Truecrypt is dead

[osi]

Check their source forge page for more info.

It was good while it lasted at least!

[SpAmRaY]

for those who don't want to look it up

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

http://truecrypt.sourceforge.net/

-the intererwebs seem to think this could be a hoax or hack however....

[osi]

Thank you sir for the extra info!

[Techno Trousers]

I'm dubious about this, but if it turns out to be true, it's a dark day indeed for the security of the little guy. I can't even remember how many people I've recommended TrueCrypt to.

[osi]

I'm dubious about this, but if it turns out to be true, it's a dark day indeed for the security of the little guy. I can't even remember how many people I've recommended TrueCrypt to.

Indeed. Truecrypt was the goto for open source encryption.

Time to checkout some other technologies

[katushkin]

Goddamit. Looks like I'm going to have to encrypt my porn important files some other way.

[osi]

This morning the truecrypt page is as it was last night. Will do some more reading today but it seems as if it IS true.

I wonder if the truecrypt audit turned up anything in terms of weakness in the implementation and that's why they shut it down??

[jdcarpe]

In my opinion, this is a signal. It's almost certainly a result of the NSA issuing a shutdown order to the TrueCrypt team. They first issue a statement that the software is insecure, to deter people from using the previous, secure version. Then they recommend BitLocker, which most likely has an NSA backdoor built in, so as to be easily broken by Big Brother. Why would Windows XP EOL make strong crypto insecure all of a sudden? It wouldn't.

[esoomenona]

A statement? Like destroying their lives bit by bit until they finally cave and lie to the people?

[hjkl_over_wasd]

I agree with jdcarpe. 

The last report from the security audit, showed that the software was very promising, but further tests had to be made in order to be completely certain of the implemented security standards.

[osi]

It also bothers me that the newly found vulnerability is not described yet. A possible explanation would be to allow a grace period to allow users to migrate existing encrypted data to other means.

The EOL of XP statement is really odd. JD like you said, this shouldn't be a factor here. My guess is it is simply ANY (not a good reason) reason just to announce the discontinuation of the product. Who knows what type of gag order the Truecrypt team may have applied against them.

The all of a sudden nature of this reminds me of the lavabit shutdown. Software can't be physically destroyed so the abruptness to move users away from Truecrypt may have been the best way for that team to get the message out to STOP USING THE PRODUCT!

Trust no one...

[blackbox]

If this turns out to be true, its very sad. I just read this article:
http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html

[Kayla]

Bitlocker? nope nope nope nope nope

The whole thing is way too fishy for me.

[D01]

Bummer.

[TheSoulhunter]

In my opinion, this is a signal. It's almost certainly a result of the NSA issuing a shutdown order to the TrueCrypt team. They first issue a statement that the software is insecure, to deter people from using the previous, secure version. Then they recommend BitLocker, which most likely has an NSA backdoor built in, so as to be easily broken by Big Brother. Why would Windows XP EOL make strong crypto insecure all of a sudden? It wouldn't.

+1

[SpAmRaY]

What if the NSA was really behind truecrypt all along?

[blackbox]

What if the NSA was really behind truecrypt all along?

And now it is trying to migrate it to the newest product bitlocker?

[SpAmRaY]

What if the NSA was really behind truecrypt all along?

And now it is trying to migrate it to the newest product bitlocker?

Just a smokescreen so people don't realize what's been going on this entire time.

[blackbox]

What if the NSA was really behind truecrypt all along?

And now it is trying to migrate it to the newest product bitlocker?

Just a smokescreen so people don't realize what's been going on this entire time.

Of course, why didnt I realize that?

[jdcarpe]

That's the beauty of open source encryption versus closed source. With open source, independent reviewers can audit the software to look for vulnerabilities. With closed source, a backdoor could be hidden easily, with no way of users knowing or being able to discover it, until it is too late.

[osi]

What if the NSA was really behind truecrypt all along?

Eeek, I hope not!

