TrueCrypt suggests migration to BitLocker?


SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

TrueCrypt suggests migration to BitLocker?

Post by SquidInk » 05-28-2014 04:04 PM

Does this make sense?

http://truecrypt.sourceforge.net/
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-28-2014 07:36 PM

This turn of events is odd. TrueCrypt is
  • Written by murky/anonymous developers
  • Unbreachable by the FBI [1]
  • Protected under the 5th Amendment - you are not required to provide decryption keys [2]
Seems like a great target for the "Homeland" jackboots.


1 http://g1.globo.com/English/noticia/201 ... antas.html

2 http://en.wikipedia.org/wiki/TrueCrypt#Legal_cases
Last edited by SquidInk on 05-28-2014 09:22 PM, edited 1 time in total.
For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-28-2014 09:08 PM

For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-28-2014 09:18 PM

Some discussion from other places on the internet (apologies for the formatting) :
  • Adaptive 6 hours ago | link

    In order of likelihood:
    * Defaced site, timed to screw up a big announcement
    * Rogue content maintainer
    * Phase II of audit turned up something rather bad
    (edit: NO - see tptacek below)
    edit: Variations on "developer forced to do this" (cf simmerian's comment):
    * Developer was big brother all along and they are shutting it down
    * Security vuln about to be disclosed, dev scrambles to inform (albeit poorly)
    * Legally or otherwise compelled to compromise source code,
    dev complies and/or nukes project from orbit
    The last alternative would be suggested in part by the strange content of the page, assuming it is legit from the developer: Normally I'd expect at least something like "there's a major vuln that is unfixable and we'll disclose formally in a week/two, migrate now.".
    reply

    ultramancool 3 hours ago | link

    After examining all the facts, I think it's most likely they just didn't want to develop it anymore:
    * PGP matches
    * Authenticode matches
    * SourceForge data was modified
    * DNS records were modified
    And to top it off, let's put ourselves in the theoretical attacker's shoes, the binaries when run make no unexpected connection attempts or write to any unexpected places and don't appear to contain any unexpected imports, so if this was a hack, it's a very stealthy and very boring one. The most they achieved would be uninteresting to most attackers. It would only really be an effective attack against people who had TrueCrypt volumes but not a current copy of TrueCrypt as there's no compelling reason for anyone to upgrade to 7.2 and certainly they'd be skeptical after this. Any attacker with the intelligence and patience for such an attack would surely realize how poor an execution this would be. A better attack would be "here, it's TrueCrypt 8, it has loads of EFI support and mad security, everyone should install it, it's the best!". There's simply no reason to shut it down like this, unless the attack is just an elaborate practical joke.
    It's quite possible this came from 1 big developer hack, but considering how the release was done, with full source and everything for every supported platform... if it was a hack, it's a very, very good one. They've also decided to modify the license terms, perhaps bringing it into compatibility with more common FOSS licenses.
    I think it's far more likely at this point that the devs, who had not updated their software in years, finally decided to call the project over and have marked it insecure because the codebase is now unmaintained and should be assumed insecure.
    reply

    Lagged2Death 11 minutes ago | link

    I think it's most likely they just didn't want to develop it anymore...
    It would be so easy for the person(s) in question to just say that, though.
    I don't know what to think.
    reply

    voltagex_ 42 minutes ago | link

    Could you post the PGP & Authenticode details? I was unable to verify the 7.1 releases.
    reply

    mandelbulb 2 hours ago | link

    >>After examining all the facts, I think it's most likely they just didn't want to develop it anymore:
    So they decided to end things with such an extremely juvenile behavior devaluating the years they have invested in this project even if not recently?
    Unless the responsible one fell into clinical depression it's a pretty strange reason.
    reply

    rasz_pl 25 minutes ago | link

    Does National Security Letter sound depressing enough?
    reply

    mandalar12 3 hours ago | link

    I guess the new license only applies to the release it is distributed with and this latest version removed encryption features so I doubt it will make the truecrypt project more compatible with FOSS licenses.
    reply

    ultramancool 3 hours ago | link

    True, but they likely intended it for all releases and I highly doubt the dev(s) are going to burn their anonymity to go after you even if they didn't.
    Though I suppose that's not the best legal rationale, now is it?
    reply

    tghw 3 hours ago | link

    What if this is an attempt to smoke out the TrueCrypt devs?
    While this move seems odd, the new binaries are properly signed and the domains have been updated accordingly. If this was another project, like Rails, the maintainer could come out and say they were hacked and the last good version was X. Otherwise, the project would likely die off.
    But since we know so little about the TrueCrypt maintainers, there's little way for us to hear that this isn't legitimate. In order to keep the project from dying (if this is a hoax), they would have to prove that they are the maintainers, because any plausible deniability would undermine their claim that the change was not legitimate.
    reply

    ColinDabritz 3 hours ago | link

    Wouldn't they just have to publish a signed message stating that the change was not theirs and the key is compromised? Or better yet, revoke the key?
    If two groups with opposing messages control the key, it's pretty clear that the key is compromised in some manner.
    reply

    tghw 1 hour ago | link

    If 7.2 is part of the hoax, then they would be signing with a compromised key. This would be evidence, but would not be conclusive.
    reply

    monokrome 2 hours ago | link

    No, because the suggested "hackers" have published a signed message.
    reply

    jcrawfordor 1 hour ago | link

    > If two groups with opposing messages control the key, it's pretty clear that the key is compromised in some manner.
    reply

    hamburglar 1 hour ago | link

    Doesn't matter. Publish another message signed with the same key saying "this key is compromised."
    reply

    asdkl234890 1 hour ago | link

    My order of likelihood is #1. This is a canary. https://en.wikipedia.org/wiki/Warrant_canary
    reply

    tptacek 6 hours ago | link

    Phase 2 of the audit hasn't started yet.
    reply

    Adaptive 5 hours ago | link

    Seems to point towards compromised SF account.
    reply

    zorked 5 hours ago | link

    There's a new binary that recommends moving to BitLocker during install, and the signature matches.
    Edit: with a new, compromised key.
    reply

    Alupis 5 hours ago | link

    Project on SF is still available if you have a direct link:
    http://sourceforge.net/projects/truecry ... TrueCrypt/
    http://sourceforge.net/projects/truecry ... rce=navbar
    http://sourceforge.net/p/truecrypt/acti ... imit=10...
    Odd, 6 hours ago someone updated the TruCrypt-key.asc files, then 3 hours later posted all the new binaries.
    Also odd is whoever posted the new binaries completely yanked all the previous ones, leaving only the new and questionable binary available for download.
    hmm...
    reply

    bspar 4 hours ago | link

    Looks like it's the same key as before (F0D6B1E0)
    reply

    elmindreda 3 hours ago | link

    On a day like this, compare the entire key.
    reply

    bspar 2 hours ago | link

    It's the same. Original key: http://pgp.mit.edu/pks/lookup?op=get&se ... AF0D6B1...
    And the new key can be found on the SF site.
    reply

    CodeMage 5 hours ago | link

    Yes, but did they sign it using the same key they were using before?
    edit: Apparently not, according to the link @Alupis posted.
    reply

    Alupis 5 hours ago | link

    Is source still available? Can we check the commit tree for anything suspicious lately? Can someone compile it and check the hash against the 7.2 binary being offered?
    reply

    Canada 2 hours ago | link

    It's not that simple. It won't match anyway. Signatures, compiler versions, SDK versions, etc.
    reply

    guan 42 minutes ago | link

    This guy managed to compile a previous version and have it match the released binaries https://madiba.encs.concordia.ca/~x_dec ... binarie...
    reply

    quasque 4 hours ago | link

    It could be that they've simply lost interest in developing it. It's quite the ongoing responsibility, and they may well be tired of working on it - a decade is a long time in anyone's life.
    If this is true, then perhaps such listlessness was also catalysed by the ongoing audit. Maybe seeing such a mass of crowdfunding income towards a project to pick Truecrypt apart, in contrast to the scant donations to its development, disheartened the authors towards further work?
    Abandoning it in this rather dramatic way ensures that Truecrypt's users are warned against using unsupported software where any bugs will remain unfixed. This is especially important when such bugs revealed in the future (and maybe ones already known) have the possibility of being deleterious for security.
    reply

    Zancarius 4 hours ago | link

    If you're developing a free product and you're going to throw in the towel anyway, why not just open up the sources with a liberal license and/or hand the project over to someone else who's willing to carry the torch.
    reply

    Torgo 1 hour ago | link

    Cryptsetup 1.6 supports Truecrypt volumes now, using its own reimplementation:
    https://code.google.com/p/cryptsetup/wiki/Cryptsetup160
    So at least Linux users should be covered.
    reply

    quasque 3 hours ago | link

    It may be the same strong sense of ownership and control that precluded the liberalisation of Truecrypt's license during its lifetime in the past decade.
    reply

    c_c_c 2 hours ago | link

    The license was changed with the new release.
    Edit: The following clause was deleted in the 7.2 release.
    - c. Phrase "Based on TrueCrypt, freely available at - http://www.truecrypt.org/" must be displayed by Your Product - (if technically feasible) and contained in its - documentation. Alternatively, if This Product or its portion - You included in Your Product constitutes only a minor - portion of Your Product, phrase "Portions of this product - are based in part on TrueCrypt, freely available at - http://www.truecrypt.org/" may be displayed instead. In each - of the cases mentioned above in this paragraph, - "http://www.truecrypt.org/" must be a hyperlink (if - technically feasible) pointing to http://www.truecrypt.org/ - and You may freely choose the location within the user - interface (if there is any) of Your Product (e.g., an - "About" window, etc.) and the way in which Your Product will - display the respective phrase.
    reply

    SAI_Peregrinus 3 hours ago | link

    It's already open-source.
    reply

    quasque 3 hours ago | link

    As far as I know, its license is incompatible with other open source licenses due to an advertising clause (all derivative works have to state "based on Truecrypt" somewhere in the documentation or via use of the software). The old four clause BSD license had a similar issue.
    reply

    throwaway8889 2 hours ago | link

    One of the changes in the newly-uploaded version is indeed a change in the license.
    reply

    quasque 2 hours ago | link

    It does appear that the authors have removed the advertising clause in this latest license version. Also the section on commercial licensing, some mentions of registered trademarks, and all specific references to the truecrypt.org domain, including email addresses.
    However it's unclear if this change is only for Truecrypt 7.2 or can be applied retrospectively to previous versions. As the authors have deleted sizeable portions of the encryption code in this final version, such ambiguity could be problematic.
    reply

    4bpp 4 hours ago | link

    The element that does not square with any theories that suggest benevolent intent behind the change is the recommendation that users switch to Bitlocker. Surely, a Truecrypt developer who got served a gagging order to build in a backdoor would realise that a big and compliant target such as Microsoft would have been subject to the same measure long ago, and likewise that if a pre-existing vulnerability on a sufficient scale to justify this went unnoticed in an open-source project even after a proper audit, the situation is unlikely to look that much better in a closed-source solution (that only the makers and government agencies have access to).
    While this might be reading a tad much into it, the language of the announcement, specifically the "...as it may contain unfixed security issues" bit, sounds like what somebody who just came out on the losing end of a heated debate about whether some bug-feature should or should not be considered the former would say. Knowing the vitriol and determination with which software developer arguments are often carried out, this would explain the observed combination of remarkable dedication and haphazard execution.
    reply
Last edited by SquidInk on 05-28-2014 09:25 PM, edited 1 time in total.
For if it profit, none dare call it Treason.
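
The "compare the entire key" exchange quoted above (bspar and elmindreda), as an added example that is not part of the original thread: a Python check that accepts a key only when its full 40-hex-digit fingerprint equals a pinned value, and refuses a short ID as a pin. The listing is constructed sample data in the colon-delimited format printed by `gpg --with-colons`; only the short ID F0D6B1E0 comes from the thread, and the fingerprints and function names are hypothetical.

```python
import re

SHORT_ID = "F0D6B1E0"  # the short key ID quoted in the thread

# Constructed fingerprints (not real keys): both end in the same short ID.
FPR_ONE = "A" * 32 + SHORT_ID
FPR_TWO = "B" * 32 + SHORT_ID
FPR_SUB = "1" * 40


def fpr_record(fingerprint):
    """Build an fpr record: the fingerprint sits in field 10."""
    return "fpr" + ":" * 9 + fingerprint + ":"


# Constructed listing in the `gpg --with-colons` layout: field 1 is the
# record type, field 5 of pub/sub is the 64-bit key ID, and each fpr
# record belongs to the key record printed just before it.
SAMPLE_LISTING = "\n".join([
    f"pub:-:1024:17:{FPR_ONE[-16:]}:1075000000:::-:::scSC:",
    fpr_record(FPR_ONE),
    "uid:-::::1075000000::::Constructed Key One:",
    f"sub:-:2048:16:{FPR_SUB[-16:]}:1075000000::::::e:",
    fpr_record(FPR_SUB),
    f"pub:-:1024:17:{FPR_TWO[-16:]}:1401000000:::-:::scSC:",
    fpr_record(FPR_TWO),
    "uid:-::::1401000000::::Constructed Key Two:",
])


def primary_fingerprints(listing):
    """Return the fingerprints of primary keys (pub records) only."""
    found = []
    last_key_record = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub", "sec", "ssb"):
            last_key_record = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9:
            if last_key_record == "pub":
                found.append(fields[9].upper())
            last_key_record = None
    return found


def normalize_pin(pin):
    """Accept only a full fingerprint; a short or long key ID is refused."""
    cleaned = re.sub(r"\s+", "", pin).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("pin must be a 40-hex-digit fingerprint, not a key ID")
    return cleaned


def keys_matching_pin(listing, pin):
    """Primary keys whose whole fingerprint equals the pinned one."""
    wanted = normalize_pin(pin)
    return [fp for fp in primary_fingerprints(listing) if fp == wanted]


def keys_with_short_id(listing, short_id):
    """Primary keys that share a short ID: what a short-ID check would accept."""
    suffix = short_id.upper()
    return [fp for fp in primary_fingerprints(listing) if fp.endswith(suffix)]


if __name__ == "__main__":
    print("short ID accepts:", keys_with_short_id(SAMPLE_LISTING, SHORT_ID))
    print("full pin accepts:", keys_matching_pin(SAMPLE_LISTING, FPR_ONE))
```
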

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-28-2014 09:21 PM

cont'd...
  • UVB-76 4 hours ago | link

    > The element that does not square with any theories that suggest benevolent intent behind the change is the recommendation that users switch to Bitlocker.
    I realize we are firmly in conspiracy theory territory here, but perhaps the suggestion that users switch to Bitlocker is intended to be so patently absurd as to be a signal that the developers are under duress?
    reply

    jebblue 2 hours ago | link

    I'd agree, that seems more believable than some of the other theories I've read.
    reply

    tomku 3 hours ago | link

    As crazy as it sounds, I think you're right and it's just the developer(s) quitting (rage-quitting?) the project. Nothing else makes sense.
    The Bitlocker thing seems strange until you realize that it probably really IS the best alternative for most users. The users who are paranoid enough to not trust Bitlocker can probably look out for their own security, so it makes sense to give instructions for the rest.
    None of the explanations people have come up with regarding intelligence agencies and conspiracies really hold water. If the devs were compromised, I doubt they would be given the freedom to post something like they did today. If they were under some kind of NSL or gag order, this would almost certainly violate it.
    reply

    danrik 40 minutes ago | link

    No more than shutting down Lavabit violated whatever NSLs/court orders were directed at it.
    reply

    Adaptive 4 hours ago | link

    Agreed on the language/vitriol interpretation. I was thinking the same when I listed rogue content maintainer.
    reply

    enimodas 4 hours ago | link

    Maybe while looking at the code themselves they found a very bad bug which would make previously made encrypted partitions easily crackable, and fixing it would obviously make the world aware of this, and they don't want to endanger or ruin the lives of everybody who has had a truecrypt container with sensitive data taken from them (for example to a malicious government), so the only way to go for them is to tell people their product should not be used any more and is bad.
    reply

    gregatragenet2 4 hours ago | link

    Another possibility - the author was required by a court order to provide a backdoor for unfettered access to truecrypt disk, and to not disclose the existence of the order. The solution was to modify the code so that everyone has unfettered access (i.e. disable encryption entirely) and make the recommendation that everyone switch to something else.
    reply

    Torgo 5 hours ago | link

    Their mail server is on the same IP as truecrypt.org, and it's now rejecting mail.
    reply

    Netcob 6 hours ago | link

    If the audit turned up something bad, the obvious step to take would be to publish it in all detail, fix the flaw, and then tell users to upgrade as soon as possible. Not go "OK SHOW'S OVER, USE PROPRIETARY SOFTWARE FROM NOW ON".
    reply

    Adaptive 6 hours ago | link

    Yes. This would be just about the worst way to announce and make recommendations. Looks like defacement to me.
    reply

    Flimm 5 hours ago | link

    Nitpick: Truecrypt is proprietary (its source is viewable, but you aren't licensed to distribute modifications of it).
    reply

    opendais 5 hours ago | link

    https://twitter.com/matthew_d_green/sta ... 2207360...
    It doesn't appear related to the audit
    reply

    higherpurpose 5 hours ago | link

    Unless some kind of backdoor was about to be discovered...and they'd rather close it down before it gets discovered.
    reply

    simmerian 5 hours ago | link

    * That's a lot of wasted effort for a defacement with seemingly no motive except some (uncredited) lulz.
    * Possible, but once again I see no motive that would produce this brand of outburst.
    * And it's unfixable? That would be a world first.
    I think it's much more plausible this is some powerful entity forcing a hand. We know by now there's plenty of motive and candidates to fit that shoe.
    reply

    Adaptive 5 hours ago | link

    It is a lot of effort, and you make good points. I'll add a note to my original post.
    reply

    unsignedint 6 hours ago | link

    Also might be coming from lack of donations. I remember that button becoming more and more prominent lately...
    reply

    Alupis 6 hours ago | link

    That would not result in a message of "True Crypt Is Not Secure!!!!" in bold red. Seems to be geared towards frightening people.
    I concur -- likely an elaborate website deface.
    reply

    owlmanatt 5 hours ago | link

    That's not what the message says, though.
    > WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
    That is a perfectly reasonable thing to say if you are abandoning security software. Any issues discovered will not be fixed, so you should stop relying on this software for security.
    reply

    philtar 5 hours ago | link

    Scroll all the way to the bottom
    reply

    unsignedint 5 hours ago | link

    As irrational as it may be, I've seen people writing something like that out of frustrations...
    I don't think any legit organization would do that, but what if it's maintained by a small team or even individual -- I don't think I've ever seen a single face of TrueCrypt developers out there...
    reply

    Alupis 5 hours ago | link

    Good point.
    If true, I'd much rather have them post a countdown clock and say "If we don't reach X funding goal in donations by date Y, then we will be forced to close the project". Funds would come in then... a lot of people depend on truecrypt.
    reply

    api 2 hours ago | link

    * SourceForge account compromised and developers unwisely stored private keys and other information somewhere inside this account, permitting the attacker to compromise lots of other stuff and generally have a blast.
    reply

    Alupis 5 hours ago | link

    NSA is obviously in on it. Who else would recommend using holy-bug-riddled proprietary-back-doored-on-purpose encryption software? ;-P
    reply

    Tomte 4 hours ago | link

    I choose to believe Niels Ferguson when he says "Over my dead body.": http://blogs.msdn.com/b/si_team/archive ... 2590.as...
    reply

    alextgordon 3 hours ago | link

    If I were the NSA, I'd try to get one of my hundreds of world-class cryptographers a job on the BitLocker team.
    In fact, BitLocker would be the first thing I'd weaken. Because
    1) It's closed source, hard to externally audit.
    2) It's one of the most used encryption packages in the world.
    3) Microsoft's poor security track record provides excellent cover if the weakness is ever found.
    Closed-source security software is a recipe for disaster.
    reply

    mschuster91 4 hours ago | link

    An NSL is powerful enough to render all this moot. Therein lies the great danger of NSLs.
    reply

    Alupis 4 hours ago | link

    2 things.
    1) Obviously I was joking in my comment above.
    2) That post is dated well before common knowledge of how "in-bed" Microsoft is with the USA spy agencies (at least management is).
    This is a topic for another discussion, but I just want to point out that, of course someone being coerced under gag order to install less-than above-water "features" and/or purposefully weaken the product would say exactly what is in the blog post.
    reply

    pearjuice 5 hours ago | link

    This is legit and I am willing to bet.
    https://gist.github.com/anonymous/e5791d5703325b9cf6d1
    The entire source has been modified to reflect the Sourceforge page its contents. Encryption process is disabled. The current binaries can only be used to "migrate". You can deface a webpage but the effort it takes to rewrite the entire source code, compromise the GPG, compromise domain, compromise mail servers et cetera is not minimal.
    It is happening. Whether they are being forced to do so is a whole different story.
    reply

    conductor 4 hours ago | link

    I agree that this really looks like it is legit. It looks like, for some reason (we don't believe in the legend version, do we?) they abruptly (the diff contains many normal changes also) stopped the development and are burning all the bridges. They also slightly changed the license so now the forks are free to not mention that they are based on TrueCrypt, they are not allowed to link to truecrypt.org site or mention the TrueCrypt name in their product's domain name. They also removed all the links to their site from the source code (even the donation page).
    reply

    marcosdumay 3 hours ago | link

    > we don't believe in the legend version, do we?
    I dunno. We saw the legend version happening with a lot of people recently. Yep, we still mostly don't believe it, but...
    What's the opposite to The Boy that Cried Wolf?
    reply

    timothya 5 hours ago | link

    I just came across this on Twitter: https://github.com/warewolf/truecrypt/c ... ster...7.2
    This is supposedly the commit for the 7.2 release. Just looks like a bunch of code replaced with the app aborting as insecure.
    I'm not sure how legit this is, the repository was just created a few minutes ago. Apparently there is a new binary release that goes along with this, though.
    [I've created a fork here just in case the original goes down: https://github.com/timothyarmstrong/tru ... /master...]
    reply

    Kapow 5 hours ago | link

    Notice the added functions like IsNonSysPartitionOnSysDrive and ResolveAmbiguousSelection, and all the unrelated minor changes like the comment line in Common/Volumes.h. Looks a lot like they based it on current pre-release development code.
    reply

    dkokelley 2 hours ago | link

    Is it possible that this is the result of a "dead man's switch" (DMS) set by the developer(s)? Perhaps a (continually updated) process was set up so that TrueCrypt would shut itself down if the developer were unable to prove he or she was still actively maintaining the software.
    I can see a couple of scenarios where this would be wise:
    A) The developer passes away, leaving nobody else to maintain TrueCrypt. Zero-day 1234 is discovered which compromises TrueCrypt. The DMS activates, depreciating the software and advising users to migrate to another alternative (why BitLocker, I have no idea).
    B) The developer(s) is(are) coerced into compromising TrueCrypt in some way. As a part of the coercion, the developer(s) is(are) unable to demonstrate proof of life to the DMS, so the system nukes itself.
    reply

    grlhgr420 2 hours ago | link

    the page specifically mentions that it's ending support in may because ms is dropping xp support, though
    reply

    dkokelley 2 hours ago | link

    Not quite, though. The page says "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP." We can infer that the two are connected, but it would be equally valid to say "The development of TrueCrypt was ended in 5/2014 after Snowden interviewed with NBC."
    The reason I make this distinction is because continuing from a cautious/paranoid perspective, the DMS might not say "WARNING! Dead Man's Switch Activated! If you are reading this, I may have been compromised, and am no longer available to maintain TrueCrypt." It's possible that the landing page simply references a relatively innocuous event in the cyber security world to plausibly discontinue the software. The best evidence I have for this is the fact that TrueCrypt didn't shut down precisely when XP support was dropped. (In fact, according to http://www.microsoft.com/en-us/windows/ ... -of-sup... official support ended in April, not May like the landing page states.)
    reply


    [deleted]

    msantos 4 hours ago | link

    Are you sure about the domain http://www.trucrypt.org ? there's a typo there, no?
    reply

    teoruiz 4 hours ago | link

    The first time around you curled "www.trucrypt.org" (note the missing "e") and it went to a domain parking service (findingresult.com).
    The second time you went to the real "www.truecrypt.org", which is the real domain that now redirects to SF.
    reply

    Sephr 5 hours ago | link

    Interestingly enough, they also changed the TrueCrypt license.
    -TrueCrypt License Version 3.0
    +TrueCrypt License Version 3.1
    This led me to think about the legal implications of changing a software license using stolen signing keys, when signing keys are all that you have to verify that the software is official (such is the case with TrueCrypt and its anonymous authors). If the license is changed, and the package is signed with the same signing keys, can I legally use the new license in derivative software?
    The new license removes the following restrictions regarding attribution:
    - c. Phrase "Based on TrueCrypt, freely available at
    - http://www.truecrypt.org/" must be displayed by Your Product
    - (if technically feasible) and contained in its
    - documentation. Alternatively, if This Product or its portion
    - You included in Your Product constitutes only a minor
    - portion of Your Product, phrase "Portions of this product
    - are based in part on TrueCrypt, freely available at
    - http://www.truecrypt.org/" may be displayed instead. In each
    - of the cases mentioned above in this paragraph,
    - "http://www.truecrypt.org/" must be a hyperlink (if
    - technically feasible) pointing to http://www.truecrypt.org/
    - and You may freely choose the location within the user
    - interface (if there is any) of Your Product (e.g., an
    - "About" window, etc.) and the way in which Your Product will
    - display the respective phrase.
    reply

    laurent123456 4 hours ago | link

    Interesting, especially since the author(s) are anonymous and not working off public repositories, it will be very hard, if not impossible, for them to prove that they did not release this software.
    reply
For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-28-2014 09:24 PM

For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Post by SquidInk » 05-29-2014 07:52 PM

For if it profit, none dare call it Treason.

Fan
Lady with a
Posts: 5270
Joined: 05-09-2011 02:18 PM

Post by Fan » 05-30-2014 06:14 PM

Wow I missed this... looking into it.

There are plenty of alternatives, but TC works so well.
The heartbreaking necessity of lying about reality and the heartbreaking impossibility of lying about it.

― Kurt Vonnegut, Cat's Cradle

Fan
Lady with a
Posts: 5270
Joined: 05-09-2011 02:18 PM

Post by Fan » 06-02-2014 11:07 AM

The heartbreaking necessity of lying about reality and the heartbreaking impossibility of lying about it.

― Kurt Vonnegut, Cat's Cradle

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Re: TrueCrypt suggests migration to BitLocker?

Post by SquidInk » 09-28-2015 06:58 PM

For if it profit, none dare call it Treason.

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Re: TrueCrypt suggests migration to BitLocker?

Post by SquidInk » 09-30-2015 03:27 PM

http://www.itworld.com/article/2987438/ ... omise.html
The flaws, which were apparently missed in an earlier independent audit of the TrueCrypt source code, could allow attackers to obtain elevated privileges on a system if they have access to a limited user account.

The original authors of TrueCrypt, who have remained anonymous, abruptly shut down the project in May 2014 warning that "it may contain unfixed security issues" and advised users to switch to BitLocker, Microsoft's full-disk encryption feature that's available in certain versions of Windows.
For if it profit, none dare call it Treason.

Fan
Lady with a
Posts: 5270
Joined: 05-09-2011 02:18 PM

Re: TrueCrypt suggests migration to BitLocker?

Post by Fan » 09-30-2015 04:25 PM

I think for me it is evident that one should only use open source encryption.
The heartbreaking necessity of lying about reality and the heartbreaking impossibility of lying about it.

― Kurt Vonnegut, Cat's Cradle

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Re: TrueCrypt suggests migration to BitLocker?

Post by SquidInk » 03-29-2016 10:51 AM

https://mastermind.atavist.com/he-alway ... -dark-side
Hafner and his SecurStar colleagues suspected that Le Roux was part of the TrueCrypt collective but couldn’t prove it. Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt who led a security audit of the software in 2014. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”
Who's telling the truth about anything? Where are the trusted sources? Hard to tell these days.
For if it profit, none dare call it Treason.

Riddick
Pirate
Posts: 12253
Joined: 11-01-2002 03:00 AM
Location: SE WI

Re: TrueCrypt suggests migration to BitLocker?

Post by Riddick » 03-29-2016 11:21 PM

SquidInk wrote:
https://mastermind.atavist.com/he-alway ... -dark-side
Hafner and his SecurStar colleagues suspected that Le Roux was part of the TrueCrypt collective but couldn’t prove it. Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt who led a security audit of the software in 2014. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”
Who's telling the truth about anything? Where are the trusted sources? Hard to tell these days.
Ain't that the truth!

Hey, how are ya? Glad ta see ya Squid!

SquidInk
________________
Posts: 5862
Joined: 03-15-2007 03:48 PM

Re: TrueCrypt suggests migration to BitLocker?

Post by SquidInk » 03-30-2016 10:29 AM

Hiya Riddick! Doing ok...you?

Marveling at yet another election cycle where people actually believe they are "informed" because they have somehow divined "good" sources of information. These people will call folks like me "low information" voters because I have no desire to spend precious life-energy curating a finely detailed set of opinions on the hocus-pocus abracadabra "issues" of the moment. Of course they are dead wrong. As a matter of fact, unless the two main gangs go back into their respective caves and find some candidates who reflect my worldview, I probably won't be voting on the national mumbo jumbo (I happen to believe the lesser of two evils is still an evil, and I won't vote for evil...I'm kooky that way). So, according to the voter-mob, I forfeit my "right to complain".

As you well know, Riddick...it's a big club and we ain't in it.

For if it profit, none dare call it Treason.
