Update: TrueCrypt is Dead, Long Live TrueCrypt!
Although no new news has come out of truecrypt.org, there has been much speculation and commentary on the disappearance of TrueCrypt. Some speculation states that the original message on the TrueCrypt website itself was an indication that the NSA now controls the product in some way. See pastebin article.
The message on TrueCrypt’s new website got me thinking:
Using TrueCrypt is not secure as it may contain unfixed security issues
Let’s isolate the first letter of each word:
(U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay (c)ontain (u)nfixed (s)ecurity (i)ssues
Result? utinsaimcusi
Let’s spread that! uti nsa im cu si
That is Latin for “If I wish to use the NSA”
Stay away from future TrueCrypt releases. This is clearly a warning from the developers.
One of the best assessments on the subject, however, is an article found on GRC.com. It correctly states that the original TrueCrypt 7.1a code base has not changed since Feb 2012, so if you have that specific version (and it has not been altered), why is there cause for panic? Just make sure you verify the hash of the original downloaded package and continue to use TrueCrypt without worries. Read the full article here.
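The hash check recommended above can be scripted. The following is an added example, not part of the original post: it verifies files against a sha256sum-style digest list. SHA-256, the file names and the digest list are assumptions constructed for the demonstration; real digests must come from a source you trust and are not reproduced here.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never loaded whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style 'HEXDIGEST  filename' lines into {filename: digest}."""
    expected = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = bytes.fromhex(digest).hex()  # lower-cases; ValueError if not hex
    return expected

def verify(directory, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), want):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():  # constructed sample: stand-in files with hypothetical names
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "pkg-7.1a.bin"), Path(tmp, "pkg-7.1a-mirror.bin")
        for p in (good, bad):
            p.write_bytes(b"constructed installer bytes")
        manifest = "".join(f"{sha256_file(p)}  {p.name}\n" for p in (good, bad))
        manifest += "0" * 64 + "  not-downloaded.bin\n"
        bad.write_bytes(b"constructed installer bytes, altered")  # altered after listing
        return verify(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the file is the one the digest list describes, so the list itself has to come from somewhere other than the mirror that served the download.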
Additionally, the TrueCrypt 7.1a code base has gone through a lot of independent auditing. The project launched by Matthew Green in Oct 2013 aims to audit TrueCrypt, and they have made big strides; see istruecryptauditedyet.com. The initial audit can be found here.
Additional resources of interest include:
- TrueCrypt hashes
- Whither TrueCrypt
- Twit.tv – TrueCrypt WTH?
- Amazon Support for TrueCrypt on Import/Export of Data
The long and the short of the story is that TrueCrypt is not dead yet, apparently not by a long shot. The future of development is still uncertain, but some would-be owners have appeared to try and keep the project alive. See truecrypt.ch for more.
Apparently the developers of TrueCrypt have called it a day, and I must say I am truly sad about that. This week saw massive speculation in the security community when the TrueCrypt.org website started to redirect to this page on SourceForge. The article states that “TrueCrypt” is not secure and that you should rather use BitLocker, which is built into Windows. Even when trying to install the latest 7.2 version, the following message appears.
Users who still wish to encrypt their content using TrueCrypt should rather install version 7.1a. This can be found in numerous places or can be downloaded here. The biggest challenge is that operating system versions in the near future remove some kind of driver support for the TrueCrypt disk volumes.
Read more about the TrueCrypt saga:
- http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/
- http://www.tomsguide.com/us/truecrypt-may-be-compromised,news-18861.html
- http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/
- http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/
- http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/