413 comments

[ 3.2 ms ] story [ 290 ms ] thread
(comment deleted)
This doesn't make any sense, and why just MS ?
So what was the point of raising money to audit TrueCrypt if they knew they would shut it down once XP was EOL? In fact why didn't they announce this earlier?
Different groups - the TrueCrypt audit initiative[0] is (was?) cooperating with the developers but remain independent of them.

  [0]: http://istruecryptauditedyet.com
Maybe the result of the audit is that it's not secure?
But without a similar audit on the alternatives proving their security, surely the most responsible action would be just to explain there is a problem and stop there.
But that's not what the audit found, and the guys who ran the audit are just as in the dark about this as we are, according to recent tweets.
Yes, it would be major douchbaggery not to tell the auditors that TC was about to shutdown.
Is that real? Is the web page just defaced?
(comment deleted)
truecrypt.org does a redirect to this sourceforge page, so perhaps it is the DNS that got hijacked, and not truecrypt website itself.

I don't remember TC ever being hosted on SF, so I think this is a bad redirect...

On the other hand, SourceForge lists the project as having been created in 2004: http://sourceforge.net/projects/truecrypt/
The SF account could have been compromised too.
Certainly, it just makes it less suspect that it’s on SourceForge at all. (Unless SourceForge lets you rename projects? Then it could be an old placeholder project that’s been renamed to truecrypt.)
My money is on the site being compromised. If this were a legit, why would they be doing a 302 redirect to a SourceForge page instead of keeping the notice it under their own domain? Also, if TC only existed for XP users, why even have a *nix version? None of this makes sense in the context of this being a legitimate notice.
I'm really confused. Which isn't unusual really, but in this case I think it is understandable.
I'm with you. This seems like an odd move, given that most likely only a minority of their users used XP for some time. Why haven't they been warning Windows Vista, 7 and 8 users to use Bitlocker for years (not to mention Mac OS X and Linux users)? Perhaps I just missed the warnings, but I am really puzzled.

I suppose the developers could have just found a massive vulnerability (perhaps they're doing their own audit in advance of the public one?).

If you scroll to the bottom, you'll find this link: http://truecrypt.sourceforge.net/OtherPlatforms.html
I saw that. It's just that taking this line at face value, it's not clear why they would port TrueCrypt to Linux and Mac OS X or suggest that people using later versions of Windows should use TrueCrypt:

>The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.

Turning on Bitlocker has been on my TODO list for quite some time now, but to me the real value of Truecrypt wasn't full disk encryption, it was having encrypted volumes and mounting them on a as-needed basis.

And how do I handle sensitive stuff wrt backups? I could burn a Truecrypt volume to a DVD or Blu-ray. I cannot do this in any way with Bitlocker, can I?

The page contains instructions for creating a virtual disk file (VHD) and encrypting that with BitLocker.
The paged linked in the post explains how to create a VHD file, mount it using windows disk management, and then encrypt it using bitlocker. It supports dynamically expanding disks as well as fixed size disks that can be manually grown and volumes extended at a later date.

Using this method you can easily burn or transfer your VHDs, you can also store VHDs inside of VHDs.

Well - this comes as a pretty big surprise.

Is this real? Is there a known vulnerability that catalyzed this? Money from Microsoft? Threats?

I'm not buying into conspiracy theories, but it does seem pretty out of place.

The binaries are properly GPG-signed with the same key as the previous binaries, check for yourself. [They] either compromised their private key too or the actual developer(s) did this. Be it voluntarily or by force of secret three-character agencies / a massive pay check.
Maybe something like the Lavabit scenario where they rather close the shop than sell their users out. On the other hand, proposing Bitlocker as an alternative would be rather suspect in that case.
Well, the thing is though, it's not that they were hosting users' data. It's not like they would be forced to provide the contents of users' communication.

I suppose they could be approached by someone to plant backdoor into the software, but I wonder if that can be done without someone noticing it...

considering heartbleed... yes
Yeah it could be a gag order from a secret court. maybe they folded because they were forced to compromise the code...
If they put a backdor on the binaries, but not source, lots of people will be compromissed, and for a really long time nobody may notice.

EDIT: I normaly don't care. But this time I'd be glad if who downmoded this post explained why.

