The strange death of TrueCrypt
I just became aware of this. Seems pretty strange. Maybe worse than strange. Comments?
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
http://lifehacker.com/truecrypts-web-site-updates-with-ominous-warning-detai-1582879439
And this. Over the top, or not?
http://www.theregister.co.uk/2014/05/28/truecrypt_hack/
Even more:
https://news.ycombinator.com/item?id=7812133
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
http://lifehacker.com/truecrypts-web-site-updates-with-ominous-warning-detai-1582879439
And this. Over the top, or not?
http://www.theregister.co.uk/2014/05/28/truecrypt_hack/
Even more:
https://news.ycombinator.com/item?id=7812133
Comments
I don't plan on changing my use of TrueCrypt until the auditors find something REALLY bad in phase two of the audit. I sure as hell don't trust the MS encryption tools.
"Someone else suggested that the suggestion to use bitlocker is so
unlikely, it’s a signal of shenanigans. Perhaps it’s their dead canary?"
http://steve.grc.com/2014/05/28/whither-truecrypt/
I read changelogs to everything. But Truecrypt 7.2 has none published. And the site is a circle-jerk of BS about a feature available by no more than the wealthiest of idiots. Seriously, this is without a doubt the dead canary.
According to other people, Truecrypt 7.2 cannot make volumes. It can *ONLY* mount volumes in a read only state so you can recover your data. Why the fuck would anyone use this when 7.1a has worked without failure for years now?
Whatever happened to the people behind Truecrypt, I hope they are well. As for me, I and others will keep our archived copies of Truecrypt 7.1a forevermore.
Here is the only likely hope for any improvement to Truecrypt. (Well, not Truecrypt, but this is comparable.)
Here is the entire thing, including the source. And I made a hash of every type I know of for those of you who want to check it out too.
https://www.grc.com/misc/truecrypt/TrueCrypt_v7.1a.zip
Adler32: BF6744A6
BTIH: C06BDB71FF8620DD278B4EBE2A1767EE88C615F9
CRC32: 033C7658
ED2K: 102E460CE6F19C004936DC9CF1CBB67C
GOST: C1D05279987D9657A0D3D08DBEC73ED0368690AF9D61E17B2E5C83ECF795775C
MD2: AD1E086C7BBC02720814D010172313AC
MD4: 682B5B54C1C985370F72B23AC6EAB35B
MD5: 2C664C527EE622B17DA6FCD76979FBA4
RIPEMD-128: E424F42E40363A8E79B4BE832186D43F
RIPEMD-256: 8C6722575380D4D5A3A2EAD9AB6642A988B3A935A930009A864665A087BB6404
RIPEMD-320: 8B64E686B8063459D0ACDB4DF774592D5E383A4BC4F052282B4B078E33249A497E0A3521893D8841
SHA-1: 1D503DDB5F619CA868EA42BD7435F0DFF5975997
SHA-256: 4B87892BF9F217DEB28EB67570803664512613AEE7CF92DF6E31DCCA6E26FAB7
SHA-384: BE9868B291E47CA9E90FC002EBDB15897F61D2AC80A352E3D6922A56B96C8517D5769F332DDF3D4A28D3E0AFC436CBEF
SHA-512: 009A1FBBC1521411F86B5A77D1BE3B9DCCA3D88C6A484E8AF449560A255F3C1788A6460964B7A532EED46CE553D793E5DB668C5A48C101CB5E2ED54CB4B05A45
SHA3-224: 4B8D4C3C14CCE4B1BADDF90DCBBA882135532A5793F2A5A63DEA1AF5
SHA3-256: C3EB42B46AC24F0894AFF281B316E2B3D0D781E540B141A466DFBA54406A25FC
SHA3-384: A05CD9943715DD804530D22EB81E544391996D9F11F4BDD5A8F76E545149F847905CB4091EDB9BC60873DB67372D6C36
SHA3-512: F0446E909EDA8064D40B802C7AF3D1B11E9E6D890C250C0BD03294634A7B8D7FAD7B929BC7ED82F1D62BE2E7963EAD25C6C91D973424E5C58A95240AF19F1F76
TTH: SR3ZGEXXUYJPZCOLHDKNXBRSMT6ZHLWUIRVW4YA
Tiger: 4B472BDF16B2DB0C0A6034ED88197AA708F93E1AF50D43E6
Whirlpool: DE011837B66AEC6DFF80DCBEE4D19841AAA81483E6583094A60901792F877116AABCACB225F3CCBA9C32FD6BF5FA579831347C3F96120776A7963FC47DDF8D56
Overkill. I know. But this is the single most important thing made in the last few decades.
https://github.com/0xPoly/Centry
It is described here.
http://www.theregister.co.uk/2014/05/28/police_at_the_door_hit_the_panic_button/
*Edit* Oh. Linux and Mac only. That explains why I never heard of it.
