Talk:TrueCrypt

Dead link requiring removal

As listed in the references/notes for the article, reference #34 is a dead link (I clicked on it 19-Oct-2011) (http://peterkleissner.com/?p=11) and ought to be removed. As an aside, I've often thought wikipedia should have some kind of automated process that would prune dead links (or at least colour them some way?) since it takes a fair bit of work to vet a whack of articles manually.

^ "TrueCrypt Foundation is a joke to the security industry, pro Microsoft". Peter Kleissner post and expert comments about Stoned bootkit. Peter Kleissner. Retrieved 2009-08-05. — Preceding unsigned comment added by 174.113.114.198 (talk) 22:56, 19 October 2011 (UTC)

It is archived here: http://web.archive.org/web/20090803081510/http://peterkleissner.com/?p=11 Family Guy Guy (talk) 03:32, 27 February 2014 (UTC)

Is the "stoned bootkit" not a bit of a joke?

If you have full administrator privileges and get the user to type in their truecrypt password, then you will be able to decrypt the drive. Come on, that's ridiculous. Anonywiki (talk) 06:12, 31 October 2012 (UTC)

Claims of backdoors or extra code in TrueCrypt

The FAQ page of TrueCrypt claims that TrueCrypt is safe and contains no extra code, backdoors etc: TrueCrypt FAQ page.

Given that it's a primary source (the reason why my edit was removed), can anyone locate reliable sources which can prove TrueCrypt is either safe or not safe, with regards to backdoors etc.

Here's an interesting discussion about it. TurboForce (talk) 12:56, 25 May 2013 (UTC)

TechARP dug up a pdf,[1] basically a prosecutor's guide to data forensics. The pdf casually claims that backdoors are available for popular encryption software including TrueCrypt. (slide 30) However since this pdf was ironically found in the "darknets" it's difficult to judge its veracity. Make your own call. Ham Pastrami (talk) 03:09, 28 January 2014 (UTC)

Here's instructions on how to reproduce TrueCrypt's binaries from the source code: [2] Tarcieri (talk) 20:09, 28 May 2014 (UTC)

An article about its licence

If anyone's looking for sources of info, there's an article here by the German group iFrOSS, who are usually very knowledgeable about free software licences:

• http://www.ifross.org/artikel/foss-or-not-source-and-license-auditing-project-truecrypt-disk-encryption-software

They work with Harold Welte to enfoce the GPL in Germany. Gronky (talk) 22:04, 20 January 2014 (UTC)

Is TrueCrypt really Open Source, or just "source-available"?

I want to bring this up because it's not exactly a small thing, even though to those outside the tech community it may seem that way. And it affects how we describe the subject of this article in the very first line.

I realize it is common to refer to the software as "open source", but this is generally out of media ignorance. In the tech community (where the term originated and where it is still most often used), that term has a very specific meaning that implies multiple things, the first of which being free license.

There is debate over whether TrueCrypt (with its TrueCrypt License 3.0) meets those major freedoms that designate it to be open source and free software.

The recent change to the introduction seems to be quite hasty, and if I may say so, pretty sloppy. Before the change, the heading called TC "source available" and linked to the licensing section where it was explained that the "openness" of the software was in question by the tech/open source community.

Now not only has that entire section been all but completely deleted, the intro paragraph has been changed to say "open source", and from the looks of it, the citations included weren't even vetted by the user that made the change. For example, the first citation doesn't even mention the words "open source" (outside of the comments section where an anonymous commenter lists it as an attribute of the program. I sure hope the user who made this change doesn't think a comment on a webpage meets WP:RS.) What's even more ironic is the second cited source actually claims TC isn't open source. The sub-header of the article literally says "its claim to be open source doesn't hold water, either."

If I wasn't supposed to assume good faith I would think this was a joke.

Given that the other two sources cited mention nothing about the licensing issues that bring the open source status of TC into question, one can only assume they are used as citations for no other reason than because they simply call TC an "open source" program. Again, this is just media ignorance. (And again, the user who made this change should be aware of that because not only did he delete the relevant information that explained this issue in the Wikipedia article, one of the very sources he cited goes into great detail and actually concludes that TC is not really considered open source.)

I invite discussion on this, but given the fact that the only citation provided which actually talks about the open source status ultimately concludes the software is in fact not open source, I'm going to revert the change and put back the relevant info in the license section until we can decide how we want to address the debate in the article (because I would think we can all agree it is something that is worthy of mention in the article, and as I said, for some reason it was deleted.) --Wikisian (talk) 02:27, 21 May 2014 (UTC)

RE: TrueCrypt's "Discontinued Development"

Give the nature of the "archival site" (truecrypt.org redirects to truecrypt.sourceforge.net) I suspect that TrueCrypt's website may have been compromised and this is a clever attempt to hack into people's machine. I say we wait for official word other than the website before claiming it's discontinued. —f3ndot ^{(TALK) (EMAIL) (PGP)} 19:29, 28 May 2014 (UTC)

Hum, don't think it was hacked somehow. First, most of the page teaches how to migrate data. Second, the only available download is a "new" version, 7.2, that only allows you to decrypt data. Installing and running it on your computer won't open any kind of network connection. It doesn't create any new files, hidden files, nor modifies your registry. And don't think there'll be a official communication other than the official website, since the authors weren't known. Don't think there'll be a way to check if anyone claiming "I'm the TC author" will be provable. I'd take the official announcement as serious. Noonnee (talk) 19:49, 28 May 2014 (UTC)

