Talk:TrueCrypt

Dead link requiring removal

As listed in the references/notes for the article, reference #34 is a dead link (I clicked on it 19-Oct-2011) (http://peterkleissner.com/?p=11) and ought to be removed. As an aside, I've often thought wikipedia should have some kind of automated process that would prune dead links (or at least colour them some way?) since it takes a fair bit of work to vet a whack of articles manually.

^ "TrueCrypt Foundation is a joke to the security industry, pro Microsoft". Peter Kleissner post and expert comments about Stoned bootkit. Peter Kleissner. Retrieved 2009-08-05. — Preceding unsigned comment added by 174.113.114.198 (talk) 22:56, 19 October 2011 (UTC)

It is archived here: http://web.archive.org/web/20090803081510/http://peterkleissner.com/?p=11 Family Guy Guy (talk) 03:32, 27 February 2014 (UTC)

Claims of backdoors or extra code in TrueCrypt

The FAQ page of TrueCrypt claims that TrueCrypt is safe and contains no extra code, backdoors etc: TrueCrypt FAQ page.

Given that it's a primary source (the reason why my edit was removed), can anyone locate reliable sources which can prove TrueCrypt is either safe or not safe, with regards to backdoors etc.

Here's an interesting discussion about it. TurboForce (talk) 12:56, 25 May 2013 (UTC)

TechARP dug up a pdf,[1] basically a prosecutor's guide to data forensics. The pdf casually claims that backdoors are available for popular encryption software including TrueCrypt. (slide 30) However since this pdf was ironically found in the "darknets" it's difficult to judge its veracity. Make your own call. Ham Pastrami (talk) 03:09, 28 January 2014 (UTC)

Here's instructions on how to reproduce TrueCrypt's binaries from the source code: [2] Tarcieri (talk) 20:09, 28 May 2014 (UTC)

Is TrueCrypt really Open Source, or just "source-available"?

I want to bring this up because it's not exactly a small thing, even though to those outside the tech community it may seem that way. And it affects how we describe the subject of this article in the very first line.

I realize it is common to refer to the software as "open source", but this is generally out of media ignorance. In the tech community (where the term originated and where it is still most often used), that term has a very specific meaning that implies multiple things, the first of which being free license.

There is debate over whether TrueCrypt (with its TrueCrypt License 3.0) meets those major freedoms that designate it to be open source and free software.

The recent change to the introduction seems to be quite hasty, and if I may say so, pretty sloppy. Before the change, the heading called TC "source available" and linked to the licensing section where it was explained that the "openness" of the software was in question by the tech/open source community.

Now not only has that entire section been all but completely deleted, the intro paragraph has been changed to say "open source", and from the looks of it, the citations included weren't even vetted by the user that made the change. For example, the first citation doesn't even mention the words "open source" (outside of the comments section where an anonymous commenter lists it as an attribute of the program. I sure hope the user who made this change doesn't think a comment on a webpage meets WP:RS.) What's even more ironic is the second cited source actually claims TC isn't open source. The sub-header of the article literally says "its claim to be open source doesn't hold water, either."

If I wasn't supposed to assume good faith I would think this was a joke.

Given that the other two sources cited mention nothing about the licensing issues that bring the open source status of TC into question, one can only assume they are used as citations for no other reason than because they simply call TC an "open source" program. Again, this is just media ignorance. (And again, the user who made this change should be aware of that because not only did he delete the relevant information that explained this issue in the Wikipedia article, one of the very sources he cited goes into great detail and actually concludes that TC is not really considered open source.)

I invite discussion on this, but given the fact that the only citation provided which actually talks about the open source status ultimately concludes the software is in fact not open source, I'm going to revert the change and put back the relevant info in the license section until we can decide how we want to address the debate in the article (because I would think we can all agree it is something that is worthy of mention in the article, and as I said, for some reason it was deleted.) --Wikisian (talk) 02:27, 21 May 2014 (UTC)

RE: TrueCrypt's "Discontinued Development"

Give the nature of the "archival site" (truecrypt.org redirects to truecrypt.sourceforge.net) I suspect that TrueCrypt's website may have been compromised and this is a clever attempt to hack into people's machine. I say we wait for official word other than the website before claiming it's discontinued. —f3ndot ^{(TALK) (EMAIL) (PGP)} 19:29, 28 May 2014 (UTC)

Hum, don't think it was hacked somehow. First, most of the page teaches how to migrate data. Second, the only available download is a "new" version, 7.2, that only allows you to decrypt data. Installing and running it on your computer won't open any kind of network connection. It doesn't create any new files, hidden files, nor modifies your registry. And don't think there'll be a official communication other than the official website, since the authors weren't known. Don't think there'll be a way to check if anyone claiming "I'm the TC author" will be provable. I'd take the official announcement as serious. Noonnee (talk) 19:49, 28 May 2014 (UTC)

