Auditors Release Verified Repositories of TrueCrypt 146
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
The message that the TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
7.1a for x64 linux (Score:0, Interesting)
Luckily I have a copy of 7.1a for x64 linux. Because this is a great opportunity to release a trojan horse version of Truecrypt and many people would be affected
Re:Differences between 7.1a and 7.2a (Score:4, Interesting)
The most obvious difference is that 7.2a will only decrypt files previously encrypted with earlier versions of TrueCrypt. 7.2a is crippled in that it cannot create new encrypted folders, files or whole disks. It was apparently engineered to be broken and serve only as a tool to recover previously encrypted volumes.
Re:7.1a for x64 linux (Score:5, Interesting)
Luckily I have a copy of 7.1a for x64 linux. Because this is a great opportunity to release a trojan horse version of Truecrypt and many people would be affected
I wonder was its source in any of repositories for the larger Linux distros? Perhaps Debian, Gentoo,or Arch would have a cryptographically signed copy of it if so that would be a simple matter of grabbing the source with a apt-get source command.
Cross-platform (Score:4, Interesting)
Personally, I use dm-crypt (cryptsetup) with 256 bit ESSIV AES CBC, plus a little magic I've thrown in.
Might this magic happen to let you write files to an encrypted volume on one operating system and read it on another?
Re:7.1a for x64 linux (Score:5, Interesting)
Luckily I have a copy of 7.1a for x64 linux
I noticed something the other day when looking for a copy of the install on my own system. It turns out that when you install TrueCrypt for Windows, it puts a copy of the installer in the destination directory! If you're on Windows, take a look in your %ProgramFiles%\TrueCrypt directory. You will probably find a TrueCrypt Setup.exe file (at work so not sure of the exact filename). This can be used to install/repair/reinstall TrueCrypt on any computer.
There have been some good attempts [grc.com] to create a trustworthy TrueCrypt archive, but nothing beats your original installation source, which you can use to verify against various signatures found online.
Re:Differences between 7.1a and 7.2a (Score:5, Interesting)
It really was weird. Here's my new theory:
These guys released their best version ever, 7.1a, in Febuary 2012. They had a party, said goodbye, and moved on with their lives. Everyone assumed that since it's open source, some new guys would come along to take over the project. Instead, for two years, there were no security updates, and no credible fork. TrueCrypt was languishing. One of the developers decided to force the world to take action. He pulled that amazing stunt, complete with recommending everyone use Microsoft BitLocker. Now he's kicking back with a beer and watching the world go nuts. It's like kicking an ant hill.
Did it work? You bet! A bunch of geeks like me said, "I want to help!" A couple of Swiss Pirate Party dudes said, "We'll lead the effort", and before the weekend was over, they had thousands of offers for help. True to the Pirate Party spirit, they even pirated the TrueCrypt name: truecrypt.ch. Also true to the Pirate Party spirit, they don't really know how to organize a team of geeks to work together in a common direction. So, I said "Follow me!" on the forum, and signed up geeks as fast as I could at the site that became CipherShed.org. Now they're self-organizing like some sort of slime mold, creating order out of chaos. It's really fascinating to watch! I hope the original authors are enjoying the drama :-) At this point, I think the new team is going to do amazing things.