Ddxfish at 16:12, 25 July 2015

2015-07-25T16:12:16Z

← Older revision		Revision as of 16:12, 25 July 2015
Line 1:		Line 1:
	Truecrypt, the popular disk encryption software has recently changed its website to a security warning that states Truecrypt is not secure anymore, and to switch to BitLocker for Windows, or No encryption for Mac. It does not even mention Linux.		Truecrypt, the popular disk encryption software has recently changed its website to a security warning that states Truecrypt is not secure anymore, and to switch to BitLocker for Windows, or No encryption for Mac. It does not even mention Linux.
			[[Category:Software]]
	'''This article was written May 29, 2014 at 12:30PM'''		'''This article was written May 29, 2014 at 12:30PM'''

Ddxfish at 20:32, 30 May 2014

2014-05-30T20:32:57Z

New page

Truecrypt, the popular disk encryption software has recently changed its website to a security warning that states Truecrypt is not secure anymore, and to switch to BitLocker for Windows, or No encryption for Mac. It does not even mention Linux.

'''This article was written May 29, 2014 at 12:30PM'''

'''This article was updated May 29, 2014 at 2:30PM, 5:36PM, 7:05PM, 8:43PM'''

'''This article was updated May 30, 2014 at 12:00AM, 2:00PM, 4:30PM''' - Final Answer now first section -- please read

[[File:Truecrypt-warning.png|right|thumb|TrueCrypt 7.2 Warning]]

Download TrueCrypt All Versions: [https://github.com/DrWhax/truecrypt-archive/ All TrueCrypt files, binaries, keys, source, all versions]

[https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff ValdikSS Analysis on Github Gist] | [http://habrahabr.ru/post/224491/ Russian Version]

==Final Answer - Solved?==
'''The Premise'''

As per recent posts from Matthew Green and Steven Barnhart, it appears as though we have an answer. The dev claims to have just gotten tired of maintaining the program Truecrypt. He claims that he does not want anyone using the source code for the bootloader and the GUI because "that's harmful because only they are really familiar w/code".

Is this really what happened though? I mean what about the panic stricken Bitlocker page and the mysterious method used to leave the software world? What about the refusal to let others build on the code that was nearly open-source? It still seems fishy, but we do have an answer from the dev at least...

Sources:

https://twitter.com/stevebarnhart/status/472200478345150464

@matthew_d_green 1 more "I were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever."

https://twitter.com/matthew_d_green

==The facts==
These are facts of what I have seen that may offer some insight into the cause of TrueCrypt's recent decision.

*'''Sourceforge Account'''
**Signed keys were updated 3 hours before posting version 7.2 by an apparently legitimate source [http://sourceforge.net/p/truecrypt/activity/?page=0&limit=100#5386267c34309d5eeee49ec5 Sourceforge, Truecrypt account history] [http://sourceforge.net/api/file/index/project-id/120388/mtime/desc/limit/200/rss rss version]
**Sourceforge changed its password policy 1 week before the incident [https://news.ycombinator.com/item?id=7812615 source]
**Sourceforge claims there is no suspicious activity on the admin account [https://news.ycombinator.com/item?id=7813121 source]

*'''The Webhost for Truecrypt.org'''
**Still has the same IP address of many years back [http://dnshistory.org/dns-records/truecrypt.org DNS History for Truecrypt]
**DNS was not modified
**The entire site redirects to the SourceForge project page
[[File:Truecrypt-site.png|right|thumb|TrueCrypt's Website on SF]]
*'''The Website code for Truecrypt.org'''
**Now redirects to the SourceForge page for Truecrypt using a 301 permanent redirect

*'''The Content on Truecrypt.org'''
**The main page has been replaced with instructions to switch to Bitlocker for Windows
**There is a mention of the end of Windows XP support, and an incorrect date for its end of life, 5/2014 instead of 4/2014
**The directions for Bitlocker are only possible for the few people who use Ultimate and Enterprise versions of Windows, less then 20% of users
**The directions for Bitlocker migration are simply wrong (you should unencrypt before you go to bitlocker, but they say the reverse)
**The directions for Mac encryption say to use "none"

*'''The Mail Addresses of Truecrypt.org'''
**Are all bouncing messages [https://news.ycombinator.com/item?id=7812604 confirmation]

*'''The new TrueCrypt version 7.2'''
**Has a lot of changes that appear to have been in development for a while, like an incomplete new version
**Removed the ability to create encrypted volumes and drives
**Added a bunch of messages saying the exact same thing on the website-- TrueCrypt is insecure

*'''The Truecrypt terms of use'''
**Removed the clause requiring a link to truecrypt.org or to say your code uses TrueCrypt
**Changes every "U.S." to "United States" (possibly irrelevant)

[[File:Webcite-truecrypt.png|thumb|right|Truecrypt.org Manually removed from Webcitation]]
*'''TrueCrypt on the Internet'''
**TrueCrypt is now being removed from all "wayback machine" like sites where you can view websites as they used to look [http://www.webcitation.org/query.php source]

*'''The Truecrypt dev team'''
**They are anonymous, nobody knows who made TrueCrypt
**Nobody can reach them now

*'''The audit and the audit team'''
**They have not heard from Truecrypt Devs yet, last word was they were looking forward to phase 2 of the audit
**Matthew Green is keeping people up to date on his blog [https://twitter.com/matthew_d_green blog]

==Speculation of what happened==
Again, this is only speculation, I have read a lot and spoken with a lot of people about the possibilities and I have come up with a few theories that could match the facts.

