
·
100% gulf coast bad ass
Joined
·
268 Posts
Discussion Starter #1
Anyone using TRUECRYPT with WINDOWS or LINUX, do a google search, the creator of TRUECRYPT is urging everyone to re-encrypt their private data with anything else, and abandon TRUECRYPT. The general belief is that the NSA is probably all over the creators of TRUECRYPT, and they can't come out and talk about it, just like LAVABIT a couple of years ago.
 

·
Time to melt snowflakes!
Joined
·
30,160 Posts
I think it is a law that anyone selling an encryption program must provide a decryption program to the Feds.
I have heard that as well, but have never been able to find the actual law. At the same time, if the encryption is not being sold/distributed in the US (a server/website based in the US) that pretty much goes out the window.
 

·
Registered
Joined
·
2,788 Posts
Some say the bitlocker recommendation makes it look like the site was hacked as no one with any crypto knowledge would suggest it.
Perhaps .gov shut them down?
I'm looking for a replacement now.
 

·
statists' be statin'
Joined
·
3,425 Posts
Truecrypt (1) functions flawlessly, better than many commercial software packages. (2) updates available as soon as new OS's come out that work just as flawlessly. (3) all supposedly coded by some unpaid guy in Russia who always gets it right the first time.

I've been skeptical for a while. I really became skeptical when the FBI announced publicly that they had failed to crack a truecrypt encrypted file after trying for months. Why would the FBI announce something like this?
 

·
Wile E Coyote, Genius.
Joined
·
33,881 Posts
I have heard that as well, but have never been able to find the actual law. At the same time, if the encryption is not being sold/distributed in the US (a server/website based in the US) that pretty much goes out the window.
It might be one of those laws that aren't written down, but if you break it some guys will show up in a black SUV and personally explain it to you. :)
 

·
Registered
Joined
·
626 Posts
Guys,

Before you run off and replace TrueCrypt, I highly recommend waiting to hear back from the public audit of it. Currently ongoing is a professional, third party audit of TrueCrypt to see how secure it really is.

It passed Phase 1 so far, let's see how it does with phase 2.

Until I see evidence otherwise, I do believe the .gov cannot get in with a backdoor/decryption method because of a court case involving this. The FBI wanted to force an individual to decrypt his drives for their investigation. The courts threw it out saying that violated his 5th Amendment rights. Why would the FBI go through that public show if they could just bypass it on their own?

http://truecrypt.sourceforge.net/
TrueCrypt was discontinued with WinXP's 'death'. They recommend BitLocker, which if you believe the federal government does not have the keys for, you are placing too much trust in Microsoft.

This "official story" has so many holes in it that it's pretty clear that the devs at TrueCrypt are screaming "something isn't right" with it to all the truly tech savvy. TrueCrypt was a cross-platform application, and therefore couldn't possibly be tied to something in XP that had to be discontinued. Their recommendation was equally absurd given their past. It smells a rat, and almost certainly alphabet-soup agency involvement.
 

·
Time to melt snowflakes!
Joined
·
30,160 Posts
Guys,

Before you run off and replace TrueCrypt, I highly recommend waiting to hear back from the public audit of it. Currently ongoing is a professional, third party audit of TrueCrypt to see how secure it really is.

It passed Phase 1 so far, let's see how it does with phase 2.

Until I see evidence otherwise, I do believe the .gov cannot get in with a backdoor/decryption method because of a court case involving this. The FBI wanted to force an individual to decrypt his drives for their investigation. The courts threw it out saying that violated his 5th Amendment rights. Why would the FBI go through that public show if they could just bypass it on their own?
Yup, I'm waiting to see the fallout from this or to see if the developers/creators make something new/different to replace it.

This "official story" has so many holes in it that it's pretty clear that the devs at TrueCrypt are screaming "something isn't right" with it to all the truly tech savvy. TrueCrypt was a cross-platform application, and therefore couldn't possibly be tied to something in XP that had to be discontinued. Their recommendation was equally absurd given their past. It smells a rat, and almost certainly alphabet-soup agency involvement.
The whole website looks fake and/or hacked by someone else, or a disgruntled member of their team. For the website to recommend something as absurd as Bitlocker for a substitution raises alarms for me.
 

·
Registered
Joined
·
626 Posts
The whole website looks fake and/or hacked by someone else, or a disgruntled member of their team. For the website to recommend something as absurd as Bitlocker for a substitution raises alarms for me.
If hacked, it's one impressive hack. The 7.2 on that site has the right signatures, so if it was hacked they got to everything at TrueCrypt before turning loose this site.

And if it was a hack, I'd imagine the site would be at least partially restored by now, and it isn't. Leads me to think this is at least coming from within the dev team of TrueCrypt.

The BitLocker bit to me was the whole "something is off and the official story is wrong" red flag. No way would they honestly recommend it unless there was something going on that isn't above board.
 

·
Time to melt snowflakes!
Joined
·
30,160 Posts
If hacked, it's one impressive hack. The 7.2 on that site has the right signatures, so if it was hacked they got to everything at TrueCrypt before turning loose this site.

And if it was a hack, I'd imagine the site would be at least partially restored by now, and it isn't. Leads me to think this is at least coming from within the dev team of TrueCrypt.
May not be hacked, but might be a disgruntled member of the dev team. TrueCrypt even had instructions for Windows Vista/7/8 last month when I checked, so it is not a WinXP issue.

The BitLocker bit to me was the whole "something is off and the official story is wrong" red flag. No way would they honestly recommend it unless there was something going on that isn't above board.
That was mine as well, and with a brand new package accompanying that webpage is suspicious as hell. It could be MS purchased or forced the purchase of the rights/source? Maybe, but it is possible . . .
 

