This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
I've removed the URL relating to the claim "FBI can't crack truecrypt" as it's not encyclopedic and is purely promotional - any product using the same algorithms would get the same results. AES-XTS is AES-XTS. That the FBI can't crack AES-XTS doesn't prove anything, except arguably that AES is secure - which is hardly in doubt and may not be admitted even if it wasn't. On top of that, the story on the WWW page linked to is analogous to a "Cracking contest" - see Bruce Schneier's articles "Warning Sign #9" at http://www.schneier.com/crypto-gram-9902.html#snakeoil and "The Fallacy of Cracking Contests" at [1]. I'm not saying truecrypt is insecure, just that the link adds nothing of value and is misleading. Gat101 ( talk) 12:16, 1 July 2010 (UTC)
Ironic that you cite Bruce Schneier with reference to "snake oil", because the URL relating to the FBI's inability to break TrueCrypt came from (wait for it...) Bruce Schneier's latest "Cryptogram" email bulletin. Mr Schneier describes the incident as quote "Cryptography success story from Brazil. The moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files." Read it for yourself, it's here:-
http://www.schneier.com/crypto-gram-1007.html
Not all implementations of AES-XTS are necessarily the same - there can be differences (and even subtle errors) in the way in which an algorithm is implemented. The inability of the FBI to crack TrueCrypt wasn't a cracking contest - and was never intended to be. What actually happened was that a well-funded US Govt law enforcement agency (with generous resources) spent over 12 months trying to break into a TrueCrypt-encrypted volume - and failed to do so. If that's not encyclopaedic knowledge that's well worth knowing, I don't know what is! None of this means that TrueCrypt is unbreakable. However, it does mean that (to quote Schneier) it's a "Cryptography success story". Citing this incident in Wikipedia isn't "promotional", given that the software is free and requires no payment to use it. It is, however, of great interest and relevance to end-users. All of these points should have been self-evident. Nabokov ( talk) 00:05, 18 July 2010 (UTC)
That's 3 people (including myself) who believe that this information re. the FBI's failed attempt to break into TrueCrypt is relevant. Perhaps intgr or SF007 could re-insert the information in a fair and balanced way which is acceptable to all readers? - Nabokov ( talk) 08:27, 19 July 2010 (UTC)
I've re-inserted the information re. the FBI & TrueCrypt. If someone wants to rewrite what I've put (maybe insert clarifications?) then that's fine - go ahead. However, please don't dive in and revert it because I honestly believe that the information is relevant to any user of TrueCrypt. Deleting the fact that the FBI spent 12 months trying to break into TrueCrypt-protected volumes (in a well-funded, "real-life" attack) and failed would be a big mistake. Nabokov ( talk) 11:20, 4 August 2010 (UTC)
This term is present a lot in the "Significant changes" column of the table in the "Version history" section, but has not been introduced otherwise in the body of the article. (And I find it used a lot in this discussion page). -- Jerome Potts ( talk) 20:20, 1 August 2010 (UTC)
Until it is confirmed that there was actually something usable on the drive (perhaps the disk was filled with tripe?), that truecrypt (rather than something else) prevented access to it (there are mentions in some articles about another security method), and that the government did not, in fact, decrypt the drive. —Preceding unsigned comment added by 68.165.132.208 ( talk) 14:02, 20 November 2010 (UTC)
Let's start a civil discussion about this issue. You're set on emphasizing the *poor* performance of TrueCrypt. Sources being to the contrary, I dispute that point of view. 68.102.20.122 ( talk) 22:31, 20 January 2011 (UTC)
The author presented this as a valid attack. Later it turned out to be a classic hoax (the attack could be performed only by a privileged attacker who has already compromised the system). Only valid attacks may be presented in the article (anyone could create a hoax attack and present it in the article forever).
LogicKey ( talk) 16:06, 8 October 2010 (UTC)
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
The TrueCrypt documentation says that you shouldn't leave your laptop unattended, even for a moment. But if the only reasonable attack against a TrueCrypt-protected computer was a hardware keylogger then in practice you could leave your laptop unattended for hours (in a hotel room, to use the classic example), because such a thing is difficult and time-consuming to install. If you don't care about the authorities and think organised crime is unlikely to prey on you then you'd basically be able to ignore all of this as a technicality, since hardware key-loggers are very hard for non-experts to install without leaving clues.
