Author Topic: TrueCrypt is Now Abandonware?! (Read 52418 times)

J-Mac · « **on:** May 29, 2014, 03:49 AM »

Their webpage at SourceForge now contains this "cryptic" message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

http://truecrypt.sourceforge.net/

And this article at BoingBoing explains why:

http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html?utm_source=dlvr.it&utm_medium=twitter

Jim

40hz · « **Reply #1 on:** May 29, 2014, 04:37 AM »

My best guesses:

Whoever was developing TrueCypt

is scared to death of being 'outed' for several (probably valid) reasons
has been threatened by some intelligence agency
has started working for some intelligence agency
was already working for some intelligence agency - and TrueCrypt was one of its products all along
completed their mission and will soon board the flying saucer that will return to their homeworld

I think these are all equally likely considering how cagey and reluctant the developers of True Crypt were about anybody ever knowing who they were...

J-Mac · « **Reply #2 on:** May 29, 2014, 05:35 AM »

Nice post! I didn't know much about the issues with the developers, which is why I posted only the links. I had heard that they had opened a "back door" for the NSA but didn't know the details.

Whatever the case, I guess a lot of folks will now be scrambling for a new encryption program.

Jim

40hz · « **Reply #3 on:** May 29, 2014, 05:48 AM »

Of course, it could also be a prank if somebody got their key...just sayin'

40hz · « **Reply #4 on:** May 29, 2014, 05:50 AM »

Whatever the case, I guess a lot of folks will now be scrambling for a new encryption program.
-J-Mac (May 29, 2014, 05:35 AM)

Change "will now be" to "are" and you're spot on the sugar.

But seriously...who knows?

If TrueCrypt works - but people start distrusting and ultimately abandon it - the spooks win.

If the spooks already own it, they'll just slip something else in (because there's always a Plan-B with those guys) so they win again.

The big problem is we're using technology that wasn't intended or designed to be secure. And everything we do to try to make it secure is bolted and duct taped on.

If we're serious, the entire global network - and probably at least 85% of the rest of our computer technology - needs to be re-engineered from the ground up.

Problem is, with a project that massive, gremlins and backdoors are bound to sneak in. And the disruption and expense such a project would entail - and the degree of cooperation and gooodwill needed to keep it from becoming a joke - makes it unlikely to the point of "that is so not gonna happen."

Besides - signal privacy and security aren't technical problems - they're "people problems." And as long as invasions of privacy are tolerated (when not condoned) somebody somewhere will try snooping.

mouser · « **Reply #5 on:** May 29, 2014, 06:02 AM »

What the heck!?!?!?
Bizarre. I can't wait to hear more about this.

From the boingboing page, this sums up my reaction:

"The Sourceforge project page for Truecrypt now sports a cryptographically signed notice that Truecrypt should no longer be used as it is not secure. The news came on the heels of a crowdfunded $70K security audit of the open source, anonymously maintained software giving it a relatively positive initial diagnosis. The announcement -- signed by the same key that has been used to sign previous, legitimate updates -- links Truecrypt's deprecation to Microsoft's decision to cease supporting Windows XP, though no one seems to have a theory about how these two facts relate to one another."

40hz · « **Reply #6 on:** May 29, 2014, 06:07 AM »

^ So bizarre I keep thinking it's a prank.

Tuxman · « **Reply #7 on:** May 29, 2014, 06:18 AM »

AFAIK the download provided there probably contains a trojan.

(Well, the spirit of Open Source, right? Secure and trustable and everything.)

Stoic Joker · « **Reply #8 on:** May 29, 2014, 07:13 AM »

^ So bizarre I keep thinking it's a prank.
-40hz (May 29, 2014, 06:07 AM)

Either that, or the real reason Vista took so long to release was due to protracted negotiations on how big of a back door to put where.

40hz · « **Reply #9 on:** May 29, 2014, 07:44 AM »

^ So bizarre I keep thinking it's a prank.
-40hz (May 29, 2014, 06:07 AM)

Either that, or the real reason Vista took so long to release was due to protracted negotiations on how big of a back door to put where.
-Stoic Joker (May 29, 2014, 07:13 AM)

rgdot · « **Reply #10 on:** May 29, 2014, 08:13 AM »

I keep looking at calendar and it doesn't say April 1

Shades · « **Reply #11 on:** May 29, 2014, 10:27 AM »

^ So bizarre I keep thinking it's a prank.
-40hz (May 29, 2014, 06:07 AM)

Either that, or the real reason Vista took so long to release was due to protracted negotiations on how big of a back door to put where.
-Stoic Joker (May 29, 2014, 07:13 AM)

I was thinking that they couldn't agree if the door needed to be made out of mahogany or oak... $:-\$

40hz · « **Reply #12 on:** May 29, 2014, 10:40 AM »

^ So bizarre I keep thinking it's a prank.
-40hz (May 29, 2014, 06:07 AM)

Either that, or the real reason Vista took so long to release was due to protracted negotiations on how big of a back door to put where.
-Stoic Joker (May 29, 2014, 07:13 AM)

I was thinking that they couldn't agree if the door needed to be made out of mahogany or oak... $:-\$
-Shades (May 29, 2014, 10:27 AM)

I think the NSA was arguing for something more along the lines of a glass or flimsy screen door.

Renegade · « **Reply #13 on:** May 29, 2014, 12:37 PM »

Has just how terrifying this is sunk in for anyone yet?

This is truly one of the most horrifying things and is way up there with Heartbleed.

40hz · « **Reply #14 on:** May 29, 2014, 12:45 PM »

^I think it's less it's being seen as terrifying and more as a nasty and serious problem that needs to be solved. And pronto. At least on the part of the people with sufficient mathematical and technical chops to pull it off.