Conspiracy theory : While NIST was deciding on a standard for AES, they happened upon a bug in either the twofish or serpent implementations. This information got swept under the rug and the public was told they simply weren't qualified to be used as a standard. NSA happily looked under the rug and grabbed the details that were hidden from view.

</theory>

Yes, I know the review was fully public ☺

[IvanIvanovich]

I also suspect the NSA is behind it's shutdown... but the nice thing about opensource is after further code audits, and any needed fixes forks will appear shortly and NSA can play cat and mouse with those releasing them.

[jdcarpe]

Information is power, people. Don't let government bullies take your power. Make them respect the people they are supposed to serve.

[James35]

I agree.  TrueCrypt's open source has been examined by so many people for so long, there has never been any security holes found. I suspect pressure from the outside has made them close down the site.

[Kayla]

Information is power, people. Don't let government bullies take your power. Make them respect the people they are supposed to serve.

Easier said than done.

[Coreda]

From everything I've been keeping up with it's obvious they were contacted by the government and forced to make changes, so they decided to make it obvious to everyone. Still pretty shocking, and as the license is strict it makes things more difficult for forking, apparently.

As for the audits I'm glad they'll continue (of the previous 7.1a version) according to Matthew Green, who confirmed it. After all they still have the money people raised for it.

[tbc]

I also suspect the NSA is behind it's shutdown... but the nice thing about opensource is after further code audits, and any needed fixes forks will appear shortly and NSA can play cat and mouse with those releasing them.

sorta.  OSS doesn't work quite as well with security provider applications.

there really aren't that many people qualified to do an audit and to implement the code changes necessary.  especially as standards get updated.

the prime rule of software programming is to never write your own security, you're just not good enough to do it right.  you're going to do it wrong, and then your false confidence will screw everyone over.

[Techno Trousers]

I don't really understand the conspiracy theory that the NSA was forcing them to put in a backdoor. Under what authority could something like that happen? We don't even know if the authors are within U.S. jurisdiction.

Of the conspiracy theories I've seen, my favorite is that TrueCrypt has been stolen from the original authors by some nefarious spook agency, and they are trying to convince some person or persons to unencrypt their stuff, ostensibly to convert it to a "safer" encryption solution.

I think this appeals to me since there's no evidence of any backdoors or weaknesses so far. I'm hoping I can safely keep using v. 6x until a good open source alternative for Windows is available. Hopefully they will continue with the in-depth code audit this summer as planned, so we'll know for sure one way or the other.

[jdcarpe]

I don't really understand the conspiracy theory that the NSA was forcing them to put in a backdoor. Under what authority could something like that happen? We don't even know if the authors are within U.S. jurisdiction.

Of the conspiracy theories I've seen, my favorite is that TrueCrypt has been stolen from the original authors by some nefarious spook agency, and they are trying to convince some person or persons to unencrypt their stuff, ostensibly to convert it to a "safer" encryption solution.

I think this appeals to me since there's no evidence of any backdoors or weaknesses so far. I'm hoping I can safely keep using v. 6x until a good open source alternative for Windows is available. Hopefully they will continue with the in-depth code audit this summer as planned, so we'll know for sure one way or the other.

No one is saying that TrueCrypt had a backdoor. Quite the contrary - I believe TrueCrypt was secure. Which is why the NSA forced the TrueCrypt team to shut the project down. The NSA likely has backdoors into closed source encryption technologies, such as Microsoft's BitLocker.

[James35]

Exactly.  There is no back door.  The source was open for examination by anyone.

[Kayla]

TrueCrypt has been contacted by authorities countless times before and has refused to work with them and kept their methods a secret. If it was NSA from the start then this stunt wouldnt be necessary. There is a story we're missing here and I have a feeling it will turn up eventually. We just have to sit tight and let the internet detectives detect.

[jwaz]

We are considering several scenarios, including potentially supporting a fork under appropriate free license, w/ a fully reproducible build.

We are continuing forward with formal cryptanalysis of TrueCrypt 7.1 as committed, and hope to deliver a final audit report in a few months.

