What's happening with Truecrypt?
June 10, 2014 9:59 AM

Recently I noticed a lot of controversy about whether Truecrypt is secure or not. It looks like their webpage is raising concerns about it, even to the point of suggesting that people migrate their data away from it. Arstechnica and others are following the story. What's going on? Might this be a hoax? Are truecrypt encrypted flashdrives not safe? If not, what level of security do they provide, if any? What would be a good alternative if we are to migrate away as quickly as possible?
posted by jasper411 to Computers & Internet (8 answers total)
There's been a pretty long discussion of it over on The Blue. There's a huge range of theories from "It's been compromised but the dev team doesn't want to just say so" to "NSA pwned them" to "the team just got bored with it." The short version is that there is no short version; the less-bad theories are entirely realistic and maybe you can use it just fine, but - to my eyes - there's really no consensus here, at least to the point that I'd go along with it. "Nobody really knows" is a terrifically unsatisfying way to think about widely-used cryptographic software but here we are, nobody really knowing.
posted by Tomorrowful at 10:09 AM on June 10, 2014


Phase II of the audit hasn't finished, and Bruce Schneier is as surprised/baffled/dismayed as everyone else, so I'm inclined to think there's just a very small handful of people who actually know what's going on, and none of them are talking.
posted by johnofjack at 10:10 AM on June 10, 2014


Tomorrowful probably meant to link here.
posted by jangie at 10:22 AM on June 10, 2014


TLDR discussed this a few weeks ago.
posted by julthumbscrew at 10:36 AM on June 10, 2014
As everyone says, no one's sure of anything. Even if we suppose that it hasn't been compromised, I'd still suggest migrating from it because we don't know what will come of the proposed forks, and it's not a happy position to depend on unsupported software for something important. (I think the current situation is more easily explained by the devs flaking out than by skulduggery involving a known-to-some compromise of its crypto, but see first sentence.)
posted by Zed at 11:50 AM on June 10, 2014


What's going on?

I'm a little more inclined to believe the developers were spooked by something, which perfectly easily could have been an NSL, but there's really no proof and they seem disinclined to provide any, which may or may not be by choice (see NSL).

Might this be a hoax?

Well, in the initial hours, that probably seemed plausible, but as time has passed there has been no obvious effort to reclaim control by the dev team. Since a non-hoax is very well plausible under the circumstances I see no basis to pursue this line of reasoning. The effect is the same.

Are truecrypt encrypted flashdrives not safe?

The audit thus far suggests they probably are generally safe in that no obvious code failures or compromises have been found. But the audit continues. I'm inclined to trust the audit team on this one.

If not, what level of security do they provide, if any?

Well, this is the real nut. Are you trying to protect your data from identity thieves, unscrupulous acquaintances and associates, or some sort of national security apparatus? It's all a matter, as with all security, of effort versus return.

What would be a good alternative if we are to migrate away as quickly as possible?

This is the other real nut. There isn't any broadly good and/or convenient one. With the absence of TC another may arise (and there is clearly a demand for a solution), so keep your nose in the wind. Bitlocker on Windows is probably as decent security as easily obtainable anywhere, but if your defenses are necessary against the FBI or NSA, few trust Microsoft that far.
posted by dhartung at 1:51 PM on June 10, 2014


bue_beetle: "GRC has all the information you need."

Even if the head of the NSA walked up to me personally and said "Nope, trust me, we haven't infiltrated TrueCrypt and we don't even have any backdoors into it - it's A1, 100% secure, and we're not spying on users (nudge nudge, wink wink)", I'd still believe them over Steve Gibson.

He has a well-deserved reputation as someone who will say and do absolutely anything to support his personal opinions…
posted by Pinback at 7:43 PM on June 10, 2014