Unfortunately, finding that new encryption algorithm may prove trickier than originally thought. Look here.

Mark0 · « **Reply #15 on:** May 29, 2014, 01:09 PM »

That's really a bizarre situation!

Renegade · « **Reply #16 on:** May 29, 2014, 01:12 PM »

^I think it's less it's being seen as terrifying and more as a nasty and serious problem that needs to be solved. And pronto. At least on the part of the people with sufficient mathematical and technical chops to pull it off.

Unfortunately, finding that new encryption algorithm may prove trickier than originally thought. Look here.
-40hz (May 29, 2014, 12:45 PM)

And what if Glenn Greenwald's partner had TrueCrypt info when he was intercepted in London?

In that case, this is all just theatre, and we're being played like a fiddle. What then? What agenda?

These are terrifying thoughts.

rgdot · « **Reply #17 on:** May 29, 2014, 02:52 PM »

Wait a second - yes I am slow - the warning also exists when you run the setup of the version on the sourceforge page? I just checked ghacks (http://www.ghacks.ne...yption-alternatives/) and saw

That's a different level of WTF as far as I am concerned

40hz · « **Reply #18 on:** May 29, 2014, 02:59 PM »

^Now that is a true WTF???? if I ever saw one.

Did Microsoft just buy these guys out or what?

40hz · « **Reply #19 on:** May 29, 2014, 05:23 PM »

Looks like whatever happened, TrueCrypt really is gone - as in 'game over.'

From the folks at LinuxBSDos.com comes this. (Emphasis added.)

Is TrueCrypt dead?
in news & announcements / on May 29, 2014 at 5:29 am /

Based on the wording of its license, there was always a question mark surrounding the open source-ness of Truecrypt. But that’s not the topic of this brief article. What prompted me to write this is an article that appeared in the Washington Post suggesting that TrueCrypt may have seen its last days as an (“open source”) software project.

TrueCrypt was a cross-platform (Linux, Mac OS X, and Windows) disk encryption software. The last article I wrote about it on this website was Should Truecrypt be audited?.

A quick trip to the project’s website, or what used to be the project’s website, confirmed the gist of the Washington Post article. If you try to visit http://truecrypt, you’ll actually be redirected to http://truecrypt.sourceforge.net. And the only conclusion that I can draw by looking at the contents of the website is that TrueCrypt is dead. Microsoft Windows users are encouraged to migrate to BitLocker, that operating system’s disk encryption utility, while Linux users are encouraged to “use any integrated support for encryption.” The latest download links are only for users “migrating data encrypted by TrueCrypt.” That really seals it. You cannot encrypt a disk using the latest version of TrueCrypt, only decrypt.

"Curiouser and curiouser," said Alice.

mwb1100 · « **Reply #20 on:** May 29, 2014, 05:39 PM »

I'd suggest keeping whatever downloads of TrueCrypt 7.1a that you might have safe until people figure out what's going on.

At this point I don't think we know if what's happening is due to problems that might be in 7.1a that the devs don't want (or can't) fix, or if 7.1a is OK to just continue using.

Either way, it looks like official downloads of a TrueCrypt that can encrypt data are probably gone for good.

Deozaan · « **Reply #21 on:** May 30, 2014, 02:37 AM »

I don't get what the big deal is. It seems pretty simple to me:

1. The developer of TrueCrypt has decided it is no longer worth continuing development since every modern OS supports hard drive encryption natively, making TrueCrypt redundant. Use the OS's native encryption instead of TrueCrypt. That's what this means:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images

To reiterate: It means that TrueCrypt filled a need in XP because XP didn't support encrypted disks (or at least not to the extent that TrueCrypt provided). But now that Windows XP is a "dead" OS, everybody (who uses Windows) should be on Vista or newer. Vista or newer all support encrypted disks, so use the OS's integrated encryption.

That's why it gives so much detail on how to enable encryption on the OS level (BitLocker or whatever it's called).

2. Since 7.2 is the final release of TrueCrypt, that means that this latest version (7.2) will be the last update of TrueCrypt that people will be able to find on the internet. As such, 5 years from now when 7.2 is still the "latest version" and security flaws are found or encryption breaking/cracking schemes advance enough to make breaking the encryption in TrueCrypt trivial, people should be aware that it is not a secure program. In other words, TrueCrypt is no less secure in 7.2 than it was in 7.1a. It just has a warning now about its inevitable insecurity in the future.

Or, in other words, to avoid having to release an update in a few years when TrueCrypt truly is no longer secure due to not being developed, the developer just put one in there right now so he can be done with it.

To put it yet another way, the developer can feel like he is being morally responsible by putting that warning in there now so that he won't feel accountable for the actions of some idiot who in X years tries to use it while thinking that encryption is magical security.

Of course, I'm no security expert. I could be wrong about all this. But that's how I see it from reading the warning.

J-Mac · « **Reply #22 on:** May 30, 2014, 02:50 AM »

One problem with that theory: TC 7.2 only allows for decryption; it will not encrypt.

Jim

Deozaan · « **Reply #23 on:** May 30, 2014, 03:04 AM »

Then I think I still was mostly right, but somehow missed that important detail. I think the developer did what he felt was the morally right thing by making sure nobody would use his abandonware security software since security is an ongoing process and just the fact that it is no longer being developed will make it insecure relatively quickly.

tomos · « **Reply #24 on:** May 30, 2014, 03:30 AM »

^ a very logical explanation Deozaan, especially with regard to XP. (In fairness to the rest of us who didnt figure that out, they could have spelled it out a little more $:-\$ )