"Food for thought."

Junk food. Really, you think there's some insight in suggesting "hey, the NSA might be behind this" for every security-related incident? There are already plenty of folks on that bandwagon.

Surely we can find some new bugbear du jour. Can we blame the "Dark Web"?

1
4
Anonymous Coward

Maybe the NSA IS being extra sneaky

So, what if, hypothetically, the NSA was pulling its hair out over TC's unbreakability?

Why not do something, like sending some sort of NS letter to the supposedly anonymous developers, which makes them freak out and close down like this.

End result: most people they're interested in move to another, possibly less secure solution....

Not that this helps with TC volumes already in their possession, but it proves you don't have to actually break a solution's implementation to defeat it.

2
0