IF THIS IS THE CASE and that's an IF then it seriously brings into suspect backdoors in larger proprietary software. Because really if they're going after trucrypt then they have to already have gone after the big players.

I'm not going to jump the gun just yet but after snowden it's not out of the question.

Not "backdoors" but it seems Microsoft stores the BitLocker decryption key, based on this leaked slide (just found on twitter): https://twitter.com/TheBlogPirate/status/471759810644283392/...

edit: Confirmed Microsoft stores your recovery key on their servers if you're not connected to a domain: http://windows.microsoft.com/en-AU/windows-8/bitlocker-recov...

Microsoft storing your key is opt-in and optional.

Whether or not they superstitiously store it anyway is a different question.

If their site/dns/whatever was compromised than there's no way you can trust the GPG signature at this point. I'll await a proper press release.
If this is a hack, then the truecrypt.org site (or dns) and sourceforge site are both compromised, suggesting a dev got hacked who would have had access to both, and perhaps the TC signing key as well (not everyone practices good signing key hygiene, like keeping it offline, even for important software projects).

Even if it's a legit announcement, I wouldn't run that 7.2 binary. Anyone running truecrypt already has truecrypt, right? I don't know why they'd release a new version at the same time as such a dire and panic-inducing announcement.

SourceForge recently forced their users to change their passwords [1] because of an attack on their infrastructure [2]. Pure speculation but I'm not sure if that had anything to do with this?

[1] http://sourceforge.net/blog/sourceforge-net-global-password-...

[2] http://sourceforge.net/blog/sourceforge-net-attack/

> Anyone running truecrypt already has truecrypt, right?

I frequently reformat my boot volumes—but I've had a .tc file laying around on an external HD since forever, with my websites' X.509 private keys and such inside.

I'm probably going to do exactly as this announcement says: download the export-only binary, create a loop-mounted LUKS volume, and migrate everything over.

Recent versions of cryptsetup support decrypting truecrypt volumes, just use cryptsetup for both.
A much simpler explanation is someone defaced the site around the same time a new release was coming out. Is there anything in the signed release package to corroborate what the site says?
Yes. See the sibling poster's image link. I also installed 7.2 in a VM and received the same warning. It also looks like I can't encrypt anything, just decrypt.
(comment deleted)
Time to call in the underhanded C contest (http://underhanded.xcott.com/) participants on a special bugfinding challenge :)
Not needed.

Just quickly scroll through the diff (better version here: https://gist.github.com/anonymous/e5791d5703325b9cf6d1) and you will immediately see that all that was done is disable/remove a majority of the functionality.

    AbortProcess ("INSECURE_APP");
    Print ("WARNING: Using TrueCrypt is not secure");
They added exceptions/rose errors/printed warnings everywhere where you could possibly encrypt and all of it reflects their intent at the Sourceforge page.
The whole point of the underhanded c contest is that the code looks extremely benign, and you wouldn't know that it's doing something evil by staring at it for a short time. Example: http://underhanded.xcott.com/?page_id=22

Anyway, it was a joke.

edit: But I'm not touching that binary with a 10 foot pole, thank you. There isn't even any guarantee yet that that source compiles into the given binary.

Same key as the previous binaries? I doubt it, given that the keys were replaced mere 3 hours before the new binaries were published:

http://sourceforge.net/p/truecrypt/activity/?page=0&limit=10...

Anyone have key fingerprints for pub keys used for the 7.1a vs 7.2 signing? Preferably pub key from a while ago I guess.
There's a "TrueCrypt Foundation" key on the keyservers from 2004, the ID is E3BA73CAF0D6B1E0.
The time stamp on key servers can not be trusted. Anyone can spoof keys in anyone elses name, with any timestamp they want.

The only way to verify is if you have the previous key stored somewhere, or can find a trustpath to it.

I have the key stored in my local keychain:

E3BA73CAF0D6B1E0 C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0

Checks out.

