# TrueCrypt under Windows is NOT SECURE - "unfixed security issues"



## drmike (May 28, 2014)

Fresh off the paranoid presses, TrueCrypt has security issues and looks now to be dead and unsupported.

source: http://truecrypt.sourceforge.net/

The issue revolves around Microsoft dumping support for old versions and BitLocker becoming Microsoft's crypto stuff.

Oddly, even the Linux download area bears scary language: (URL: http://truecrypt.sourceforge.net/OtherPlatforms.html)

Downloads:

**WARNING: Using TrueCrypt is not secure**


----------



## Kakashi (May 28, 2014)

I was just about to come here and post this after making a thread on WHT.

http://www.webhostingtalk.com/showthread.php?t=1379810

Rumor mill is going strong. The audit carried out recently exposed a fair few vulnerabilities. I think that might have led to them just throwing in the towel.


----------



## Patrick (May 28, 2014)

Apparently it's been compromised, advised not to download the latest version.

http://www.theregister.co.uk/2014/05/28/truecrypt_hack/


----------



## Francisco (May 28, 2014)

I thought it was assumed that bitlocker was backdoored anyway?

Francisco


----------



## TruvisT (May 28, 2014)

Francisco said:


> I thought it was assumed that bitlocker was backdoored anyway?
> 
> Francisco


Why I use TC. BL is too based around TPM *shudders*


----------



## Kalam (May 28, 2014)

Was talking about this at work, and considering all of us use TC, it was kind of a big deal. We're taking a wait and see approach for now though.


----------



## raindog308 (May 28, 2014)

TC is so much more than BL: hidden volumes, traveler mode, cross-OS volumes, command line...

My vote is that this is some sort of hack.  I'm very skeptical of any "the government forced them to do it" since the foundation's been around for 10-ish years.

The audit was not that bad - from my quick read it was 10% low-risk stuff that should be fixed and 90% usual nitpicky stuff that security-guru-wannabe auditors add to pad out their reports ("not enough comments in source code", "uses old version of some build tools", "this should be changed to provide a better error message", etc.)  There was nothing about (A) backdoors, or (B) scenarios where someone could grab a random TC volume and read it.

I find it hard to believe that after 10 years of work the project will just fold - and if the current maintainers did move on, someone else will very likely pick it up.
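
The cross-OS and command-line angle above is the part that survives the project's death: a TrueCrypt 7.1a container can be opened on Linux by cryptsetup's native `tcrypt` support without any TrueCrypt binary at all. The script below is an added example, not code from this thread or from the TrueCrypt project. It assumes cryptsetup 1.6 or newer (the version that added `--type tcrypt`), root privileges for the actual open, and a hypothetical container path and mapper name; `tc_open_cmd` only builds the command line (so it can be checked offline), `tc_open` runs it.

```shell
#!/bin/sh
# Added example (not from the thread or the TrueCrypt project): open a
# TrueCrypt 7.1a container on Linux via dm-crypt/cryptsetup. Assumes
# cryptsetup >= 1.6 with tcrypt support and root for the real open.

# Build the cryptsetup argv for a container.
#   $1 container path   $2 mapper name
#   $3 outer|hidden     (hidden selects the hidden volume inside the outer one)
#   $4 ro|rw            (default ro: do not write to a volume produced by an
#                        unmaintained tool until you have verified it mounts)
tc_open_cmd() {
    container="$1"; name="$2"; mode="${3:-outer}"; access="${4:-ro}"
    if [ -z "$container" ] || [ -z "$name" ]; then
        echo "usage: tc_open_cmd CONTAINER NAME [outer|hidden] [ro|rw]" >&2
        return 2
    fi
    opts="--type tcrypt"
    case "$access" in
        ro) opts="$opts --readonly" ;;
        rw) ;;
        *)  echo "access must be ro or rw" >&2; return 2 ;;
    esac
    case "$mode" in
        outer)  ;;
        hidden) opts="$opts --tcrypt-hidden" ;;
        *)      echo "mode must be outer or hidden" >&2; return 2 ;;
    esac
    echo "cryptsetup open $opts $container $name"
}

# Actually open the container (prompts for the passphrase) and tell the
# caller how to mount the resulting mapper device. Hypothetical paths.
tc_open() {
    cmd=$(tc_open_cmd "$@") || return $?
    container="$1"; name="$2"
    [ -r "$container" ] || { echo "no such container: $container" >&2; return 1; }
    # tcryptDump decrypts only the header; a failure here means wrong
    # passphrase/keyfile or a damaged header, before any mapping is created.
    cryptsetup tcryptDump "$container" >/dev/null || {
        echo "header did not decrypt for $container" >&2; return 1; }
    $cmd || return 1   # word-splitting of $cmd is intentional
    echo "opened /dev/mapper/$name; mount with: mount -o ro /dev/mapper/$name /mnt/tc"
}

# Example invocation (hypothetical container): tc_open /srv/vault.tc tcvol
```

Because the hidden volume's header sits at a different offset and is decrypted with a different passphrase, `--tcrypt-hidden` is what distinguishes "open the outer decoy" from "open the hidden volume"; opening the outer volume read-only is also the only safe way to look at it without risking an overwrite of the hidden area.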


----------



## drmike (May 28, 2014)

Francisco said:


> I thought it was assumed that bitlocker was backdoored anyway?
> 
> 
> Francisco


It's a Microsoft product.   Do I need to say anything more than that?


----------



## raindog308 (May 28, 2014)

drmike said:


> It's a Microsoft product.   Do I need to say anything more than that?


At least it's not an Apple product:  https://www.eff.org/who-has-your-back-2013


----------



## drmike (May 28, 2014)

raindog308 said:


> At least it's not an Apple product:  https://www.eff.org/who-has-your-back-2013


Yeah Apple did much better in the 2014 report.  Unsure if the scandals caused the change or if they figured out how to falsely comply to save face.

I protest and avoid both Microsoft and Apple.


----------



## kcaj (May 29, 2014)

Title suggests that this problem is only reported to be present in the Windows version of TC. Is that correct?


----------



## Flapadar (May 29, 2014)

1e10 said:


> Title suggests that this problem is only reported to be present in the Windows version of TC. Is that correct?


I'm fairly sure 7.1a is *somewhat* safe. If you're using truecrypt to prevent someone that isn't the NSA from getting access to your stuff, that is. 

The most feasible reason for this that I've seen so far is that:

1) NSA identified the developers

2) NSL'd the developers

3) Developers preferred to "warrant canary" and kill the project instead of complying fully. 

This being said: a lot of people used the change from U.S. to United States in the resources file as a reason for this; not the case: 



> nah, the us -> united states is caused by the upgrade to VS 2010 from RC6. Example here:
> http://4o4.nl/20140529WVUSQ.png


----------



## drmike (May 30, 2014)

This...

1) NSA identified the developers

2) NSL'd the developers

3) Developers preferred to "warrant canary" and kill the project instead of complying fully.

I can see that being the situation in a big way


----------



## kcaj (May 30, 2014)

Why would it not be safe from the NSA? TC Developers didn't store/keep the keys to any containers.


----------



## Flapadar (May 30, 2014)

1e10 said:


> Why would it not be safe from the NSA? TC Developers didn't store/keep the keys to any containers.


If the developers have been found by the NSA, they could be forced to reveal any weaknesses they were aware of. Plus - nothing the US can get their hands on can be treated as safe from the NSA. If they can't crack something they're interested in now; they'll store it indefinitely until they can.


----------



## TruvisT (Jun 3, 2014)

https://www.grc.com/misc/truecrypt/truecrypt.htm

Just some more content to throw in for ref.


----------



## drmike (Jun 15, 2014)

Well TrueCrypt's website still bears the same warning....   Doesn't look like a hack....

This oddness I saw on wire today too:

"_Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future._"

Interesting that the intelligence infrastructure was utilizing such...  Wonder who else is/was using TrueCrypt...


----------



## kcaj (Jun 15, 2014)

I'm still using TC.


----------



## TruvisT (Jun 16, 2014)

1e10 said:


> I'm still using TC.


We still run it on all our laptops in the field and in the offices.


----------



## kcaj (Jun 16, 2014)

TruvisT said:


> We still run it on all our laptops in the field and in the offices.


I'm just a bit more careful about where I store my TC volumes now. Used to replicate them across a few servers but am only storing them on servers if absolutely vital to.


----------



## k0nsl (Jun 16, 2014)

Hop onto CipherShed, it'll be the successor to TC. They seem to be great guys.


----------



## TruvisT (Jun 17, 2014)

k0nsl said:


> Hop onto CipherShed, it'll be the successor to TC. They seem to be great guys.


Good share. I do like this: https://ciphershed.org/Audit


----------



## drmike (Apr 3, 2015)

An audit of TrueCrypt has come back clean, no backdoors. Yippies!!! Perhaps from the ashes it shall rise again.

https://opencryptoaudit.org/reports/TrueCrypt_Phase_II_NCC_OCAP_final.pdf


----------

