Earlier today, the popular disk encryption tool Truecrypt was essentially removed from Sourceforge, and replaced with a warning that Truecrypt is no longer secure and people should switch to Bitlocker (with instructions as to how to do this). The source code was updated and essentially all functionality was removed; the installer will now just show a message similar to the one displayed on the homepage.

What you are probably asking first: What does this mean for me if I use Truecrypt?

At this point, there are many rumors, and few facts. It is my recommendation (as always) to stay calm.

One thing you want to do right away: Get a copy of the last working version and burn it to CD (actually: 3 CDs) in case it is no longer available and you need to access offline media that are encrypted using Truecrypt.

Find out what your alternatives are. In Windows you have Bitlocker, in OS X you have FileVault, and in Linux you have LUKS. Sadly, these are not compatible with each other. You will need to find a replacement for portable media that need to move between operating systems. PGP/GnuPG comes to mind as an option.

Now back to what we know so far: Recently, a community effort was launched to review the Truecrypt code, in particular to check for backdoors and incorrectly implemented crypto algorithms. As far as I know, no significant issue has been found to date.

This very much smells to me like a compromised Sourceforge repository. Truecrypt uses Sourceforge for all of its content. At this point, sit back, don't visit the Truecrypt Sourceforge page or download the crippled version, but don't panic (yet).

But, via Twitter and e-mail, some additional disturbing facts came in that make this look worse than a simple web site compromise:
Correction about the earlier note that Sourceforge was compromised: Turns out that they asked users to change passwords NOT because of a compromise, but because they changed the hashing algorithm.
Johannes 4479 Posts ISC Handler May 28th 2014 |
May 28th 2014 7 years ago |
Sounds like someone with a tin foil hat has decided that even TrueCrypt has been back-doored by the NSA, so they've used an existing exploit against Sourceforge to make their point.
|
Kaldek 12 Posts |
May 29th 2014 7 years ago |
A post has been made to HackerNews by a person claiming to be a SourceForge employee, to the effect that there doesn't seem to be anything unusual in recent traffic and usage of the TrueCrypt account: https://news.ycombinator.com/item?id=7813121
|
Alex Stanford 136 Posts |
May 29th 2014 7 years ago |
FreeOTFE can be used, with a bit of effort, to create and access encrypted Linux volumes on Windows (including LUKS). Unfortunately not maintained any more but still available on Sourceforge: http://sourceforge.net/projects/freeotfe.mirror/. Drivers are unsigned, though, which causes problems with Windows 7 and later.
|
Anonymous |
May 30th 2014 7 years ago |
"Truecrypt development team is anonymous"
Put your trust in the shadows, secure your secrets with ignorance. Sorry, but the code was never truly open source, could have been anyone in major nation-state espionage including the NSA creating it. |
Anonymous |
Jun 2nd 2014 7 years ago |
"Truecrypt is alive and well and living in Switzerland" found via packetstormsecurity.com
http://www.theinquirer.net/inquirer/news/2347787/truecrypt-is-alive-and-well-and-living-in-switzerland |
acbeko 13 Posts |
Jun 3rd 2014 7 years ago |
The German website heise.de posted some news about the further "development"/existence of *crypt:
"Deutscher Nachfolger für TrueCrypt angekündigt" - http://heise.de/-2224105 (sorry for this German only link, I haven't found one in English yet.) |
acbeko 13 Posts |
Jun 16th 2014 7 years ago |
Yes, I agree with you. And now we can ask: what to do? Is it possible to find a good alternative? What applications can we use so as not to depend on the NSA?
|
acbeko 1 Posts |
Aug 21st 2014 7 years ago |