TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised. It's feared the project, run by a highly secretive team of anonymous developers, has been …

COMMENTS

This topic is closed for new posts.

    1. John Tserkezis

      Re: This is ridiculous

      "TrueCrypt had a quite functional, if not very eye-catching website, which has been replaced by a primitive HTML page that you can throw together in two minutes."

      It's as if the developer-killed-himself-with-his-own-sword conspiracy theorists can't read. You've mentioned some of the more glaring points that clearly tell us perhaps some twat had nothing better to do on a Sunday morning, got lucky with the server access, and cooked up a new version that doesn't work.

      Bitlocker. Funny.

    2. Mark .

      Re: This is ridiculous

      "(I mean... switch to Bitlocker? That's not even a good troll.)"

      Okay, I'll bite - what are the problems?

      Truecrypt is cross-platform, and also available on all versions of Windows. But for someone where this isn't an issue, what is it about Bitlocker that makes this laughable?

      1. Anonymous Coward

        Re: This is ridiculous

        To me it's the equivalent of Mozilla shutting up shop and recommending IE as a secure alternative to FF.

        I would seriously hope it's not gonna happen.

  1. DrM

    I'm from the government and I'm here to help you.

    So, this all comes about when XP is dead and now no user has a legitimate need for other than BitLocker?

    Sounds like once it could be said that no Windows user needed it -- we have BitLocker! -- the Feds convinced them to pull the program. The Feds, the NSA HATE encryption. They don't like me and Eric using it.

    And, sure, why not use BitLocker? It only has 25% of the functionality and who can you trust more for secure code than Microsoft? Not only are they highly skilled -- they won't even talk to the NSA, I'll bet.

    1. Havin_it

      Re: I'm from the government and I'm here to help you.

      >So, this all comes about when XP is dead and now no user has a legitimate need for other than BitLocker?

      Except for users of any edition of Windows Vista and 7 below Enterprise, and 8.* below Pro, IOW virtually every high-street-bought home computer in use today.

    2. PrivateCitizen

      Re: I'm from the government and I'm here to help you.

      " It only has 25% of the functionality"

      Agreed - Whole Disk Encryption was not the main reason I used truecrypt, and isn't the main reason almost everyone I know used truecrypt.

      If that was the whole reason, Bitlocker is a poor alternative even for truecrypt's WDE.

  2. Anonymous Coward

    Key escrow

    They're advocating you move to a different product that supports NSA key escrow - that's pretty telling...

  3. Liam2

    fork();

    I'm not worried about TC going away. It's only a matter of time before a fork comes to light. Such is the magic of free software.

  4. thexfile

    SourceForge has been compromised for at least two months now.

    1. Destroy All Monsters

      It's time to put a fork in it.

  5. John Smith 19

    Rebuild from source code

    Isn't that the whole idea of open source?

    1. Blacklight

      Re: Rebuild from source code

      ISTR that the problem was that no-one could generally get it to build correctly from source....

      From : http://istruecryptauditedyet.com/ :

      "Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else. And it's not an easy process"

      1. MJB7

        Re: Rebuild from source code

        I don't think building from source is all that hard. What is hard is deterministically building from source. Thus given the same source files, you end up with the same (bit-wise identical) executable.

        There are a lot of tools that make that hard these days; there are good reasons, but it's not desirable in open source security software.

        1. Jamie Jones

          Re: Rebuild from source code

          FreeBSD:

          cd /usr/ports/security/truecrypt && make install clean
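The distinction MJB7 draws above (building from source is easy, building the *same bits* twice is hard) is easier to see with a tiny stand-in build. The following is an added example, not TrueCrypt code and not from anyone in the thread: the "build" just packages a constructed source tree into a ZIP archive. The naive variant embeds the build clock and writes files in whatever order the filesystem hands them over, which is why two honest builders get two different binaries; the reproducible variant pins every timestamp to a fixed SOURCE_DATE_EPOCH-style value, sorts the entries and fixes the file modes, so any two builders who start from the same source get a bit-identical artefact whose hash can be compared against the published one. The file contents and timestamps are made up for the example.

```python
"""Added example (not TrueCrypt project code): why a naive build is not
bit-for-bit reproducible and what normalising the build inputs buys you.

A tiny stand-in "build" that packages source files into a ZIP archive.
"""
import hashlib
import io
import time
import zipfile

# Constructed stand-in for a source tree: {path: contents}.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/crypto.c": b"/* cipher code would live here */\n",
    "README": b"Build with make.\n",
}

# Fixed epoch used by the reproducible variant (1 Jan 1980, ZIP's minimum).
SOURCE_DATE_EPOCH = 315532800


def _build(files, epoch, ordered_names):
    """Package ``files`` into an in-memory ZIP with the given mtime and entry order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ordered_names:
            info = zipfile.ZipInfo(name, date_time=time.gmtime(epoch)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3              # "unix", not whatever host built it
            info.external_attr = 0o644 << 16    # fixed mode, not the builder's umask
            zf.writestr(info, files[name])
    return buf.getvalue()


def naive_build(files, build_time):
    """Non-reproducible: embeds the wall clock and keeps directory order."""
    return _build(files, build_time, list(files))


def reproducible_build(files):
    """Reproducible: pinned timestamps, sorted entry order, fixed file modes."""
    return _build(files, SOURCE_DATE_EPOCH, sorted(files))


def digest(blob):
    """SHA-256 of an artefact, the value a user would compare against a published hash."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    a = naive_build(SOURCE_TREE, build_time=1_401_321_600)  # one builder, 29 May 2014
    b = naive_build(SOURCE_TREE, build_time=1_401_408_000)  # another builder, a day later
    print("naive builds match:       ", digest(a) == digest(b))
    r1 = reproducible_build(SOURCE_TREE)
    r2 = reproducible_build(dict(reversed(list(SOURCE_TREE.items()))))
    print("reproducible builds match:", digest(r1) == digest(r2))
```

Real toolchains have many more such inputs (build paths, `__DATE__` macros, linker ordering, PE/ELF timestamps, locale), which is what makes the Tor-style deterministic build process the audit project proposed laborious; the principle is the same as here: identify every input that is not the source and pin it.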

  6. MostlyGordon

    The Conspiracy Theory

    1. Last week EBay gets hacked and loses their password database. But, says don't worry it was encrypted.

    2. This week iOS devices start getting hijacked.

    3. Hijacked users probably had the same EBay and iCloud passwords.

    4. Guess what EBay used for encryption...

    The burning question is, can anyone recommend a good alternative? Free, open source, and cross platform with similar functionality to TrueCrypt?

    1. Destroy All Monsters

      I shiggedy

      I seriously hope they didn't ENCRYPT password with TrueCrypt instead of HASHING them in an irrecoverable manner using "openssl passwd -1 -salt $SALT $PASSWORD" then putting them into a RELATIONAL DATABASE!
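The point in the post above is that a password store should hold salted one-way hashes, not reversibly encrypted passwords: a stolen database of hashes still costs the attacker a guessing campaign per user, whereas a stolen database plus the encryption key gives up everything at once. The following is an added example, not from the thread and not eBay's or TrueCrypt's code. The post uses MD5-crypt via `openssl passwd -1`; this example swaps in PBKDF2-HMAC-SHA256 from the Python standard library, which is what a system built today would reach for, and keeps the same discipline: a fresh random salt per user, a deliberately slow derivation, and a verifier that recomputes the hash rather than decrypting anything. The `pbkdf2_sha256$…` record format and the 600,000-round default are assumptions made for the example.

```python
"""Added example (not from the thread or any TrueCrypt/eBay code): storing
passwords as salted, slow, one-way hashes and verifying them without ever
being able to recover the plaintext.

Uses PBKDF2-HMAC-SHA256 from the standard library in place of the MD5-crypt
command in the post; the record format is this example's own convention.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: tune so one hash takes ~100 ms on your login hosts


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt: same password, different record per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash from the stored salt/parameters; nothing is decrypted."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash record: " + algorithm)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the verifier does not leak the mismatch position.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True if the record used fewer rounds than current policy (rehash at next login)."""
    _, stored_iterations, _, _ = stored.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, same record?", alice == bob)  # per-user salt makes this False
    print("alice logs in:", verify_password("correct horse battery staple", alice))
    print("attacker guesses:", verify_password("password123", alice))
    print("legacy record needs upgrade:", needs_rehash(alice, iterations=1_000_000))
```

Because each record carries its own salt and round count, old rows can be upgraded transparently when the user next authenticates, which is how a deployment moves off a weak scheme such as MD5-crypt without forcing a mass reset.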

  7. Anonymous Coward

    Thing is...

    Last year, I was messing about and installed TrueCrypt (from a download link on the .org site) on a system to try something out and well... it ended up putting Wajam on the PC, which despite its company acting like it's a legit piece of software has this habit of acting a lot like malware and for all intents and purposes should be considered as such, as far as I'm concerned.

    1. pepper

      Re: Thing is...

      Heh, I just did a quick search for that Wajam company, I ended up on the wiki page and started reading the talk pages (which are often quite informative).

      That company is massively trolling wikipedia in the hopes of getting any positive PR.

  8. ici.chacal

    With regard to platform-provided security...

    As well as using Truecrypt, I also use home directory encryption when I install Ubuntu. Does anyone know how secure that is..?

    1. mourner

      Re: With regard to platform-provided security...

      As far as I remember it uses AES encryption with a 128 bit key by default. So presuming the implementation has been done correctly it's relatively robust i.e. an opponent would need to brute force the encryption which would take a very long time provided you choose to use a sensible / strong password.

    2. robmobz

      Re: With regard to platform-provided security...

      It is ecryptfs which is audited here: https://defuse.ca/audits/ecryptfs.htm

      There are several vulnerabilities but still better than nothing.

  9. Shaha Alam

    very, very triksy.

    just goes to show, you can have the best safe in the world, but it's no good if someone can replace it without you knowing.

    security isn't about locks and safes and encryption. it's a state of mind. a mind constantly on the edge of paranoia.

  10. TopOnePercent

    The real questions

    Seems to me there are 2 likely possible triggers for all this:

    1) The audit has indeed found something big and has notified the developers ahead of time. That would be courteous and professional, so not unexpected *IF* the audit found something.

    2) It's just a hack of the site rather than the software.

    I suspect #1 is rather more likely than #2, but both surely spell the end of TrueCrypt, so the real question is to what should everyone migrate? TrueCrypt was pretty much the universal standard, so is there anything waiting in the wings to take over, and if so, will it now be audited?

    1. Destroy All Monsters

      Re: The real questions

      Clearly, if it's (2) then rolling back to earlier versions and moving to a serious hosting environment that is not the weakest link in the chain may re-normalize the situation.

      1. Destroy All Monsters

        Re: The real questions

        Mr. William Hague, please stop the downvoting, kthx.

  11. Sir Runcible Spoon

    Exclusion from Wayback machine

    It has been removed since at least Feb 10th 2014

    From Wayback FAQ:

    Why isn't the site I'm looking for in the archive?

    Some sites may not be included because the automated crawlers were unaware of their existence at the time of the crawl. It's also possible that some sites were not archived because they were password protected, blocked by robots.txt, or otherwise inaccessible to our automated systems. Siteowners might have also requested that their sites be excluded from the Wayback Machine. When this has occurred, you will see a "blocked site error" message. When a site is excluded because of robots.txt you will see a "robots.txt query exclusion error" message.

    The actual response from Wayback is

    "Sorry. This URL has been excluded from the Wayback Machine."

    Note, not 'blocked site error'. Unless they have updated their processes and the faq is incorrect.

    I'd like to know how far back this goes and determine if it is in any way linked to the current situation. It might be important.

    1. Sir Runcible Spoon

      Re: Exclusion from Wayback machine

      For future reference, an archive of the TC binaries

      https://github.com/DrWhax/truecrypt-archive

      Also, check out this interesting thread on the matter..

      http://www.metafilter.com/139452/FalseCrypt

      Especially the bit about the 410 page when trying to retrieve the truecrypt.org/robot.txt file

      1. Destroy All Monsters

        Re: Exclusion from Wayback machine

        I like this:

        The best explanation I've seen is a rage-quit, based on the commit history; as if someone was making changes and then decided "fuck you people" because the audit kickstarter got all kinds of money and Truecrypt got nothing.

        1. Destroy All Monsters

          All along the watchtower...

          And also...

          The TC devs have been willing to labor in obscurity for 10 years on an ideological project that almost certainly hasn't earned them a living, that is wasted on and unappreciated by most computer users, that could earn the devs some pretty powerful enemies, and the importance of which has arguably been steadily eroded by the feature creep of popular operating systems.

          It would not be shocking to learn that the devs were fairly eccentric. Socially idiosyncratic. Crotchety. Grouchy. Zealots. Justified paranoids. Assholes, even. And I say this with affection: I've used TrueCrypt for years. It warms my heart to imagine that my security software was designed by grouchy zealot paranoid assholes.

          I point this out because most of the "something is UP" vibe this story seems to radiate really just comes down to "But this is so abrupt and confusing!" That is, it comes down to the social signals connected to the event, or lack thereof. But the devs have never been very forthcoming with any sort of social signals. If they're grouchy zealot paranoids, they may see social signals as weakness. Well, in this newfangled game, where every detail of your writing style is preserved for all time, for later analysis by computers and programs that don't even exist yet, maybe they can be.

          I'm coming around to the point of view that this isn't as crazy a way for the devs to quit the TC project as it seems at first blush. TC is open source and I'm sure the program will continue to be developed to some degree by someone. Probably several projects, several someones. Maybe the TC devs (who haven't updated TC at all in nearly two years) have a new project they view as more important. Maybe being a grouchy zealot is really tiring.

          posted by Western Infidels at 9:24 PM on May 28 [18 favorites]

          1. Sir Runcible Spoon

            Re: All along the watchtower...

            This is the best archive info of TC I've found so far..

            www.domaintools.com/research/screenshot-history/true-crypt.org/

            www.domaintools.com/research/screenshot-history/truecrypt-foundation.org/

            1. Sir Runcible Spoon

              Where?

              Domain Name: TRUECRYPT.BIZ

              Domain ID: D11969768-BIZ

              Sponsoring Registrar: GODADDY.COM, INC.

              Sponsoring Registrar IANA ID: 146

              Registrar URL (registration services): whois.godaddy.com

              Domain Status: clientDeleteProhibited

              Domain Status: clientRenewProhibited

              Domain Status: clientTransferProhibited

              Domain Status: clientUpdateProhibited

              Registrant ID: CR19068119

              Registrant Name: TrueCrypt Foundation

              Registrant Organization: TrueCrypt Foundation

              Registrant Address1: NAVAS Station

              Registrant City: Marie Byrd Land

              Registrant Postal Code: 80S 120W

              Registrant Country: Antarctica

              Registrant Country Code: AQ

              Registrant Phone Number: +672.0000

              Registrant Email:

              Administrative Contact ID: CR19068121

              Administrative Contact Name: TrueCrypt Foundation

              Administrative Contact Organization: TrueCrypt Foundation

              Administrative Contact Address1: NAVAS Station

              Administrative Contact City: Marie Byrd Land

              Administrative Contact Postal Code: 80S 120W

              Administrative Contact Country: Antarctica

              Administrative Contact Country Code: AQ

              Administrative Contact Phone Number: +672.0000

              Administrative Contact Email: domain.admin@truecrypt-foundation.org

              80S 120W is quite literally, the middle of nowhere.

              And this one looks a bit fishy..

              http://whois.domaintools.com/truecrypt.us

              Registered on March 3rd 2014 from Hong Kong...why would that be?

              1. Sir Runcible Spoon

                Re: Where?

                From the comparison code analysis from 7.2 to 7.1a I noticed this little nugget from the licence..

                - name truecrypt.org is associated with Your Product.

                + name truecrypt is associated with Your Product.

                There are a few other instances where truecrypt.org has been truncated to just truecrypt.

                It's almost as if whoever wrote it was anticipating TC code being hosted on sites other than truecrypt.org, or anything that re-directs to it.

                Something else I noticed, not only does the new installer not install the setup guide (understandable if it's only there to decrypt everything you already have) but it also deletes any existing one you might have in the install directory (such as from a previous version).

                At least that's what it looks like, I'm no coder.

                Everything I've read and looked up all points to the coders distancing themselves from the project as much as possible, but to do that in such a dramatic way without any credible explanation screams 'Lavabit exit strategy' to me, and not something done on a whim - this was well planned, including removing all the cached archives of the site.

  12. Anonymous Coward

    Replacement?

    1. Ideally you understand all the crypto algorithms and write your own software, as simple as possible. You write your own OS, compiler, everything. You fab your own CPU and chipset.

    2. Too hard? Ok, download something from the internet, examine the source code until you understand every line of it and know for a fact that it's flawless, and compile it yourself. Do that with the whole OS. Audit your hardware, somehow.

    3. Still too hard? YES. You're screwed. Assume all electronic devices are 100% insecure.

    1. Bartholomew

      Re: Replacement?

      You forgot about making your own keyboard. From your brain to your hands is where the trust begins and ends.

      1. Michael Wojcik

        Re: Replacement?

        From your brain to your hands is where the trust begins and ends.

        Wrong (see e.g. Descartes' Evil Genius argument) and dumb. There is no "trust", in any absolute sense, any more than there's any absolute "security".

        1. Anonymous Coward

          Re: Secure from our brain to our hands?

          "Don't tell him Pike!"

          http://youtu.be/0V3SqxUomwk

      2. Destroy All Monsters

        Re: Replacement?

        From your brain to your hands is where the trust begins and ends.

        Dr. Strangelove is of a different opinion.

  13. Anonymous Coward

    Arch Linux still on v7.1a...

    ...and I'm not upgrading until I hear otherwise. There's a discussion on the Arch forum (https://bbs.archlinux.org/viewtopic.php?id=182128) - a couple of possible alternatives are mentioned, but one poster put forward the view that whether or not this is a hoax, either way it suggests TC is compromised (by The Spooks or The Hackers... or even both?).

    It would be a bit of a hassle to look for an alternative volume-encryption solution - I use both TC and EncFS to encrypt files in my cloud-storage account (financial info, etc.). The main difference for me, is that files encrypted with EncFS are easily identifiable, whilst a TC volume doesn't have to "stand out" so clearly.

    Still, if we have to migrate, we have to. I'll be keeping a close eye on developments here, and hope that whatever the true story may be, we'll be permitted to find out what it is...

  14. 0765794e08

    TrueCrypt Forum

    I just want to mention that this has wiped out the TrueCrypt forum too.

    There were hundreds of users at the TC forum (myself included), which contained a goldmine of information, not just about TrueCrypt itself but also crypto and computer security in general.

    Many people put in many hours of work in the forum, and it would seem that that repository of knowledge is gone at a stroke.

    So farewell Dan, pepak, Nicky and all the others…. “Sic transit gloria mundi”.

    bae24d3fff

  15. Jim 59

    md5sum

    The md5sum of the bad binary matches the one advertised on the SourceForge site. Not surprising I guess (8af39ed9c2080fa9b3061fa7c0ff792f)

  16. Anonymous Coward

    Food for thought

    If there are unfixed security issues with TrueCrypt, without knowing what they are it would be stupid to fork the project. Maybe it is time to rethink everything back to first principles, for a new virgin whiteboard to be sacrificed to the gods of trust. Since trust in god is dead, in the U.S. anyhow.

  17. David Kelly 2

    Cross Platform

    One of the most attractive features of TrueCrypt was that it is/was cross platform.

    1. Anonymous Coward

      Re: Cross Platform

      That's one reason why I use TC - I can access the encrypted content from our Mac and my Linux netbook.

      I've also been using EncFS, but I never quite got my head around the Mac support (which there is, I know). Apparently, I understand a security audit of EncFS revealed significant weaknesses as well, so I'm looking for an open-source alternative which can operate under both Linux and Mac OS X. eCryptFS is one option I'm reading up on, but TrueCrypt is going to be a tough act to follow.

  18. Christian Berger

    They probably had to give out their private key

    This is something that can easily be done in the US with security letters and you can combine it with a "gag order".

    In that case, particularly with open source software, one sane idea is to "just give up". The project will then be forked and people in other countries, where signing keys don't have to be given out, can continue it.

    If you step back a few steps you can see the 2 main problems with software distribution today.

    One is that most software packages are so huge a single person cannot understand them, the other is that some platforms don't ship with compilers.

    Imagine TrueCrypt consisted of only 100-1000 lines of code and everyone just downloaded the source code and compiled it themselves. It would be a _lot_ more likely that people would take a look at it. And it would be a lot more likely they'd find a back door or bug door.

  19. Rick Giles

    Bitlocker

    I can't quit laughing... "Use Bitlocker..."

    Since it is a Microsoft product, it is about as useful as a sieve to bail water...

  20. Anonymous Coward

    If I were the NSA

    I would get someone to make a Truecrypt fork with a backdoor in it. Post it anon from someplace off the US map so to speak. Lots of idiots would then believe they have a fixed and secure version but they do not.

    I think the only way you can be sure of something is to 1. program something yourself or 2. have the source code and only be able to compile it on one compiler (possibly including version) per platform. That way people can inspect the code and still have comparable output. Only a guess mind since I do not know much of anything about programming.

  21. Nuno trancoso

    Sad if true

    And there's another quite dark avenue. If TC really has/had no backdoors, at maximum strength it would make the spooks' job, if not outright impossible, at the very least immensely resource consuming.

    Now, if I were the spooks, and kinda found myself between the rock and the hard place with nowhere to turn, would I be tempted to take the easy way out and turn the FUD dial up to eleven?

    Leaning hard on someone to get the signing keys, li'l site hijack, "bombastic news", and suddenly the "tabloid news" worshipping masses are running away from what we don't want them to use. Sounds like a decent plan with low resource usage...

    Anyway, kinda non-event. After all, no tinfoil hat brigade member would ever take a TC volume after usage and NOT use another encryption layer on it, would they.

  22. Daniel B.

    Hm...

    Sounds fishy. Wonder what happened? I've been using FileVault2 ever since I switched to OSX, but TrueCrypt was my one true multi-platform crypto option. What should I use now?

    1. Anonymous Coward

      Re: Hm...

      A safe and a decoder ring?

  23. FrankAlphaXII

    Hmm.

    This sounds like plain old vandalism and criminality to me. I really strongly doubt any State actor was involved here. If one was, you'd probably never be able to tell. I'd be willing to bet it's something traditionally criminal and they're seeking to drop a fuckload of malicious software on your machine when you install what you think is a new version of TrueCrypt.

    Instead it's malicious porn toolbars, Trojans, bot programs, malicious cryptocurrency miners, and bootkits ahoy!

    I'd avoid it like the plague and plan to do exactly that permanently at this point, and I'd suggest that users use something else as well. TBH, I was never a big fan of TrueCrypt anyway. I use quite a number of encryption programs on the job and at home, and it just never struck my fancy I guess. I don't know if I'm the only one, but it felt to me to be as clunky as a post-2005 Symantec product last time I used it.

    The brightside is that there are other full disk encryption suites out there, and even some file systems like ZFS and Btrfs offer a built in full disk encryption functionality for *BSD and Linux. As well as standalone programs for *BSD and Linux which sometimes leverage that capability, which doesn't help a Windows User at all, but other Windows full disk encryption technologies than TrueCrypt do exist at varying levels of trustworthiness and quality, as well as expense.

    I have no idea about OS X though I'd imagine that as long as the right libraries are installed in Darwin that you could use one of the *BSD full disk encryption packages.