·
Registered
Joined
·
2,788 Posts
(2) updates available as soon as new OS's come out that work just as flawlessly.
Which is the issue now if it's no longer being developed. The old versions will still work for now. It just let me see that I have a single point of failure in my preps. If LibreOffice were to stop development today I can use Apache OpenOffice or KDEOffice. If Firefox or Thunderbird stops today I can use Chromium or Konqueror and Kmail. If Slackware stops today I can use Ubuntu or Deadrat or whatever. But if Truecrypt dies I realized I haven't installed or tested any other programs. I suppose I could still decrypt on my tablet and have them unencrypted but I could just do that today with TrueCrypt, it doesn't future proof me.
 

·
statists' be statin'
Joined
·
3,425 Posts
...The FBI wanted to force an individual to decrypt his drives for their investigation. The courts threw it out saying that violated his 5th Amendment rights. Why would the FBI go through that public show if they could just bypass it on their own?
The same reason the NSA would own Tor nodes, the FBI would own proxy servers, and in the 90's owned email anonymizers. Opsec so they can see what people are trying to hide.

But maybe I'm wrong and they wouldn't do anything sneaky to spy on their own people.
 

·
Registered
Joined
·
605 Posts
You can make and sell an encryption program without giving the access to the recovery key system to anyone, so long as it is not being exported out of the US. No strong encryption made and sold in the US can be exported without the US govt ok. That will require giving them a way in. This also means if the program originated in the US it cannot be posted on public access sites due to someone from other countries being able to access it, that is technically exporting it.

See here http://www.bis.doc.gov/index.php/policy-guidance/encryption/encryption-faqs
 

·
Registered
Joined
·
2,650 Posts
It has something to do with the audit IMO. Phase 1 was completed 20 days before this announcement. If it was the NSA then why not a year ago?

Link?
Source?

It would not surprise me, but it would be nice to actually read something about it.

http://truecrypt.sourceforge.net/
TrueCrypt was discontinued with WinXP's 'death'. They recommend BitLocker, which if you believe the federal government does not have the keys for, you are placing too much trust in Microsoft.
Bitlocker is not in the same class as Truecrypt with respect to civil liberties and protections against the state. Using Bitlocker the gov/cops can see your drive is encrypted and can potentially compel you to provide the keys. Truecrypt is much more resilient to this kind of attack. Bitlocker is better for businesses and corporations as keys can be managed and employees don't get God-like control of your data.

Truecrypt (1) functions flawlessly, better than many commercial software packages. (2) updates available as soon as new OS's come out that work just as flawlessly. (3) all supposedly coded by some unpaid guy in Russia who always gets it right the first time.

I've been skeptical for a while. I really became skeptical when the FBI announced publicly that they had failed to crack a truecrypt encrypted file after trying for months. Why would the FBI announce something like this?
Because they couldn't crack it and were unable to help in the investigation. All they did was run password guessers on clusters for a few months then gave up after exhausting all the obvious options. In another similar case in the UK the cops cracked some terrorist's password, amazingly enough a verse from the Qur'an :rolleyes:
 

·
Time to melt snowflakes!
Joined
·
30,160 Posts
It has something to do with the audit IMO. Phase 1 was completed 20 days before this announcement. If it was the NSA then why not a year ago?
It is still a drastic website change, and suspicious that a new version is suddenly coupled with a recommendation for Bitlocker.

Bitlocker is not in the same class as Truecrypt with respect to civil liberties and protections against the state. Using Bitlocker the gov/cops can see your drive is encrypted and can potentially compel you to provide the keys. Truecrypt is much more resilient to this kind of attack. Bitlocker is better for businesses and corporations as keys can be managed and employees don't get God-like control of your data.
For most encryption purposes, Bitlocker also stores the keys on another device which can become compromised etc. It is not nearly as effective a security/encryption program as Truecrypt is/was.

Because they couldn't crack it and were unable to help in the investigation. All they did was run password guessers on clusters for a few months then gave up after exhausting all the obvious options. In another similar case in the UK the cops cracked some terrorist's password, amazingly enough a verse from the Qur'an :rolleyes:
To be fair, they were both the same type of attacks. I am sure that when investigating an Islamic terrorist group, they use common/relevant phrases from the Qur'an.
 

·
Registered
Joined
·
2,650 Posts
For most encryption purposes, Bitlocker also stores the keys on another device which can become compromised etc. It is not nearly as effective a security/encryption program as Truecrypt is/was.
Bitlocker seems to be a compromise between security and data protection. TC is definitely better, particularly on the civil liberties front.

To be fair, they were both the same type of attacks. I am sure that when investigating an Islamic terrorist group, they use common/relevant phrases from the Qur'an.
I think the Brazilians were hoping the FBI had access to something a bit more special, like a crack to AES from the NSA. The NSA just seems to step around the crypto.

Bitlocker is also Windows only. So how do you read your encrypted files on your phone with Bitlocker :)
You don't. You send them plaintext so the government and its paramilitary agencies can read them.
 

·
Time to melt snowflakes!
Joined
·
30,160 Posts
Bitlocker seems to be a compromise between security and data protection. TC is definitely better, particularly on the civil liberties front.
I use bitlocker at a corporate level, and can tell you it is very secure . . . unless you have the decryption key, which is generally stored on an external device/location. An IT professional does not even need to know if it is a pin, password or token to bypass it with that.

I think the Brazilians were hoping the FBI had access to something a bit more special, like a crack to AES from the NSA. The NSA just seems to step around the crypto.
I'm sure there is some crypto that the NSA can step around, that is one reason TrueCrypt was so popular, plus it was free and very configurable. I'm still not convinced at the website's claims, especially when it is recommending bitlocker as a replacement. I have a feeling the devs changed the site/software for a reason we are not aware of.
 