Noonnee, there are many reasons to consider this suspect: (1) the URL redirects to truecrypt.sourceforge.net. (2) The SIGs provided in the new binaries do not validate. (3) The keys provided do not validate under Web of Trust. (4) The timing is bizzare since there's an initiative to audit truecrypt and this is counter to the developers' Modus Operandi. (5) No other official information anywhere else? No. This is highly suspicious. We should wait for additional sources. —f3ndot ^{(TALK) (EMAIL) (PGP)} 19:53, 28 May 2014 (UTC). Edited this to strike out point (2), I was mistaken. Sorry y'all! —f3ndot ^{(TALK) (EMAIL) (PGP)} 03:08, 29 May 2014 (UTC)

Noonnee: if that's true, you might want to post a malwr.com analysis of the file to verify your claims. Additionally, more evidence would be prudent before taking the claim as serious, imo. 173.13.21.69 (talk) 19:57, 28 May 2014 (UTC)

According to a test of TrueCrypt 7.2, the executable was marked as clean by VirusTotal. Given the popularity of obfuscation tools that allow malware authors to make their programs difficult to detect by AV products, it's unclear whether this program is really innocuous. — Preceding unsigned comment added by 97.80.118.90 (talk) 21:03, 28 May 2014 (UTC)

Here's a diff between 7.2 and the latest version. [3] — Preceding unsigned comment added by 31.210.250.116 (talk) 21:05, 28 May 2014 (UTC)

In addition to the preceding, code was made public on github unofficially [4], with sources of what appear to be both 7.1a and 7.2 —StereoSanctity (talk) 21:14, 28 May 2014 (UTC)

There is also another unofficial repository for old and new TrueCrypt source code and binaries: [5]. Zym (talk) 14:13, 29 May 2014 (UTC)

I find it highly suspicious that the TrueCrypt developer(s) would have chosen to redirect to SourceForge rather than merely modify the existing website. Also, the "announcement" does not acknowledge the fact that Bitlocker is only available on more premium versions of Windows Vista and later, and coupled with the mismatching file signature (which I have not personally verified), it seems probable that this is a hoax. Tang (talk) 21:07, 28 May 2014 (UTC)

Now that I think about it, something similar happened to another encryption software last year, FreeOTFE.

FWIW, I've verified that the 7.2.exe file hosted on SourceForge was signed by the same key that the old Truecrypt binaries were signed with. So while I also find this highly suspicious, if it is a hack, the hackers have the signing keys as well as access to the web site. [6]

Just want to throw this in here: https://news.ycombinator.com/item?id=7812133 --84.62.137.69 (talk) 21:28, 28 May 2014 (UTC)

Considering that the executable may be questionable and the growing amount of news stories on this event [7], would it make sense to put something in the main article about this incident and put up a current event template? gt24 (talk) 21:30, 28 May 2014 (UTC)

Given the recent and repeated edits with the same content it may be a good idea to protect the page until there is official word. This stinks of vandalism to me - rogue maintainer perhaps? More information is needed and the vandalism shouldn't be allowed to continue. 109.155.216.185 (talk) 22:55, 28 May 2014 (UTC)

Whatever it may be, I agree we should protect the page until more verification and sources crop up. With the current event template and an acknowledgement of the End-of-Life 7.2 is sufficient. —f3ndot ^{(TALK) (EMAIL) (PGP)} 23:04, 28 May 2014 (UTC)

Is User:Truecrypt-end part of this, uh, what's the word I'm looking for, ... scam? --bender235 (talk) 07:32, 29 May 2014 (UTC)

At this point there are no reliable sources, such as Bruce Schneier, Steve Gibson, Brian Krebs, especially the Electronic Frontier Foundation, The Guardian or any mainline newspapers known to be reliable on cybersecurity issues that have the resources and have done the necessary homework to tell us what is going on. Matt Green hasn't confirmed any of the details. I find the timing and method of this 'announcement' very suspicious, as others do. The hatnote is sufficient for now, together with the paragraph on end-of-life. Semi-protection doesn't seem warranted yet. — Becksguy (talk) 08:10, 29 May 2014 (UTC)

Okay, there's two possible explanations: (i) TrueCrypt's current website is a warrant canary, or (ii) their website has been defaced and replaced by sort of a scareware scam. As of now, I suspect the latter. --bender235 (talk) 09:46, 29 May 2014 (UTC)

I've added a link to an article by the Register which would further indicate that it is indeed the latter Bender. I'd imagine that further, more robust confirmation isn't too far behind it. Cyclonius (talk) 15:15, 29 May 2014 (UTC)

FreeOTFE

I've added a link in see-also to FreeOTFE, but it was undid with comment don't want to call out any specific alternative unless it is particularly significant, instead the comparison of alternatives is linked - but this software is significant because it's features are identical to TrueCrypt's it also has a quite similar GUI. And there is also no other non-closed-source on-the-fly volume encryption software for Windows. It's now abandoned but as I know there wasn't any security issues with it. Maybe it's fault of small user base but still it is significant name to mention along TrueCrypt. I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ? pwjb (talk) 11:55, 29 May 2014 (UTC)

"I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ?" You pretty much just admitted it's not in the previous sentence when you described it as 'dead'. It might be, in future, but that's a WP:CRYSTALBALL matter. Content in articles still need to meet some degree of notability. If no-one has even heard about it (ideally major media), it just shouldn't be there. -Rushyo ^Talk 15:48, 29 May 2014 (UTC)