truecrypt.org hacked or real?

News sites are reporting that it looks legit, but not confirmed - http://arstechnica.com/security/201...ure-official-sourceforge-page-abruptly-warns/

The warnings have also been included in the source code. Something that a site hacker wouldn't have bothered to do, and would be easily reverted if not real.

Edit - actually, after reading more I'm swaying towards them being hacked. But if so, they also lost their signing keys, which is a big deal.
 
This isn't a hack, it's a warning. A warning that it isn't safe from the government.

Remember how they infiltrated Google? They had agents on the inside because Google's internal communications used to be unencrypted. Easy-peasy - even a dumb gang from East London can infiltrate a bank's data. And the bigger the corporation, the easier it was to infiltrate. Now all the big data corporations have started using encryption even on internal networks, so they are targeting the very forms of encryption as we use them today. They're not going to be running multi-billion pound operations such as Tempora (to name one of hundreds) so they can sit and stare at encrypted data. They're already light years ahead with quantum cryptography at their disposal.
 
OMG "hacked".... of all the places for the 4 year old level responses.

It's exceptionally fishy. Warrant Canary is the first thing that crossed my mind, and I have now seen a few hints of it in various areas. The point to BitLocker seems the massively obvious tongue-in-cheek giveaway that it is deliberately and most definitely not a serious statement from the devs. Rather, a huge hint to something untoward in the background.

I stuck with and will continue with 7.1a for obvious reasons and for peace of mind, kind of, also. If any such thing can exist in this world any more...

I can't get anything cached for truecrypt.org... When did the re-dir to the sourceforge sub-domain occur on that site? Was that long ago/recently, or did it coincide with this being noticed last night?
 
I suspect the devs have been visited by the men in black and TrueCrypt have decided to do exactly the same thing that Lavabit / Ladar Levison did.
 
You do realise that TrueCrypt is used internationally by many law enforcement agencies, right? Why would they shut them down?

Who said anything about shutting anyone down? The feds didn't shut down Lavabit. Levison shut it down himself rather than give up user privacy after he was approached by various law enforcement departments wanting keys and taps put in place.
 
Who said anything about shutting anyone down? The feds didn't shut down Lavabit. Levison shut it down himself rather than give up user privacy after he was approached by various law enforcement departments wanting keys and taps put in place.

It was your comment concerning 'men in black' - there are also systems and processes in place that can crack TC containers which bog standard law enforcement have - I couldn't even begin to imagine what the security agencies can do.

Remember this: http://news.uk.msn.com/uk/intelligence-experts-cracked-ian-watkins-password
 
It was your comment concerning 'men in black' - there are also systems and processes in place that can crack TC containers which bog standard law enforcement have - I couldn't even begin to imagine what the security agencies can do.

Remember this: http://news.uk.msn.com/uk/intelligence-experts-cracked-ian-watkins-password

Watkins, who used a sick reference to his own perversion as his password

infosec fail. His password was probably embarrassingly weak

EDIT: Google "ian watkins password". First result. NSFW.
 
OMG "hacked".... of all the places for the 4 year old level responses.

Hacked is the logical conclusion. Conspiracy theory is not.

It was your comment concerning 'men in black' - there are also systems and processes in place that can crack TC containers which bog standard law enforcement have - I couldn't even begin to imagine what the security agencies can do.

Remember this: http://news.uk.msn.com/uk/intelligence-experts-cracked-ian-watkins-password

Remember what? A brute force attack that revealed a weak password?

Lol.
 
Re BitLocker.
Is it really that lolworthy?
Considering many users/companies probably simply used TrueCrypt to protect data should something go missing, rather than because they worried about the NSA/CIA et al looking at it.
For that purpose BitLocker works, and works well. I don't believe the actual encryption is in question? Just the potential for backdoors. Is that actually proven too, or just assumed?
 
Re BitLocker.
Is it really that lolworthy?
Considering many users/companies probably simply used TrueCrypt to protect data should something go missing, rather than because they worried about the NSA/CIA et al looking at it.
For that purpose BitLocker works, and works well. I don't believe the actual encryption is in question? Just the potential for backdoors. Is that actually proven too, or just assumed?

Unless you have access to the source code (the entire program, not just the encryption algorithm) and you know what to look for, it's just "assumed," but that's kind of the point - if you have a real need for the maximum security these apps can theoretically provide, then you have to assume a worst-case scenario. Given recent revelations, you'd have to be naive to the point of imbecility to dismiss at least the *possibility* that backdoors were built in at the insistence of the NSA (or whoever).

If you're just worried about leaving your company laptop on the train, then I guess BitLocker would normally be considered "good enough" ... I think the "lolworthy" aspect comes from the fact that it seems a little peculiar/suspicious for TC to be (apparently) advocating its use, given their previous emphasis on the relative trustworthiness of open-source encryption.

As regards what's actually going on with TrueCrypt, none of the main theories floating around seem to make much sense, although I'm leaning towards "the devs just got fed up maintaining it and bailed" at the moment. Doesn't explain why they'd have done so in such a cryptic manner though... :confused:
 
infosec fail. His password was probably embarrassingly weak

EDIT: Google "ian watkins password". First result. NSFW.

Nice guy Ian Watkins huh?

I can't imagine a GCHQ cryptographer running brute force over the full disk encryption. It is a likely assumption, nay, an expectation, that you would give it an attempt at cracking with brute force/dictionary before escalation. Perhaps the GCHQ guy tracked some of his other activity that GCHQ had logged, and found he used the same password elsewhere?

Concerning the security of encrypted devices, the hiberfile and pagefile are the common go-to for forensics; for the more specialist response units out there, you pull the RAM and supercool it and pray as you hand it over to your specialists.

Of course, if the device is powered on at the time of seizure this is a whole lot easier. If the device is off, and the encrypted disk isn't a portable one (where keys could reside in other devices' hiber/page files), then you'll be considering brute forcing it for a while, and then if that fails, see if anyone knows a cryptographer.
 