I hadn't upgraded to 7.2, I hope 7.1a is OK(ish)
The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised. It's feared the project, run by a highly secretive team of anonymous developers, has been …
My basic philosophy of "If there isn't a good reason to update, leave it alone" seems to have worked - version 7.0a from 2010 here. I'm not going to move to a Microsoft "solution" unless there is a pressing need. I'll look for other options that might not be as compromised as anything coming from a company with strong links to people who want to know everything.
Before the serial NSA apologist gets in to swing, I'll state that unless the audit shows up something fundamentally broken I'll carry on using 7.0a.
I'm not, after all, a terrorist or paedo, so for securing my personal and business data from accidental loss and use 7.0a should still be ok as far as I'm concerned*.
However, whichever way the verdict swings as to what has actually happened here, I think we can all at least agree it is 'significant'.
*This doesn't mean I wouldn't like the option of the spooks not having a backdoor into my private files, but there are simpler ways of achieving it than rooting TrueCrypt if I were a real target.
Apologies if you were waiting for me to reply, I was too busy laughing at the sheeple getting in a state over this. If you seriously think the NSA did this then you really are beyond delusional, I suggest you consider a few more likely options:
1. A 'concerned activist', such as paedo Oliver Drage, got caught with a Truecrypt partition and found out it didn't save him from jail time, and is subsequently miffed enough to have hacked the site and added his 'warning'. You could add to the list of suspects such 'delightful' nonces as the Lultwatz, the Anonyputz 'no leaders' leaders, etc., etc. In which case you might want to worry that maybe the NSA and chums have backdoored Truecrypt, but it is still unlikely.
2. Some skiddie is having a laugh, you know, just for the 'lulz', and is probably pissing himself laughing at you and the rest of the sheeple as you bleat in fear. In this case the problem is security amongst the developers and, when you finish bleating, you can carry on as you were in your normal state of paranoid self-delusion.
3. A member of the Truecrypt team has found some incriminating evidence that he/she (OK, more likely 'he') thinks actually shows that the app has been backdoored and has taken unilateral action to stop anyone downloading the backdoored version. Actually not that unlikely given the average Githubber's level of communication skills, but it could be a backdoor planted by anyone from the FSB to criminal hackers to the Chinese Army to members of the Lultwatz themselves (OK, the last is the least likely given their level of 'skillz'). In which case, ignore the reality that someone who had hacked Truecrypt would be unlikely to warn you they had, you ALL need to be very worried, immediately disconnect yourself from the Internet and head for hidey-holes in the Ecuadorean Embassy.....
/Pointing and laughing and ROFLMAO.
I don't think the NSA have backdoored TC.
I do think the developers have ditched TC in a 100%, no going back kind of way and queered the pitch for anyone else wishing to take it over using the new (less restrictive) licence.
As to why, well they might have had an NSL which could mean the next version *would* have a backdoor, or they could just be doing it to make it *look* like they received an NSL.
That there are bugs in the code that could be exploited is true. Are they serious? Not sure yet, we'll have to wait for the audit to complete to know for sure.
Are the developers bothered about updating TC to fix any bugs? Probably not, they don't get paid, they get lots of grief, and people have just handed over a ton of cash to find more things to beat them up with. Can't feel very nice.
As to the manner of the death of TC, I have no idea if this was a huge hissy fit to make it look like they got an NSL or if they actually got one - I don't think it really matters now.
That everyone knows they *could* have received an NSL leaves enough doubt to kill TC for good, and probably enough doubt to protect them from NSA reprisals, FUD is their business after all.
Time to start backing a true FOSS development that has a chance of remaining free of ghostly influences.
"/Pointing and laughing and ROFLMAO."
You are a strange dude Matt. Your laughter sounds a little forced with a hint of zealous hysteria to me. I really don't get you. You sometimes argue your points well and can back them up with references, yet you constantly undermine your own credibility with asinine comments. I'd be interested in meeting you face to face just to satisfy my curiosity as to whether or not you really do live under a bridge :)
NSL? Not a user myself, I know one who is. From him, the earlier version of the web site, or Wikipedia I had the distinct impression that TrueCrypt was not developed in the US. Aside from that, the customary use of NSLs seems to be to require production of information without disclosure. It is unclear how that would be useful in the case of a software producer whose product is freely available in source code (presumably along with effective procedures for building the binaries). I never felt comfortable using it due to developer anonymity.
It seems possible, maybe even plausible, that one or more of the developers became aware of a compromise but did not, out of fear or for other reasons, wish to disclose that.
I assume the issue preventing you from posting a thorough, detailed and referenced analysis of the arguments presented in this thread was your mother telling you it was time for bed? I presume that, when you have more time, you will be posting a longer précis that will give a greater insight into more than just the limits of your intellectual capabilities. I, for one, simply can't wait to experience the eloquence and intelligence which, no doubt, you will dazzle us all with.
/Your biggest fan. Honest.
"Apologies if you were waiting for me to reply, I was too busy laughing at the sheeple getting in a state over this."
I was getting anxious.... You never phone, you never text.... :-(
But, apology accepted - I'm glad you're in a good mood!
"If you seriously think the NSA did this then you really are beyond delusional, I suggest you consider a few more likely options:"
I hope you are addressing the commentards generally - I don't think that at all, and I thought it pretty obvious that Sir Spoon didn't either - even before he posted his clarification followup.
As for your 3 points, you may be surprised (and disappointed?) to know that I basically agree with you... (Though of course, you had to make the aggrieved person a pædo rather than someone who was the victim of corporate espionage, or fraud, or someone who just wants to keep his/her personal life.....errr...personal... You were doing so well up until then [I even overlooked your use of 'sheeple'] - do you write for the Daily Mail perchance?)
"/Pointing and laughing and ROFLMAO."
I told them at the time that this would happen - but they went ahead and gave you that full length mirror anyway *rimshot*
Still, I'm glad you're having a good time! :-)
"....I hope you are addressing the commentards generally - I don't think that at all...." Maybe you should, seeing as the doubts over Truecrypt have been circulating for a while, and the recent drive to vet the code seems to have severely annoyed the developer(s). Probably not the Big Bad NSA, but maybe another Big Brother(ski) instead.
Hmmmm. weren't they pleased about the audit then?
I'd assumed they'd welcome someone independent validating their work.... Unless they did have something to hide.....
As for my more personal theories, I haven't really given it much thought - I don't use encryption for much, other than ssh sessions, and that's mainly to protect the passwords, not my drivel.
It's funny - I agree with you that most people are overly paranoid that someone wants to read their personal emails. Where we disagree, though, is that I think it's someone's right NOT to be spied on without proper due process. I also resent the constant bollocks from governments using the terrorist excuse for this overreach.
Remember the Bush administration? If you disagreed with them on just about any topic, you were a terrorist!
P.s; Why the downvote? It's true you never call..you never text...
".....Why the downvote?....." Because you want to pretend Truecrypt and other tools are not also used by terrorists, criminals and the like. And all the stories you hear about Truecrypt are not about innocent businessmen protecting industry secrets or Joe Average using Truecrypt and being victimised by The Man, they are always about criminals using Truecrypt in an attempt to avoid prosecution.
".... It's true you never call..you never text..." Stop it, you'll make Boring Green jealous. He is my flock-designated, rabid, stalker sheep, doncha know.
".....Why the downvote?....." Because you want to pretend Truecrypt and other tools are not also used by terrorists, criminals and the like. And all the stories you hear about Truecrypt are not about innocent businessmen protecting industry secrets or Joe Average using Truecrypt and being victimised by The Man, they are always about criminals using Truecrypt in an attempt to avoid prosecution."
Not at all. I fully agree that they are probably mainly used for dodgy and illegal purposes.
My issue was that *you* keep implying that that is their *only* use.
The problem is, do you ban/break something because terrorists can use them?
Do we ban social gatherings, because terrorists can use them to recruit? Do we track and store the movements of every vehicle because criminals use cars as getaway vehicles? Do we stop selling fertilizer because it can be used to make bombs? etc.
".... It's true you never call..you never text..." Stop it, you'll make Boring Green jealous. He is my flock-designated, rabid, stalker sheep, doncha know."
Sorry, not sure who that is, but I don't want to upset your designated stalker! I'll suffer in silence from now on instead!
P.s. For what it's worth, I didn't downvote you
"Not at all. I fully agree that they are probably mainly used for dodgy and illegal purposes."
Don't be daft! They are probably widely used for dodgy and illegal purposes... just like cars and phones and watches and computers and pens and so on... but "mainly used for dodgy and illegal purposes" seems almost Matt-Bryant bonkers. If we're going to speculate, they are probably mainly used by teenagers messing about or keeping their pr0n stash out of sight of mum.
Or did you mean ...for dodgy or illegal purposes?.. which could probably include both messing about and perfectly legal pr0n sequestration.
".....Do we ban social gatherings, because terrorists can use them to recruit? Do we track and store the movements of every vehicle because criminals use cars as getaway vehicles? Do we stop selling fertilizer because it can be used to make bombs?....." There are already many laws regulating social gatherings, especially protests. In times of war they have been extended to cover even small gatherings and the Government retains the right to issue an order banning any gathering it likes. We also already do record most car journeys in cities on cameras that can recognise both number plates and the face of the driver. And we already have a system in place that monitors the purchase of 'dual-purpose' goods such as fertiliser. I didn't down vote you but you are displaying an alarming lack of insight into the systems already in place.
".....Cheers for the downvote Matt....." I didn't down vote you. I didn't think your post was interesting enough or contained sufficient original thought to rate a vote either way, TBH. I also note you childishly down voted on a presumption of slight rather than the actual points I raised, which shows you are not interested in merit only in who bleats the way you do.
That's because you didn't make a point. Just a rambling observation that the surveillance state is already out of control. If I was supposed to infer from that that you think it's a good thing, then I'm sorry, I'm afraid I have better things to do than attempt to psychoanalyse random Daily Mail nut jobs.
"That's because you didn't make a point....." The point I made, which obviously got filtered by your woolly blinkers, was that the majority of sheeple posting here know SFA about either the capabilities of our authorities or what they use them for.
"....Just a rambling observation that the surveillance state is already out of control....." Not so, it is under very tight and overseen control, it's just you want to baaaah-lieve otherwise. As I pointed out to another member of your flock, if you want to insist all this is being used for 'evil' please do show evidence of how it is being used to harm you.
"....I'm afraid I have better things to do...." Like finishing primary school, I assume?
"....than attempt to psychoanalyse random Daily Mail nut jobs." Apart from the fact I don't read the Daily anything, I would laugh at the idea of you attempting to psychoanalyse anything given your obvious analytical and observational shortcomings.
As per this page ( http://svnweb.freebsd.org/ports/head/security/truecrypt/distinfo?revision=290882&view=markup ) , checked into the FreeBSD ports tree on 10th February 2012:
Revision 290882, Fri Feb 10 22:09:24 2012 UTC, by zi (file size: 623 bytes):
SHA256 (TrueCrypt_7.1a_Source.tar.gz) = e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc
SIZE (TrueCrypt_7.1a_Source.tar.gz) = 1949303
You can easily get a version that passes both the above criteria by googling 'TrueCrypt_7.1a_Source.tar.gz'
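A small checker, added here and not part of the FreeBSD ports tree or of any poster's code, that parses distinfo-style lines like the two quoted above and compares a downloaded tarball's size and SHA256 against them. Only the 7.1a values come from the thread; the data used in demo_verify() is constructed, and the matching is done locally so it works offline.

```python
"""Check a downloaded distfile against FreeBSD ports distinfo (SIZE + SHA256)."""
import hashlib
import hmac
import os
import re
import tempfile

# The two distinfo lines quoted in the thread (ports r290882, security/truecrypt).
TRUECRYPT_71A_DISTINFO = """\
SHA256 (TrueCrypt_7.1a_Source.tar.gz) = e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc
SIZE (TrueCrypt_7.1a_Source.tar.gz) = 1949303
"""
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text):
    """Parse '<KIND> (<distfile>) = <value>' lines into {distfile: {KIND: value}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError("unrecognised distinfo line: %r" % line)
        entries.setdefault(m.group("name"), {})[m.group(1)] = m.group("value")
    return entries

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large tarball is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_distfile(path, distinfo_text, distfile=None):
    """Return a list of problems for `path`; an empty list means SIZE and SHA256 match."""
    entries = parse_distinfo(distinfo_text)
    name = distfile or os.path.basename(path)
    if name not in entries:
        return ["%s: no entry in distinfo" % name]
    expected, problems = entries[name], []
    size = os.path.getsize(path)
    if "SIZE" in expected and size != int(expected["SIZE"]):
        problems.append("SIZE mismatch: expected %s, got %d" % (expected["SIZE"], size))
    actual = sha256_of_file(path)
    if "SHA256" in expected and not hmac.compare_digest(actual, expected["SHA256"].lower()):
        problems.append("SHA256 mismatch: expected %s, got %s" % (expected["SHA256"], actual))
    return problems

def make_distinfo(name, data):
    """Build distinfo text for constructed test data (helper for the demo, not a ports tool)."""
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (name, hashlib.sha256(data).hexdigest(), name, len(data))

def demo_verify():
    """Constructed round trip: the intact copy passes, altered and truncated copies fail."""
    data = b"constructed sample bytes, not a real TrueCrypt tarball\n" * 64
    distinfo = make_distinfo("sample.tar.gz", data)
    variants = {"intact": data, "altered": data[:-1] + b"X", "truncated": data[:-10]}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in variants.items():
            p = os.path.join(tmp, label + ".tar.gz")
            with open(p, "wb") as fh:
                fh.write(content)
            results[label] = verify_distfile(p, distinfo, distfile="sample.tar.gz")
    return results
```

To check a real download, call verify_distfile("TrueCrypt_7.1a_Source.tar.gz", TRUECRYPT_71A_DISTINFO); a matching size with a differing digest is the case worth noticing, since it is exactly what a substituted tarball of the same length looks like.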
This might be useful to someone. My versions are as follows:
– Modified: 28-12-2008, 07:48. – File size: 3,142,768 bytes
– Modified: 18-11-2009, 22:48. – File size: 3,358,808 bytes
– Modified: 22-02-2010, 08:57. – File size: 3,358,880 bytes
– Modified: 07-09-2011, 00:21. – File size: 3,470,688 bytes
– Modified: 10-02-2012, 03:30. – File size: 3,466,248 bytes
All files have been on this system since: 29-11-2012
Local timezone: GMT: +10 (+11 summer, southern h.)
I'll do CRCs if anyone needs them. (BTW, I'm not using them on this system, storing EXE's only--nothing important enough to encrypt.)
Digests of unauthenticated origin via an insecure channel are not particularly interesting. However, have you had a copy of the authentication key sitting with them, for as long? A comparison (PKI "fingerprints" or just file digests) between an old copy and the one offered now would be of anecdotal interest as there have been suggestions that the key has changed.
They could endorse it. That would neutralize any security program.
I don't think the NSA had anything to do with this as they work with a lot more subtlety and this work is very loud and amateurish. You can hate them all you want but they do their job in the shadows very well.
>You can hate them all you want but they do their job in the shadows very well.
Yeah, that's a fair statement. So who was it - assuming it's a hack? Patriot Hackers? Seems like a slightly odd target.
Some obscure Anonymous fringe perhaps? They're not averse to taking down things for fun on occasion, especially things that claim to be secure.
Yeah, that's a fair statement. So who was it - assuming it's a hack? Patriot Hackers? Seems like a slightly odd target.
It could be:
*State sponsored hacking (pick your nation of choice)
*Criminal sponsored hacking
*A lone hacker
*A dev received a secret court order and is doing what (s)he can to announce it, as someone below suggested
*A dev found a security hole being exploited and yanked that version off the site
*Dev infighting causing one dev to get his/her revenge
*Ballmer and Gates playing a prank on the OS community
Without more information it is hard to say who did what and the reasons behind it but I'm sure Occam's razor is involved somewhere.
Everyone who's said "I don't think the NSA ..." in the past ended up eating their words when Snowden showed us what's really going on...
Everyone? Snowden's revelations validated every single thing the NSA has ever been accused of?
I know critical thinking doesn't come easily to many Reg commentators, and that goes double for the ACs, but really - try to have a little perspective, won't you?
Unless you had a bit of insight and knew with a good amount of certainty what they were doing and weren't surprised at all.
I think he's a distraction from something as most of the programs he revealed were newish versions of activity that had been carried out during the Cold War and immediately following it, it didn't touch on anything really groundbreaking like what they used to call NONSTOP, and I don't know what the purpose behind a distraction like Edward Snowden would be. Probably something any sane intelligence professional wouldn't touch.
That or they're getting so much content that analyzing it has become truly impossible, and having a whistleblower get the public and congresscritters to pressure the agency to reform itself and cut back on the massive amount of data they collect and never analyze suits the agenda of someone with some pull, but that upper level management will not listen to for whatever reason. Seems plausible enough for me, plus I've seen many War College and Command and General Staff College papers across all five services explore the possibilities of that happening.
Yes, particularly since "they" (whoever "they" may be) recommends Bitlocker, a system which has advertised back doors which are commonly used in companies. The back doors are there to still get to the data on your disks even after forgetting your password.
Since Bitlocker is not just closed source software, but also relies on the TPM chip (which is closed source hardware) it's naive to think the NSA doesn't have an easy way to break this.
>>"Yes, particularly since "they" (whoever "they" may be) recommends Bitlocker, a system which has advertised back doors which are commonly used in companies. The back doors are there to still get to the data on your disks even after forgetting your password."
That's not a Backdoor. A "backdoor" is a secret route in that isn't documented, or at least isn't public knowledge and is outside the system owner's control. The whole notion of "advertised back doors" is pretty silly. Bitlocker allows you to select if you wish the storing of secondary keys on a third-party system so that the data can still be unlocked if you, e.g. suffer a hard disk failure and your local keys are corrupted, you forget your password to the data, you're in an enterprise environment and your company wants to give you an encrypted store on your laptop but still open it themselves if you wish.
Basically, useful, advertised and voluntary features. We'll file this particular silly distortion of yours along with those other posts of yours I recall about Secure Boot and Bing copying Google's search results - posts of yours I recall recently that similarly misrepresent things. Misinformation is damaging. Your agenda is obvious.
It could all be a double-bluff by NSA protesters.
Try and make it look like an act of oppression by removing or compromising a trusted tool, then actively recommending alternatives from a company that likes to lick the NSA's ring-piece would probably do the trick - but they may have over-egged the pudding. It is fairly crude, but it will certainly get attention beyond the tech-world..eventually. Expect a garbled account from the Beeb in about 6 weeks or so.
So, what if, hypothetically, the NSA was pulling its hair out over TC's unbreakability?
Why not do something, like sending some sort of NS letter to the supposedly anonymous developers, which makes them freak out and close down like this.
End result: most people they're interested in move to another, possibly less secure solution....
Not that this helps with TC volumes already in their possession, but it proves you don't have to actually break a solution's implementation to defeat it.
By Jove, I think he's cracked it!
"Expect a garbled account from the Beeb in about 6 weeks or so."
Well spotted Sir Spoon! That's why this has been done! It was never about destroying TrueCrypt. TrueCrypt lives on. The cryptography is as strong today as it was yesterday and as it was twenty years ago. NO vulnerability has been disclosed. No vulnerability will be disclosed. This is because no vulnerability has been discovered. This is COINTELPRO
This is an exercise in "controlling the story" and the story is bigger than TrueCrypt.
There are two ways the BBC could run this:
1) The pre-Neo-Labour : balanced information public service broadcaster...
"The website of the popular encryption application 'TrueCrypt' has been defaced and replaced with a page citing unspecified failures and recommending Microsoft(TM) Bitlocker(TM) as an alternative. Security experts are puzzled by the events and caution users not to upgrade to the suspicious 7.2 release offered on the new page. They also advise users not to act in haste as no weaknesses have been disclosed or are known in previous versions of the software. An independent audit of the software is already underway and so far has found nothing suspicious. The BBC will bring you more information on this story, as it develops. " (i.e. The facts - remember those?)
2) The post-Neo-Labour : government propaganda mouthpiece...
"Developers of 'TrueCrypt' - the encryption software recommended by Edward Snowden are warning users that the software is not secure. The TrueCrypt website alerts users to the problem and is advising them to move their data to Microsoft(TM) Bitlocker(TM) immediately. The BBC will indoctrinate you further on this story, as it is ordered. "
Ad-lib: "Makes you wonder who Edward Snowden is really working for, doesn't it?"
We'll get version two.
Snowden is the story. Snowden is the target. Any damage to TrueCrypt merely gravy.
Interesting concept, but I can see where this particular one is likely to fail - the crowd funded investigation into the integrity of TrueCrypt. Assuming the investigation finds (presumably 7.1a) to be good then everyone in the world can trust that the correctly signed version is safe, and you end up with a tool the NSA can never discredit.
Techies have long had a "toolbox" that often has older but known reliable tools in it. El Reg had just such an article this week.
"Techies have long had a "toolbox" that often has older but known reliable tools in it. El Reg had just such an article this week"
If I were to take a longer view of things, removing avenues of escape (for data) would definitely be something I did if I were going to embark on a round-up exercise of miscreants at some point in the future.
Whilst techies have skills and old tools, lack of new tools will severely hamper developments in this area. People who are not techies to start with will probably end up being stuffed.
Imagine if you wanted to learn how to encrypt your personal data *today*. What would you find? No archives for TC, warnings about it being unsafe, recommendations for other software that is proprietary.
This isn't about the people who already have the skills and tools, it's about stopping people without those skills and tools from obtaining them*.
*imho - time will tell
Biting the hand that feeds IT © 1998–2019