Announcement

Collapse
No announcement yet.

TrueCrypt Has Been Potentially Compromised

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Originally posted by nslay View Post
    Well, gee, how coincidental ... Just recently Sourceforge requested a mass password reset.
    Ignore that. SourceForge already commented on that.

    Originally posted by https://sourceforge.net/blog/forced-password-change/;
    On 2014-05-22, we triggered a forced password change for SourceForge users.

    *) We have adopted a longer minimum password length standard.
    *) There has been a change in our authentication layer, moving to a more modern Open Source platform.
    *) Password hashing algorithm and key length has changed.
    *) Forced password reset has occurred sitewide to ensure all stored password hashes meet these stronger standards.
    *) All site users have been sent email asking for password change.
    *) There has been no known breach or compromise of our systems.
    All opinions are my own not those of my employer if you know who they are.

    Comment


    • #22
      I checked the gpg signature of the 7.2 file using their older key from last year - the signature is correct :-/

      Comment


      • #23
        Their web-site, hosted on SourceForge, also encourages users to switch over to Microsoft's BitLocker encryption software as an alternative.
        I cannot image them being so naive and recommending a closed source software which besides being a no-go because of closed source alone, obviously very probably has backdoors because it's from M$. Maybe their acc has been hijacked, maybe they are trying to tell us something, we'll see.

        Comment


        • #24
          Originally posted by sarmad View Post
          So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
          GPG. It was the best choice anyway

          Comment


          • #25
            Originally posted by araxth View Post
            GPG. It was the best choice anyway
            GPG is good but it is not convenient as a replacement for truecrypt. GPG is actually much better suited for signing/encrypting emails which you should do as well.

            LUKS (and cryptsetup in the userspace) is a much better and safer (full-disk encryption is always a safer option).
            Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.

            Comment


            • #26
              Originally posted by stikonas View Post
              GPG is good but it is not convenient as a replacement for truecrypt. GPG is actually much better suited for signing/encrypting emails which you should do as well.

              LUKS (and cryptsetup in the userspace) is a much better and safer (full-disk encryption is always a safer option).
              Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.
              Agree, i ain't seen so far many user friendly (aka GUI etc) GPG / PGP power-ed tools for linux to encrypt full disks. However I am quite pleased with the integration in such desktop environments as KDE etc. As you said, the emails too. Still needs to be digged it, the fun with FOSS is the fact that somewhere someone might have done it already .

              I wasnt a big fan of TCrypt as well since i always counted PGP a better choice for the next door Joe and Jane trying to provide a bit of security to his / her files.

              Good luck,
              n

              Comment


              • #27
                Matthew Green, who according to Heise.de is one of the TrueCrypt Auditors, claims on twitter:

                "I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite"


                Die Betreiber des Verschlüsselungsprogramms Truecrypt warnen offenbar urplötzlich vor ihrer eigenen Software. Auf der Projektseite wird derzeit erklärt, wie man zu Bitlocker wechseln kann. Was dahinter steckt, ist noch unklar.


                Citing Heise.de:
                "Der erste Teil der Quellcode-Pr?fung von Truecrypt hatte keine nennenswerten Probleme aufgedeckt; der zweite hat noch nicht begonnen."

                My translation:
                "The first part of the source code examination didn't uncover any noteworthy problems; the second part hasn't begun yet"

                Comment


                • #28
                  Originally posted by septianix View Post
                  Ok, I may be a little paranoid here but doesn't that remind you of when Lavabit shut down its operations?
                  YES! It could be that one of the developers, in possession of the release signing key, came under pressure from authorities; therefore puts out a brief warning without going into details or even discussing it with co-developers.

                  Comment


                  • #29
                    My reading of the message regarding unfixed security issues is that it's no longer being maintained. That said, it could also be a subtle indication that there are bugs in there they are being coerced not to fix.

                    It's also interesting that they're suggesting people use the integrated encryption support, which is closed source (for both Windows and OS X).
                    They haven't provided any links to alternative software for Linux, even though there are some fairly comprehensive summaries on both the Ubuntu and Arch websites. It's possible that they didn't want to recommend an open source program.

                    For now, the only conclusions that can be drawn are:
                    • we can't trust the latest version
                    • we can't trust any of the older versions, since they could be compromised
                    • we can't trust BitLocker, since that's what they want us to (plus it's closed source)


                    Therefore, anyone who's using Truecrypt for anything really important needs to change to another open source solution, like LUKS or ecryptfs. There are Windows programs compatible with both of those listed on the Arch wiki article posted earlier, though I imagine anyone doing anything really important probably isn't running Windows.

                    Comment


                    • #30
                      Originally posted by HeavensRevenge
                      Do you have any idea how bad this is? This better be false/FUD because this is no laughing matter. Also my subscription to your premium service will also end. If i cannot trust you and you're just gaining bullshit clicks I'll tell everyone to never trust this sites information again.
                      Originally posted by Ericg View Post
                      ...You're an idiot. Look around. This is being reported in all over. I first saw the story on Arstechnica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.
                      Actually, I'm with HeavensRevenge. Even if the info on the Truecrypt site/redirected site is true, there is a big difference between "no longer supported, and may contain unfixed security vulnerabilities" and "potentially compromised". This is not the first time that Michael has used a sensationalist and innacurate headline to generate clicks to view more ads.

                      Either way, there is no need to call anyone an idoit. Nor a fourth grader or a dumb ass. Stop it, all of you!

                      Comment

                      Working...
                      X