TrueCrypt is saying it's insecure, recommends using BitLocker

Everyone knows encryption is important, and TrueCrypt has long been a great free tool to help keep your important files from prying eyes. The Open Source tool has been available for over a decade, allowing users the ability to encrypt files, whole disks, and even create "hidden volumes." Today a major announcement from the TrueCrypt team has rocked the security world.

According to the SourceForge page for TrueCrypt, the tool is now considered insecure as it "may contain unfixed security issues." The page then goes on to explain that users should use BitLocker to encrypt their volumes and gives step-by-step instructions on how to do that. Based on the notice on the page, development ceased after support for Windows XP expired. They also state that users should decrypt their data and migrate to another encryption platform. From the website:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

There's a lot of uncertainty about this, especially considering that TrueCrypt has recently been going through a security audit to see if there are any currently unknown backdoors. The first phase of the audit was completed last month, with Bruce Schneier saying, "Quick summary: I'm still using it." This has led many to believe that the TrueCrypt.org domain was simply hijacked and the binary on the site replaced with a Trojan. Neowin users are discussing this in the forums, and neufuse has noted some unusual network traffic from the 7.2 release of TrueCrypt, something he hasn't seen in the past.

For now, we recommend that you do not download the latest version of TrueCrypt from the website until the status of the tool is known definitively, since it is possible the new build is malicious and will send your data to an unknown location.

Source: TrueCrypt.org | Special thanks to D. FiB3R | Image Courtesy of WorldTech360


57 Comments

I think it's sort of odd how some refuse to use Bitlocker. I understand the concern because it is closed source, but how many of you decided to use TrueCrypt before it was audited?

Ian William said,
I think it's sort of odd how some refuse to use Bitlocker. I understand the concern because it is closed source, but how many of you decided to use TrueCrypt before it was audited?

A lot of it is based on principle. I haven't examined all of the source code in the Linux kernel or in the Ubuntu operating system, but the fact that it is freely available gives me all kinds of warm and fuzzies inside, lol. Any corporation that would expect you to pay for something, use it, and trust your personal information with it, without telling you how it actually works or what it's actually doing, is not somebody I'm willing to trust.

Gerowen said,

A lot of it is based on principle. I haven't examined all of the source code in the Linux kernel or in the Ubuntu operating system, but the fact that it is freely available gives me all kinds of warm and fuzzies inside, lol. Any corporation that would expect you to pay for something, use it, and trust your personal information with it, without telling you how it actually works or what it's actually doing, is not somebody I'm willing to trust.

Your comment deserves a longer, more in depth response. But . . . I will just say that your viewpoint is completely understandable, and that for me, trust is also earned if the behavior of a person (or software) is consistent with the stated intent.

Assuming the site wasn't hacked, then why would the audit not find anything yet, but supposedly the authors of TrueCrypt know that it's insecure... that would mean they know/knew there is a backdoor that they put in it. Otherwise they would just fix it. Common sense tells you that.

I would imagine that would open them up to lawsuits.

One (probably crazy) theory is that it's an encoded message.

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" is worded weirdly.

"...Not Secure As..." = NSA.

I'd view the weakness of using BitLocker to be dependent on how sensible the user was about keeping their generated recovery key. I'd advise against storing the recovery key within your Microsoft account; it may be convenient, but it's a security risk.

Dane said,
Wait, but doesn't Microsoft allow police to access the stuff even with bitlocker?

MSFT responded to this long ago:
http://mashable.com/2013/09/11...crosoft-bitlocker-backdoor/

"The suggestion is that we are working with governments to create a backdoor so that they can always access BitLocker-encrypted data," wrote Niels Ferguson, Microsoft's cryptographer and principal software development engineer. "Over my dead body."

0--JLowzrif said,
Over his dead body uh?

