Heads-up for TrueCrypt users

Nobody seems sure what’s going on, not even the spectacularly well-informed Bruce Schneier. But TrueCrypt, the whole-disc encryption program many have relied on for a decade, has either been mysteriously compromised or somebody’s pulled off a hoax. Brian Krebs thinks it’s the real deal and that the secretive TrueCrypt team is sending us all a warning.

As some have pointed out, the cryptic “official” announcement that “TrueCrypt is not secure as it may contain unfixed security issues …” could be read as “Not Secure As …”

Let’s hope for a hoax. TrueCrypt being subverted would be a major heartbreaker. And always … be careful out there.

(Tip o’ hat to S.)

10 Comments

  1. jed
    jed May 29, 2014 5:47 pm

    … warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

    That’s just a bizarre statement. Anything I can come up with for why that might be true is immediately refuted by the other voice in my head.

    Prediction: we’ll never know what really happened.

    And, most people will just go ahead and use BitLocker, or stay with their older version of TrueCrypt. Maybe the audit will come up with something that will cause any sensible person to stop using it — even older versions. But, it will eventually just fade from use, as eventually, old versions will not run on newer versions of the OS.

  2. Stephen
    Stephen May 29, 2014 9:24 pm

    I use LUKS and dmcrypt for my personal machines but my employer does use TrueCrypt so I’m following this pretty closely. There is very little reliable information right now and, so far, the hypotheses being floated are a mixture of speculation and ignorance.

  3. Pat
    Pat May 30, 2014 6:06 am

    “TrueCrypt is not secure as it may contain unfixed security issues …” could be read as “Not Secure As …”

    And “unfixable”, if nothing later than XP can be protected by TrueCrypt. TrueCrypt (probably under another name) will have to do a complete overhaul of its security features ― and keep frequent updates ― in order to compete and remain viable and trustworthy. Right now, speculation indicates it has been left behind.

  4. ILTim
    ILTim May 30, 2014 8:00 am

    The part that makes me most uneasy about this, is the advice to move to a Microsoft product. I don’t know anything about BitLocker, but isn’t that a closed source product from a company known to collude with the government?

  5. ILTim
    ILTim May 30, 2014 8:30 am

    A quote from reddit:
    “It’s really terrifying though realizing that something such as an encryption platform can just be silently destroyed by the government at will.”

    Gives me the willies. I can’t wait until the history books are written about this time period, I suspect it will be fascinating. The possibilities I imagine for the future of this country are much more colorful and plausible lately than ever before. There is so much confirmed federal activity which outrages so many different people, groups, and governments, so suddenly…

  6. Paul Bonneau
    Paul Bonneau May 30, 2014 10:07 am

    Claire, here’s an OT.

    I was poking around looking for low tax counties in Oregon. First I found this, which has an interesting map on p7:

    http://www.oregon.gov/dor/STATS/docs/303-405-12/property-tax-stats_303-405_2011-12.pdf

    I decided to look at Gilliam County which has the lowest property tax in the state. The wikipedia entry says, “The largest individual employers in the county are two subsidiaries of Waste Management Inc., Chemical Waste Management of the Northwest and Oregon Waste Systems, Inc., who run two regional waste disposal landfills. By levying a fee of $1 a ton, Gilliam County receives enough money to pay the first $500 of the property tax bills of its inhabitants, an amount that covers the full tax bill for almost half of the county inhabitants, as well as funding other county projects.” In other words, Arlington gets all Portland’s garbage.

    Of course, you have to put up with that gigantic windfarm, sure to depress the county property values in perpetuity. On the other hand, if SHTF, a wind farm in your back yard is not a bad thing to have…

    Amusingly, the county has lost control of its official site. Take a look at
    http://www.co.gilliam.or.us/

    My kind of place! Low/no property tax, no sales tax, and if you are retired or have no visible source of income, no income tax. Also, Linus Pauling was born and grew up there in Condon.

    I’ve also been following Josephine and Curry Counties, prominent on that map for low property taxes, and resistant to tax hikes. I think retirees end up there and vote that crap down. Former “state” of Jefferson…

    I’ve been pushing Tillamook County but my wife says, “too farmy”, sheesh. Guess she thinks Tillamook Cheese comes from the store rather than from cows. I like that cow smell, reminds me of Wisconsin as a kid.

  7. S
    S May 31, 2014 5:12 am

    A comment on Schneier’s blog points to GRC.com that claims to have heard from the developers:

    And then the TrueCrypt developers were heard from . . .
    Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    * TrueCrypt Developer “David”: “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    * Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    * Steven Barnhart: “I asked and it was clear from the reply that “he” believes forking’s harmful because only they are really familiar w/code.”
    * Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    * TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    * Quoting TrueCrypt Developer David: “There is no longer interest.”

    If this is accurate, it reflects rather poorly on the TrueCrypt developers.

  8. Borepatch
    Borepatch June 2, 2014 9:39 am

    Looks like Truecrypt got a National Security Letter. That comes with a gag order.

  9. Claire
    Claire June 2, 2014 11:35 am

    Thanks for the heads-up, Borepatch. So their strange instructions to migrate to a Microsoft product and that oddly phrased “…Not Secure As…” would be cryptic messages to hint at what they’re not allowed to say.

    Makes sense. Well, as much as anything makes sense when cryptographers and the NSA are involved.

  10. ILTim
    ILTim June 3, 2014 7:07 am

    Being that TrueCrypt was first released in 2004, I rather like the theory that the oddly phrased message is “TrueCrypt IS NSA”, initially developed by and wholly owned by that particular agency. Perhaps via careful constructs to avoid any traceable ties, which permitted a whistle blower enough control to deface the whole project.