
Thread: TrueCrypt Potentially Compromised

  1. #1
    DngrMs's Avatar Super Rodent
    Join Date
    May 2013
    Location
    Pillar Box
    Posts
    173

    Urgent

    Read into what you will but proceed with caution.

    http://forums.theregister.co.uk/foru...ruecrypt_hack/
    http://www.idigitaltimes.com/article...ed-defaced.htm
    http://nakedsecurity.sophos.com/2014...tion-software/

    I say that for the time being:

    * Don't use version 7.2 for anything (including decryption), don't even download it.
    * Don't follow the advice to wholesale migrate your encrypted data to another product (for the time being at least).
    * If you're (really) concerned then envelop your TrueCrypt encrypted volumes with another product (edit: note this will undermine plausible deniability!!).

    Will be interesting to see what develops.
    Last edited by DngrMs; 05-30-2014 at 03:21 AM.
    Just like the NSA, I'm compelled to copy everything I want to.

  2. Software & Hardware   -   #2
    Thanks for posting this.
    "I just remembered something that happened a long time ago."

  3. Software & Hardware   -   #3
    Yikes. Posters on Slashdot were speculating this is their warrant canary, after having been served a national security letter or something similar. Lavabit redux.

  4. Software & Hardware   -   #4
    DngrMs's Avatar Super Rodent
    Quote Originally Posted by piercerseth
    Yikes. Posters on Slashdot were speculating this is their warrant canary, after having been served a national security letter or something similar. Lavabit redux.
    Yes, this is the focus of many discussions on IRC as well. I'm not sure it's the way I'd do it but they may have felt it was their only option if they were served.

    Related information:

    Phase 1 TrueCrypt (v7.1a) Audit (PDF): https://opencryptoaudit.org/reports/...Assessment.pdf

    Nothing for anyone to really concern themselves with in there although I encourage you to make your own assessment, if absolute security is important to you, rather than taking my word for it.

    Furthermore, if you're concerned and using Windows (sorry to other OS folks) then you could, again after reassuring yourselves rather than accepting my word, consider either of these:

    https://diskcryptor.net/wiki/Main_Page
    http://www.exlade.com/cryptic-disk

    But really, unless you're storing "Pass_NSA_backd00r_key_primary!_bitch.sec" or "CAM_schoolgirl_sh0wer_14yo.avi" then you probably don't need to be too concerned.

    More: http://www.reddit.com/r/netsec/comme..._ended_052814/
    Last edited by DngrMs; 05-29-2014 at 01:54 PM. Reason: Developing Story
    Just like the NSA, I'm compelled to copy everything I want to.

  5. Software & Hardware   -   #5
    DngrMs's Avatar Super Rodent
    Can't vouch for them but watch this space:

    http://truecrypt.ch/

    Edit: the SHA-1 for the original 7.1a Windows Binary originally posted on TrueCrypt.org in 2012 (TrueCrypt Setup 7.1a.exe) is:

    Code:
    7689d038c76bd1df695d295c026961e50e4a62ea
    This has been independently verified as a valid compile from source (link).

    Given recent events, if you have sensitive data check your copy before installing it!
    Last edited by DngrMs; 05-30-2014 at 05:53 AM.
    Just like the NSA, I'm compelled to copy everything I want to.
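
One way to do the check suggested in post #5, as an added example that is not part of the original posts: it hashes a local copy of the installer in chunks and compares the result with the SHA-1 quoted above. The function names and the command-line usage are assumptions made for this example.

```python
import hashlib
import hmac
import re
import sys

# SHA-1 quoted in post #5 for "TrueCrypt Setup 7.1a.exe".
EXPECTED_SHA1 = "7689d038c76bd1df695d295c026961e50e4a62ea"


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize(hex_digest):
    """Accept digests pasted in upper case or grouped with spaces or colons."""
    cleaned = re.sub(r"[\s:]", "", hex_digest).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("not a 40-hex-digit SHA-1 digest")
    return cleaned


def matches(path, expected=EXPECTED_SHA1):
    """True only if the file's SHA-1 equals the expected digest."""
    return hmac.compare_digest(sha1_of_file(path), normalize(expected))


def main(argv):
    """Exit code 0 = match, 1 = mismatch, 2 = usage error or unreadable file."""
    if len(argv) != 2:
        print("usage: check_sha1.py <path-to-installer>", file=sys.stderr)
        return 2
    try:
        ok = matches(argv[1])
    except OSError as exc:
        print(f"cannot read file: {exc}", file=sys.stderr)
        return 2
    print("MATCH" if ok else "MISMATCH: do not install this copy")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A match only shows the file is byte-identical to the one whose hash was posted; it says nothing about a copy with any other digest.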

  6. Software & Hardware   -   #6
    I can confirm that hash too.

    DiskCryptor is what I've been using for full disk encryption under Windows for nearly a year now. If it had container support, I'd have ditched TrueCrypt, as the latter is way slower and I don't need its extra functionality.
    "I just remembered something that happened a long time ago."

  7. Software & Hardware   -   #7
    DngrMs's Avatar Super Rodent
    Analysis of the situation here:

    https://www.grc.com/misc/truecrypt/truecrypt.htm
    Just like the NSA, I'm compelled to copy everything I want to.
