You are not logged in.

#1 2014-05-28 22:03:50

Jacek Poplawski
Member
From: Poland
Registered: 2006-01-10
Posts: 736
Website

Truecrypt website probably compromised

Warning!!!
Truecrypt website was probably compromised.
Don't upgrade anything, new version is probably a hoax/trojan.
Wait for an official info.

http://www.reddit.com/r/sysadmin/commen … t_is_dead/
http://www.reddit.com/r/netsec/comments … ed_052814/
http://it.slashdot.org/story/14/05/28/2 … -bitlocker

Last edited by Jacek Poplawski (2014-05-28 22:04:41)

Offline

#2 2014-05-28 22:09:34

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Truecrypt website probably compromised

...or use tcplay to manage those containers.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#3 2014-05-28 22:13:05

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Truecrypt website probably compromised

The general impression is that this is a hoax.  Beware.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#4 2014-05-28 22:21:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Truecrypt website probably compromised

https://projects.archlinux.org/svntogit … /truecrypt

Or just keep using the current Arch version 7.1 from Jan of this year.


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#5 2014-05-28 22:29:13

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Truecrypt website probably compromised

jasonwryan wrote:

...or use tcplay to manage those containers.

http://jasonwryan.com/blog/2013/01/10/truecrypt/ :-)

Offline

#6 2014-05-28 23:18:00

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: Truecrypt website probably compromised

I'm looking at this wondering whether it is a hoax...

This analysis seems reasonable accurate.

EDIT: If anything, at least the Arch Developers have a copy of truecrypt 7.1 and 7.1a tar's for Linux holed up on the archlinux's ftp server.

Last edited by clfarron4 (2014-05-28 23:23:35)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#7 2014-05-29 08:05:57

ninian
Member
From: United Kingdom
Registered: 2008-02-24
Posts: 726
Website

Re: Truecrypt website probably compromised

Anyone know if it would be sensible to try using realcrypt with Arch instead of Truecrypt?
I presume the Fedora folks will keep this open-source fork going ... and does systemd support realcrypt volumes, surely?!
Many things to ponder if Truecrypt really has bit the dust (à la Lavabit?) ...
sad

Offline

#8 2014-05-29 08:11:04

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Truecrypt website probably compromised

IMHO whichever version is true, Truecrypt should be considered compromised.

If the message comes from the authors - either intentionally and directly, as a dead-man switch or as a notice of things they can't tell about for legal reasons - then we should believe them.
If the message is hoax, the attacker has developer's key and since the devs were anonymous, all possibilities of verifying their identity were lost.

Of course there is a possibility that some other trusted party will fork Truecrypt in future.

truecrypt package is already marked as out of date. While I would refrain from pushing 7.2 until things got clear or at least the latest source code is verified, I believe it might be a good idea to increment pkgrel and give users a warning about the issue.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#9 2014-05-29 09:26:04

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163
Website

Re: Truecrypt website probably compromised

mpan wrote:

truecrypt package is already marked as out of date. While I would refrain from pushing 7.2 until things got clear or at least the latest source code is verified, I believe it might be a good idea to increment pkgrel and give users a warning about the issue.

I was going to go onto the Wiki and write this as a warning, but it was midnight and my brain needed sleep.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#10 2014-05-29 10:26:31

mhogomchungu
Member
Registered: 2013-03-29
Posts: 87

Re: Truecrypt website probably compromised

ninian wrote:

Anyone know if it would be sensible to try using realcrypt with Arch instead of Truecrypt?
I presume the Fedora folks will keep this open-source fork going ... and does systemd support realcrypt volumes, surely?!
Many things to ponder if Truecrypt really has bit the dust (à la Lavabit?) ...
sad

cryptsetup[1] can unlock TrueCrypt volumes and more recent versions of systemd supports unlocking TrueCrypt volumes through cryptsetup but think is useful only if you want them unlocked at boot time.

A GUI alternative solution for management of TrueCrypt volumes already exists in arch repository and can be installed from here[2]

[1]  https://code.google.com/p/zulucrypt/

[2] https://aur.archlinux.org/packages/zulucrypt/

Offline

#11 2014-05-29 10:32:38

ninian
Member
From: United Kingdom
Registered: 2008-02-24
Posts: 726
Website

Re: Truecrypt website probably compromised

mhogomchungu wrote:

cryptsetup[1] can unlock TrueCrypt volumes and more recent versions of systemd supports unlocking TrueCrypt volumes through cryptsetup but think is useful only if you want them unlocked at boot time.

Yes - that's what I do on a laptop where systemd unlocks the Truecrypt volume on boot, and then I mount it as /home.
Will have a look at Zulucrypt again, thanks for suggestion.