But hardware keyloggers are not the least difficult physical attack. So the question now becomes, what is? Can I leave my laptop for 30 minutes? 5 minutes? One!? This is a question that a Wikipedia should give an answer to, or at least as much of an answer as possible. The fact that TrueCrypt developers don't care about the answer, because their documentation essentially says "one second is already too long", is irrelevant. They are not the target audience of this article. Quietbritishjim ( talk) 18:56, 12 October 2010 (UTC)
It's pretty clear by now that you won't convince us and we won't convince you. So we can agree to disagree here and move on. Wikipedia can still function in the presence of disagreements, that's why we have the consensus policy. I have also presented my reasons above, based on the verifiability policy, to keep the section. -- intgr [talk] 17:04, 14 October 2010 (UTC)
LogicKey, verifiability extends to citing hard facts (e.g., George W. Bush is 62 years old), not to invalidating any source which has an interpretation of facts we don't like (e.g., saying the Wall Street Journal is an invalid source for claiming that the war in Iraq was controversial). Your reading of that passage misconstrues it to such an extent that any editor disputing any content could wholly remove the section. And that's simply not correct. Magog the Ogre ( talk) 21:12, 15 October 2010 (UTC)
Uff guys guys, first of all the TrueCrypt "attack" was just 1 page (not even one page) out of 46 in the Stoned Bootkit paper. What's special about the bootkit is that you can install it on the encrypted drive without knowing the password. There is no other software that allows you that, you cannot install any rootkit on an encrypted drive and other bootkits will make the computer unusable (the boot process will fail). One point why I criticized TrueCrypt was because they do not secure their own software on a running system (you can simply overwrite the MBR). That's why the fancy emails with them. But the bottom line is that Stoned was a dedicated "attack" on the TrueCrypt software, thus it's worth mentioning here. And multiple law enforcements are using my software already. They get a court order, they install Stoned (and their own trojan) and give back the laptop. Once the suspect logs on, they have the evidence. -Peter Kleissner
Am I the only one who thinks that LogicKey and "Austrian software developer Peter Kleissner" are the same person? This section about "Stoned" bootkit is useless! Above section already explains Physical security issues applicable to TrueCrypt. 91.77.254.56 ( talk) 11:35, 10 March 2011 (UTC)
What evidence is there that the TrueCrypt Foundation is legally a non-profit? I searched for them using GuideStar to no avail. Inclined to remove the "a non-profit organization" phrase unless it is somehow evidenced outside truecrypt.org. Threexk ( talk) 16:07, 7 July 2011 (UTC)
An IP recently changed the performance section to make it more favourable to TrueCrypt, removing "subjective" text even though it was being quoted from a source, and even though there was favourable unquoted subjective comment in the same sentence ("the performance impact of TrueCrypt on desktop applications is not generally noticeable"). That section already had a citation [2] to back up a claim that TrueCrypt is "almost transparent", when in fact that page says nothing specific about TrueCrypt's performance.
I've tidied up that section a little to try and put objective statements in the first paragraph, and more accurately quote Tom's hardware review in the second. However I'm still very unhappy with this; I don't think Tom's hardware is a reliable source for the claims they make. For a start, they describe TrueCrypt performance in practice, but only test with benchmarks, which are rather artificial. (For instance, I find that TrueCrypt makes Windows 7 thrash its hard drive for several minutes after a hibernation; this isn't checked by that source, which presumably lets things settle down before conducting a benchmark.) Even worse, they discuss performance over different hardware configurations, but had only tested with one, so this is clearly pure speculation. And this is precisely the stuff being quoted in this article!