Noonnee, there are many reasons to consider this suspect: (1) the URL redirects to truecrypt.sourceforge.net. (2) The SIGs provided in the new binaries do not validate. (3) The keys provided do not validate under Web of Trust. (4) The timing is bizzare since there's an initiative to audit truecrypt and this is counter to the developers' Modus Operandi. (5) No other official information anywhere else? No. This is highly suspicious. We should wait for additional sources. —f3ndot ^{(TALK) (EMAIL) (PGP)} 19:53, 28 May 2014 (UTC). Edited this to strike out point (2), I was mistaken. Sorry y'all! —f3ndot ^{(TALK) (EMAIL) (PGP)} 03:08, 29 May 2014 (UTC)

Noonnee: if that's true, you might want to post a malwr.com analysis of the file to verify your claims. Additionally, more evidence would be prudent before taking the claim as serious, imo. 173.13.21.69 (talk) 19:57, 28 May 2014 (UTC)

According to a test of TrueCrypt 7.2, the executable was marked as clean by VirusTotal. Given the popularity of obfuscation tools that allow malware authors to make their programs difficult to detect by AV products, it's unclear whether this program is really innocuous. — Preceding unsigned comment added by 97.80.118.90 (talk) 21:03, 28 May 2014 (UTC)

Here's a diff between 7.2 and the latest version. [3] — Preceding unsigned comment added by 31.210.250.116 (talk) 21:05, 28 May 2014 (UTC)

In addition to the preceding, code was made public on github unofficially [4], with sources of what appear to be both 7.1a and 7.2 —StereoSanctity (talk) 21:14, 28 May 2014 (UTC)

There is also another unofficial repository for old and new TrueCrypt source code and binaries: [5]. Zym (talk) 14:13, 29 May 2014 (UTC)

I find it highly suspicious that the TrueCrypt developer(s) would have chosen to redirect to SourceForge rather than merely modify the existing website. Also, the "announcement" does not acknowledge the fact that Bitlocker is only available on more premium versions of Windows Vista and later, and coupled with the mismatching file signature (which I have not personally verified), it seems probable that this is a hoax. Tang (talk) 21:07, 28 May 2014 (UTC)

Now that I think about it, something similar happened to another encryption software last year, FreeOTFE.

FWIW, I've verified that the 7.2.exe file hosted on SourceForge was signed by the same key that the old Truecrypt binaries were signed with. So while I also find this highly suspicious, if it is a hack, the hackers have the signing keys as well as access to the web site. [6]

Just want to throw this in here: https://news.ycombinator.com/item?id=7812133 --84.62.137.69 (talk) 21:28, 28 May 2014 (UTC)

Considering that the executable may be questionable and the growing amount of news stories on this event [7], would it make sense to put something in the main article about this incident and put up a current event template? gt24 (talk) 21:30, 28 May 2014 (UTC)

Given the recent and repeated edits with the same content it may be a good idea to protect the page until there is official word. This stinks of vandalism to me - rogue maintainer perhaps? More information is needed and the vandalism shouldn't be allowed to continue. 109.155.216.185 (talk) 22:55, 28 May 2014 (UTC)

Whatever it may be, I agree we should protect the page until more verification and sources crop up. With the current event template and an acknowledgement of the End-of-Life 7.2 is sufficient. —f3ndot ^{(TALK) (EMAIL) (PGP)} 23:04, 28 May 2014 (UTC)

Is User:Truecrypt-end part of this, uh, what's the word I'm looking for, ... scam? --bender235 (talk) 07:32, 29 May 2014 (UTC)

At this point there are no reliable sources, such as Bruce Schneier, Steve Gibson, Brian Krebs, especially the Electronic Frontier Foundation, The Guardian or any mainline newspapers known to be reliable on cybersecurity issues that have the resources and have done the necessary homework to tell us what is going on. Matt Green hasn't confirmed any of the details. I find the timing and method of this 'announcement' very suspicious, as others do. The hatnote is sufficient for now, together with the paragraph on end-of-life. Semi-protection doesn't seem warranted yet. — Becksguy (talk) 08:10, 29 May 2014 (UTC)

Okay, there's two possible explanations: (i) TrueCrypt's current website is a warrant canary, or (ii) their website has been defaced and replaced by sort of a scareware scam. As of now, I suspect the latter. --bender235 (talk) 09:46, 29 May 2014 (UTC)

I've added a link to an article by the Register which would further indicate that it is indeed the latter Bender. I'd imagine that further, more robust confirmation isn't too far behind it. Cyclonius (talk) 15:15, 29 May 2014 (UTC)

