TrueCrypt no longer supported?

dderidex (Supreme [H]ardness, joined Oct 31, 2001, 6,328 messages) wrote:
Tried to access the TrueCrypt site, today, and it now states:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Uhhhh...wow. Anyone know what's up with that? I can't find any news on the TrueCrypt developer(s) giving up - would have thought that would be front-page news SOMEWHERE...
 
Apparently, a new version of the software has been posted, too, with a similar warning - hash checks out on it, so...if this is a case of a compromised site, it seems the entire project has been compromised.

Or maybe they really did find a serious problem and just gave up??

I'm baffled...can't find any independent word or confirmation on what's up, here...
 
Apparently, a new version of the software has been posted, too, with a similar warning - hash checks out on it, so...if this is a case of a compromised site, it seems the entire project has been compromised.

Or maybe they really did find a serious problem and just gave up??

I'm baffled...can't find any independent word or confirmation on what's up, here...

Says it right there in the statement. Modern OS's include encryption.
 
Says it right there in the statement. Modern OS's include encryption.

Sure, but OS-proprietary encryption. I can't encrypt a USB drive in Windows BitLocker and plug it into a Mac and read the data.

I *can* do that with TrueCrypt. Or could, anyway.
 
Wow that sucks. There is a great need for open source encryption solutions such as truecrypt, especially with all the NSA stuff. You can't trust commercial solutions as the odds are decent they got backdoors of sorts.
 
I would not download the alleged TrueCrypt 7.2 exe until more information is available. The site looks like it was compromised.

Just my two cents.
 
Well that sucks, if it's true. I can't find anything anywhere else indicating they gave up because modern OS's include encryption... and like dderidex said, with those solutions you can't easily (or sometimes at all) move encrypted data between platforms. So I dunno about this yet. I'll continue to use 7.1 and monitor the situation awaiting confirmation.
 
Sure, but OS-proprietary encryption. I can't encrypt a USB drive in Windows BitLocker and plug it into a Mac and read the data.

I *can* do that with TrueCrypt. Or could, anyway.

Same here between windows and linux.
 
My guess is that this is a site hack. But those doing the audit said they have big news this week which was posted 10 hours ago: https://www.indiegogo.com/projects/the-truecrypt-audit#activity

Ars confirms that the key used to sign the current TrueCrypt package IS the official TrueCrypt key, so...

I'm thinking this is legit for some reason.

I mean, if you had total access to the TrueCrypt site, AND the ability to sign a TrueCrypt installer with a valid key...which is what would be required to pull this off as a prank...why on earth would you waste that ability on a joke? Good grief, you'd be able to put a backdoor into all kinds of private data...
 
Someone in the Ars comment section has an interesting alternate possibility...

jig said:
If this is real, then I don't think the proper deduction is that the audit(s) found something TrueCrypt would be upset about. Rather, it's more likely that they were served something like an NSA letter or court order to insert a backdoor and they took the Lavabit route (nuke the project, try to protect the users).
 
I'm surprised how quickly many people didn't question it without a news story. A full Kickstarter based independent audit is underway and came back clean and secure thus far. I do agree that Volume/Container based Encryption programs are hard to come by these days, even more so now that the FreeOTFE program seems to have gone tits up.
 
I call BS.
Either something related to the NSA, they are forced to shut down and "recommend" MS
(which had confirmed NSA backdoors back in 2001)

Or the site was hacked.

I need to see if I still have an unmolested 7.1 copy.
 
Hmm wasn't there a service that was basically forced by the government to start spying on people, and they refused and had to shut down? I think it was encrypted email or something.

Could be a similar situation, and of course they're not allowed to say anything.
 
Hmm wasn't there a service that was basically forced by the government to start spying on people, and they refused and had to shut down? I think it was encrypted email or something.

Could be a similar situation, and of course they're not allowed to say anything.

Lavabit
 
I bet they received an NSL. The sudden nature of the change and suggestion to utilize built-in encryption reeks of a coverup.
 
I... I'm not sure what to think atm.
This is a very interesting development thus far.
 
I've been using Truecrypt for years and I still run 7.1a on my computers.

The reason being is that Truecrypt is cross-platform. My encrypted virtual disk can be read in Windows and Linux.

I cannot do that with Bitlocker.

If this is, as another poster in this thread stated, a result of an NSA takedown or request to include a backdoor like what happened with Lavabit, then I'm more disappointed at the NSA (and the US government at that) than at TrueCrypt.

I keep sensitive documents in my virtual drive -- KeePass database file, tax documents, legal documents that were scanned.
 
With any luck a good alternative will crop up in the months to come (assuming this is legit).
 
So, should I consider my truecrypted files compromisable? These are made with various older versions.
 
This is all very bizarre.

But assuming you have a safe download from a few years ago, could one continue to use it? Or if this was truly compromised by a hacker or the NSA, does that mean all previously encrypted volumes, regardless of when they were encrypted, are now vulnerable to decryption?

I would hope not since it's open source and the initial phase one of the audit didn't turn up anything really concerning.
 
Why don't these projects just "sell" to some foreign entity that isn't friends with the US, install a fictitious person and continue as business as usual? It's sad that this seems the safer route away from the NSA.
 
So, should I consider my truecrypted files compromisable? These are made with various older versions.

I'd consider them unsafe anyway if you're really that worried. I work for a company that recovers data on a large scale, and it's pretty rare we can't crack a truecrypt volume (and we don't have the NSA's budget lol).

No encryption is "unhackable", it'll just slow down someone with the means to get at your data. It will prevent the goofballs that steal laptops or the more casual common thieves from getting at it. With agencies such as the NSA it's a different story.

What made truecrypt great was the fact that it was platform independent. 7.1a is still perfect to stop common criminals and what not. I'll keep using that for now until someone else comes up with a package that will run anywhere.
 
I'd consider them unsafe anyway if you're really that worried. I work for a company that recovers data on a large scale, and it's pretty rare we can't crack a truecrypt volume (and we don't have the NSA's budget lol).

I really really really doubt that is true unless it's purely weak passwords.
 
I work for a company that recovers data on a large scale, and it's pretty rare we can't crack a truecrypt volume (and we don't have the NSA's budget lol).

I call bullshit.

If the FBI isn't able to crack TC I doubt a private company is.


Provide proof that your company is cracking TC volumes or GTFO.
 
I really really really doubt that is true unless it's purely weak passwords.

That'd be my guess.

As XKCD points out...

[image: XKCD "Password Strength" comic, password_strength.png]


...most passwords people use are a LOT easier to crack than you'd expect. The key is overall length of the password - no matter how 'random' you may make the characters, passwords of 11-12 characters in length are just going to be pretty trivial to crack anymore.
 
I'd consider them unsafe anyway if you're really that worried. I work for a company that recovers data on a large scale, and it's pretty rare we can't crack a truecrypt volume (and we don't have the NSA's budget lol).

*sigh*

People really need to clarify themselves when they say completely opposite statements like this. Cracking encryption is all about time at the end of the day; however, there are quite a few flaws that TrueCrypt had which could be taken advantage of. This was pointed out a couple of years ago, and software exists to extract data from a reboot and the hibernation file.

No encryption is "unhackable", it'll just slow down someone with the means to get at your data. It will prevent the goofballs that steal laptops or the more casual common thieves from getting at it. With agencies such as the NSA it's a different story.

What made truecrypt great was the fact that it was platform independent. 7.1a is still perfect to stop common criminals and what not. I'll keep using that for now until someone else comes up with a package that will run anywhere.


That's all encryption is meant to do. The point isn't to be unhackable, in fact every encryption is hackable. It's a matter of using statistics, probability and time before you die as a method of security. A lot of trust goes into this. User having a strong encryption key, no flaws in the encryption formula, programmers building their software correctly, implementing other standards/protocols correctly, etc. This whole security business is all about "trust" and you'd be smart to be paranoid by trusting nobody. You just can't. Only a fool would. Hence a layered approach is often best.

FreeOTFE suited me just fine and had a portable version; not sure about being platform independent, but it was the only other competitor big enough that had similar features to TrueCrypt. Problem is the developers just stopped about 2-3 years ago, and in the past year the website domain just fell by the wayside. Unfortunate, but not as bad as this TrueCrypt story, to say the least. I have this thing where I never use the #1 of anything. I always go for the #2 or #3, and in this case it once again turned out for the better.

Not saying TrueCrypt is corrupt and this can't be explained, but the silence is deafening. The damage is done. Anyone to trust TrueCrypt without them coming out of the shadows and explaining themselves would be a fool.

JFK was on the right track, to dismantle the CIA and probably the NSA if he were alive and in charge today. I'd say reformat our intelligence agencies: cut their budget, fire all employees, ban them from working in intelligence and the government and have them sign an NDA with consequence of life in prison if they disclose any details in their lifetime.

Drastic steps are needed because this is just getting out of hand. I don't think Ed Snowden is a hero or that crap, too loosely thrown around word, but he damn sure ain't a criminal for exposing criminals within our own government. Hopefully the NSA has nothing to do with this in any shape.
 
I really really really doubt that is true unless it's purely weak passwords.

That's over 95% of it. That and people/companies are typically dumb enough to have the keyfiles locally as well (if they even use them).
 
That's over 95% of it. That and people/companies are typically dumb enough to have the keyfiles locally as well (if they even use them).

Sounds like you're now using this excuse for such an absurd prior comment. So what's the other 5%? Show some actual proof or you're full of shit.
 
I call bullshit.

If the FBI isn't able to crack TC I doubt a private company is.


Provide proof that your company is cracking TC volumes or GTFO.

Yeah, I call double BS on this.

Prove that your company cracks TC volumes on a regular basis please.
 
Technically any local encryption can be cracked. Unlike trying to hack an online password where you can get locked out, locally you can keep trying and trying and trying and perhaps even write tools to make it easier and more efficient.

It's all a matter of how long it will take to brute force. The NSA can probably do it in under 5 minutes with all the computing power they have, for example. Some guy at home with a basic i7 computer would probably take years, if not more.
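The two posts above (the XKCD point that human-chosen passwords are weaker than their length suggests, and the point that an offline attacker is never locked out and is only limited by brute-force time) can be put on a common footing with a small entropy and crack-time estimator. This is an added example, not code from the thread or from TrueCrypt; the guess rate, the PBKDF2 iteration count and the word-list size are constructed assumptions, labelled in the code, and the output is an order-of-magnitude illustration rather than a measurement of any real cracking setup.

```python
import math

# All figures below are constructed assumptions for illustration, not measurements:
RAW_HASHES_PER_SEC = 1e9      # assumed throughput of an offline cracking rig (hash calls/s)
PBKDF2_ITERATIONS = 2000      # assumed per-guess key-stretching cost (TrueCrypt derives the
                              # volume header key with PBKDF2; the exact count is assumed here)
DICEWARE_WORDS = 7776         # size of a diceware-style word list (assumed)


def effective_guesses_per_sec(raw_hashes=RAW_HASHES_PER_SEC, iterations=PBKDF2_ITERATIONS):
    """An offline attacker is never locked out, but every guess must pay the
    key-derivation cost, so stretching divides the raw hash rate."""
    return raw_hashes / iterations


def random_password_bits(alphabet_size, length):
    """Entropy of a password whose every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy of a passphrase built from uniformly chosen dictionary words."""
    return word_count * math.log2(wordlist_size)


def dictionary_pattern_bits(dictionary_size, mangling_rules):
    """Entropy of a human-chosen 'word plus substitutions and a digit' password,
    modelled as one of dictionary_size base words times mangling_rules variants.
    Character count no longer matters: the attacker enumerates patterns, not characters."""
    return math.log2(dictionary_size * mangling_rules)


def expected_crack_seconds(bits, guesses_per_sec):
    """Expected time to reach the right guess: on average half the keyspace."""
    return (2.0 ** bits / 2.0) / guesses_per_sec


def seconds_to_years(seconds):
    return seconds / (365.25 * 86400)


def crack_time_table(guesses_per_sec=None):
    """Return {policy label: (entropy bits, expected years to crack)} for a few
    password policies, ordered from weakest to strongest."""
    gps = effective_guesses_per_sec() if guesses_per_sec is None else guesses_per_sec
    policies = {
        "word+mangling (100k words x 1000 rules)": dictionary_pattern_bits(100_000, 1_000),
        "8 random printable chars": random_password_bits(95, 8),
        "4 diceware words": passphrase_bits(4),
        "12 random printable chars": random_password_bits(95, 12),
        "6 diceware words": passphrase_bits(6),
    }
    rows = {label: (bits, seconds_to_years(expected_crack_seconds(bits, gps)))
            for label, bits in policies.items()}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0]))


if __name__ == "__main__":
    for label, (bits, years) in crack_time_table().items():
        print(f"{label:42s} {bits:6.1f} bits  ~{years:.3g} years")
```

Running it shows why the "weak passwords" explanation is the plausible one: a word-plus-mangling password falls in seconds at the assumed rate, while a genuinely random 12-character password or a six-word passphrase sits far beyond any brute-force budget. The stretching term only scales every row by the same factor, so it buys time but never rescues a low-entropy choice.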
 
I was just checking for the latest update yesterday too. Guess I'll wait and see what happens.
 