I think some more reliable, accurate sources need to be found. Quietbritishjim ( talk) 00:28, 24 July 2011 (UTC)
The info on David Tesařík as the person who registered the trademark TRUECRYPT in the Czech Republic should be amended; the registration has been changed to:
(730) Applicant/Owner TrueCrypt Developers Association, LC 375 N. Stephanie St., Suite 1411 Henderson US
This can be seen by doing a search on the pages of the Czech Industrial Property Office, http://upv.cz , specifically at http://isdv.upv.cz/portal/pls/portal/portlets.ozs.frm?plan=English (English search)
http://isdv.upv.cz/portal/pls/portal/portlets.ozs.det?pozk=154085&plan=en (English result)
David Tesařík appears in the Trade Register as licensed for "Advertising, marketing, media representation, translation and interpreting". http://www.rzp.cz/cgi-bin/aps_cacheWEB.sh?VSS_SERV=ZVWSBJVYP&OKRES=&CASTOBCE=&OBEC=&ULICE=&CDOM=&COR=&COZ=&ICO=64907279&OBCHJM=&OBCHJMATD=0&JMENO=&PRIJMENI=&NAROZENI=&ROLE=&VYPIS=1&PODLE=subjekt&IDICO=f5314fa8dff4894b&HISTORIE=1 — Preceding unsigned comment added by 109.232.208.11 ( talk) 08:20, 18 August 2011 (UTC)
TrueCrypt is being distributed by some distributions e.g. Mandriva, or communities around distributions e.g. RPM Fusion for Fedora, or as installers for TrueCrypt e.g. Gentoo. In the case of Mandriva and RPM Fusion they have rebranded TrueCrypt as RealCrypt in order to comply with TrueCrypt License Version 3.0. It would be useful to add this information and elaborate on it in the main article, for anyone who is knowledgeable about RealCrypt and its implications. It would also be worth updating the information related to the differences between the 2.5, 2.8 and 3.0 licences and the implications the changes in the licences may have for other distributions able or willing to distribute TrueCrypt/RealCrypt. Some links:
Stephen Judge ( talk) 16:36, 5 October 2011 (UTC)
My edit was reverted: [3] Nevertheless, there are serious concerns about TrueCrypt's license. See: [4] [5] Note the second of those links is a legal opinion from Red Hat's counsel not just some ramblings from an IANAL. Richard W.M. Jones ( talk) 19:03, 19 October 2011 (UTC)
I have restructured the section "Developers/Owners identities and related concerns" due to lack of sources, but I was reverted [6].
The content I removed was very problematic:
"The domain name "truecrypt.org" was originally registered to a false address ("NAVAS Station, ANTARCTICA")"
This section has two references, the first is offline [www.webreportr.com/sites/truecrypt.org] and the second [7] simply reports that the address of the owner of truecrypt.org is "NAVAS Station 80S 120w, Marie Byrd Land 80S 120W, ANTARCTICA", it neither reports that this address was the initial one to be registered, nor that it is a "false address". I tried to search for "Navas station" and I got no relevant information, however, "Absence of evidence is not evidence of absence" (meaning: that station might perfectly exist). Going to the whois records and making up conclusions is also pretty much "original research", which is not allowed per Wikipedia:No original research.
"The TrueCrypt developers used the aliases "ennead" and "syncon", but later replaced all references to these aliases on their website with "The TrueCrypt Foundation" in 2010"
The source used is this [8], but it does not discuss the issue at all, not even mentioning those aliases.
"Due to the anonymity of the developers, the lack of a comprehensive review of the source code by a qualified cryptographer, the difficulty creating binaries from Truecrypt's source that match the official binaries, and other peculiarities, some observers have raised suspicions about the provenance of the product and speculated about the possibility that vulnerabilities or backdoors might exist in the source code or executables."
The source used is blatantly inappropriate privacylover.com and clearly not a "reliable source"
Why privacylover.com is not appropriate:
_______________
privacylover.com article dissected:
So, this article starts with "Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?", but offers just speculation.
"The domain name “truecrypt.org” was originally registered to a false address (“NAVAS Station, Antarctica”), and was later concealed behind a Network Solutions private registration." --The domain being registered to a false address and/or hidden via another company is pretty much what you would expect from people working on encryption software: if they work on encryption software it is likely they care about privacy, therefore it is not surprising they try to hide their real identities. Working on sensitive software and being open about their identities would likely put them under enormous pressure/threats from governments and organized criminals, trying to push for backdoors on the software or other nasty things.
