TrueCrypt no longer supported?

Discussion in 'Networking & Security' started by dderidex, May 28, 2014.

  1. dderidex

    dderidex [H]ardness Supreme

    Tried to access the TrueCrypt site, today, and it now states:

    Uhhhh...wow. Anyone know what's up with that? I can't find any news on the TrueCrypt developer(s) giving up - would have thought that would be front-page news SOMEWHERE...
     
  2. schizrade

    schizrade [H]ardness Supreme

    Wow. Didn't see that one coming...
     
  3. dderidex

    dderidex [H]ardness Supreme

    Apparently, a new version of the software has been posted, too, with a similar warning - hash checks out on it, so...if this is a case of a compromised site, it seems the entire project has been compromised.

    Or maybe they really did find a serious problem and just gave up??

    I'm baffled...can't find any independent word or confirmation on what's up, here...
     
  4. schizrade

    schizrade [H]ardness Supreme

    Says it right there in the statement. Modern OS's include encryption.
     
  5. dderidex

    dderidex [H]ardness Supreme

    Sure, but OS-proprietary encryption. I can't encrypt a USB drive in Windows BitLocker and plug it into a Mac and read the data.

    I *can* do that with TrueCrypt. Or could, anyway.
     
  6. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Wow that sucks. There is a great need for open source encryption solutions such as TrueCrypt, especially with all the NSA stuff. You can't trust commercial solutions as the odds are decent they got backdoors of sorts.
     
  7. crusty_juggler

    crusty_juggler [H]ard|Gawd

    I would not download the alleged TrueCrypt 7.2 exe until more information is available. The site looks like it was compromised.

    Just my two cents.
     
  8. Phantum

    Phantum [H]ard|Gawd

    Well that sucks, if it's true. I can't find anything anywhere else indicating they gave up because modern OS's include encryption... and like dderidex said, with those solutions you can't easily (or sometimes at all) move encrypted data between platforms. So I dunno about this yet. I'll continue to use 7.1 and monitor the situation awaiting confirmation.
     
  9. drescherjm

    drescherjm [H]ardForum Junkie

    Same here between Windows and Linux.
     
  10. zerodamage

    zerodamage Limp Gawd

  11. dderidex

    dderidex [H]ardness Supreme

    Ars confirms that the key used to sign the current TrueCrypt package IS the official TrueCrypt key, so...

    I'm thinking this is legit for some reason.

    I mean, if you had total access to the TrueCrypt site, AND the ability to sign a TrueCrypt installer with a valid key...which is what would be required to pull this off as a prank...why on earth would you waste that ability on a joke? Good grief, you'd be able to put a backdoor in to all kinds of private data...
     
  12. dderidex

    dderidex [H]ardness Supreme

    Someone in the Ars comment section has an interesting alternate possibility...

     
  13. r-486

    r-486 Gawd

    I'd like to know more about this.
     
  14. Liger88

    Liger88 2[H]4U

    I'm surprised how quickly many people didn't question it without a news story. A full Kickstarter based independent audit is underway and came back clean and secure thus far. I do agree that Volume/Container based Encryption programs are hard to come by these days, even more so now that the FreeOTFE program seems to have gone tits up.
     
  15. okashira

    okashira [H]ard|Gawd

    I call BS.
    Either something related to the NSA, they are forced to shut down and "recommend" MS
    (which had confirmed NSA backdoors back in 2001)

    Or the site was hacked.

    I need to see if I still have an unmolested 7.1 copy.
     
  16. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Hmm wasn't there a service that was basically forced by the government to start spying on people, and they refused and had to shut down? I think it was encrypted email or something.

    Could be a similar situation, and of course they're not allowed to say anything.
     
  17. Phantum

    Phantum [H]ard|Gawd

    Lavabit
     
  18. klank

    klank Killer of Killer NIC Threadz

    I bet they received an NSL. The sudden nature of the change and suggestion to utilize built-in encryption reeks of a coverup.
     
  19. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Yep that's the one I was thinking of.
     
  20. AMD T-type

    AMD T-type [H]ardness Supreme

    I... I'm not sure what to think atm.
    This is a very interesting development thus far.
     
  21. IceDigger

    IceDigger [H]ardForum Junkie

  22. octoberasian

    octoberasian 2[H]4U

    I've been using TrueCrypt for years and I still run 7.1a on my computers.

    The reason being is that TrueCrypt is cross-platform. My encrypted virtual disk can be read in Windows and Linux.

    I cannot do that with BitLocker.

    If this is, as another poster in this thread stated, a result of an NSA takedown or request to include a backdoor like what happened with Lavabit, then I'm more disappointed at the NSA (and the US government at that) than TrueCrypt.

    I keep sensitive documents in my virtual drive-- KeePass database file, tax documents, legal documents that were scanned.
     
  23. Darakian

    Darakian [H]ardness Supreme

    With any luck a good alternative will crop up in the months to come (assuming this is legit).
     
  24. jabbernotty

    jabbernotty n00b

    So, should I consider my truecrypted files compromisable? These are made with various older versions.
     
  25. ChedWick

    ChedWick Gawd

    This is all very bizarre.