I know that Steve Gibson and others say it
is for real but from everything I read it looks like the site was
hacked. Yeah, the hackers would need the keys, but that ain't impossible if they had remote control of a developer's computer via a trojan.
My other theory is the developers got pissed over the audit so they
said "screw you" to the world. I read the first audit and imo the dudes who wrote it were ASSHOLES.
They basically said the code sucks and there were not enough comments.
There is a difference between
being paid to write code and writing code as a hobby. When you are paid
you tend to document more and be more organized. I have posted code on
forums before and there were not many comments in the code.
Why should I care if someone else can read the code or not? What are
they going to do, not pay me?
If someone came along and replaced every screw in my home with a new one that is slightly different from normal, I would have to buy the bit, but there is no fucking way I am going to retool what works for a newer version that does the same job. (Like a Torx screw. They are good, but a standard Phillips bit works fine for me and costs far less.)
So those scumbags want to rave about how everything is not coded the way they want? They can take the code and re-write it. But they would rather throw a fucking fit because some old people with old tools made something well beyond their capacity to make.
The biggest complaint was the recurring theme of mixing signed and unsigned integers. They see that as blasphemy. They try everything they can to demonstrate how it could be used against the user. But they fail to deliver anything more than sheer speculation of what could be done.
I trust TrueCrypt. I remember before it came around the best solution was Jetico's BestCrypt. And it was fully closed source and commercial. Then all out of no-where cam TrueCrypt. Suddenly Jetico looked like a scam. (And they were after TC came around.)
I have also read the "Audit". And I am unconvinced they were even remotely reasonable. Hell, they mentioned this garbage with gleeful ignorance that this function does not exist on all the systems TrueCrypt can be installed on.
"Audit the code for other instances of memset() calls that should be re-
placed with calls to burn() to prevent potential information leakage."
https://www.grc.com/misc/truecrypt/truecrypt.htm
For info, follow:
https://twitter.com/matthew_d_green
TrueCrypt is not going away. But this turn has brought the problem into the spotlight. TC cannot handle volumes larger than 2.25 TB. And that is a big problem for a very few people at the moment, and quite a few in the future. While you can always make multiple partitions/files, that is at best a poor solution. The Linux side has the best solution, but no-one has so far bothered to make it for TC.
LUKS is very good, but it needs cascaded encryption with all the ciphers used by TC, as well as hidden volume support and keyfile support, as well as a Mac and Windows port to really replace TC. (And anyone doing that much work would probably be able to trivially squeeze in more ciphers too, like Threefish, and SHA3-512 hashing.)
In case that ever dies, I have it on my Dropbox account for anyone that needs it. And if some crazy shit happens and that also goes away I can and will find another host for it, or just make and seed a torrent of it. (Although I am not a torrent person, so a webhost would be a better option by far.)
https://www.dropbox.com/s/fedkv6qsgvdqi6f/TrueCrypt_v7.1a.zip
needs it. And if some crazy shit happens and that also goes away I can
and will find another host for it, or just make and seed a torrent of it"
-----
Here https://truecrypt.ch/
https://www.livebusinesschat.com/smf/index.php?topic=5629.0
Years ago I would argue with robert_lazar about images of the moon or Mars and he saw things that I thought were meaningless. But at least he was actually seeing something.
I suspect the Truecrypt devs just got pissed at all the people for all the years of work they did for free, not donating enough to support them, while they exceeded all the money TC ever got in a period of a few months when people started screaming bloody-murder and insisting upon an audit. (TC got roughly 50K in the entire lifetime of the project, but the audit got 70K in mere months.)
I would be insulted too. I probably would not have released TC 7.2 as retaliation, I probably would have done much the same but have it scramble data when used. (Luckily I am not a TC dev. I would have been equally pissed, and far less civil.)
Two vulnerabilities in TrueCrypt for Windows found:
http://www.theregister.co.uk/2015/09/29/google_flaks_find_admin_elevation_holes_that_gave_truecrypt_audit_the_slip/
https://veracrypt.codeplex.com/wikipage?title=Release Notes