An anonymous Slashdot user explicitly says that the odd behavior is a known and agreed-upon warrant canary. 21:37, 30 May 2014 (UTC)

Schneier has posted his thoughts on the incident, [8] as did Krebs. [9] Neither of them seem too sure what's going on. --Ixfd64 (talk) 17:00, 29 May 2014 (UTC)

After a day of wild speculation, it seems like the most plausible scenario is also the most boring: the TrueCrypt developers (probably no more than 2-3 people) decided to call it quits, and to no longer maintain the software. Being responsible developers, they announce their decission so that people know the software they rely on is no longer subject to updates and bug fixes. --bender235 (talk) 19:39, 29 May 2014 (UTC)

Old Versions including the last working Version 7.0a is now hosted here: http://truecrypt.ch, 77.56.6.4 (talk) 22:21, 29 May 2014 (UTC)

Not saying anything specific, but to quote 'morningstar'
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
-> "WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues"
--> "WARNING: Using TrueCrypt is NSA it may contain unfixed security issues"
combined with the source code change (https://www.alchemistowl.org/arrigo/truecrypt-7.1a-7.2.diff.gz)
"-#endif // English (U.S.) resources
+#endif // English (United States) resources"
I think I consider this settled. — Preceding unsigned comment added by 89.1.40.25 (talk • contribs) 14:54, 30 May 2014 (UTC)

WP:OR. --Guy Macon (talk) 15:53, 30 May 2014 (UTC)

Steve Gibson offers a good closing overview. --Wikisian (talk) 15:37, 30 May 2014 (UTC)

FreeOTFE

I've added a link in see-also to FreeOTFE, but it was undid with comment don't want to call out any specific alternative unless it is particularly significant, instead the comparison of alternatives is linked - but this software is significant because it's features are identical to TrueCrypt's it also has a quite similar GUI. And there is also no other non-closed-source on-the-fly volume encryption software for Windows. It's now abandoned but as I know there wasn't any security issues with it. Maybe it's fault of small user base but still it is significant name to mention along TrueCrypt. I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ? pwjb (talk) 11:55, 29 May 2014 (UTC)

"I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ?" You pretty much just admitted it's not in the previous sentence when you described it as 'dead'. It might be, in future, but that's a WP:CRYSTALBALL matter. Content in articles still need to meet some degree of notability. If no-one has even heard about it (ideally major media), it just shouldn't be there.

Quote: "Articles that present original research in the form of extrapolation, speculation, and "future history" are inappropriate. Although scientific and cultural norms continually evolve, we must wait for this evolution to happen, rather than try to predict it." -Rushyo ^Talk 15:48, 29 May 2014 (UTC)

Link to the license

The best I can find is [10]. http://www.truecrypt.org/docs/license is down, and I cannot find it in archive.org or google cache. --_{Piotr Konieczny aka Prokonsul Piotrus| reply here} 05:38, 1 June 2014 (UTC)

This is good. That will be useful as a citation source for all the now-broken links for TrueCrypt Documentation. Too bad it's not anchored or otherwise offering an ability to link to specific sections, but it's better than people having to open a PDF. Perhaps someone can find a reproduction of the Documentation with links to specific sections? I figured one would eventually pop up somewhere, as on truecrypt.ch they're even asking for a copy of the whole original website. If anyone wants to go through and change all those Documentation citations, of course they're welcome, but my thinking was it would be best to just wait for a source with specific section links, and that way it would just be a matter of search/replace of the URL, as opposed to a possibly more involved change to update the citations. --Wikisian (talk) 22:39, 1 June 2014 (UTC)

All truecrypt licences can be found here: https://github.com/DrWhax/truecrypt-archive/tree/master/doc — Preceding unsigned comment added by 146.200.36.253 (talk) 07:55, 3 June 2014 (UTC)

end of life in lede

t this point there don't appear to be any real concerns that the end of life is a hoax or hack. I think we should put in the lede that the software is no longer being updated, and the former maintainers have recommended against its use. I will be WP:BOLDly doing this now. Gaijin42 (talk) 21:52, 2 June 2014 (UTC)

Cow can we change the "stable release" in the info box? I was unable to find that point. --Faux (talk) 06:28, 3 June 2014 (UTC)

Stable release

Someone changed latest stable version from 7.2 to 7.1 (here) with note that 7.2 is 'created by hackers'. I changed this to version 7.1a, what is last version before 7.2. But I am not sure if all this is correct. Technically 7.2 is latest version. I don't think that 7.2 was created by hackers but I don't trust this version. So what to do with this? Should we keep there both versions (7.1a and 7.2) with note that 7.2 is capable only of decryption and has questionable source?