Yes, I can confirm that F0D6B1E0 was on the Truecrypt web site about a year or two ago, since it's been on my keyring for at least that long. I've installed Truecrypt multiple times over the past few years, and have always used this key to verify (or its signing subkey, I suppose).
I have 7.1a binaries, source, sigs and pub key from September 2013.

  pub   1024D/F0D6B1E0 2004-06-06
        Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
  uid                  TrueCrypt Foundation <contact@truecrypt.org>
  sub   4077g/6B136ECF 2004-06-06
My version from September is identical to the pub key at http://sourceforge.net/projects/truecrypt/files/TrueCrypt/Ot... .
Could you post the SHA1s of those? I'm failing to use GPG properly.

  tc/linux$ sha1sum *
  c2a8c78a23f97ffb17bf47448c9f2daa3c8f80cd  truecrypt-7.1a-linux-console-x64.tar.gz
  078cdd4a58f0342cb872d7456c0ba49e310fcad9  truecrypt-7.1a-linux-console-x64.tar.gz.sig
  a53a7a609a25d9a1e33f720ce5c0265ddd4e8b25  truecrypt-7.1a-linux-console-x86.tar.gz
  66060f9444d5df70b4fcdeb655dc60131fce5ad1  truecrypt-7.1a-linux-console-x86.tar.gz.sig
  086cf24fad36c2c99a6ac32774833c74091acc4d  truecrypt-7.1a-linux-x64.tar.gz
  45f65bf755d9481d8afa0d17de6a034062b7a7bd  truecrypt-7.1a-linux-x64.tar.gz.sig
  0e77b220dbbc6f14101f3f913966f2c818b0f588  truecrypt-7.1a-linux-x86.tar.gz
  9efcd79e963126d6d8ef242857b4fafb06eb8ff0  truecrypt-7.1a-linux-x86.tar.gz.sig
  d43e0dbe05c04e316447d87413c4f74c68f5de24  TrueCrypt 7.1a Source.tar.gz
  caeb2bb1d5605d1fc960e936a06e52611033788c  TrueCrypt 7.1a Source.tar.gz.sig
  c871f833d6c115f4b4861eed859ff512e994b9fc  TrueCrypt-Foundation-Public-Key.asc

  tc/windows$ sha1sum *
  06961d83e39c7248df09c132cb6e9b9f528ce69a  Configuration.xml
  88b323b416290924621901a10da3f4f7482e3f77  License.txt
  4c4891f5eafcf9b96be01e31031992d9e98d39c3  TrueCrypt.exe
  34442e400e6cb2534f33a0b1599defe36eefef2a  TrueCrypt Format.exe
  7689d038c76bd1df695d295c026961e50e4a62ea  TrueCrypt Setup 7.1a.exe
  e1e3efaeac2fbcdbff0c2c62ac33233bd356edfa  TrueCrypt Setup 7.1a.exe.sig
  62fc4f76540740e63c7f0a33e3a1b66411f0a303  truecrypt.sys
  17249d979b3bc52d0a33821cc7f810337ddea2b6  TrueCrypt User Guide.pdf
  17c46ebc6f4977afbcf4aa11eccee524fd95b1c8  truecrypt-x64.sys
Can you please make these available for download, the Linux ones at least?
All of the files available here: http://truecrypt.ch/ have the same hashes as provided by this person.
Don't just trust my SHA1s, verify with the sigs and the TrueCrypt Foundation public key. Ensure the key has the fingerprint shown in the great-great-great grandparent of this comment, independently verified by others in this thread.

  gpg --import TrueCrypt-Foundation-Public-Key.asc
  gpg --fingerprint F0D6B1E0
  gpg --verify truecrypt-7.1a-linux-x64.tar.gz.sig
You should see:

  gpg: Signature made Tue 07 Feb 2012 12:45:26 PM PST using DSA key ID F0D6B1E0
  gpg: Good signature from "TrueCrypt Foundation <contact@truecrypt.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
Thanks!
There's no way this is legit, but if it is, what other kind of cross-platform solution is available? I need to be able to encrypt/decrypt on all 3 major OSes.
I'm in a similar position. I dualboot and have a truecrypt volume I share between Linux mint and Win7. Works great.
Maybe EncFS [0]? Its Windows port is experimental, alas. I suppose it would be suitable if you were willing to make frequent backups.

[0]: https://en.wikipedia.org/wiki/EncFS

There is a relatively recent audit[1] of EncFS with some damning results. I really wouldn't use it.

[1]: https://defuse.ca/audits/encfs.htm

> damning results

They didn't seem that severe to me, they seemed pretty minor actually. Especially if your attack vector is solely a read attack rather than a read-write attack.

Which one got you worried?

