TrueCrypt under Windows is NOT SECURE - "unfixed security issues"

Kalam

New Member
Was talking about this at work, and considering all of us use TC, it was kind of a big deal. We're taking a way and see approach for now though.
 
Last edited by a moderator:

raindog308

vpsBoard Premium Member
Moderator
TC is so much more than BL: hidden volumes, traveler mode, cross-OS volumes, command line...

My vote is that this is some sort of hack.  I'm very skeptical of any "the government forced them to do it" since the foundation's been around for 10-ish years.

The audit was not that bad - from my quick read it was 10% low-risk stuff that should be fixed and 90% usual nitpicky stuff that security-guru-wannabe auditors add to pad out their reports ("not enough comments in source code", "uses old version of some build tools", "this should be changed to provide a better error message", etc.)  There was nothing about (A) backdoors, or (B) scenarios where someone could grab a random TC volume and read it.

I find it hard to believe that after 10 years of work the project will just fold - and the current maintainers did move on, someone else will very likely pick it up.
 

kcaj

New Member
Title suggests that this problem is only reported to be present in the Windows version of TC. Is that correct?
 

Flapadar

Member
Verified Provider
Title suggests that this problem is only reported to be present in the Windows version of TC. Is that correct?
I'm fairly sure 7.1a is somewhat safe. If you're using truecrypt to prevent someone that isn't the NSA from getting access to your stuff, that is. 

The most feasible reason for this that I've seen so far is that:

1) NSA identified the developers

2) NSL'd the developers

3) Developers preferred to "warrant canary" and kill the project instead of complying fully. 

This being said: a lot of people used the change from U.S. to United States in the resources file as a reason for this; not the case: 

nah, the us -> united states is caused by the upgrade to VS 2010 from RC6. Example here:
http://4o4.nl/20140529WVUSQ.png
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
This...

1) NSA identified the developers

2) NSL'd the developers

3) Developers preferred to "warrant canary" and kill the project instead of complying fully.

I can see that being the situation in a big way
 

kcaj

New Member
Why would it not be safe from the NSA? TC Developers didn't store/keep the keys to any containers.
 
Last edited by a moderator:

Flapadar

Member
Verified Provider
Why would it not be safe from the NSA? TC Developers didn't store/keep the keys to any containers.
If the developers have been found by the NSA, they could be forced to reveal any weaknesses they were aware of. Plus - nothing the US can get their hands on can be treated as safe from the NSA. If they can't crack something they're interested in now; they'll store it indefinitely until they can. 
 

drmike

100% Tier-1 Gogent
Well TrueCrypt's website still bears the same warning....   Doesn't look like a hack....

This oddness I saw on wire today too:

"Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future."

Interesting that the intelligence infrastructure was utilizing such...  Wonder who else is/was using TrueCrypt...
 

kcaj

New Member
We still run it on all our laptops in the field and in the offices.
I'm just a bit more careful about where I store my TC volumes now. Used to replicate them across a few servers but am only storing them on servers if absolutely vital too.
 
Top