[Cryptography] What is going on with TrueCrypt?

Peter Trei petertrei at gmail.com
Wed May 28 23:05:01 EDT 2014


[I get the 'digest' form of this list around noon each day, so I'm probably
throwing this into an already active discussion.]

1.0 What do we know?

1.1 The truecrypt.org website has been redirected to a SourceForge
page, which claims

"WARNING: Using TrueCrypt is not secure as it may contain unfixed
security issues."

1.2 It goes on to recommend that users migrate to BitLocker or
OS X encrypted virtual drives. No particular recommendation is made
for Linux.

1.3 Includes TrueCrypt binaries ("version 7.2") for Windows,
Mac, and Linux. The 7.2 version has only decrypt functionality,
it cannot encrypt.

1.3.1    These binaries are signed with a 2004 truecrypt gpg key.
    https://gist.github.com/daveio/14f7d40f05ac68bb2e63

1.4 A post has been made to HackerNews by a person claiming to be a
SourceForge employee, to the effect that there doesn't seem to be
anything unusual in recent traffic and usage of the TrueCrypt account.
https://news.ycombinator.com/item?id=7813121

1.5 This is odd, seeing as the site has been only sporadically
available due to exceeding bandwidth limits; this is not 'not unusual'.

1.6 The TC devs haven't been heard from yet (but that would
not be too unusual, in the *normal* run of things).

2.0 Theories (just off the top of my head):

2.1  This is a hack attack.
2.1.1  ...as a prank.
2.1.2  ...to spread FUD about TC.

2.2 This is real; a serious compromise has been found in TC.

2.3 This is a Warrant Canary of some kind.

... I'm sure this list can be extended.

(the following is just speculation on my part)

The suddenness with which the shutdown occurred, the elaborateness
of the effort (setting up modified binaries, and getting them signed),
along with the non-explanations from the TC devs, tend to suggest that
this is not a simple prank. It also fits poorly with a real fault having been
found - the communications are all wrong.

That leaves an attempt to spread FUD about TC, or a Warrant Canary
scenario. The statement at the top of the current TrueCrypt.org page
is trivially true; *all* security related programs 'may' be insecure due
to 'unfixed security issues'. (Yes, I know this isn't a proper 'Warrant
Canary',  but TC sadly didn't have one in place; it may be this is the
best they could legally do.)

I'll throw in that TC recently passed the first round of an independent
audit with good grades, and in the courts LEAs have been treating it as
secure when carefully used.

Peter