We will be making an announcement later today on the TrueCrypt audit and our work ahead.

via https://twitter.com/OpenCryptoAudit

[Techno Trousers]

Thanks jwaz, I just came here to post that. Great news, because they would certainly have revealed if they'd found a serious bug found in TrueCrypt that they'd already reported and the TrueCrypt team threw in the towel on the project rather than fix it (one of the conspiracy theories out there). I'm going to continue to use it until it's been proven to be compromised.

[James35]

I would bet money that it hasn't been compromised.

[davkol]

TC isn't open source, it's "source available". Anyway, the source is still on Github: https://github.com/DrWhax/truecrypt-archive

The weird part is that the site is blocked at Archive.org. Three-letter organization indeed.

At least we still have EncFS.

[madhias]

That's new: http://truecrypt.ch/

Also some interesting read about the name, creators, etc (russian translation):
https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fnews.softodrom.ru%2Fap%2Fb19702.shtml

[osi]

That's new: http://truecrypt.ch/

Also some interesting read about the name, creators, etc (russian translation):
https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fnews.softodrom.ru%2Fap%2Fb19702.shtml

This is interesting and I see it is based out of Switzerland. But can we really trust this application now considering the past week? My body want's to trust it as I've been using truecrypt for some years now but my mind is still confused.

: patiently waits for the 2nd phase of public audit to finish:

[Techno Trousers]

I think it would be prudent to wait until the OpenCryptoAudit group talks about their future plans. Personally, I'd be more likely to trust a new project started by or spun off from them. I'm sure we will be seeing a lot of new forks popping up in the coming weeks, and the problem with cryptography implentations is that they are about the most difficult software to get right.

[katushkin]

Can't trust the Swiss.

Well you can, but you will never know who else they are working with...

[Eszett]

Let's think about it. The developers of the most secure encryption software on earth warn about their own software, and recommend the software of their competitor, which is known to come with a backdoor to the NSA. And you take this serious? Kiddin'? It stinks to high heaven. Use TrueCrypt 7.1a or DiskCryptor.

Anyway, you know that the warning is bull, when it comes
-- with red letters and block writing.
-- without specific reasons.
-- without the author's name.
-- with a surreptitious advertising

[roaduck]

There are alternatives out there.

http://alternativeto.net/software/truecrypt/

General Net Privacy Advice

https://www.wefightcensorship.org/article/fifteen-minutes-online-anonymityhtml.html




I am also considering the following : secure cloud storage / secure email / secure webmail /secure social media etc :

Protonmail

https://protonmail.ch/

Tresorit

https://tresorit.com/

Lavaboom

https://lavaboom.com/en/

Wuala

http://wuala.com/en/pricing/

Vole

http://vole.cc/

Getsync

http://getsync.com/

BitTorrent Chat

http://labs.bittorrent.com/experiments/bittorrent-chat.html

Maidsafe

http://maidsafe.net/overview


--------------------------------------------------------------------------------------------------------------------------------------
Here are some Encryption Links
__________________________

http://www.snuko.com/en/gb
http://www.robotronic.de/elevate.html
http://www.hbgary.com/products/responder_pro
http://www.gwebs.com/mailcloak/mailcloak_for_mail_clients.html
http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/14/nsa-proof-encryption-exists-why-doesnt-anyone-use-it/
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone
http://www.forbes.com/sites/jonmatonis/2012/07/19/5-essential-privacy-tools-for-the-next-crypto-war/
http://allfacebook.com/encrypt-your-facebook-postings-with-uprotect-it_b30477
http://www.hermetic.ch/eee/eee.htm
http://www.badphorm.co.uk/e107_plugins/forum/forum_viewforum.php?25
http://www.badphorm.co.uk/e107_plugins/forum/forum_viewtopic.php?14983
http://gimfmedia.com/tech/en/download-mobile-encryption/
http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption
http://news.cnet.com/2300-1029_3-6230933.html?tag=ne.gall.pg
https://en.wikipedia.org/wiki/Deniable_encryption
https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
http://aluigi.freeforums.org/post11991.html
http://www.valeso.com/
https://www.infoencrypt.com/
http://www2.rpost.com/encrypt_with_rmail
https://www.sendinc.com/
http://www.mxcsoft.com/
http://www.bytefusion.com/products/ens/cryptoanywhere/whatiscryptoanywhere.htm
http://www.mailvelope.com/
http://free.antivirus.com/us/email-encryption-service/index.html
http://www.secureaction.com/encryption_free/
http://www.nchsoftware.com/encrypt/index.html
http://www.safehousesoftware.com/SafeHouseExplorer.aspx
http://www.cbc.ca/news/technology/anti-nsa-blackphone-commendable-but-will-consumers-buy-it-1.2544562
http://www.skycrypt.com/
https://torrentfreak.com/how-nsa-proof-are-vpn-providers-131023/
https://lockbin.com/
http://thenextweb.com/apps/2014/04/18/tresorit-opens-end-end-encryption-file-sharing-service-public/
https://tresorit.com/
https://help.ubuntu.com/community/FullDiskEncryptionHowto
http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

