Skip to content

Instantly share code, notes, and snippets.

@kristapsk

kristapsk/gist:5d02c9810816d9827651

Forked from ValdikSS/gist:c13a82ca4a2d8b7e87ff
Created May 29, 2014 12:05
Show Gist options
  • Save kristapsk/5d02c9810816d9827651 to your computer and use it in GitHub Desktop.
Save kristapsk/5d02c9810816d9827651 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.md

The binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (seems like it doesn't, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too.

Assumption #1 The website is presumed hacked, the keys are presumed compromised. Please do not download or run it. And please don't switch to bitlocker.

Latest working version is 7.1a. Version 7.2 is a hoax

On the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.

Why I think so: strange key change, why bitlocker?

Assumption #2 Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing. So this version is legit

Why I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources), the binaries seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a). License text is changed too (see the diff below).

Why is it ridiculous for TrueCrypt developers to suggest moving to BitLocker? Well, TrueCrypt was strictly against of using TPM because it may contain extra key chains which allow agencies like NSA to extract your private key. So why would they suggest such a thing and not other open-source alternatives? It looks like a clear sign that the developer can't say he's in danger so he did this. As many suppose, this could be the sort of warrant canary

Assumption #2 is more likely true than assumption #1. Sad but true.

Assumption #3 7.1a is backdoored and the developer wants all users to stop using it.

Why I think so: there is a website http://truecryptcheck.wordpress.com which contains all the hash sums for TrueCrypt 7.1a. Is has only 1 blog record from August 15, 2013, only for TrueCrypt and only for 7.1a. It's a bit strange to make a website with the hash sums for only one program and only one version of it.

SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.

SourceForge claims everything is as usual (from https://news.ycombinator.com/item?id=7813121):

Providing some details from SourceForge:

  1. We have had no contact with the TrueCrypt project team (and thus no complaints).

  2. We see no indicator of account compromise; current usage is consistent with past usage.

  3. Our recent SourceForge forced password change was triggered by infrastructure improvements not a compromise. FMI see http://sourceforge.net/blog/forced-password-change/

Thank you,

The SourceForge Team communityteam@sourceforge.net

TrueCrypt developers are unknown and currently there is no way to know who is who and who should we listen to.

From wikileaks twitter https://twitter.com/wikileaks/status/471769936038461440:

(1/4) Truecrypt has released an update saying that it is insecure and development has been terminated http://truecrypt.sf.net

(2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement

(3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..

(4/4) in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.

From Matthew Green (one of TrueCrypt auditor) twitter https://twitter.com/matthew_d_green/status/471752508147519488:

@SteveBellovin @mattblaze @0xdaeda1a I think this is legit.

TrueCrypt Setup 7.1a.exe:

  • sha1: 7689d038c76bd1df695d295c026961e50e4a62ea
  • md5: 7a23ac83a0856c352025a6f7c9cc1526

TrueCrypt 7.1a Mac OS X.dmg:

  • sha1: 16e6d7675d63fba9bb75a9983397e3fb610459a1
  • md5: 89affdc42966ae5739f673ba5fb4b7c5

truecrypt-7.1a-linux-x86.tar.gz:

  • sha1: 0e77b220dbbc6f14101f3f913966f2c818b0f588
  • md5: 09355fb2e43cf51697a15421816899be

truecrypt-7.1a-linux-x64.tar.gz:

  • sha1: 086cf24fad36c2c99a6ac32774833c74091acc4d
  • md5: bb355096348383987447151eecd6dc0e

Diff between latest version and the hoax one: https://github.com/warewolf/truecrypt/compare/master...7.2

Screenshot: http://habrastorage.org/getpro/habr/post_images/da1/1bf/6a5/da11bf6a5225fa718987ba4e54038fc1.png

Topics: https://news.ycombinator.com/item?id=7812133

http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/

http://www.reddit.com/r/crypto/comments/26px1i/truecrypt_shutting_down_development_of_truecrypt/

http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Twitter stream: https://twitter.com/search?q=truecrypt&src=typd

You may join IRC #truecrypt@irc.freenode.net, although there is no OPs right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment