Announcement

Collapse
No announcement yet.

TrueCrypt Has Been Potentially Compromised

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Originally posted by HeavensRevenge View Post
    Do you have any idea how bad this is? This better be false/FUD because this is no laughing matter. Also my subscription to your premium service will also end. If i cannot trust you and you're just gaining bullshit clicks I'll tell everyone to never trust this sites information again.
    ...You're an idiot. Look around. This is being reported in all over. I first saw the story on Arstechnica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.

    Comment


    • #17
      Hopefully we'll see a statement from TrueCrypt developers attesting to whether this is true or a dangerous hoax. Right now we don't need lies, hacks and bs to undermine the trust people place in such encryption software.

      So lets not get our panties in a bunch till we get clarification on this.

      Originally posted by Ericg View Post
      ...You're an idiot. Look around. This is being reported in all over. I first saw the story on Arstechnica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.
      This...we need to get at the truth

      Comment


      • #18
        Bitlocker is guaranteed untrusted, rthe Truecrypt report may nor may not be true

        Originally posted by DeepDayze View Post
        Hopefully we'll see a statement from TrueCrypt developers attesting to whether this is true or a dangerous hoax. Right now we don't need lies, hacks and bs to undermine the trust people place in such encryption software.

        So lets not get our panties in a bunch till we get clarification on this.

        This...we need to get at the truth
        I cannot vouch for the Truecrypt site, but certainly nobody should use binaries from a webpage suspected of being hacked until this is sorted out. In the meantime, any transition to Bitlocker would expose users to known Microsoft-provided tools to do things like easily fish keys out of RAM without rebooting if a Bitlocker encrypted machine is captured running. Also assume Bitlocker uses NSA algorithms to weaken random number generation and limit keyspace. That way the NSA can brute force the remaining keyspace without anyone else being able to do so and prove Bitlocker was compromised.

        The only way MS could ever prove Bitlocker not to be compromised would be to open the code and subject it to a security audit like the Truecrypt audit. ANY and ALL closed-source encryption programs should be presumed compromised by the security forces of their countries of origin, as the deterrent of finding drop-in "bugs" discovered is largely removed. Microsoft in particular has a record of cooperation with the NSA, with the FBI, and even with police departments. If the Truecrypt website was hacked, Microsoft, the NSA, or their supporters are the suspects.

        Even if the Truecrypt website was hacked and is proven to have been, that will cause people to distrust Truecrypt, fearing the retraction to be the hoax. That's how FUD works. Anyone switching to Bitlocker is doing exactly what the NSA wants! The only fix if Truecrypt really was compromised is of course to dump Windows and use Linux with our open-source encryption like dm-crypt/luks. This also solved the problem that even if Truecrypt is secure, Windows itself is not and things like getting the disk keys out of ram and exporting them online could be enabled by Windows kernel changes aimed at compromising Truecrypt by finding and exporting the keys. If you can't trust the kernel, you can't trust your crypto while connected to a network or to any unencrypted write-capable block device no matter how small.

        Therefore, even if this whole thing is FUD and bullshit by a hacked website, my advice is not to open Truecrypt volumes on Windows, nor to open any other encrypted volumes on Windows regardless of cipher or implementation. At least don't do so when the NSA or FBI are potential adversaries.

        Lastly, if the website turns out to have been hacked, the modified version of Truecrypt then becomes presumed malicious. The payload must be assumed in such a case to include both keyloggers and disk key export, requiring the replacement of any volumes ever opened with it with new volumes used with new passphrases from a known good version. Speaking of such hacks, if your package management system ever complains of an unsigned encryption package you did not write yourself, DO NOT INSTALL IT!
        Last edited by Luke; 05-28-2014, 10:34 PM.

        Comment


        • #19
          Looks like BJAODN. Did they decide to end development because the audit showed it was going to be ridiculously hard to fix? Then they might have said so. There's no "code" link to browse svn, etc. (but I don't know if it was ever there, and some projects don't enable that anyway e.g. pm4linux, PaleMoon source is elsewhere) and every other download has been removed. The "latest" links don't work and in the usual place, SF says "Looking for the latest version? Download Downloads"

          I can't find a place to download source code. This is exceedingly suspicious. So "audit" 7.2, right? Downloaded for the lulz. oldversion.com has 7.1, but how am I going to know it's original... maybe my TC-loving friend has a recent one.

          Comment


          • #20
            Ok, I may be a little paranoid here but doesn't that remind you of when Lavabit shut down its operations?

            The reason they give for shutting down does sound bogus and maybe it's because they can't tell us the real reason. Let's say a secret court order that can't be legally talked about.
            Maybe the current software is not compromised (they don't give any details whatsoever) but any future version would have been.

            So instead of starting to provide back doors for one the agencies they just push the auto-destruct button.

            Comment


            • #21
              Well, gee, how coincidental ... Just recently Sourceforge requested a mass password reset.

              Subject: SourceForge.net Password Reset Required

              SourceForge.net Team <noreply@sourceforge.net>

              May 21 (7 days ago)

              Greetings,

              To make sure we're following current best practices for security, we've
              made some changes to how we're storing user passwords. As a result, the
              next time you go to login to your SourceForge.net account, you will be
              prompted to change your password. Once this is done, your password will be
              stored more securely. We recommend that you do this at your earliest
              convenience by visiting the SourceForge website and logging in.

              And, as always, be vigilant about password security. Use a secure password,
              never include your password in an email, and don't click on links for
              unsolicited password resets.

              If you have any concerns about this, please contact SourceForge support at
              sfnet_ops@slashdotmedia.com

              Best regards,
              SourceForge Team

              ----------------------------------------------------------------------
              SourceForge.net has made this mailing to you as a registered user of
              the SourceForge.net site to convey important information regarding
              your SourceForge.net account or your use of SourceForge.net services.

              We make a small number of directed mailings to registered users each
              year regarding their account or data, to help preserve the security of
              their account or prevent loss of data or service access.

              If you have concerns about this mailing please contact our Support
              team per: http://sourceforge.net/support

              Comment


              • #22
                Originally posted by nslay View Post
                Well, gee, how coincidental ... Just recently Sourceforge requested a mass password reset.
                Ignore that. SourceForge already commented on that.

                Originally posted by https://sourceforge.net/blog/forced-password-change/;
                On 2014-05-22, we triggered a forced password change for SourceForge users.

                *) We have adopted a longer minimum password length standard.
                *) There has been a change in our authentication layer, moving to a more modern Open Source platform.
                *) Password hashing algorithm and key length has changed.
                *) Forced password reset has occurred sitewide to ensure all stored password hashes meet these stronger standards.
                *) All site users have been sent email asking for password change.
                *) There has been no known breach or compromise of our systems.

                Comment


                • #23
                  I checked the gpg signature of the 7.2 file using their older key from last year - the signature is correct :-/

                  Comment


                  • #24
                    Their web-site, hosted on SourceForge, also encourages users to switch over to Microsoft's BitLocker encryption software as an alternative.
                    I cannot image them being so naive and recommending a closed source software which besides being a no-go because of closed source alone, obviously very probably has backdoors because it's from M$. Maybe their acc has been hijacked, maybe they are trying to tell us something, we'll see.

                    Comment


                    • #25
                      Originally posted by sarmad View Post
                      So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
                      GPG. It was the best choice anyway

                      Comment


                      • #26
                        Originally posted by araxth View Post
                        GPG. It was the best choice anyway
                        GPG is good but it is not convenient as a replacement for truecrypt. GPG is actually much better suited for signing/encrypting emails which you should do as well.

                        LUKS (and cryptsetup in the userspace) is a much better and safer (full-disk encryption is always a safer option).
                        Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.

                        Comment


                        • #27
                          Originally posted by stikonas View Post
                          GPG is good but it is not convenient as a replacement for truecrypt. GPG is actually much better suited for signing/encrypting emails which you should do as well.

                          LUKS (and cryptsetup in the userspace) is a much better and safer (full-disk encryption is always a safer option).
                          Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.
                          Agree, i ain't seen so far many user friendly (aka GUI etc) GPG / PGP power-ed tools for linux to encrypt full disks. However I am quite pleased with the integration in such desktop environments as KDE etc. As you said, the emails too. Still needs to be digged it, the fun with FOSS is the fact that somewhere someone might have done it already .

                          I wasnt a big fan of TCrypt as well since i always counted PGP a better choice for the next door Joe and Jane trying to provide a bit of security to his / her files.

                          Good luck,
                          n

                          Comment


                          • #28
                            Matthew Green, who according to Heise.de is one of the TrueCrypt Auditors, claims on twitter:

                            "I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite"

                            https://twitter.com/matthew_d_green/...41836722073600
                            http://www.heise.de/newsticker/meldu...r-2211037.html

                            Citing Heise.de:
                            "Der erste Teil der Quellcode-Prüfung von Truecrypt hatte keine nennenswerten Probleme aufgedeckt; der zweite hat noch nicht begonnen."

                            My translation:
                            "The first part of the source code examination didn't uncover any noteworthy problems; the second part hasn't begun yet"

                            Comment


                            • #29
                              Originally posted by septianix View Post
                              Ok, I may be a little paranoid here but doesn't that remind you of when Lavabit shut down its operations?
                              YES! It could be that one of the developers, in possession of the release signing key, came under pressure from authorities; therefore puts out a brief warning without going into details or even discussing it with co-developers.

                              Comment


                              • #30
                                My reading of the message regarding unfixed security issues is that it's no longer being maintained. That said, it could also be a subtle indication that there are bugs in there they are being coerced not to fix.

                                It's also interesting that they're suggesting people use the integrated encryption support, which is closed source (for both Windows and OS X).
                                They haven't provided any links to alternative software for Linux, even though there are some fairly comprehensive summaries on both the Ubuntu and Arch websites. It's possible that they didn't want to recommend an open source program.

                                For now, the only conclusions that can be drawn are:
                                • we can't trust the latest version
                                • we can't trust any of the older versions, since they could be compromised
                                • we can't trust BitLocker, since that's what they want us to (plus it's closed source)

                                Therefore, anyone who's using Truecrypt for anything really important needs to change to another open source solution, like LUKS or ecryptfs. There are Windows programs compatible with both of those listed on the Arch wiki article posted earlier, though I imagine anyone doing anything really important probably isn't running Windows.

                                Comment

                                Working...
                                X