"Truecrypt developers identity hidden" --I already detailed the possible reasoning for that above
"Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it." --Not everyone likes to be "congratulated for their work" if it implies losing their privacy and/or their own lives.
"Truecrypt developers working for free" --Many many people "work for free", see open source (although many people are paid to work on open products)
"these two Truecrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages ." --They might work on their free time. Or they might be wealthy, or funded by a wealthy benefactor.
"Very few people compile the Windows binaries from source" --Very few people compile any software from source. Period.
"it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt" --It is unclear what they mean by "binaries that match", I would assume they mean exact bit-by-bit identical. As far as I know this is simply what happens in the software world due to the various variations in compilers, OSs, compiler flags, etc. I'm pretty sure it would also not be very easy to create binaries of Firefox that "match" the official ones.
"Truecrypt is released under its own “Truecrypt license”" --The code is still open and available for review, the license is completely irrelevant to this issue.
"Truecrypt open source code has never been reviewed" --I dare to say most open-source code out there has not been reviewed. The code is open for review, again, this proves nothing.
"Censorship at Truecrypt forums" --Most websites perform some kind of "censorship" (including wikipedia), nothing special here
"you are not allowed to discuss about other encryption software" --The official position is that it is to prevent spam/advertising. Perfectly understandable.
"Truecrypt forum rule 8 you can’t discuss Truecrypt forks" --Again, to prevent advertising or weakening the project with fork advertising.
"Truecrypt forum rule 9 you can’t discuss software that decrypts Truecrypt" --As of writing this rule no longer exists. Again, they could be trying to prevent advertising and/or limit the exposure of information intended to "hack" truecrypt.
"If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear." --We don't know the particular case, and no evidence whatsoever is provided. Much criticism is borderline trolling, which could be the case.
"Can the FBI crack Truecrypt?" --In this section the author even admits "I do not believe the FBI can crack Truecrypt"
As I tried to show, that blog post is very poor and clearly not a usable source for this article. Please do not re-add the information without proper sources, as it is likely against WP:RS, WP:BLP, WP:LIBEL, WP:OR, WP:UNDUE -- SF007 ( talk) 22:27, 25 February 2012 (UTC)
--Most websites perform some kind of "censorship" (including wikipedia), nothing special here BUT what about the "wikipedia isn't censored" bluff? I KNEW IT!!! — Preceding unsigned comment added by 189.69.57.138 ( talk) 22:25, 3 July 2012 (UTC)
In the middle of the article page, under "Security Concerns" is this quote:
"If a system drive, or a partition on it, has been encrypted with TrueCrypt, then the above paragraph applies only to the contents of that drive/partition."
I don't understand what this means, could someone explain? I'd like to make the sentence clearer but first want to understand -- is this saying that encrypting an entire partition is more advantageous than only single files, less so, or? Some info please. — Preceding unsigned comment added by 110.74.221.156 ( talk) 20:57, 5 August 2012 (UTC)
If you have full administrator privileges and get the user to type in their truecrypt password, then you will be able to decrypt the drive. Come on, that's ridiculous. Anonywiki ( talk) 06:12, 31 October 2012 (UTC)
If anyone's looking for sources of info, there's an article here by the German group iFrOSS, who are usually very knowledgeable about free software licences:
They work with Harald Welte to enforce the GPL in Germany. Gronky ( talk) 22:04, 20 January 2014 (UTC)
As listed in the references/notes for the article, reference #34 is a dead link (I clicked on it 19-Oct-2011) ( http://peterkleissner.com/?p=11) and ought to be removed. As an aside, I've often thought wikipedia should have some kind of automated process that would prune dead links (or at least colour them some way?) since it takes a fair bit of work to vet a whack of articles manually.
