TrueCrypt compromised by ?????

alexntg

@StrongBad said:

Not sure that that clears anything up. If the site was hacked that would explain this. Something is very fishy. And what about non-Windows users. XP retirement would mean nothing for them.

OS X has had disk encryption for years.

Dashrender

@alexntg said:

@technobabble said:

Well everyones talking about it on twitter and other websites. Here's what PC World is saying: http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html

That makes sense, as Windows has the same functionality built-in.

Sure, but it's closed source.. so it's really not trustworthy!

alexntg

@Dashrender said:

@alexntg said:

@technobabble said:

Well everyones talking about it on twitter and other websites. Here's what PC World is saying: http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html

That makes sense, as Windows has the same functionality built-in.

Sure, but it's closed source.. so it's really not trustworthy!

Until recently, no one had actually audited TrueCrypt's code, so for a very long time, it could have had massive backdoors that no one cared to look for. Whether it's open source or close source, it doesn't really matter. On one side, you hope the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. On the other hand, you hope that the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. Unless you're manually auditing the code yourself, what does it matter?

JaredBusch

This seems too coordinated for a hack IMO. There are way too many pieces being changed at the same time. Yeah if it was just the website or just the source code, but the way back machine has no info? That is abnormal. The new executable being signed with the correct but recently reissued key? Unusual.

This is a lot of stuff to change and would be an unprecedented public hack.

scottalanmiller

@alexntg said:

@Dashrender said:

@alexntg said:

@technobabble said:

Well everyones talking about it on twitter and other websites. Here's what PC World is saying: http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html

That makes sense, as Windows has the same functionality built-in.

Sure, but it's closed source.. so it's really not trustworthy!

Until recently, no one had actually audited TrueCrypt's code, so for a very long time, it could have had massive backdoors that no one cared to look for. Whether it's open source or close source, it doesn't really matter. On one side, you hope the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. On the other hand, you hope that the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. Unless you're manually auditing the code yourself, what does it matter?

No one published an audit. Doesn't imply that it wasn't audited.

scottalanmiller

@JaredBusch said:

This seems too coordinated for a hack IMO. There are way too many pieces being changed at the same time. Yeah if it was just the website or just the source code, but the way back machine has no info? That is abnormal. The new executable being signed with the correct but recently reissued key? Unusual.

This is a lot of stuff to change and would be an unprecedented public hack.

True it is seemingly more and more likely to be legit.

It's not really a needed product anymore across any platform. But still very odd.

alexntg

@scottalanmiller said:

@alexntg said:

@Dashrender said:

@alexntg said:

@technobabble said:

Well everyones talking about it on twitter and other websites. Here's what PC World is saying: http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html

That makes sense, as Windows has the same functionality built-in.

Sure, but it's closed source.. so it's really not trustworthy!

Until recently, no one had actually audited TrueCrypt's code, so for a very long time, it could have had massive backdoors that no one cared to look for. Whether it's open source or close source, it doesn't really matter. On one side, you hope the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. On the other hand, you hope that the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. Unless you're manually auditing the code yourself, what does it matter?

No one published an audit. Doesn't imply that it wasn't audited.

Nor does it imply that it was audited.

scottalanmiller

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

technobabble

Unless I am mistaken Bit locker is only for enterprise which is another reason its not a good replacement.

alexntg

@technobabble said:

Unless I am mistaken Bit locker is only for enterprise which is another reason its not a good replacement.

BitLocker's available with 8.1 Pro.

alexntg

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

scottalanmiller

@technobabble said:

Unless I am mistaken Bit locker is only for enterprise which is another reason its not a good replacement.

And requires different tools on different platforms.

scottalanmiller

@alexntg said:

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

Long ago just a little. Use LUKS now.

alexntg

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

Long ago just a little. Use LUKS now.

Did you audit TrueCrypt?

scottalanmiller

@alexntg said:

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

Long ago just a little. Use LUKS now.

Did you audit TrueCrypt?

Not relevant. I'm not and was not on the security team. That's redirection.

Companies that I've worked at did code audits, certainly.

technobabble

@alexntg Good to know, thanks!

alexntg

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

Long ago just a little. Use LUKS now.

Did you audit TrueCrypt?

Not relevant. I'm not and was not on the security team. That's redirection.

Companies that I've worked at did code audits, certainly.

Completely relevant! Did the company you were working for when you used TrueCrypt audit the source code for it? If they did, great. If not, there's no difference from using a closed source product, in that you assumed/trusted that it was secure.

alexntg

@scottalanmiller said:

@technobabble said:

Unless I am mistaken Bit locker is only for enterprise which is another reason its not a good replacement.

And requires different tools on different platforms.

For Windows 8/8.1, all it requires is a computer running Windows Pro or better. Windows 7 required a computer running Windows Enterprise and either a TPM or thumb drive.

Nic

Looks like someone might pick up the torch on TrueCrypt: https://au.news.yahoo.com/thewest/business/technology/a/23969633/

scottalanmiller

@alexntg said:

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

@alexntg said:

@scottalanmiller said:

No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.

Have you used TrueCrypt before?

Long ago just a little. Use LUKS now.

Did you audit TrueCrypt?

Not relevant. I'm not and was not on the security team. That's redirection.

Companies that I've worked at did code audits, certainly.

Completely relevant! Did the company you were working for when you used TrueCrypt audit the source code for it? If they did, great. If not, there's no difference from using a closed source product, in that you assumed/trusted that it was secure.

Still different in that you can audit anytime and others can audit. And you can monitor changes over time.