2014-05-29, 12:35 AM
Lots of drama today about TrueCrypt.org redirecting to a rushed-quality SourceForge page encouraging the use of alternatives such as Microsoft's BitLocker or the encryption options built into OS X, and for Linux:
Quote: If you have files encrypted by TrueCrypt on Linux:
Use any integrated support for encryption. Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation.
First of all.... those Linux directions!
A new release (7.2) was subsequently put out, signed with what appears to be the actual TrueCrypt signing key. All past versions were wiped, and 7.2 dropped all encryption functionality, now only aborting with the error that TrueCrypt "is not secure as it may contain unfixed security issues." You're only able to decrypt volumes for migration to other solutions at the moment.
Some theorize that this may be a sign of an NSL (National Security Letter), or in other words, a subpoena, with a confidentiality clause (allowed by the wonderful PATRIOT Act) that would suppress the service (TrueCrypt) from notifying users of the ongoing dispute. Others think that it may be defacing by the NSA or another organization in order to encourage people to use BitLocker or other closed-source, probably-backdoored solutions. Then there are some who believe it was a dispute among the developers. And finally, you have a small population who believe a legitimate security issue was found.
My greatest issue with the thought of this being legitimate is that the development was allegedly ended because of Windows XP EOL. This makes absolutely no sense, since TC is cross-platform, and that's its main selling point. TrueCrypt writeups on the site before were very detailed, technical, and complete, whereas the new documents seem very rushed, almost intentionally.
My personal opinion is that it is an NSL with a confidentiality clause, and that the feds want the project dead. Seems like the changes may have been intentional by the devs, and flawed to sound the alarms in the community, but within legal provisions. The changes and the description of NSLs seem to align too much with this, and TrueCrypt is known well for being very difficult to crack.
Think I'm about to convert my casual computing to Linux and only video editing and necessary things on OS X.
Opinions?
Links:
https://news.ycombinator.com/item?id=7812133 (Hacker News)
http://lifehacker.com/truecrypts-web-sit...1582879439 (Lifehacker)
http://www.reddit.com/r/netsec/comments/...ed_052814/ ( /r/netsec )
http://arstechnica.com/security/2014/05/...tly-warns/ (Ars Technica)