^ "TrueCrypt Foundation is a joke to the security industry, pro Microsoft". Peter Kleissner post and expert comments about Stoned bootkit. Peter Kleissner. Retrieved 2009-08-05. — Preceding unsigned comment added by 174.113.114.198 ( talk) 22:56, 19 October 2011 (UTC)
It is archived here: http://web.archive.org/web/20090803081510/http://peterkleissner.com/?p=11 Family Guy Guy ( talk) 03:32, 27 February 2014 (UTC)
The FAQ page of TrueCrypt claims that TrueCrypt is safe and contains no extra code, backdoors etc: TrueCrypt FAQ page.
Given that it's a primary source (the reason why my edit was removed), can anyone locate reliable sources which can prove TrueCrypt is either safe or not safe, with regards to backdoors etc.
Here's an interesting discussion about it. TurboForce ( talk) 12:56, 25 May 2013 (UTC)
TechARP dug up a pdf, [9] basically a prosecutor's guide to data forensics. The pdf casually claims that backdoors are available for popular encryption software including TrueCrypt. (slide 30) However since this pdf was ironically found in the "darknets" it's difficult to judge its veracity. Make your own call. Ham Pastrami ( talk) 03:09, 28 January 2014 (UTC)
At this point there don't appear to be any real concerns that the end of life is a hoax or hack. I think we should put in the lede that the software is no longer being updated, and the former maintainers have recommended against its use. I will be WP:BOLDly doing this now. Gaijin42 ( talk) 21:52, 2 June 2014 (UTC)
The best I can find is [11]. http://www.truecrypt.org/docs/license is down, and I cannot find it in archive.org or google cache. -- Piotr Konieczny aka Prokonsul Piotrus| reply here 05:38, 1 June 2014 (UTC)
Given the nature of the "archival site" (truecrypt.org redirects to truecrypt.sourceforge.net) I suspect that TrueCrypt's website may have been compromised and this is a clever attempt to hack into people's machines. I say we wait for official word other than the website before claiming it's discontinued. — f3ndot ( TALK) ( EMAIL) ( PGP) 19:29, 28 May 2014 (UTC)
Hum, don't think it was hacked somehow. First, most of the page teaches how to migrate data. Second, the only available download is a "new" version, 7.2, that only allows you to decrypt data. Installing and running it on your computer won't open any kind of network connection. It doesn't create any new files, hidden files, nor modifies your registry. And don't think there'll be an official communication other than the official website, since the authors weren't known. Don't think there'll be a way to check if anyone claiming "I'm the TC author" will be provable. I'd take the official announcement as serious. Noonnee ( talk) 19:49, 28 May 2014 (UTC)
At this point there are no reliable sources, such as Bruce Schneier, Steve Gibson, Brian Krebs, especially the Electronic Frontier Foundation, The Guardian or any mainline newspapers known to be reliable on cybersecurity issues that have the resources and have done the necessary homework to tell us what is going on. Matt Green hasn't confirmed any of the details. I find the timing and method of this 'announcement' very suspicious, as others do. The hatnote is sufficient for now, together with the paragraph on end-of-life. Semi-protection doesn't seem warranted yet. — Becksguy ( talk) 08:10, 29 May 2014 (UTC)
Not saying anything specific, but to quote 'morningstar'
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
-> "WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues"
--> "WARNING: Using TrueCrypt is NSA it may contain unfixed security issues"
combined with the source code change ( https://www.alchemistowl.org/arrigo/truecrypt-7.1a-7.2.diff.gz)
"-#endif // English (U.S.) resources
+#endif // English (United States) resources"
I think I consider this settled. — Preceding unsigned comment added by 89.1.40.25 ( talk • contribs) 14:54, 30 May 2014 (UTC)
Steve Gibson offers a good closing overview. -- Wikisian ( talk) 15:37, 30 May 2014 (UTC)
Looking at the version history of TrueCrypt, one can understand that the developers lost interest in the development:
Versions by year:
2004 - 6
2005 - 3
2006 - 1
2007 - 1
2008 - 6
2009 - 4
2010 - 2
2011 - 1
2012 - 1
2013 - 0
2014 - Discontinued
-- 85.179.0.198 ( talk) 21:13, 4 June 2014 (UTC)
Someone changed the latest stable version from 7.2 to 7.1 ( here) with a note that 7.2 is 'created by hackers'. I changed this to version 7.1a, which is the last version before 7.2. But I am not sure if all this is correct. Technically 7.2 is the latest version. I don't think that 7.2 was created by hackers but I don't trust this version. So what to do with this? Should we keep there both versions (7.1a and 7.2) with a note that 7.2 is capable only of decryption and has a questionable source? — Preceding unsigned comment added by PetrPP ( talk • contribs) 10:46, 3 June 2014 (UTC)
There is a hidden message on the new sourceforge TrueCrypt site that says, approximately, "Don't use TrueCrypt because it is under the control of the NSA". Details about the message are on my user page at MediaWiki.org. Badon ( talk) 01:49, 16 June 2014 (UTC)
It made it to BoingBoing's front page today, that's just as reliable as many of the other sources we have for this article. Gaijin42 ( talk) 16:41, 17 June 2014 (UTC)
There seems to be some POV-switching going on recently. Not being a TrueCrypt user, I'm not sure which is correct.