Offline

#12 2014-05-29 11:36:52

Viper_Scull
Member
From: London, UK
Registered: 2011-01-15
Posts: 153

Re: Truecrypt website probably compromised

From reddit:

The binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (seems like it doesn't, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too.
Assumption #1 The website is presumed hacked, the keys are presumed compromised. Please do not download or run it. And please don't switch to bitlocker.
Latest working version is 7.1a. Version 7.2 is a hoax
On the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.
Why I think so: strange key change, why bitlocker?
Assumption #2 Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing. So this version is legit
Why I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources), the binaries seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a). License text is changed too (see the diff below).
Why is it ridiculous for TrueCrypt developers to suggest moving to BitLocker? Well, TrueCrypt was strictly against of using TPM because it may contain extra key chains which allow agencies like NSA to extract your private key. So why would they suggest such a thing and not other open-source alternatives? It looks like a clear sign that the developer can't say he's in danger so he did this. As many suppose, this could be the sort of warrant canary
Assumption #2 is more likely true than assumption #1. Sad but true.
Assumption #3 7.1a is backdoored and the developer wants all users to stop using it.
Why I think so: there is a website http://truecryptcheck.wordpress.com which contains all the hash sums for TrueCrypt 7.1a. Is has only 1 blog record from August 15, 2013, only for TrueCrypt and only for 7.1a. It's a bit strange to make a website with the hash sums for only one program and only one version of it.
SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.
SourceForge claims everything is as usual (from https://news.ycombinator.com/item?id=7813121):
Providing some details from SourceForge:
We have had no contact with the TrueCrypt project team (and thus no complaints).
We see no indicator of account compromise; current usage is consistent with past usage.
Our recent SourceForge forced password change was triggered by infrastructure improvements not a compromise. FMI see http://sourceforge.net/blog/forced-password-change/
Thank you,
The SourceForge Team communityteam@sourceforge.net
TrueCrypt developers are unknown and currently there is no way to know who is who and who should we listen to.
From wikileaks twitter https://twitter.com/wikileaks/status/471769936038461440:
(1/4) Truecrypt has released an update saying that it is insecure and development has been terminated http://truecrypt.sf.net
(2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement
(3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..
(4/4) in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.
From Matthew Green (one of TrueCrypt auditor) twitter https://twitter.com/matthew_d_green/sta … 8147519488:
@SteveBellovin @mattblaze @0xdaeda1a I think this is legit.
TrueCrypt Setup 7.1a.exe:
sha1: 7689d038c76bd1df695d295c026961e50e4a62ea
md5: 7a23ac83a0856c352025a6f7c9cc1526
TrueCrypt 7.1a Mac OS X.dmg:
sha1: 16e6d7675d63fba9bb75a9983397e3fb610459a1
md5: 89affdc42966ae5739f673ba5fb4b7c5
truecrypt-7.1a-linux-x86.tar.gz:
sha1: 0e77b220dbbc6f14101f3f913966f2c818b0f588
md5: 09355fb2e43cf51697a15421816899be
truecrypt-7.1a-linux-x64.tar.gz:
sha1: 086cf24fad36c2c99a6ac32774833c74091acc4d
md5: bb355096348383987447151eecd6dc0e
Diff between latest version and the hoax one: https://github.com/warewolf/truecrypt/c … ster...7.2
Screenshot: http://habrastorage.org/getpro/habr/pos … 038fc1.png
Topics: https://news.ycombinator.com/item?id=7812133
http://www.reddit.com/r/netsec/comments … ed_052814/
http://www.reddit.com/r/sysadmin/commen … t_is_dead/
http://www.reddit.com/r/crypto/comments … truecrypt/
http://arstechnica.com/security/2014/05 … tly-warns/
http://krebsonsecurity.com/2014/05/true … ot-secure/
Twitter stream: https://twitter.com/search?q=truecrypt&src=typd
You may join IRC #truecrypt@irc.freenode.net, although there is no OPs right now.


Athlon II X4 620 + Gigabyte 785GPM-UD2H + 4GB DDR3 + SSD OCZ Vertex2 60GB

Archlinux x86_64 + Openbox

Offline

#13 2014-05-29 13:02:25

jskier
Member
From: Minnesota, USA
Registered: 2003-07-30
Posts: 383
Website

Re: Truecrypt website probably compromised

Some more insight today, appears more likely original devs threw in the towel:
https://krebsonsecurity.com/2014/05/tru … ot-secure/


--
JSkier

Offline

#14 2014-05-29 18:51:11

Rob_H
Member
Registered: 2012-06-19
Posts: 72

Re: Truecrypt website probably compromised

Hard to believe the message is authentic given what they're saying and doing with 7.2. Recommending closed-source alternatives and LOUDLY declaring their own hard work to be "insecure" is just bizarre behavior. I agree with mpan: No matter what really happened, consider TrueCrypt compromised.

