TrueCrypt Has Been Potentially Compromised

  • zanny
    If there is ever suspicion that a distro is being coerced to ship crypto binaries built from modified source code, the counter is to distrust all prebuilt binaries and build your own directly from upstream source.
    You have to trust your compiler and linker, though. And what do you build those with? I'm unaware whether gcc compiles under clang and / or vice versa, and if you are using a prebuilt binary of either it could insert the same exploits into all compilers you build. At least we can hope that the predecessor to our modern compiler infrastructure had its compiled binaries audited enough to verify it at some point, and that the GCC shipped with every distro follows a faith chain from there of open compilations without injections to the one you're running.

  • Luke
    Will governments target Linux and dm-crypt next?

    We might be next unless we make it damned plain that no attack and no court order directed at any one person can stop Linux native encryption projects like DM-crypt. The Truecrypt team was anonymous, wonder if they got discovered? The Linux developers are not anonymous, so they need to rely on forkability, auditability, and similar deterrents for defense. The GPL helps a lot, because if any word got out of an attempt to shut down development it would be forked in a different country.

    If there is ever suspicion that a distro is being coerced to ship crypto binaries built from modified source code, the counter is to distrust all prebuilt binaries and build your own directly from upstream source. If there is suspicion that the devs of any project would submit to a court order to insert a back door, then the source should be audited by someone skilled in detecting underhanded C, and all future changes subjected to fresh auditing. Takes more guts to force changes into human-readable source than into distro-built binaries.

    The experience of Sea Shepherd with US courts may be instructive here. In early 2013, Japanese whalers got an injunction from a US court against physical interference in their southern ocean slaughter. In response, the whole Sea Shepherd fleet was shifted to control of Sea Shepherd Australia and Paul Watson stepped down from command. Operations continued from beyond the reach of US courts, and the whalers were again defeated at sea. We need to be able to do the same: stay out of reach of any one nation's court orders, gag orders, NSLs etc. That may require hosting projects in mutually antagonistic nations like China and Taiwan, Greece and Turkey. That's what ensures nobody can monitor all Tor exit nodes at once.

    We must also prepare for the possibility of a future in which "unlicensed" crypto becomes illegal to use but used anyway by those like myself that intend to defy such laws and use it to protect other people without regard for legal consequences. Since the code is open, we can take it underground if we have to. It will be a lot safer than homebrewed crypto algorithms like those now reported to be used by some Middle East insurgent groups that quite reasonably don't trust crypto algorithms developed in cultures and countries they know little about and are at war with. Those groups probably would be safer with Twofish or AES but have no way of verifying that fact from their own skills.

    Probably all governments regard crypto as a munition, some of us in opposition movements do in fact rely on it like we would on any other munition for defense. I had an encrypted computer defeat police forensics after a 2008 raid on my house. The motive in government in trying to smash open-source crypto is obvious. Wonder if this round of shit means they can't beat Truecrypt and old versions are impenetrable to them? If so, we can't verify that fact unless someone from Truecrypt reaches a safe haven and blows the whistle, daring the US to respond with a drone strike.

    Anyway, my experience is that deterrence works. I have always made it plain that any NSL issued against any media organization I am part of will be published if I discover it, and any gag order or other data order publicly defied. I have had no more raids since my encryption beat the last one, and never got another subpoena after I responded to one in a civil suit by going directly to opposing counsel and getting it quashed. That was in a civil suit stemming from an illegal mass arrest of protesters. The 2008 raid probably was launched in the presumption that a subpoena would simply be advance notice to destroy data and hardware. Nobody has dared serve an NSL on any organization I am part of.

  • Vistaus
    You mean "only Microsoft". Some people on here are not even following the news, it seems. NSA was crying at MS' door that they couldn't break through Bitlocker's encryption and they pressured the team leads, but management was adamantly opposed and declined to acquiesce... So it's NSA safe.

    Plus the fact that Linux usage would skyrocket *if* MS didn't oppose the NSA. The amount of reputational harm that Microsoft would endure would literally be crippling. Crippling not with the OSS crowd, but enterprise customers. The only loser would be Microsoft and they would not recover.

  • Danny3
    This is bullshit. Only Microsoft or NSA would recommend you to use BitLocker.

  • droidhacker
    Originally posted by rdnetto
    anyone doing anything really important probably isn't running Windows.
    LOL, best line ever!

  • madbiologist
    Originally posted by HeavensRevenge
    Do you have any idea how bad this is? This better be false/FUD because this is no laughing matter. Also my subscription to your premium service will also end. If I cannot trust you and you're just gaining bullshit clicks I'll tell everyone to never trust this site's information again.
    Originally posted by Ericg
    ...You're an idiot. Look around. This is being reported all over. I first saw the story on Ars Technica. No one knows what is going on, everyone's just as surprised as everyone else. Don't hate Michael just because you don't like the news of the day.
    Actually, I'm with HeavensRevenge. Even if the info on the Truecrypt site/redirected site is true, there is a big difference between "no longer supported, and may contain unfixed security vulnerabilities" and "potentially compromised". This is not the first time that Michael has used a sensationalist and inaccurate headline to generate clicks to view more ads.

    Either way, there is no need to call anyone an idiot. Nor a fourth grader or a dumb ass. Stop it, all of you!

  • rdnetto
    My reading of the message regarding unfixed security issues is that it's no longer being maintained. That said, it could also be a subtle indication that there are bugs in there they are being coerced not to fix.

    It's also interesting that they're suggesting people use the integrated encryption support, which is closed source (for both Windows and OS X).
    They haven't provided any links to alternative software for Linux, even though there are some fairly comprehensive summaries on both the Ubuntu and Arch websites. It's possible that they didn't want to recommend an open source program.

    For now, the only conclusions that can be drawn are:
    • we can't trust the latest version
    • we can't trust any of the older versions, since they could be compromised
    • we can't trust BitLocker, since that's what they want us to (plus it's closed source)

    Therefore, anyone who's using Truecrypt for anything really important needs to change to another open source solution, like LUKS or ecryptfs. There are Windows programs compatible with both of those listed on the Arch wiki article posted earlier, though I imagine anyone doing anything really important probably isn't running Windows.

  • stevenc
    Originally posted by septianix
    Ok, I may be a little paranoid here but doesn't that remind you of when Lavabit shut down its operations?
    YES! It could be that one of the developers, in possession of the release signing key, came under pressure from authorities; therefore puts out a brief warning without going into details or even discussing it with co-developers.

  • edgar_wibeau
    Matthew Green, who according to is one of the TrueCrypt auditors, claims on Twitter:

    "I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite"

    "Der erste Teil der Quellcode-Prüfung von Truecrypt hatte keine nennenswerten Probleme aufgedeckt; der zweite hat noch nicht begonnen."

    My translation:
    "The first part of the source code examination didn't uncover any noteworthy problems; the second part hasn't begun yet"

  • araxth
    Originally posted by stikonas
    GPG is good but it is not convenient as a replacement for truecrypt. GPG is actually much better suited for signing/encrypting emails which you should do as well.

    LUKS (and cryptsetup in the userspace) is much better and safer (full-disk encryption is always a safer option).
    Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.
    Agree, I ain't seen so far many user friendly (aka GUI etc) GPG / PGP powered tools for Linux to encrypt full disks. However I am quite pleased with the integration in such desktop environments as KDE etc. As you said, the emails too. Still needs to be dug into, the fun with FOSS is the fact that somewhere someone might have done it already.

    I wasn't a big fan of TCrypt as well since I always counted PGP a better choice for the next door Joe and Jane trying to provide a bit of security to his / her files.

    Good luck,
