Topic Summary

Posted by: devnullius
« on: 05. July 2014., 22:26:37 »

Original news: http://cointelegraph.com/news/111614/encryption_site_truecrypt_shuts_down_amid_speculation_and_conspiracy_theories

New updates: why it must have been NSA that shut TrueCrypt down: http://cointelegraph.com/news/111858/cointelegraph_reader_spotted_truecrypt_s_possible_warrant_canary_in_early_june (full article has supporting graphics)

Quote
A tip of the hat is due to CoinTelegraph reader proliberate, who spotted a possible warrant canary on TrueCrypt’s late-May shutdown notice when we first reported on it.



First, some background is necessary.

TrueCrypt, a popular open-source encryption tool, abruptly announced on its Sourceforge page on May 29 that it was no longer safe to use. The page then directed users to migrate their data to BitLocker or another program.

Red flags went off among users. Comparisons to the abrupt shutdown of encrypted email provider Lavabit were made.

Those comparisons are particularly interesting because we have since discovered that founder Ladar Levison was put in a position by the US government to either install spy equipment on his company’s network or shut down. Levison chose the latter.

The US government can issue secret subpoenas under 18 U.S.C. § 2709(c) of the USA Patriot Act for user data and other information. The subpoenaed service provider is legally bound from divulging receipt of such an order.

Thus, warrant canaries were created as a workaround. Typically, a warrant canary is an image or piece of information that alerts users to such secret subpoenas only when that image or information disappears from, say, a company web page.

Did TrueCrypt post a warrant canary?

Theoretically, a new message written in code could also serve as a warrant canary. That’s what proliberate was pointing out back in early June.

Here is the text of TrueCrypt’s notice:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

At first glance, most readers would be forgiven for glossing over the awkward sentence construction, as that’s how legalese tends to read to most of us.

The first clue that some other message is encoded is the “not secure as.” For everyone who remembers the FANBOYS mnemonic from middle school, there should at least be a comma before that “as.”

Instead, we’re left with three awkward words that proliberate suggests could mean NSA, the US government’s National Security Agency, which Edward Snowden blew the whistle on more than a year ago for overreaching in its surveillance of, well, just about everyone.

The Latin theory

Since then, a theory has developed on top of what proliberate suggested: That making an anagram from all the letters in the warning sentence reveals a phrase in awkward Latin.

Here is what Live Business Chat forum administrator badon theorized on June 15:
“That sentence uses strange English, like the word ‘unfixed,’ that is clearly contrived to fit a hidden message. If you take just the first letter of each word, except the word ‘WARNING’:
‘Using TrueCrypt is not secure as it may contain unfixed security issues’
you get this:
‘uti nsa im cu si’
 
It's Latin that roughly means:
‘Unless I want to use the NSA’
So, the full message seems to be this:
‘WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues, unless I want to use the NSA’”

Sure, that could be a bit of a stretch, in the vein of numerologists who claim that the date 9/11/2001 proves the Illuminati brought down the World Trade Center.

But as badon notes:
“The important thing is that the hidden message — even if it doesn't exist — has succeeded in getting people to question whether the NSA might be trying to tamper with the security of TrueCrypt. That's a bona fide ‘mission accomplished’ from the point of view of the TrueCrypt developers, and there's really nothing more to say about it.”
Posted by: neerajrawat1
« on: 31. May 2014., 13:53:03 »

As it was posted by devnullius, it seemed true to me. I also checked their website that day and it was stating the same, and it is still the same. Had it been compromised as stated by WOT, they would have fixed it by now; hence I believe it's true.

@devnullius

It was awesome by its look; I still have an original copy, though I did not get time to install and test it, but I would do so on 1st July. However, it has been closed as it was purchased by an unknown company, I guess within 6 months of launch, so it could be a revolutionary one.
Posted by: devnullius
« on: 31. May 2014., 11:14:02 »

D., are you sure that this isn't a hoax?

Seems legit to me...

http://threatpost.com/ominous-warning-or-hoax-truecrypt-warns-software-not-secure-development-shut-down

Quote
OMINOUS WARNING OR HOAX? TRUECRYPT WARNS SOFTWARE ‘NOT SECURE,’ DEVELOPMENT SHUT DOWN

by Michael Mimoso, May 28, 2014, 5:35 pm

Is it a hoax, or the end of the line for TrueCrypt?



At the moment, there is little more than speculation as to the appearance today of an ominous note greeting visitors to the TrueCrypt page at SourceForge. The text warns that the open source encryption software is not secure and informs users that development has been terminated.

The page also demonstrates step-by-step instructions explaining how to migrate from TrueCrypt to BitLocker, Microsoft’s file and disk encryption software.

It’s unclear whether the site has been defaced or whether the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software, which has been downloaded more than 28 million times.

