TrueCrypt Taken Offline Doesn't Pass My Smell Test

Subject: Editorial, General Tech | May 29, 2014 - 02:17 AM |
Tagged: TrueCrypt

It should not pass anyone's smell test, but judging by tweets and other coverage it apparently does. Officially, the TrueCrypt website (which now redirects to the project's SourceForge page) claims that, with the end of Windows XP support (??), the TrueCrypt development team wants users to stop using their software. Instead, the page suggests switching to BitLocker on Windows, Mac OS X's built-in encryption, or whatever package turns up when you search your Linux distribution's package manager for "encryption" (!?). Not only that, but several editions of Windows (such as 7 Home Premium) do not include BitLocker at all. Lastly, none of these are a good solution for users who want a single encrypted container that works across multiple OSes.

A new version, TrueCrypt 7.2 (don't use it!!!), was released at the same time, signed with the developers' private signing key.


The developers have not denied the end of support, or its full-of-crap reason. (Seriously: because Microsoft ended Windows XP support almost two months ago, they pull the plug on a two-year-old release now?)

They have not confirmed it either. They have been missing since at least "the announcement" (or earlier, if they were not the ones who made it). Going silent and unreachable on the day of your supposedly gigantic resignation announcement does not support the validity of that announcement.

To me, that is about as unconfirmed as you can get.

Still, people are believing the claim that TrueCrypt 7.1a is not secure. That version has been around since February 2012 and, beyond people reading its source code, has passed a significant portion of a third-party audit. Even if you take the website at its word, it only says that TrueCrypt will no longer receive security updates; it does not say that 7.1a is vulnerable to any known attack.

In other words, the version that has been good enough for over two years, through several known cases of government agencies being unable to get into it, is probably as secure today as it was last week.

"The final version", TrueCrypt 7.2, is a decrypt-only build. It lets users decrypt existing volumes (although who knows what else it does) in order to migrate them to another product. The source code changes have been published, and they do not look shady so far, but since we cannot even verify that the developers' private key has not leaked, I would not trust it. A valid signature only proves that whoever holds the key signed the build, not that the legitimate developers did, and a deep enough compromise could make any planted vulnerability very hard to find.

So what is going on? Who knows. One possibility is that they were targeted by a very coordinated attack, one that completely owned them and their private key, carried out by someone (or someones) who spent a significant amount of time preparing a fake 7.2. Another possibility is that they were legally gagged and forced to shut down, but managed to negotiate a way for users to decrypt existing data with a neutered build.

One thing is for sure: if this turns out to be a GoG-style publicity stunt, I will flip a couple of tables.

We'll see. ┻━┻ ¯\_(ツ)_/¯ ┻━┻

Source: TrueCrypt

May 29, 2014 | 03:44 AM - Posted by wujj123456

I am not in a panic, and as a backer of the TrueCrypt audit project, I know what we can do. Once the audit finishes, the second step was to make sure there is a deterministic build process that can build the exact same binary from the exact same source that was audited.

So if there is a bug in 7.1a, the community should have the chance to fix it, build it, and have a new organization maintain a new private key and sign it.

The only risk is that the OSS license audit hasn't finished (I think), so maybe we cannot legally fork that code. Well, I guess if a deterministic build process is in place, people can download a hashed source tarball and build it themselves. This won't be too hard for security-aware folks, I believe. After all, we are willing to compromise convenience for security, and patch & compile is just one more inconvenience.
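The comment above leans on a deterministic build process, and the editorial's point that a valid signature on 7.2 proves nothing if the signing key has leaked is the same problem seen from the other side: what you want to trust is the bytes, not the key. The following is an added example, not code from the original post or from the TrueCrypt project, showing why "same source, same binary" takes deliberate work. It packages a constructed three-file source tree twice, once the way a careless release script would (wall-clock timestamps, whatever file order it is handed) and once with the nondeterministic inputs normalized the way reproducible-build projects do (sorted entry order, a fixed timestamp taken from the source release, fixed permissions), then checks a rebuild against a pinned SHA-256 the way a downloader of a hashed source tarball would. The source tree, the dates, the pinned hash and the function names are all assumptions made up for the illustration; a real compiler build has more sources of nondeterminism (embedded paths, build IDs), but the principle is the same.

```python
import hashlib
import hmac
import io
import time
import zipfile

# Constructed stand-in for an audited source release (not TrueCrypt's code).
SOURCE_TREE = {
    "src/Crypto/Aes.c": b"/* aes */\nint aes_ok(void) { return 1; }\n",
    "src/Main.c": b"int main(void) { return 0; }\n",
    "README": b"reproducible build demo\n",
}

# Fixed timestamp taken from the source release, not from the build clock
# (the SOURCE_DATE_EPOCH convention).  2012-02-01 00:00:00 UTC, chosen arbitrarily.
SOURCE_DATE_EPOCH = 1328054400


def naive_archive(tree, build_time):
    """Package the way a careless release script does: entries in whatever
    order the tree is handed over, each stamped with the wall clock.  Two
    builds of identical source therefore differ byte for byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in tree.items():
            info = zipfile.ZipInfo(name, date_time=time.gmtime(build_time)[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def deterministic_archive(tree, source_date_epoch=SOURCE_DATE_EPOCH):
    """Reproducible variant: sorted entry order, one fixed timestamp, fixed
    permissions.  Same input bytes give the same output bytes on any machine,
    on any day, so anyone can rebuild and compare against a published hash."""
    fixed_dt = time.gmtime(source_date_epoch)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(tree):
            info = zipfile.ZipInfo(name, date_time=fixed_dt)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # rw-r--r--, independent of the builder's umask
            zf.writestr(info, tree[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def rebuild_matches(tree, pinned_sha256):
    """What a downloader of a hashed source tarball does: rebuild locally and
    compare with a digest obtained from independent parties.  Returns (ok, actual)."""
    actual = sha256_hex(deterministic_archive(tree))
    return hmac.compare_digest(actual, pinned_sha256), actual


def demo():
    """Two builders on different days, walking the tree in different orders."""
    builder_a = dict(SOURCE_TREE)
    builder_b = dict(reversed(list(SOURCE_TREE.items())))
    naive_a = naive_archive(builder_a, 1401321600)  # constructed: 2014-05-29 00:00 UTC
    naive_b = naive_archive(builder_b, 1401408000)  # constructed: one day later
    det_a = deterministic_archive(builder_a)
    det_b = deterministic_archive(builder_b)
    return {
        "naive_identical": naive_a == naive_b,
        "deterministic_identical": det_a == det_b,
        "deterministic_sha256": sha256_hex(det_a),
    }


if __name__ == "__main__":
    result = demo()
    print(result)
    # A rebuild from tampered source must not match the pinned digest.
    tampered = dict(SOURCE_TREE)
    tampered["src/Main.c"] = b"int main(void) { return 1; }\n"
    print("tampered rebuild matches pinned hash:",
          rebuild_matches(tampered, result["deterministic_sha256"])[0])
```

Run it with `python3`; `demo()` reports that the naive archives differ while the deterministic ones are identical, and the tampered rebuild fails the pinned-hash check. The pinned digest has to come from somewhere the attacker does not control (several independent people who built the audited source, not the download page itself), which is the part a signing key was standing in for.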

May 29, 2014 | 05:16 AM - Posted by Anonymous (not verified)

"They have been missing since at least "the announcement" (or earlier if they were not the ones who made it). Going missing and unreachable, the day of your supposedly gigantic resignation announcement, does not support the validity of that announcement. "

TrueCrypt's developers have been 'missing' since the start of development. Releasing builds while staying completely anonymous and nigh-uncontactable has been their standard MO.

May 29, 2014 | 07:34 AM - Posted by billeman

Smells very fishy indeed.

I'll stick with 7.1a for some time to come; can't really trust BitLocker, can we?

May 29, 2014 | 10:44 AM - Posted by Randal_46

Ugh that GoG publicity stunt. It made me stop buying games on GoG. What a boneheaded marketing move.

May 29, 2014 | 12:17 PM - Posted by Pholostan

The devs (the dev?) have abandoned the project. The post on sourceforge is so people won't come crying in the future when a fix is needed. Nothing special really.

May 29, 2014 | 12:45 PM - Posted by Anonymous (not verified)

Considering the web site has been removed completely from the Wayback Machine, SourceForge has come out saying nothing suspicious has been going on with their account, and even the third-party audit dude thinks this may be real, the project is dead.

Their silence and anonymity only make it worse. Nobody will trust anything from them again, and now the search for copies of 7.1a to archive begins. Their integrity has been completely ruined at this point.

May 29, 2014 | 03:15 PM - Posted by Anonymous (not verified)

Well, it's back to one-time pads, generated from randomly purchased and custom-numbered (by myself) ping pong balls, all randomly mixed in a random pattern dictated by gerbils running in a mad dash for randomly tossed feed pellets as they cross a randomly labeled grid of tuples derived from randomly paired Dungeons & Dragons dice!