Offline

#15 2014-05-29 22:58:02

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Truecrypt website probably compromised

I think this is the most likely scenario:

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/comment-page-1/#comment-255908 wrote:

The iSec initial audit report was very critical of the TC code quality, and implied that it looks like the work of a single coder. There was no update for 2 years. The build process requires a 20 year old MS compiler, manually extracted from an exe installer.

Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.) You have to eat, so you have a real paying job. You’re not so young any more (doing the TC crap for a decade) and maybe the real job now includes responsibilities that crowd out side work. Or maybe you’ve got a family you love more than the whiny paranoids you encounter via TC. And now iSec is telling you your code is sloppy and unreadable, and that you should take on a buttload of mind-numbing work to pretty it up so they will have an easier time figuring out where some scotch-fueled coding session in 2005 ( or maybe something you inherited from a past developer) resulted in a gaping exploitable hole that everyone will end up calling a NSA backdoor.

Maybe you just toss it in. Why not? Anyone with a maintained OS has an integrated alternative and as imperfect as they may be, they are better than TC for most users. Maintaining TC isn’t really doing much good for many people and the audit just pushed a giant steaming pile of the least interesting sort of maintenance into top priority. Seems like a fine time to drop it and be your kids’ soccer coach.

Offline

#16 2014-05-29 23:23:13

GI Jack
Member
Registered: 2010-12-29
Posts: 92

Re: Truecrypt website probably compromised

truecrypt has been marked as "out of date" on the repo tracker, this needs to be undone. There will be no more valid releases of truecrypt.

tcplay + zulucrypt seem like the best alternative so far.

whiny paranoids you encounter via TC.

haha, what a pretenious prick. he's gotta feel so self-important. Woah, look at me, people are worried about security, they must be paranoid. what a dick. I mean these people must be terrorists living in their mothers basement, 14 years old, and everything.

way to go champ.

what about whiny dullheaded "skeptics".

Last edited by GI Jack (2014-05-29 23:28:23)

Offline

#17 2014-05-30 03:52:53

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: Truecrypt website probably compromised

Be fair, GI Jack. Many of us who use encryption in different ways aren't necessarily paranoid, but take an hour to look around the internet for recent discussions on the matter. You're bound to come across a lot of people looking to completely wipe themselves from existence. Then consider that the most vocal individuals tend to be malcontents who contribute next to nothing to others.  Now, imagine you're responsible for developing and maintaining a widely used piece of security software (all on your own, it seems). What do you suppose the bulk of your correspondence will be like? Seems to me the author of that quote was trying to empathize.

Offline

#18 2014-05-31 00:33:18

Jacek Poplawski
Member
From: Poland
Registered: 2006-01-10
Posts: 736
Website

Re: Truecrypt website probably compromised

Offline

#19 2014-05-31 20:08:02

MickeyRat
Member
Registered: 2011-11-15
Posts: 128

Re: Truecrypt website probably compromised

It's hard to say what's going on with Truecrypt but, I really haven't used Truecrypt all that much.  I use LUKS on partitions but, I did have a couple TC containers laying around.  So, this morning I decided to get rid of Truecrypt altogether and go with loop devices encrypted with LUKS.  Set up the new LUKS containers, get them mounted, mount the TC containers, copy the files, blow away the TC containers, pacman -Rns truecrypt.  I'm no shell script wizard but, it wasn't hard to work up a script to make mounting with the LUKS containers easy enough.  I may go with whatever replaces Truecrypt in a year or two but, this serves my needs just fine so maybe not.


Some cause happiness wherever they go; others whenever they go.
- Oscar Wilde

Offline

#20 2014-06-10 04:16:51

chaonaut
Member
From: Kyiv, Ukraine
Registered: 2014-02-05
Posts: 382

Re: Truecrypt website probably compromised

truecrypt was the only block device-level encryption solution that could be called cross-platform (windoze, linux, mac os).
so i continue using it al least on my usb drive.

Last edited by chaonaut (2014-06-10 05:10:33)


— love is the law, love under wheel, — said aleister crowley and typed in his terminal:
usermod -a -G wheel love

Offline

#21 2015-10-01 02:08:30

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Truecrypt website probably compromised

So if anyone of you is using TrueCrypt to share encrypted volumes between ArchLinux and Windows: two critical bugs has been found on Windows: CVE-2015-7358 and CVE-2015-7359. VeraCrypt has fixed those already.

Last edited by mpan (2015-10-01 02:08:55)


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#22 2015-10-01 22:34:53

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,442
Website

Re: Truecrypt website probably compromised

This thread is old, and I don't see how the new content realates specifically to this thread.

Closed.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

Board footer

Powered by FluxBB