I am not using TrueCrypt version 7.2

This message "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" is very disturbing.

It can be a hidden message "do not use newer versions of TrueCrypt, programmers are forced to advertise Microsoft software with backdoor and to include backdoor to the version 7.2".

On the bottom of the website the message is different: "WARNING: Using TrueCrypt is not secure". It can be interpreted: "this version of TrueCrypt contains backdoor, do not use it".

Warning! The version 7.2 of TrueCrypt executables (or source code!) may contain backdoor or Trojan horse!

This red warning above the download links should be enough to convince you not to click on the links! (Archive.)

I am still using the old version.

Building TrueCrypt 7.1a on Ubuntu 12.04 TLS

The latest version (before 7.2) was 7.1a: Google Drive. 

$ sha512sum TrueCrypt\ 7.1a\ Source.tar.gz
b5e766023168015cb91bfd85c9e2621055dd98408215e02704775861b5070c5a0234a00c64c1bf7faa34e6d0b51ac71cd36169dd7a6f84d7a34ad0cfa304796a  TrueCrypt 7.1a Source.tar.gz
$ md5sum TrueCrypt\ 7.1a\ Source.tar.gz
102d9652681db11c813610882332ae48  TrueCrypt 7.1a Source.tar.gz

The PGP key of the TrueCrypt Foundation may be compromised. Therefore, you should not trust to their signatures - compare the sha512sum with the checksum of the my copy of TrueCrypt (downloaded from TrueCrypt.org several months ago) and other copies.

Ask your trusted friends about checksums of their copy of TrueCrypt (downloaded months before). And install only from the genuine source code version 7.1a.

It is not possible to be disproved that BitLocker contains a backdoor! Do not use closed source encryption software!

Comments

  1. counter_pointJune 9, 2014 at 2:54 PM

    Since, as one example, “Passware Kit Forensic” can decrypt passwords/volumes from literally anything which stores keys on computer (including even TrueCrypt) with Passware used by governments worldwide; and since the USA government recently said AUMF targets are attempting their own (and assumedly outside Passware powers) encryption software, wouldn’t anyone carrying on TrueCrypt “as-is” be required to say data isn’t safe from hackers with $995 of their own invested in decryption software, and wouldn’t anyone making TrueCrypt truly unbreakable be required to give officials decoding tools or face treatment as if aiding AUMF targets?

    ReplyDelete
  2. Art ZinnJune 9, 2014 at 2:55 PM

    As Wikipedia documents, several attempts were made to hack into truecrypt encrypted drives, without success. If there was a weakness as described in this article, they were not able to find it; these were in builds going back to v6. Given the nature of the criminal activity alleged, substantial resources were available to the authorities to crack into truecrypt. One true weakness is not being visible enough to provide an entity to concretely associate truecrypt.org with; whether its for funding or other support, by being too cryptic, the response to it was equally cryptic.

    ReplyDelete

Post a Comment

Popular posts from this blog

[fixed] "Evolution is currently offline due to a network outage."

Evolution is currently offline due to a network outage. Evolution will return to online mode once a network connection is established. If you have this error when updating your system (for example, from Ubuntu 14 to Ubuntu 16), the solution is to run Evolution with this command: evolution --force-online That is usually related to a combination of evolution, dbus, and NetworkManager. With all three installed the idea was that NM would say whether it had a working network or not over dbus. Tools like evolution would ask on dbus about the state of the network and switch to online or offline as networks were hotplugged. This breaks down when the network isn't managed by NM but NM is still running. Such as when /etc/network/interfaces is configured to use ifupdown instead. If NM is running then it won't have any networks under its control and it fails to recognize that the system does actually have a network running outside of its control. It will respond to evolution
Read more

Do not use (only) flash memory (SSD drives, hardware wallets, USB flash drives) for your precious private keys!

Image
Flash memory is not a reliable medium for archives. Especially when there is no regular power. I have personal experience with usb flash drive not powered for weeks - one file became corrupted . (Read more here: Archiving private keys - TLDR version. ) You should always back up on paper and other mediums. Flash memory is prone to failure if it is not powered for weeks or more and if there are ionizing radiation When you write your precious private keys you should use technologies like Parchive and ZFS . And make several copies of your files. It's OK if you use your USB flash drive for another backup, but don't rely on it! Always back up on DVDs (even small files!), paper and online (after encryption with CPU and RAM intensive key derivative function like scrypt). Here is example of using the scrypt utility: $ sudo apt-get install scrypt $ scrypt enc -M 1073741824 -t 200 secret.txt encrypted.scrypt Do not use default values of "-M" and "-t", they
Read more

Archiving private keys - TLDR version

0. Make multiple encrypted copies. On DVDs (they are better than CDs and Blu-Ray discs; DVD+R are better than DVD-R), paper, cloud services like DropBox, OneDrive, Google Drive, e-mail it to yourself and to your friends, use P2P storage services like MaidSafe, Storj and Sia , etc. 1. Use proper font when printing PGP encrypted keys on paper. 2. Flash memory (SSD, USB flash drives, hardware wallets) is less reliable when not powered regularly (i.e. every week). 3. Use error correction methods like Parchive and ZFS. 4. Print on paper or store on digital media only encrypted data. 5. Your encryption software should use CPU/RAM-intensive KDF (i.e. scrypt with secure options - do not use defaults! ). First, encrypt with scrypt and then encrypt it again with PGP (using different password!) in ASCII armor mode before print it (other methods like QR codes may not be reliable as multiple copies of the PGP ASCII armor). Do not use the same password for the PGP because it's easy to brute
Read more
[ad removed]