
Thread: TrueCrypt Has Been Potentially Compromised

  1. #11

    Quote Originally Posted by sarmad View Post
    So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
    https://wiki.archlinux.org/index.php...mparison_table

  2. #12

    Quote Originally Posted by chuckula View Post
    LMFAO... this is transparently and obviously BS that a fourth grader could spot.

    When Heartbleed came out last month, was there an amateur-hour scare announcement on the OpenSSL website to abandon OpenSSL in favor of Microsoft(!!???!?)

    Real security vulnerabilities in a program... and Truecrypt might have them, just like practically every complex program in existence has, are handled professionally through a disclosure and patching/mitigation process. Ever see "CVE" numbers? (http://cve.mitre.org/)

    This is basically a hack on a sourceforge website that anyone can see is intended as a bad joke. That host could very well be compromised and any "updated" software that has been through zero vetting process is OBVIOUSLY the malware.
    I'm well aware that this is just a hack on their sf.net account [ it probably isn't a coincidence that SF.net sent out a security notice to all users to reset their passwords just a couple of days ago, due to security / password protection changes in their service ]... But whether or not their account was hacked has NOTHING to do with the audit that has been happening with TrueCrypt... Hell, you even just brought up OpenSSL, having gone through the same thing, after Heartbleed [ which was legit.. ie: TrueCrypt is not secure]... and yes, I know what CVEs are - why don't you google "CVE + TrueCrypt + 2014"??? ...

    Fourth grader? Go fuck yourself, dumb ass.

  3. #13


    Quote Originally Posted by sarmad View Post
    So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
    The TrueCrypt encrypted volume format is well documented and there are FOSS tools that can open and create TrueCrypt volumes. This means the TrueCrypt project may go under but its volume format may still be used by other projects.

    A project called zuluCrypt[1] makes it possible to create and open TrueCrypt volumes as well as LUKS volumes using a GUI tool.

    [1] https://code.google.com/p/zulucrypt/
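To make the "well documented format" point concrete, here is an added example (not code from zuluCrypt or the TrueCrypt project): a parser for a decrypted TrueCrypt 7.x volume header that validates the "TRUE" magic and both CRC-32 fields, which is the check an implementation uses to decide whether a passphrase was right. The field offsets are assumed from the published format description, the sample header is constructed inline, and decrypting the header (PBKDF2 over the salt, then XTS) is left out.

```python
import struct
import zlib

# Decrypted TrueCrypt 7.x header layout (assumption taken from the published
# format description): 64-byte salt, big-endian fields, then the master keys.
# Decrypting the header (PBKDF2 over the salt, then XTS) is not shown here.
HEADER_SIZE = 512
MAGIC = b"TRUE"

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF

def parse_truecrypt_header(hdr: bytes) -> dict:
    """Parse a decrypted header; ValueError if the magic or either CRC-32 fails.
    That failure is how an implementation decides the passphrase is wrong or the
    header is damaged: CRC-32 is an integrity hint, not an authenticator."""
    if len(hdr) != HEADER_SIZE:
        raise ValueError("header must be exactly 512 bytes")
    if hdr[64:68] != MAGIC:
        raise ValueError("bad magic: wrong passphrase or not a TrueCrypt volume")
    fmt_version, min_prog_version, keys_crc = struct.unpack(">HHI", hdr[68:76])
    # bytes 76..91 are reserved (formerly creation timestamps)
    hidden_size, volume_size, data_offset, data_size = struct.unpack(">QQQQ", hdr[92:124])
    flags, sector_size = struct.unpack(">II", hdr[124:132])
    (header_crc,) = struct.unpack(">I", hdr[252:256])
    if crc32(hdr[256:512]) != keys_crc:
        raise ValueError("master key area CRC-32 mismatch")
    if crc32(hdr[64:252]) != header_crc:
        raise ValueError("header field CRC-32 mismatch")
    return {"format_version": fmt_version, "min_program_version": min_prog_version,
            "hidden_volume_size": hidden_size, "volume_size": volume_size,
            "data_offset": data_offset, "data_size": data_size, "flags": flags,
            "sector_size": sector_size, "master_keys": hdr[256:512]}

def header_checks_out(hdr: bytes) -> bool:
    """True when the header parses and both checksums verify."""
    try:
        parse_truecrypt_header(hdr)
        return True
    except ValueError:
        return False

def build_sample_header(volume_size: int, master_keys: bytes) -> bytes:
    """Constructed sample of a decrypted header for a normal (non-hidden) volume."""
    fields = bytearray(188)  # header bytes 64..251
    fields[0:4] = MAGIC
    struct.pack_into(">HHI", fields, 4, 5, 0x0700, crc32(master_keys))  # v5, needs TC 7.0
    struct.pack_into(">QQQQ", fields, 28, 0, volume_size, 131072, volume_size)  # data after 2x64 KiB headers
    struct.pack_into(">II", fields, 60, 0, 512)  # flags, sector size
    return bytes(64) + bytes(fields) + struct.pack(">I", crc32(bytes(fields))) + master_keys
```

Flipping a single byte in the key area makes both the sample and a real header fail the CRC check, which is why a volume opened with a tampered binary cannot be trusted even if it still mounts.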

  4. #14

    Quote Originally Posted by sarmad View Post
    So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
    ...gpg

  5. #15

    Quote Originally Posted by sarmad View Post
    So, if that turns out to be legitimate, what other alternatives do we have on Linux that works in a similar way? I need a tool that creates an encrypted file-based virtual drive as I am using it to encrypt USB thumbdrives that I may access on more than one machine.
    LUKS for entire disks or partitions.

    eCryptfs for directory hierarchies.

    GPG for single files.

  6. #16

    Quote Originally Posted by HeavensRevenge View Post
    Do you have any idea how bad this is? This better be false/FUD because this is no laughing matter. Also my subscription to your premium service will also end. If i cannot trust you and you're just gaining bullshit clicks I'll tell everyone to never trust this sites information again.
    ...You're an idiot. Look around. This is being reported all over. I first saw the story on Ars Technica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.

  7. #17

    Hopefully we'll see a statement from TrueCrypt developers attesting to whether this is true or a dangerous hoax. Right now we don't need lies, hacks and bs to undermine the trust people place in such encryption software.

    So let's not get our panties in a bunch till we get clarification on this.

    Quote Originally Posted by Ericg View Post
    ...You're an idiot. Look around. This is being reported all over. I first saw the story on Ars Technica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.
    This...we need to get at the truth

  8. #18
    Bitlocker is guaranteed untrusted, the Truecrypt report may or may not be true

    Quote Originally Posted by DeepDayze View Post
    Hopefully we'll see a statement from TrueCrypt developers attesting to whether this is true or a dangerous hoax. Right now we don't need lies, hacks and bs to undermine the trust people place in such encryption software.

    So let's not get our panties in a bunch till we get clarification on this.

    This...we need to get at the truth
    I cannot vouch for the Truecrypt site, but certainly nobody should use binaries from a webpage suspected of being hacked until this is sorted out. In the meantime, any transition to Bitlocker would expose users to known Microsoft-provided tools to do things like easily fish keys out of RAM without rebooting if a Bitlocker encrypted machine is captured running. Also assume Bitlocker uses NSA algorithms to weaken random number generation and limit keyspace. That way the NSA can brute force the remaining keyspace without anyone else being able to do so and prove Bitlocker was compromised.

    The only way MS could ever prove Bitlocker not to be compromised would be to open the code and subject it to a security audit like the Truecrypt audit. ANY and ALL closed-source encryption programs should be presumed compromised by the security forces of their countries of origin, as the deterrent of finding drop-in "bugs" discovered is largely removed. Microsoft in particular has a record of cooperation with the NSA, with the FBI, and even with police departments. If the Truecrypt website was hacked, Microsoft, the NSA, or their supporters are the suspects.

    Even if the Truecrypt website was hacked and is proven to have been, that will cause people to distrust Truecrypt, fearing the retraction to be the hoax. That's how FUD works. Anyone switching to Bitlocker is doing exactly what the NSA wants! The only fix if Truecrypt really was compromised is of course to dump Windows and use Linux with our open-source encryption like dm-crypt/LUKS. This also solves the problem that even if Truecrypt is secure, Windows itself is not, and things like getting the disk keys out of RAM and exporting them online could be enabled by Windows kernel changes aimed at compromising Truecrypt by finding and exporting the keys. If you can't trust the kernel, you can't trust your crypto while connected to a network or to any unencrypted write-capable block device, no matter how small.

    Therefore, even if this whole thing is FUD and bullshit by a hacked website, my advice is not to open Truecrypt volumes on Windows, nor to open any other encrypted volumes on Windows regardless of cipher or implementation. At least don't do so when the NSA or FBI are potential adversaries.

    Lastly, if the website turns out to have been hacked, the modified version of Truecrypt then becomes presumed malicious. The payload must be assumed in such a case to include both keyloggers and disk key export, requiring the replacement of any volumes ever opened with it with new volumes used with new passphrases from a known good version. Speaking of such hacks, if your package management system ever complains of an unsigned encryption package you did not write yourself, DO NOT INSTALL IT!
    Last edited by Luke; 05-28-2014 at 10:34 PM.

  9. #19

    Looks like BJAODN. Did they decide to end development because the audit showed it was going to be ridiculously hard to fix? Then they might have said so. There's no "code" link to browse svn, etc. (but I don't know if it was ever there, and some projects don't enable that anyway e.g. pm4linux, PaleMoon source is elsewhere) and every other download has been removed. The "latest" links don't work and in the usual place, SF says "Looking for the latest version? Download Downloads"

    I can't find a place to download source code. This is exceedingly suspicious. So "audit" 7.2, right? Downloaded for the lulz. oldversion.com has 7.1, but how am I going to know it's original... maybe my TC-loving friend has a recent one.

  10. #20

    Ok, I may be a little paranoid here but doesn't that remind you of when Lavabit shut down its operations?

    The reason they give for shutting down does sound bogus and maybe it's because they can't tell us the real reason. Let's say a secret court order that can't be legally talked about.
    Maybe the current software is not compromised (they don't give any details whatsoever) but any future version would have been.

    So instead of starting to provide back doors for one of the agencies they just push the auto-destruct button.
