Encryption Software

Auditors Release Verified Repositories of TrueCrypt

Posted by Soulskill
from the still-not-sure-what's-going-on dept.
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
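The cross-checking the summary describes (computing a file's digests and comparing them against hashes published by independent sources such as an audit report and other mirrors) can be scripted. This is an added example, not code from the OCAP team or the TrueCrypt project; the file bytes, source names and the "altered build" are constructed stand-ins.

```python
import hashlib
from typing import Dict

# Constructed stand-in for a downloaded release file; the real TrueCrypt 7.1a
# installer is not embedded here.
SAMPLE_FILE = b"TrueCrypt 7.1a installer stand-in (constructed sample bytes)\n"


def digests(data: bytes) -> Dict[str, str]:
    """SHA-1 (as in the sha1sum outputs above) and SHA-256 (the SHA2 family the auditors used)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def cross_check(data: bytes, sources: Dict[str, Dict[str, str]], min_agree: int = 2) -> Dict[str, object]:
    """Compare a file's digests with hashes published by several independent sources.

    The file counts as verified only if no source disagrees and at least
    min_agree distinct sources confirm it; every disagreement is reported so
    the reviewer can see which source is out of step (a tampered mirror or a
    different build) instead of getting a bare pass/fail."""
    actual = digests(data)
    agree, disagree = [], []
    for name, published in sources.items():
        for algo, value in published.items():
            if algo not in actual:
                continue  # hypothetical source publishing an algorithm we do not compute
            (agree if value.lower() == actual[algo] else disagree).append((name, algo))
    confirming = {name for name, _ in agree}
    return {"actual": actual, "agree": agree, "disagree": disagree,
            "verified": not disagree and len(confirming) >= min_agree}


def demo() -> Dict[str, Dict[str, object]]:
    """Constructed scenario: two honest sources, then a third mirror whose
    published hash comes from an altered build of the same file."""
    good = digests(SAMPLE_FILE)
    altered = digests(SAMPLE_FILE + b"\x00")  # stand-in for a modified binary
    honest = {"audit_report": {"sha256": good["sha256"]},
              "mirror_a": {"sha1": good["sha1"]}}
    with_bad = dict(honest, bad_mirror={"sha1": altered["sha1"]})
    return {"good": cross_check(SAMPLE_FILE, honest),
            "bad": cross_check(SAMPLE_FILE, with_bad)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "verified" if result["verified"] else "NOT verified", result["disagree"])
```

Replace `SAMPLE_FILE` with the bytes of a real download and the constructed sources with hashes copied from the audit report and mirrors to apply the same check to an actual installer.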
  • SHA2 Preimage Attack Discovered
  • by bungo (50628) on Tuesday June 10, 2014 @03:30PM (#47205621)

    From my perspective, it appears that both China and the US are willing to bend to their control any IT organization that they can.

    I'm happy that a verified source has been made, but sad to think that it has now come to this - the US, China, Russia, ..... so many countries that it is no longer safe to host security projects.

    If only I could get a Cisco router built in China, packaged in the US and sold through a reseller in Russia.... it could be marketed as the ultimate freedom router*.

    (* Note: freedom is not for the end user)

  • Has anyone looked at the differences between 7.1a and 7.2a? It seems unlikely that the TC authors would intentionally release 7.2a with security-compromising bugs...
    • by droptone (798379) <droptone@nosPaM.gmail.com> on Tuesday June 10, 2014 @03:34PM (#47205667)
      Yep [github.com].
    • by Anonymous Coward on Tuesday June 10, 2014 @03:39PM (#47205713)

      The most obvious difference is that 7.2a will only decrypt files previously encrypted with earlier versions of TrueCrypt. 7.2a is crippled in that it cannot create new encrypted folders, files or whole disks. It was apparently engineered to be broken and serve only as a tool to recover previously encrypted volumes.

  • Match (Score:5, Informative)

    by Anonymous Coward on Tuesday June 10, 2014 @03:46PM (#47205769)

    Only anecdotal, but I have a copy of "TrueCrypt Setup 7.1a.exe" that I downloaded from truecrypt.org on May 25, 2012, with a SHA-1 sum of 7689d038c76bd1df695d295c026961e50e4a62ea, which matches the same file in this repository.

    • by antdude (79039) on Tuesday June 10, 2014 @05:11PM (#47206473) Homepage Journal

      Here's mine:

      2667681 Apr 9 2013 truecrypt-7.1a-linux-x64.tar.gz
      9526318 Jan 20 2013 TrueCrypt 7.1a Mac OS X.dmg
      3466248 Jan 20 2013 TrueCrypt Setup 7.1a.exe

      $ sha1sum *
      086cf24fad36c2c99a6ac32774833c74091acc4d truecrypt-7.1a-linux-x64.tar.gz
      16e6d7675d63fba9bb75a9983397e3fb610459a1 TrueCrypt 7.1a Mac OS X.dmg
      7689d038c76bd1df695d295c026961e50e4a62ea TrueCrypt Setup 7.1a.exe

  • But this time it will be compromised and costly commercial SW.

  • I find it truly delightful that the NSA has accidentally accomplished one small aspect of their cover-story mission through their bad PR of late...

    By making us paranoid of the documented snooping of our own government, the NSA has managed to do what the likes of Bruce Stirling and Phil Zimmermann failed to accomplish for decades - Get us to finally start encrypting everything possible, from end-to-end. This code audit of TrueCrypt counts as only one tiny part of that whole, but attitudes have changed for
    • Did TrueCrypt go down because the NSA pulled their programmers off the team?

      • by rwa2 (4391) *

        I don't know why I don't see more of this... is it not obvious that TrueCrypt is most likely made by whitehats at the NSA? And that the blackhats at the NSA probably finally strongarmed them into abandoning their hobby project?

        This seems consistent with the TrueCrypt End-of-Life announcement.

  • I have TrueCrypt 7.0.0.0 timestamped July 19, 2010 at 1:23:31PM
    • I have TrueCrypt 7.0.0.0 timestamped July 19, 2010 at 1:23:31PM

      The latest I have is TrueCrypt Setup 7.1aWindows-2000-Win7.exe
      with a time stamp of Tuesday, November 19, 2013, 3:10:47 PM Modified Sunday, July 07, 2013, 5:05:54 PM another one modified: Monday, May 21, 2012, 12:43:08 AM

      I also have a version of Linux truecrypt-7.1a-linux-console-x64.tar and x86 Modified and created Wednesday, November 27, 2013, 3:10:40 AM
      I had plans on going to Linux at the time.

      I don't expect money for anything I have, if anybody wants (them) I'll upload em someplace until I get a nasty gr

  • by Anonymous Coward

    thankfully I use windows and bitlocker and don't have to worry about any of this.

  • So who exactly is "the OCAP team?" I admit not following crypto research very closely so the only name I recognize on their site [opencryptoaudit.org] is Bruce Schneier, and though there's a few comments mentioning them on his blog he hasn't as far as I can tell said anything about being involved.

  • the auditors?

    • by amigabill (146897)

      I'm sure that the NSA would be happy to appoint someone to check the work of the NSA appointed auditors doing the current investigation. :)

  • SUUURE, this new verified installer is legit.
    Love, the NSA (who wrote the thing in the first place) ..tries to download it...
    "Using GitHub on Windows has never been this easy."

    Sad Internet user has a sad.

  • But I have come to the conclusion the devs just got sick of giving us free stuff, especially when these auditors came along and got PAID to review code the TrueCrypt devs have been toiling on without pay for years.

    All your NSA conspiracy theories are fun to read, but really.. I'm pretty convinced there's nothing wrong with 7.1a that will come to reveal it's fundamentally flawed and insecure.

    I think I'd be giving you all the finger too if I worked 10 years without pay and some hooha's came along and got paid

  • Does anyone know who the devs are? Why such a strange webpage and release? Are they trying to hint that the NSA has forced a backdoor upon them with the latest release and they've just nuked it? I use truecrypt and I want to know what the hell happened.
  • To me the most likely and simplest explanation of the strange canary-like behavior is to assume a warrant canary is indeed what we are seeing. Which probably means that 7.1a has not been compromised, but that a compromised version of 7.1a will eventually be introduced into the wild. Hence the need for a trusted repo for Windows.

    Nevertheless, are the changes between 7.0 and 7.1 so significant that it is worth the additional risk of a more recent release? I'm thinking of using my 7.0 download from 2011 instead