> EncFS is probably safe as long as the adversary only gets one copy of the ciphertext and nothing more. EncFS is not safe if the adversary has the opportunity to see two or more snapshots of the ciphertext at different times. EncFS attempts to protect files from malicious modification, but there are serious problems with this feature.

Which, seeing as my current major use case is to lock down Dropbox, kind of renders it useless for me.

The advice for Linux is "Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation."

So... just any of them, then? Sure, ok.

Call me paranoid but this just looks like really good evidence that Truecrypt was secure.
...or that BitLocker isn't.
I know everyone likes to bash MS around here but is there any actual proof of Bitlocker's insecurity that is more recent than 2008? If you look at wikipedia it seems like the only known real vulnerability requires someone with physical access to boot via USB into another OS within a few minutes of turning the computer off. When is this a real risk for anyone? I am not a security expert but unless you are doing things shady enough to get raided by the FBI, it seems like Bitlocker is pretty secure. The same problem occurs in other encryption programs on Linux and OSX. Also, it may not be open source like what we want, but MS lets its partners and enterprise customers audit the code subject to an NDA.

http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption#Secu...

It's not open source so who knows what's lurking in there? It's not like anyone has been able to audit the source of Bitlocker.
It's really not that hard to imagine scenarios where this might happen. Simply leaving your notebook unattended after a shutdown might leave you compromised. Besides, government agencies in other countries might have a slightly different view on what constitutes "shady behaviour" (think regime critics).
Put it this way. There's no proof that BitLocker is any more effective than rot13.
Don't forget that M$ gives you the great 'service' to store your BL-key in your M$-account (on their servers) as soon as a) your machine is not connected to a domain and b) you're [...] enough (most are!) to log on with an M$-account to Win8.x.
...and that BitLocker isn't.
wow this is a kick in the nuts. i've been using truecrypt for years. i probably won't stop just because development has ceased... but i'm still curious to know what the real story is behind this. seems sketchy.
I missed the part where this document lists the vulnerabilities in TrueCrypt.
exactly. This makes no sense. Security Audit. XP support ended in April not May. Also Truecrypt is open source... when it is not secure why not fix it? And why care of XP support? There are more open questions than answers.
It says 'may', which is a responsible message if you're abandoning security software. Never know what the future holds; don't want to encourage people to rely on it if bugs will never be fixed.
I remember TrueCrypt from several years ago when I was looking into various options for encryption. Haven't used encryption for a while, but if this is true, is there now an encryption software/service that doesn't involve being authored by a large corporation in the country that gave us the NSA, and which allows things like hidden volumes/partitions, algorithm choices, and use with various portable devices?
FreeBSD has GEOM/geli, which is a block-level (sub-filesystem) encryption method written by Paweł Jakub Dawidek (a Pole). It allows your choice of several data integrity verification algorithms, several encryption algorithms, and the usage of zero or more key files and/or a passphrase. And you can use it on external devices if you like. Also supports hardware acceleration via AES/NI with recent Intel CPUs.

Since it's block-level, you can use any filesystem you like. Since it's BSD, you might as well use ZFS (but don't use data integrity verification if you do, since ZFS has that built in.)

Downside is that you have to use FreeBSD to get it. Upside is that you get to use FreeBSD =)

(comment deleted)
Why have they only talk about how to secure a partition in Windows. Would the developers, or persons who took over the project, not care about other operating systems?!

Of course, by 'they', I mean the fake development team that the hijacker of the site wanted to portray... no way this is real

TrueCrypt is, to be honest, Windows software. The Linux version is a port and used to lag far behind the Windows version featurewise (for some time it was command line and even read-only).
There's a link at the bottom for Mac and Linux. For Mac they recommend the built-in encryption as well.

I'm having trouble taking any of that page seriously however -- to be recommending closed-source solutions like Bitlocker as 'more secure'.

Wow this is a real surprise
(comment deleted)
In case this is legit: Bitlocker so far so good, but neither Bitlocker nor any other crypto solution offer plausible deniability (aka hidden volumes).
I've heard multiple rumors that the NSA has a backdoor in Bitlocker. I don't trust any of this.
I suppose this leaves yet another possible explanation: A secret order with the intention of getting people to stop using truecrypt and start using bitlocker (possibly either bl and/or tpm has some convenient back doors in them...)?
Another issue is that Bitlocker is most likely not compatible with non-Windows OSes, while a Truecrypt volume works fine in Windows, OSX and Linux as long as the file system is supported.
We should strive not to trust closed crypto.

