Jump to content
Thai Visa Forum

Mysterious announcement from Truecrypt declares the project insecure and dead


Recommended Posts

http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html

in part,

"The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world--after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai'i."

Edited by mesquite
Link to post
Share on other sites

Is it insecure?

There seems to be some doubt about the announcement regarding, the reason it was made, who made it and if genuine what it actually means. Proposed reason vary from a hacked site (unlikely) to a discreet warning from the creators that pressure has been put upon them to create a back door that can be used by everybody's favourite spy agency who's name I will Not Speak Aloud here. It will also be interesting to see what the ongoing audit result of the programme is.

I for one will continue to use it until an equally good open source cross platform alternative is offered.

but then again I use it only to keep prying eyes away from personal information and I am not hiding anything from people who would water-board me for the password anyway.

  • Like 1
Link to post
Share on other sites

And the plot thickens.

See the warning on the TrueCrypt Site: http://truecrypt.sourceforge.net/

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

There is a hidden message! Take the first letters of the warning:

“uti nsa im cu si” now put this in the google translator, from Latin to English and you receive…

“If I wish to use the NSA”

Coincidental? Hmm.

  • Like 1
Link to post
Share on other sites

Very strange announcement indeed. And telling users to use Microsoft Bitlocker!! <deleted>! Nobody seriously uses MS products for security, now do they? MS has been practically in bed with NSA for years now.

However, not all is lost. The TrueCrypt project has been restarted on http://truecrypt.ch with v7.1a download, and the source is now available on github. Doubt that NSA has much jurisdiction in Switzerland.

Link to post
Share on other sites

And the plot thickens.

See the warning on the TrueCrypt Site: http://truecrypt.sourceforge.net/

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

There is a hidden message! Take the first letters of the warning:

“uti nsa im cu si” now put this in the google translator, from Latin to English and you receive…

“If I wish to use the NSA”

Coincidental? Hmm.

Your point is well taken. I find this quote , taken from the truecrypt link you posted, particularly telling: "The development of TrueCrypt was ended in 5/2014 after "Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images""

The bolding is my own. Methinks the "integrated support" that MS is so generously offering may contain some unwanted components.

Link to post
Share on other sites

Has anyone ever lost any data in a Truecrypt volume by virtue of the hard disk it was on becoming bad? If you ever run Scandisk from time to time, it will as you know occasionally pick up bad sectors and offer to fix them.

I once tried to simulate a disk going bad and losing a few sectors by editing a couple of bytes of a large Truecrypt volume in a hexeditor. Once you do this, you can no longer open the volume with the password and the data is lost.

It seems to me if you have a large Truecrypt volume of several gigabytes sitting on a hard disk for long enough, it's only a matter of time before a couple of sectors go bad and you lose all your data?

Or is this unlikely to happen?

Edited by katana
Link to post
Share on other sites

Is it true that the developers of Truecrypt have never identified themselves? If so, then it was never to be trusted.

It is well known that the FBI could not decrypt these hard drives. So I trust the developers. Something went terribly wrong this week with those guys and I hope they are ok.

Link to post
Share on other sites

Is it true that the developers of Truecrypt have never identified themselves? If so, then it was never to be trusted.

It is well known that the FBI could not decrypt these hard drives. So I trust the developers. Something went terribly wrong this week with those guys and I hope they are ok.

My post above may have been premature, for which I apologise wai.gif.pagespeed.ce.ptXUXgG4cA.gif

This article and the links within http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/ are very interesting. The Register is a very reliable source in my experience.

I am following this story with great interest, and as I have no further FACTS to offer won't conjecture further.

Link to post
Share on other sites

Has anyone ever lost any data in a Truecrypt volume by virtue of the hard disk it was on becoming bad? If you ever run Scandisk from time to time, it will as you know occasionally pick up bad sectors and offer to fix them.

I once tried to simulate a disk going bad and losing a few sectors by editing a couple of bytes of a large Truecrypt volume in a hexeditor. Once you do this, you can no longer open the volume with the password and the data is lost.

It seems to me if you have a large Truecrypt volume of several gigabytes sitting on a hard disk for long enough, it's only a matter of time before a couple of sectors go bad and you lose all your data?

Or is this unlikely to happen?

I do not know the answer but I can say I have had a completely encrypted hard disk (and the laptop/disk is at least 7 years old) and several containers in various storage devices for a few years and I have not come across this situation yet.

  • Like 2
Link to post
Share on other sites

topt

Thanks. I currently use an old encryption program called Kruptos but it doesn't allow you direct access to the files like Truecrypt does after you mount the container. It would be nice to change over to a progam giving you easier access to encrypted files..

Link to post
Share on other sites

I have been using Truecrypt for some time

and also following this story

Whilst is a shame that there will be no further support for TC I do not feel that it means that it is unfit for use.

Unless you are a terrorist or involved in espionage, I do not think there is a great deal to worry about.

In fact I would be a lot more worried about BitLocker. bah.gif

As for the disk corruption concern, surely you back up your data

and have a second copy on another disk??

Here are a few links for more information

https://www.grc.com/misc/truecrypt/truecrypt.htm

http://www.pcworld.com/article/2304851/so-long-truecrypt-5-encryption-alternatives-that-can-lock-down-your-data.html

http://www.pcworld.com/article/2012853/review-diskcryptor-a-worthwhile-encryption-program-thats-easy-to-use.html

  • Like 2
Link to post
Share on other sites

Only a fool would think TC hides anything but smallest files.

Search all files...

Sort by size

Oh lookie at 6gb Word file hmmm?

A 4gb dat or dll...

Weak.

Oh look, you have six files on drive X, storage shows 80gb hmmmmm...

Link to post
Share on other sites

Only a fool would think TC hides anything but smallest files.

Search all files...

Sort by size

Oh lookie at 6gb Word file hmmm?

A 4gb dat or dll...

Weak.

Oh look, you have six files on drive X, storage shows 80gb hmmmmm...

Of course the truecrypt container is visible, but the point is that its contents are unreadable without the key or some very sophisticated hacking tools.

If you really want to hide something so that it is not obvious that it even exists then the documentation describes how to make a truecrypt container inside a truecrypt container which they describe as plausible deniability

  • Like 1
Link to post
Share on other sites

Only a fool would think TC hides anything but smallest files.

Search all files...

Sort by size

Oh lookie at 6gb Word file hmmm?

A 4gb dat or dll...

Weak.

Oh look, you have six files on drive X, storage shows 80gb hmmmmm...

Agreed, a 6 GB Word file would be a dead giveaway. But what about a 6 GB AVI video file nestled in amongst 30 or more 6-8 GB AVI video files? Not so obvious then.

Edited by Rice_King
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...