Nowhere is BitLocker mentioned in there; it's always about the on-line services where they're being forced to give data. Frankly, even if there were (and it wouldn't surprise me with the NSA strong-arming everybody), personally I'll worry about it when I'm doing illegal stuff that warrants the police kicking my doors in. It's not like they can access what's on my drive remotely, you know... I'd rather "risk" the backdoor versus dodgy software that's probably been compromised with who knows what. That said, if you're of the tin-foil type, there's plenty of alternatives too, a good number available for all operating systems; you don't have to use it.

That's different.

Hosting Data on their servers makes them liable, they have legal requirements to meet.

MS has NO such requirement to implement something on your.. No gov't can sue MS for what you do on your comp, nor must they give backdoors. Gov't can lock you away forever till you give them the key to get in though lol

It seems more like an implication that their program is insecure only because Windows XP is no longer supported and considered to be insecure.

timster said,
It seems more like an implication that their program is insecure only because Windows XP is no longer supported and considered to be insecure.

That's the biggest question mark -- WinXP support has *nothing* to do with TrueCrypt, so why'd they bring it up...?

Fezmid said,

That's the biggest question mark -- WinXP support has *nothing* to do with TrueCrypt, so why'd they bring it up...?

Their wording could use some help. This is what they mean if you read it carefully:

Because Windows XP is no longer supported, you should stop using it if you care about your security. If you're a Windows user, this means you either go to Vista, 7 or 8, all of which have built-in crypto. If you're a non-Windows user, there are equally good solutions on your platform. Therefore we see no reason to keep this going given XP users (presumably a large portion of their users) can no longer trust the OS they run.

Actually it kind of does.

In order to compile the bootstrap from source you need an old version of Visual Studio, and some pretty old compile libraries that I doubt will run on Vista and up. With XP now being flagged as open season, any new source compiled on XP machines would potentially be compromised.

Don't know why they couldn't just update the bootstrap code, but hey.

Yer, good thing I ordered and received a TPM module from the US a week or so ago... Although I'll probably never use it anyway, lol. It was cheap so I bought it. But I know it works.

Hello,

The verbiage is certainly suspect (e.g., tying the cessation of development to Windows XP reaching EOL status) so without any better information I am leaning towards the "National Security Letter" explanation.

Regards,

Aryeh Goretsky

goretsky said,
Hello,

The verbiage is certainly suspect (e.g., tying the cessation of development to Windows XP reaching EOL status) so without any better information I am leaning towards the "National Security Letter" explanation.

Regards,

Aryeh Goretsky

While there are plenty of possibilities, I have to agree the NSL/otherwise legally gagged explanation seems to fit, given the limited information, timing and nature of the messaging. But I noticed another explanation here: http://krebsonsecurity.com/201...ng-truecrypt-is-not-secure/ that made some sense - I'd call it the fkitol theory.

-
"Bill Cole May 29, 2014 at 1:21 am
....
Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.) You have to eat, so you have a real paying job. You're not so young any more (doing the TC crap for a decade) and maybe the real job now includes responsibilities that crowd out side work. Or maybe you've got a family you love more than the whiny paranoids you encounter via TC. And now iSec is telling you your code is sloppy and unreadable, and that you should take on a buttload of mind-numbing work to pretty it up so they will have an easier time figuring out where some scotch-fueled coding session in 2005 ( or maybe something you inherited from a past developer) resulted in a gaping exploitable hole that everyone will end up calling a NSA backdoor.

Maybe you just toss it in. Why not? Anyone with a maintained OS has an integrated alternative and as imperfect as they may be, they are better than TC for most users. Maintaining TC isn't really doing much good for many people and the audit just pushed a giant steaming pile of the least interesting sort of maintenance into top priority. Seems like a fine time to drop it and be your kids' soccer coach."
-
*shrugs* Just so odd, even more so that we may never know.
I'll continue to use 7.1a where I already use it till the dust settles.

Edited by knighthawk, May 29 2014, 7:11am :

I'm not buying that though. Plenty of open source projects die -- just say that on the page if that's what you're doing. There's no need to pull the old version as it still works. The code analysis hadn't shown any issues yet. The whole thing just doesn't make sense.