----

===#1 - Coercion===
'''The premise'''
[[File:Lavabit.jpg|right|thumb|Lavabit Letter to Public]]
The TrueCrypt dev team was told by a government agency to add a backdoor to TrueCrypt.

See: [http://en.wikipedia.org/wiki/Warrant_canary Wikipedia Warrant Canary]

See: [http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Wikipedia Rubber Hose Cryptanalysis]

'''My Reasoning'''

The whole situation with TrueCrypt is just a bit off, none of it makes sense from our viewpoint. It is possible that there was a subpoena was issued to reveal information that would compromise the security of TrueCrypt, whether this is knowledge of any possible security flaws, private keys, or the request to add a backdoor to TrueCrypt. This is exactly what happened to Lavabit email service a while back, and resulted in a similar outcome to what we see today in TrueCrypt. The combination of the factors below indicate to me that the developer was trying to say his software is no longer safe BUT he cannot say why due to a warrant canary.

*Strange wording on the TrueCrypt site (Windows XP end date incorrect among others)
*Recommendation of BitLocker - this is the complete opposite of TrueCrypt and is a horrible piece of advice
*Recommendation for Mac to use no encryption - Are they trying to tell us something?

----

===#2 - Unappreciated===
'''The Premise'''

The TrueCrypt audit project raised over $62,000 US dollars [http://blog.cryptographyengineering.com/2013/12/an-update-on-truecrypt.html source] to investigate whether the TC dev team was hiding things in the code that could bypass encryption, literally tearing their project up with a huge budget. Meanwhile, the TrueCrypt foundation gets so little donations, that it was too disheartening to continue because everyone was against them.

'''My Reasoning'''

*There were very few donations to TC Foundation. I do not know the exact number of course, but it is safe to say the audit raised way more money than Truecrypt itself
*As an anonymous developer, you get no credit for your contributions, and nobody to say thank you every day
*All of these changes appear suspicious but still likely made by the dev himself or the foundation

----

===#3 - Defacement or Hacked Account===
'''The Premise'''

Someone gained access to all of Truecrypts keys and logins for both the program, the webserver, and SourceForge

'''My Reasoning'''

This is the least likely scenario in my mind at this point. It would be too elaborate for vandalism. Still here are the supporting reasons:

*Idiotic recommendation to use Bitlocker instead of an open source solution
*No warning to being shut down

----

===#4 - Real Life===
'''The Premise'''

The dev got bored of supporting the project, or had issues in real life that took precedence over TrueCrypt.

'''My Reasoning'''

It happens to everyone

*claiming TrueCrypt is not safe is a good idea in this scenario, as it will no longer have official updates
*All of the suspicious changes appear to have been made by the developer

----

===#5 - Government Trying to Smoke out Developers===
'''The Premise'''

Someone gained access to all of Truecrypt's keys and logins for both the program, the webserver, and SourceForge, but could not find the developers.

'''My Reasoning'''

A government might have enough resources to break the developers' public-private key pairs and hack into the site.

*Making an absurd recommendation that everyone switch to Bitlocker might goad the real developers into responding.
*The government might have enough power to break the public-key encryption used to authenticate the developers.

----

===#6 - Major Flaw===
'''The Premise'''

The developer was working on new features for 7.2 based on the diff of the source. It is possible there was a major flaw that was found by the dev and nobody else yet. Instead of releasing the vulnerability and making it public which would allow everyone to open anyone's Truecrypt containers, the dev decided to close the project and convince people that the program is no longer secure by destroying its credibility.

'''My Reasoning'''

Yes, I know that there were no flaws found in the audit YET, but still here are my reasons:

*TrueCrypt cannot regain the trust of the world again after this nefarious activity, effectively killing it
*The methods used to "shed" users were very mysterious on purpose-- to make it very public that nobody is safe

----

===#7 - Irate Developer===
'''The Premise'''

We know nothing about the dev team for TrueCrypt so this is pure speculation but sometimes dev teams disagree, and it can turn into something like this. If one irate developer had access to the private keys for the program, access to the webserver, and access to the SourceForge account, this is a possibility.

'''My Reasoning'''

*This happens sometimes (yes a weak argument but statistically it should be on this list)

----

==External Links==
'''Related Posts'''
*[https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/ How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries]
*[https://news.ycombinator.com/item?id=7812133 ycombinator] - A long comment page with lots of useful information and links
*[http://truecrypt.sourceforge.net/ TrueCrypt page on Sourceforge] - The Truecrypt.org address redirects here
*[https://twitter.com/matthew_d_green Twitter - Matthew D Green] The lead of the audit team who was in contact with TC devs
*[http://www.sumotorrent.sx/en/details/13856457/truecrypt-archive-master.html SumoTorrent - TrueCrypt Master Archive] - All sources, binaries, and keys for every OS and all versions of TC in a torrent file
*[http://istruecryptauditedyet.com/ Istruecryptauditedyet.com] - The name says it all

'''News'''
*[http://www.zdnet.com/truecrypt-quits-inexplicable-7000029994/ ZDNet article on TrueCrypt's issue]
*[http://www.forbes.com/sites/runasandvik/2014/05/28/encryption-tool-endorsed-by-snowden-abruptly-shuts-down/ Forbes News] - Encryption Tool Endorsed By Snowden Abruptly Shuts Down

What happened to Truecrypt - May 2014 - Revision history

Ddxfish at 16:12, 25 July 2015

Ddxfish at 20:32, 30 May 2014