It seems that:
Now it's not clear to me what's going on, but either TrueCrypt (overall, as is the scope of this article) is end-of-lifed and the article should reflect that from the lead onward or else the Windows end-of-life is just one part of this and if the Linux version continues, then the article should not be taking such a simple "the product is now EOLed" approach. Andy Dingley ( talk) 11:18, 17 June 2014 (UTC)
This is just speculation, but it would seem like the developer(s) simply didn't feel like maintaining the project anymore, and so terminated support and provided a tutorial for migrating encrypted files to more up-to-date software, since TrueCrypt won't be receiving any security fixes in the future. After all, maintaining software can be stressful. You may not meet your project funding goals, and users aren't always appreciative of your efforts. It could be that the developer(s) got fed up and just wanted to walk away. I doubt it's anything more suspect than that.
With that said, I think it's safe to conclude the software has simply been discontinued, or "end-of-lifed" as you said. 98.86.119.246 ( talk) 00:09, 5 July 2014 (UTC)
As of 17 July 2014 there is a section under "Legal cases" titled Bo Chen. This section contains three separate citations from unreliable sources (From the Trenches World Report www.fromthetrenchesworldreport.com, cryptome.org, scribd). The scribd link isn't from court filings or police documents. Additionally, the other two links don't have reporting or appear to be fact checked. A Google search of "Bo Chen," and "Bo Chen Addison arrest" also doesn't turn up any verifiable information. Given the lack of verifiable sources, I have decided to remove the section on Bo Chen from the wiki.
If anyone finds any reliable sources, please feel free to add it to the wiki.
Purgnostic ( talk) 17:55, 17 July 2014 (UTC)
I want to bring this up because it's not exactly a small thing, even though to those outside the tech community it may seem that way. And it affects how we describe the subject of this article in the very first line.
I realize it is common to refer to the software as "open source", but this is generally out of media ignorance. In the tech community (where the term originated and where it is still most often used), that term has a very specific meaning that implies multiple things, the first of which being free license.
There is debate over whether TrueCrypt (with its TrueCrypt License 3.0) meets those major freedoms that designate it to be open source and free software.
The recent change to the introduction seems to be quite hasty, and if I may say so, pretty sloppy. Before the change, the heading called TC "source available" and linked to the licensing section where it was explained that the "openness" of the software was in question by the tech/open source community.
Now not only has that entire section been all but completely deleted, the intro paragraph has been changed to say "open source", and from the looks of it, the citations included weren't even vetted by the user that made the change. For example, the first citation doesn't even mention the words "open source" (outside of the comments section where an anonymous commenter lists it as an attribute of the program. I sure hope the user who made this change doesn't think a comment on a webpage meets WP:RS.) What's even more ironic is the second cited source actually claims TC isn't open source. The sub-header of the article literally says "its claim to be open source doesn't hold water, either."
If I wasn't supposed to assume good faith I would think this was a joke.
Given that the other two sources cited mention nothing about the licensing issues that bring the open source status of TC into question, one can only assume they are used as citations for no other reason than because they simply call TC an "open source" program. Again, this is just media ignorance. (And again, the user who made this change should be aware of that because not only did he delete the relevant information that explained this issue in the Wikipedia article, one of the very sources he cited goes into great detail and actually concludes that TC is not really considered open source.)
