
Auditors Release Verified Repositories of TrueCrypt

Posted by Soulskill
from the still-not-sure-what's-going-on dept.
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that the TrueCrypt developers posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
  • by raymorris (2726007) on Tuesday June 10, 2014 @02:58PM (#47205861)

    > Doesn't get much more secure than that.

    The authors of Truecrypt said "WARNING: TrueCrypt is not secure".

    I learned a long time ago that if you go on a date with a woman and she says "I'm crazy", BELIEVE HER. She IS crazy. Even if she's hot, she's probably telling the truth when she says she's crazy. I think the same principle may apply here. If the Truecrypt project page says "Truecrypt is not secure", believe them - it probably is not secure.

    Other options seem to be more secure. Personally, I use dm-crypt (cryptsetup) with 256 bit ESSIV AES CBC, plus a little magic I've thrown in.

  • Subscribe (Score:5, Insightful)

    by tepples (727027) <tepples AT gmail DOT com> on Tuesday June 10, 2014 @03:03PM (#47205895) Homepage Journal

    What are the hashes for your copy?

    In order for a post of the hashes to be of any use, both the poster and anybody reading the post would have to pay Dice for a subscription to Slashdot. This is because Slashdot redirects all non-subscribers' HTTPS pageviews to HTTP. If the poster does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to Slashdot's server. If the reader does not subscribe, a man in the middle could modify the hash on its way from the poster's computer to the reader's computer.
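The story summary describes verifying 7.1a by comparing SHA-2 hashes against copies held elsewhere and against the hash in iSec's phase I report, and the comment above explains why a hash that travels over plain HTTP proves nothing if the same man in the middle can rewrite it. The following is an added example, not code from the audit team or from TrueCrypt: it writes and parses a sha256sum-style manifest, verifies a set of files against it, and then models the comment's point, showing that verification against a manifest received over the same untrusted channel as the files passes, while verification against a manifest obtained out of band (the audit report, in the story) catches the change. File names and contents are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for a release's files: names are illustrative, bytes are made up.
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "TrueCrypt-7.1a-Source.tar.gz": b"constructed: source archive contents",
    "TrueCrypt-Setup-7.1a.exe": b"constructed: windows installer contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_manifest(files: Dict[str, bytes]) -> str:
    """Emit a sha256sum(1)-style manifest: '<hex digest>  <filename>' per line."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: hex digest}.

    Blank lines and '#' comments are skipped; anything else that is not a
    64-hex-digit digest, two spaces and a name is rejected rather than ignored.
    """
    expected: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        expected[name] = digest
    return expected


def verify(files: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Return a status per file: OK, FAILED (digest differs), MISSING (listed but
    absent) or UNLISTED (present but not covered by the manifest)."""
    expected = parse_manifest(manifest_text)
    result: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in files:
            result[name] = "MISSING"
        elif hmac.compare_digest(sha256_hex(files[name]), digest):
            result[name] = "OK"
        else:
            result[name] = "FAILED"
    for name in files:
        if name not in expected:
            result[name] = "UNLISTED"
    return result


def all_ok(result: Dict[str, str]) -> bool:
    return bool(result) and all(status == "OK" for status in result.values())


def unauthenticated_channel_demo() -> Dict[str, bool]:
    """Model the comment's point: if the files and the manifest arrive over the
    same channel an attacker can rewrite, the manifest can be rewritten to match
    the altered file and verification passes. Only a manifest obtained out of
    band (here, the one computed from the known-good files) catches the change."""
    trusted_manifest = write_manifest(KNOWN_GOOD_FILES)  # e.g. the hash in the audit report
    received_files = dict(KNOWN_GOOD_FILES)
    received_files["TrueCrypt-Setup-7.1a.exe"] = b"constructed: modified installer"
    received_manifest = write_manifest(received_files)  # rewritten in transit to match
    return {
        "passes_against_received_manifest": all_ok(verify(received_files, received_manifest)),
        "passes_against_trusted_manifest": all_ok(verify(received_files, trusted_manifest)),
    }


if __name__ == "__main__":
    for name, status in verify(KNOWN_GOOD_FILES, write_manifest(KNOWN_GOOD_FILES)).items():
        print(f"{name}: {status}")
    print(unauthenticated_channel_demo())
```

`hmac.compare_digest` is used for the digest comparison so that the check does not leak how many leading characters matched; the more important design point is that `verify` is only as good as where `manifest_text` came from, which is exactly why the audit team anchored its repository to a hash published in iSec's report rather than to one fetched alongside the files.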

  • by lgw (121541) on Tuesday June 10, 2014 @03:04PM (#47205909) Journal

    If the developers left this "message" that 7.2 might be compromised, what kind of guarantee is there that 7.1 isn't also compromised?

    The only kind of guarantee there is: an open, publicly funded audit of the code. That's the point of this exercise, even before people realized that blindly trusting the TrueCrypt code was a mistake, and that an audit by non-government researchers was needed.

  • by Z00L00K (682162) on Tuesday June 10, 2014 @03:18PM (#47206031) Homepage

    It depends on the level of security you expect. To make sure that your documents don't get into the open when someone steals your laptop it may be sufficient, since most thieves just don't worry about the contents and just reformat it after a cursory glance at the contents. So everything that's not obviously visible or takes more than 5 minutes to access is probably safe.

    If you are targeted by the authorities I would say that no widespread security system is safe. The authorities are even more likely to have backdoors into BitLocker than TrueCrypt, even though I suspect that they have TrueCrypt backdoors as well.

  • by rogoshen1 (2922505) on Tuesday June 10, 2014 @04:03PM (#47206413)

    i think you're confusing 'spontaneous' (which is fun) with 'crazy' which is bunny-burning, jealous lunacy.

  • by Kjella (173770) on Tuesday June 10, 2014 @05:34PM (#47207063) Homepage

    First of all, they said TrueCrypt has unfixed critical bugs, not that it was compromised. It wouldn't really make a lot of sense either; if it was compromised back in 2012 and you wanted to be a whistleblower, why wait well over 2 years to do it? It's not like the NSA or whomever would let that sort of gag order expire. And if they're under any kind of pressure now, it would be to discredit the software they made years ago that doesn't contain any backdoors. Which brings us over to the next issue: they claim there's critical bugs but they won't tell anyone where they are so others can fix them, nor fix them themselves. I mean they don't just want to shut down their project, they want to tarnish the name, burn it to the ground and salt the earth after them, and you really have to ask: Why?

    I don't think, and you probably also don't think, that it's because XP support has ended and we should now all go use BitLocker, so they're lying to us now. Why are they lying to us? I don't know; either they're pressured into it, or working for commercial alternatives, or threw a hand grenade to start conspiracy theories and get everyone reviewing the code, or just went plain nuts, I don't know. But there's no reason for any agency to kill off a version that has a backdoor, and if there really was a government backdoor, wouldn't the best way to be a whistleblower be to point it out? Why this ominous yet vague FUD? The answer that makes the most sense is that they're lying about everything. The developers don't know of any critical issues with 7.1a, but they're being pressured to or want to kill it.

    That doesn't mean TrueCrypt is bug free; of course it may have bigger and smaller issues. But I think they're lying about knowingly withholding anything; that they're not working on the code and not maintaining it isn't the same as deliberately avoiding fixing issues. If they had said nothing at all and TrueCrypt had stayed at version 7.1a for another few years I'd still use it, and despite what looks to me like a best effort they can't go back in time and sabotage their old release. So while I wouldn't trust anything they do from now on, the older code looks good. Why else would they go through so much effort to get rid of it? Somebody badly wants TrueCrypt 7.1a to disappear and be abandoned; the question is who and why.

  • Re:Subscribe (Score:2, Insightful)

    by sillybilly (668960) on Tuesday June 10, 2014 @08:10PM (#47208105)
    That's gay