An audit of TrueCrypt was commissioned last year in order to determine if the software had been tampered with in the wake of the Edward Snowden leaks and the depths of surveillance by the National Security Agency. The results of the first phase of the audit were released on April 14 by iSEC Partners on behalf of the Open Crypto Audit Project and no backdoors were found. The first phase focused on the TrueCrypt bootloader and Windows kernel driver. Architecture and code reviews were performed, said Kenneth White, senior security engineer at Social & Scientific Systems, one of the OCAP architects.

A second phase, which has not yet begun, will focus on whether encryption suites, random number generators and critical algorithms have been properly implemented.

Many experts are downplaying the possibility that this is a defacement. Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years. This was also confirmed by Kaspersky Lab researcher Costin Raiu.

“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” Sandvik said. “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.”

Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it.

“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”

Speculation ran amok on Twitter as well that the shutdown had to do with an impending announcement regarding the TrueCrypt audit, which White said, via his Twitter feed, is unfounded and that the announcement has to do with an upcoming OCAP initiative.

“As a general rule, any time a high-profile site gets replaced with a terse static page (much less redirects), I would urge caution,” White told Threatpost, adding that OCAP had reached out to the TrueCrypt developers seeking more information. “But at the moment, I’m afraid I don’t have much to add.”

Categories: Cryptography
Comments (5)

 Vagner May 28, 2014 @ 6:14 pm
1
Lascou!

 Anon May 28, 2014 @ 9:48 pm
2
Bitlocker has NSA key escrow – maybe this is a government originated move to get people away from secure encryption and over to using products the government can bypass?

 dongle May 29, 2014 @ 8:41 am
3
What is strange is this part, for me at least:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP.

Why would this affect all versions or the safety across other operating systems?

Something funky here…

 NickieH May 29, 2014 @ 12:56 pm
4
Many are suggesting a Lavabit-style situation, where the developers have been pressured to backdoor their code by Certain Government Agencies, and chosen to push the self-destruct button instead.

 murky May 30, 2014 @ 11:06 am
5
How about the developers having just sold out to Microsoft and since they’re not telling, they’re getting away with it? The last line of that page looks very much along the line of wording we’ve seen from Microsoft.
Posted by: devnullius
« on: 31. May 2014., 11:13:43 »

It is news of the century related to computing even more shocking than the closing of Pear OS Linux.

Pear OS? Never heard of that?
Posted by: Samker
« on: 30. May 2014., 19:47:37 »

D., are you sure that this isn't a hoax?
Posted by: neerajrawat1
« on: 29. May 2014., 19:26:36 »

It is news of the century related to computing even more shocking than the closing of Pear OS Linux.
Posted by: devnullius
« on: 29. May 2014., 17:38:38 »

SOURCE: https://twitter.com/BTCWorldNews/status/472051139098472450

Copy of: http://btcworldnews.com/popular-encryption-tool-truecrypt-mysteriously-shuts-down/
Quote
Popular Encryption Tool TrueCrypt Mysteriously Shuts Down
Joon Ian Wong (@joonian) | Published on May 29, 2014 at 17:11 BST | News, Technology

A popular open-source encryption program often used to secure desktop bitcoin wallets is compromised, according to its developers.

The program, TrueCrypt, was deemed “not secure” due to “unfixed security issues” according to a notice on its SourceForge page that appeared on 28th May. Users who attempted to access the program’s website, truecrypt.org, were redirected to the SourceForge page.

The appearance of the mysterious notice followed the announcement that development on TrueCrypt ended this month after Microsoft stopped supporting Windows XP. The TrueCrypt website now contains instructions for migrating data from TrueCrypt to BitLocker, a similar program developed by Microsoft.

Users have pointed out that BitLocker is only available on Windows 8.1 Pro and Windows 8.1 Enterprise, whereas TrueCrypt was available on multiple Windows versions, Linux, Android and Apple’s OS X.

Community reactions

The bitcoin and privacy communities were rife with speculation about what caused TrueCrypt’s developers – who have remained anonymous since the program was first released 10 years ago – to put up the warning.

Theories floated on reddit, for example, range from a backdoor being discovered in the program to misfortune befalling the developers.

Deepening the mystery is the fact that a new version of TrueCrypt is now available for download on the website.

Snowden tool

An initial analysis by a member of the Open Crypto Audit Project’s technical advisory board, Runa Sandvik, concluded that although the new version seemed free of malicious behaviour, it can only be used to decrypt data and migrate existing encrypted data – not to encrypt new data.

The Open Crypto Audit Project is an open source attempt to check TrueCrypt’s code to ensure that it is free of backdoors. The effort was initiated in 2013 and it has yielded the first phase of a multi-part review. This report, released last month, could find no such flaws.

TrueCrypt has been used by Edward Snowden, who even hosted a ‘CryptoParty’ in Hawaii, where he recommended using the program to keep information private, shortly before he appeared in Hong Kong with his cache of secret NSA documents.

Alternatives to TrueCrypt include FileVault for OS X, developed by Apple, and Jetico BestCrypt for OS X, Linux and Windows, which is recommended by the bitcoin Wiki alongside TrueCrypt.