AstroZombie1

TrueCrypt has been compromised...


The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

 

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to a SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

 

Source - theregister.co.uk


O__O

 

This doesn't affect me, but that sucks.



Didn't even know this existed... but that sucks. Doesn't sound good. Seems pretty pointless why though.


Possible malware served after SourceForge switcheroo



I feel as if the devs are trying to tell us some government agency is to blame:

https://en.wikipedia.org/wiki/Warrant_canary



This seems highly suspect that encryption software that's been secure is suddenly bowing down and suggesting you use Microsoft's solution...a company well known to bow down to NSA whims and is part of project PRISM. This gives a foul odor.



So is it possible the website has been hijacked but the software hasn't actually been cracked?

Seems fishy.


Well, an update was released with TrueCrypt's signed key. The new "Update" disallows encrypting disks, only decrypting disks. The new binaries also have popup messages informing the user that "Truecrypt is no longer secure".

 

This all seems out of place.

 

My two hypotheses are:

Also of note is the Twitter account of Matthew Green, who was auditing TrueCrypt:

https://twitter.com/matthew_d_green

 

He has a few posts which seem to imply a message:


 

Infer what you want, but it does seem as if TrueCrypt has been compromised at some level.



Yes I would agree, it just seems to be evidence that a power shift has occurred behind the scenes, and just the face of the situation is being altered.


Also, another sign that TrueCrypt may have been compromised:

One of the security analysts, Kenn White, involved with the TrueCrypt audit tweeted that the timestamp of the compiled binary for Windows is showing UTC-7 hrs, or better known as PDT (USA - West Coast).

It was believed that one of the developers may have been located in Poland, explaining why all of the binaries were built and timestamped with UTC+1 or UTC+2 previously.


 

If the timestamp is to be believed, it means that the latest version of TrueCrypt may have been compiled by someone other than the true developers, more specifically someone located on the West Coast of the United States, rather than in Europe.

 

As of now my personal advice to everyone is to not touch the latest 7.2 binary. Given that TrueCrypt's signing key may have been compromised, there may be malware hidden in the latest release.


In theory, the 7.1 installer should still be fine. Never really hardcore used TrueCrypt, but I kept an installer just in case. If this 7.2 is all pandering to Microsoft and their blatant NSA ties, I want nothing to do with this entire mess. I have confidence that pre-pandering TrueCrypt should still be fine.



This smells really fishy.

My guess is that something happened to the developer and he thought this was the best way of dealing with it.

That he recommends BitLocker is really strange though.

Guess everyone will have to change over to GnuPG or something similar now. It's a shame TrueCrypt uses its own stupid license as well, otherwise someone would just have been able to fork it.


Well, I kinda saw this happening due to Heartbleed and such. Also, the latest TrueCrypt version that I got a few months back was dated to the year 2012 or something (downloaded from TrueCrypt).


The latest release had the license changed actually. It no longer contains the advertising clause. Strangely enough it encourages people to now fork the latest release.

 

Although this may imply that the latest 7.2 binaries are safe to use, there is no way of knowing if the latest binaries were compiled from the source code provided. After doing some research, it seems the latest binaries cannot be recreated from the source provided because of signature differences. 



TrueCrypt's Windows binaries have always been really hard to reproduce (which has led people to believe that the precompiled binaries don't use the source code posted on the website), so there isn't really any surprise there.

If they changed the license to clearly allow forking then that's good news.


in after NSA

 

Soon enough we will have no decently secure software to use. Compromising SSL and now one of the popular drive encryption tools.



I'm not at all a conspiracy nut, but I must admit that this has me rather severely worried.

Or, in technical terms: Holy shit! :wacko: :blink:



What if they just said that TrueCrypt has been compromised but it actually isn't?

It's a possibility.