    But assuming you have a safe download from a few years ago, could one continue to use it? Or if this was truly compromised by a hacker or the NSA, does that mean all previously encrypted volumes, regardless of when they were encrypted, are now vulnerable to decryption?

    I would hope not since it's open source and the initial phase one of the audit didn't turn up anything really concerning.
     
  26. shade91

    shade91 Guest

    Why don't these projects just "sell" to some foreign entity that isn't friends with the US, install a fictitious person and continue as business as usual? It's sad that this seems the safer route away from the NSA.
     
  27. Steelgrave

    Steelgrave Limp Gawd

    I'd consider them unsafe anyway if you're really that worried. I work for a company that recovers data on a large scale, and it's pretty rare we can't crack a TrueCrypt volume (and we don't have the NSA's budget lol).

    No encryption is "unhackable", it'll just slow down someone with the means to get at your data. It will prevent the goofballs that steal laptops or the more casual common thieves from getting at it. For agencies such as the NSA, it's a different story.

    What made TrueCrypt great was the fact that it was platform independent. 7.1a is still perfect to stop common criminals and what not. I'll keep using that for now until someone else comes up with a package that will run anywhere.
     
  28. Brak710

    Brak710 [H]ard|Gawd

    I really really really doubt that is true unless it's purely weak passwords.
     
  29. JaiWebb

    JaiWebb Gawd

    Agreed. There would be no point to encryption if it was that easy.
     
  30. klank

    klank Killer of Killer NIC Threadz

    I call bullshit.

    If the FBI isn't able to crack TC I doubt a private company is.


    Provide proof that your company is cracking TC volumes or GTFO.
     
  31. dderidex

    dderidex [H]ardness Supreme

    That'd be my guess.

    As XKCD points out...

    [​IMG]

    ...most passwords people use are a LOT easier to crack than you'd expect. The key is overall length of the password - no matter how 'random' you make the characters, passwords of 11-12 characters in length are just going to be pretty trivial to crack anymore.
     
  32. Liger88

    Liger88 2[H]4U

    *sigh*

    People really need to clarify themselves when they say completely opposite statements like this. Cracking encryption is all about time at the end of the day, however, there are quite a few flaws that TrueCrypt had which could be taken advantage of. Was pointed out a couple years ago and software exists to extract data from a reboot and the hibernation file.


    That's all encryption is meant to do. The point isn't to be unhackable, in fact every encryption is hackable. It's a matter of using statistics, probability and time before you die as a method of security. A lot of trust goes into this. User having a strong encryption key, no flaws in the encryption formula, programmers building their software correctly, implementing other standards/protocols correctly, etc. This whole security business is all about "trust" and you'd be smart to be paranoid by trusting nobody. You just can't. Only a fool would. Hence a layered approach is often best.

    FreeOTFE suited me just fine and had a portable version, not sure about being platform independent, but it was the only other competitor big enough that had similar features as TrueCrypt. Problem is the developers just stopped about 2-3 years ago and the past year the website domain just fell by the wayside. Unfortunate, but not as bad as this TrueCrypt story to say the least. I have this thing where I never used the #1 of anything. Always go for the #2 or #3 and in this case it once again turned out for the better.

    Not saying TrueCrypt is corrupt and this can't be explained, but the silence is deafening. The damage is done. Anyone to trust TrueCrypt without them coming out of the shadows and explaining themselves would be a fool.

    JFK was on the right track, to dismantle the CIA and probably the NSA if he were alive and in charge today. I'd say reformat our intelligence agencies: cut their budget, fire all employees, ban them from working in intelligence and the government and have them sign an NDA with consequence of life in prison if they disclose any details in their lifetime.

    Drastic steps are needed because this is just getting out of hand. I don't think Ed Snowden is a hero or that crap, too loosely thrown around word, but he damn sure ain't a criminal for exposing criminals within our own government. Hopefully the NSA has nothing to do with this in any shape.
     
  33. Steelgrave

    Steelgrave Limp Gawd

    That's over 95% of it. That and people/companies are typically dumb enough to have the keyfiles locally as well (if they even use them).
     
  34. JaiWebb

    JaiWebb Gawd

    Sounds like you're now using this excuse for such an absurd prior comment. So what's the other 5%? Show some actual proof or you're full of shit.
     
  35. crusty_juggler

    crusty_juggler [H]ard|Gawd

    Yeah, I call double BS on this.

    Prove that your company cracks TC volumes on a regular basis please.
     
  36. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Technically any local encryption can be cracked. Unlike trying to hack an online password where you can get locked out, locally you can keep trying and trying and trying and perhaps even write tools to make it easier and more efficient.

    It's all a matter of how long it will take to brute force. The NSA can probably do it in under 5 minutes with all the computing power they have, for example. Some guy at home with a basic i7 computer, probably take years, if not more.
     
  37. crusty_juggler

    crusty_juggler [H]ard|Gawd

    Ok then, point us to an example in which the NSA cracked a TC volume in 5 minutes. Or...ever.
     
  38. -PK-

    -PK- [H]ard|Gawd

    I was just checking for the latest update yesterday too. Guess I'll wait and see what happens.
     
  39. Red Squirrel

    Red Squirrel [H]ardForum Junkie

    Do you think they would actually disclose this?