This article is not very clear. Says that TrueCrypt ceased development when MS stopped support for XP. What in the world does that have to do with anything? Then it goes on to say that tc is undergoing a security audit (even though the project is supposedly abandoned).

babyHacker said,
This article is not very clear. Says that TrueCrypt ceased development when MS stopped support for XP. What in the world does that have to do with anything? Then it goes on to say that tc is undergoing a security audit (even though the project is supposedly abandoned).

The article is very clear. I wrote, "Based on the notice on the page, development ceased after support for Windows XP expired." I didn't say development stopped, only that the PAGE says it did. And the code IS going through an independent security audit, read the link I put in the article: https://www.schneier.com/blog/...014/04/auditing_truecr.html

If development did cease, this may be the same thing as XP support ending; if they won't be updating it in the future then it's susceptible to exploits and vulnerabilities, etc.
The article made sense to me.

este said,
If development did cease, this may be the same thing as XP support ending; if they won't be updating it in the future then it's susceptible to exploits and vulnerabilities, etc.
The article made sense to me.
Windows XP is just one operating system they support. They'd kill the entire product because one operating system... isn't getting updates anymore? What does that have to do with the Linux, OS X, and other versions?

This is so bizarre! Such a short explanation for a tool that's around for so long - that "it's insecure. use bitlocker"?!

There are 4 theories of what happened:

1) The website was hacked. However, the binaries were also changed and the new binaries were signed with the same private key as before. For a hacker to obtain their private keys is much more difficult. And if so, the hacker would profit more from selling the private key to the government than from publicizing that they stole the private key too.

2) They were ordered by the government to add a backdoor and were given a gag order so that they couldn't talk about the backdoor. Being the righteous folks that they were, publicizing a supposed insecurity is their way of protecting the public from falling into the trap without actually saying that it contained a backdoor. However, the legal ramifications of handling it this way are disputable.

3) The company was bought by someone (maybe a competitor or the government) whose intention was to drive them to the ground. The government hates encryption it can't break.

4) The security audit being performed on the software actually found something and they chose to handle it this way.

em_te said,
There are 4 theories of what happened:

1) The website was hacked. However, the binaries were also changed and the new binaries were signed with the same private key as before. For a hacker to obtain their private keys is much more difficult. And if so, the hacker would profit more from selling the private key to the government than from publicizing that they stole the private key too.

2) They were ordered by the government to add a backdoor and were given a gag order so that they couldn't talk about the backdoor. Being the righteous folks that they were, publicizing a supposed insecurity is their way of protecting the public from falling into the trap without actually saying that it contained a backdoor. However, the legal ramifications of handling it this way are disputable.

3) The company was bought by someone (maybe a competitor or the government) whose intention was to drive them to the ground. The government hates encryption it can't break.

4) The security audit being performed on the software actually found something and they chose to handle it this way.

Good thing I use BitLocker.

Gerowen said,
The guy doing the audit said they didn't find anything. If I had to guess, the feds have something to do with all this.

But the audit isn't over; they are going to review the crypto section of the program next, so we will have to wait until after summer to get iSEC's findings.

It turns out that the developers were done supporting TrueCrypt, probably because their previous release had been stable for such a long time and the audit was potentially going to cause a lot of additional development on TrueCrypt.

You can see the communications between the auditor and the TrueCrypt developers here in the green section: https://www.grc.com/misc/truecrypt/truecrypt.htm

Askew_ said,

But the audit isn't over; they are going to review the crypto section of the program next, so we will have to wait until after summer to get iSEC's findings.

I know, I was simply pointing out that thus far, there wasn't any blaring, catastrophic vulnerability that would warrant abandoning the project, which made them doing so kind of suspicious.

People are suggesting that this may be a DMS (Dead Man's Switch) that is activated as a subtle prompt that TC has been compromised, and not to trust any other version that may be released after the DMS is activated.

7.1a was the last release before this message for anyone who wants to know.

devn00b said,
If it was hacked, it was a damn good hack; it has the developer keys.
And has also managed to keep the actual devs quiet for most of the day now...