I use Apple's FileVault on my laptop, but for particularly sensitive data (work code, financial info, etc) I always used truecrypt. We have no idea if apple is actually doing what they claim to be doing. The same applies to MS and bitlocker.

A significant concern of mine with this is that Windows 8 has support for syncing your bitlocker encryption keys with microsoft. If privacy is something a user is seeking, how easy would it be to subpoena bitlocker keys for a user under duress?
Trivial. It's the same as any other business record.
(comment deleted)
Well, if red Times New Roman on a Sourceforge page says so...
http://truecrypt.org/ redirects there, too.
(comment deleted)
Tom has a point, though. The nature of the message (abandoning truecrypt rather than fixing it simply because XP is end-of-lifed?) and the unwillingness to fix it rather than post a dire message about its insecurity and recommend migrating to other solutions that don't have hidden volume functionality -- it suggests it's either very poorly handled, or a fake message.

It might be more likely that a dev got hacked, compromising the signing key, sourceforge project, and truecrypt.org site.

We don't know much about the TC developers, do we? It's also possible that they're just really cavalier about this stuff, and that this is their response to the TC audit process ("stop bothering us about it and use something that's maintained").
Certainly possible, although this from the audit web page doesn't sound like that would be a big problem:

"Wed, Oct 24, 2013: We have made contact with the TrueCrypt development team. They have stated a commitment to a thorough, independent security audit and cryptanalysis of the code."

Since TC developers were unknown for a long time. Perhaps the audit effort, or someone involved with it, intentionally or not, somehow opened some clue that allowed some 3-letters agency go after the developers and they receive those weird proposals like Lavabit ??
True. Security announcements have been botched in the past, for all sorts of reasons, not that you have any experience with that, of course. But what does XP being EOL'd have to do with anything? That and the blithe recommendation to use other solutions, even though they don't have hidden volume functionality which is a main selling point of TC, is what changed my mind, from thinking this is probably a legit mishandled disclosure, to thinking it's probably fake.

On the other hand, as pointed out in other subthreads, if the devs are tired of maintaining it, this could be a legit, unappreciated-developer version of a temper tantrum. Nobody seems to know (yet).

> But what does XP being EOL'd have to do with anything?

Every version of Windows after XP has a native disk encryption utility. TrueCrypt was built to bring full disk encryption to Windows, which didn't exist at the time - this is the developers way of saying "you don't need us anymore, Windows now does what we did"

Not every version... In case of Vista and 7 only Enterprise and Ultimate editions have it and in case of 8/8.1 you need to have Pro or Enterprise edition.
True, but if you need disk encryption you probably use one of those already.

I mean, a normal use case is a corporate laptop used when traveling or similar. Normal home users certainly have no need of it, for them it's just something else that can go wrong and destroy all their data.

FDE was available from different vendors (I bought DriveCrypt PlusPack more than 15 yr ago and tried CompuSec (free) more than 10 yr ago, Comodo FDE is around since ~2k8). So availability of FDE software can hardly be the reason. Neither the credibility of M$, in matters of quality of code as well as especially being an US based company.
Or the NSA was maintaining it the whole time, and they've just sent everyone to the next best thing for them, because of the coming audit.
OP here, I came across this link via this Tweet [0] and it's probably a good idea to stay away from the linked TrueCrypt version on the site. It's version 7.2 and afaik the last version for Mac was 7.1.1 (At least that's what I installed recently).

I really hope it's "just" a defacement/DNS issue.

[0] https://twitter.com/maclemon/status/471727027356434432

Edit: Just saw the comment that they are properly signed. I'll just sit tight and wait for an announcement then.

8 hours ago on the IndieGoGo TrueCrypt Audit page [1]

> p.s. We hope to have some big announcements this week, so stay tuned.

[1] https://www.indiegogo.com/projects/the-truecrypt-audit#activ...

Although Kenn White, who wrote that message, has no idea what's going on [1]

> .@FiloSottile @matthew_d_green no idea. It's doing a 301 perm to a static pg @ SF, now blocked. Possibly compromised. pic.twitter.com/g5tSFUuXzu

[1] https://twitter.com/kennwhite/status/471740840478797824

(comment deleted)
(comment deleted)