___________________________________________________________________________________________________________
Free PGP Resources
--------------------

http://www.pa.msu.edu/reference/pgp-readme-1st.html - probably the best version - Illegal for use in USA
http://www.bytefusion.com/products/ens/cryptoanywhere/whatiscryptoanywhere.htm - CryptoAnywhere
http://www.heureka.clara.net/sunrise/pgp.htm
https://www.wefightcensorship.org/article/sending-encrypted-emails-using-thunderbird-and-pgphtml.html - Sending encrypted emails using Thunderbird and PGP
https://www.mailvelope.com/ - OpenPGP for Webmail
http://www.pgpguide.20m.com/ - An Unauthorised Guide to PGP Cryptography
___________________________________________________________________________________________________________
Secure Browsers Proxies and Anonymous Surfing
--------------------------------------------------

https://www.whitehatsec.com/aviator/ - Whitehat Security - Aviator Browser
http://www.deepnetsecurity.com/products/dualtrust/ - Deepnet Security - DualTrust
http://download.sirrix.com/content/pages/bbdl-en.htm - Sirrix AG security technologies - Browser in the Box
http://anonymous-proxy-servers.net/en/jondofox.html - Anonymous Surfing with JonDoFox
https://anonymous-proxy-servers.net/wiki/index.php/Censorship-free_DNS_servers - Censorship-free DNS servers
http://dnslookup.me/dynamic-dns/ - Free Dynamic DNS Providers
http://www.noip.com/free/ - No-IP Free Dynamic DNS
http://www.dnsexit.com/Direct.sv?cmd=ipClients - Dynamic DNS Clients - Software, Specifications and Guidelines
https://github.com/castleproject/Core/blob/master/src/Castle.Core/DynamicProxy/ProxyGenerator.cs - Castle.DynamicProxy
http://www.mousematrix.com/ - Mousematrix

https://ultrasurf.us/ - Ultrasurf
http://www.internetfreedom.org/GPass - GPass
http://darknet.se/about-darknet/?lang=en - Darknet
http://null-byte.wonderhowto.com/inspiration/anonymity-darknets-and-staying-out-federal-custody-part-one-deep-web-0133455/ - Darknet Tutorial part 1
http://mute-net.sourceforge.net/ - Simple, Anonymous File Sharing
https://freenetproject.org/download.html - Freenet
http://www.cyberghostvpn.com/en_gb - CyberGhost
http://alternativeto.net/software/hidemyass-vpn/ - HideMyAss! - Alternative To
https://uwnthesis.wordpress.com/2012/12/02/the-amnesic-incognito-live-system-linux-base-anonymous-os/?preview=true&preview_id=1685&preview_nonce=9bed3b4cca - TAILS – The Amnesic Incognito Live System – Anonymous OS
___________________________________________________________________________________________________________

[noisyturtle]

Let us all don out tinfoil hats and dance around our bunkers shouting at cans of beans!

[angelic_sedition]

There's tcplay. I'm still using truecrypt for now.