I invite discussion on this, but given the fact that the only citation provided which actually talks about the open source status ultimately concludes the software is in fact not open source, I'm going to revert the change and put back the relevant info in the license section until we can decide how we want to address the debate in the article (because I would think we can all agree it is something that is worthy of mention in the article, and as I said, for some reason it was deleted.) -- Wikisian ( talk) 02:27, 21 May 2014 (UTC)
SHOULD BE 7.1 ??! — Preceding unsigned comment added by 178.190.110.136 ( talk) 18:11, 16 August 2014 (UTC)
I've added a link in see-also to FreeOTFE, but it was undone with the comment "don't want to call out any specific alternative unless it is particularly significant, instead the comparison of alternatives is linked" - but this software is significant because its features are identical to TrueCrypt's and it also has a quite similar GUI. And there is also no other non-closed-source on-the-fly volume encryption software for Windows. It's now abandoned but as far as I know there weren't any security issues with it. Maybe it's the fault of a small user base but still it is a significant name to mention along with TrueCrypt. I think it went dead because at the time TC was a direct and promising competitor. Doesn't that spell significant? pwjb ( talk) 11:55, 29 May 2014 (UTC)
VeraCrypt is an updated fork of TrueCrypt.
Mentioned here: [1] webpage here: [2]
Is it notable enough to mention in the page? 196.215.47.219 ( talk) 15:25, 17 October 2014 (UTC)
I just poked around in the VeraCrypt source code on codeplex.com. The page said "Browsing changes in <master> as of commit 4ffb715b69c0, Nov 11, 2014", to confirm it was the current source code I was viewing, yet the files still have TrueCrypt copyright! For example, Driver/EncryptedIOQueue.c has "Copyright (c) 2008-2009 TrueCrypt Developers Association. All rights reserved." ... Um... isn't that a sign of ineptness they can't even update the copyright headers in all their "forked" files? 74.10.5.213 ( talk) 00:51, 21 November 2014 (UTC)
I am using professional and EFS doesn't encrypt filenames and it doesn't support BitLocker, worse I have one machine running home "premium" that doesn't even support EFS or RDP without a patch. Their site says to use BitLoc$er, but it's no replacement for TC which is free and multiplatform. — Preceding unsigned comment added by 75.158.72.234 ( talk) 03:21, 28 October 2014 (UTC)
Yes Bitlocker was mentioned due to the *incorrect* TrueCrypt EOL message which didn't consider not all versions of Windows supported it when claiming Truecrypt was unnecessary. Since I made my comment, this fact has been added to the article, but not sure why it's mentioned in () 75.158.72.234 ( talk) 04:33, 27 December 2014 (UTC)
CipherShed is a now available fork of TrueCrypt. here. Thus, alongside VeraCrypt, it provides a viable replacement for TrueCrypt. The article said
There is a proposal for a software fork named CipherShed...
So I changed the text to reflect this. It will then be necessary to update the Wiki article "comparison of disk encryption software" to include CipherShed.
This "alternatives" section ends with an unclear phrase:
"According to another discussion,[29] TrueCrypt may still be used on supported platforms, while also watching 3 of the known TrueCrypt forks and one commercial alternative."
Firstly, any discontinued software may be used if it is present on the user's computer. Secondly, who watches what? - The two, now working forks are CipherShed and VeraCrypt and there are many commercial alternatives.
-- Paul Williams ( talk) 17:18, 28 October 2014 (UTC)
The section on TrueCrypt's sudden end of support was written in a way that only fueled the fire of paranoid theories. It emphasized security risks, rather than the tone of the references (and all other media I read on it) that actually were in the opposite direction: there is no evidence at all that TrueCrypt is suddenly not safe anymore. It almost seems as if whoever wrote that section is trying to contribute to the FUD of the truecrypt creators, rather than reflecting the tone of the media coverage. Please help me improve it to reflect the tone of the media coverage. PizzaMan ( ♨♨) 12:23, 18 March 2015 (UTC)
"the tone was too suspicious, although it's better now." What? O: It is the same as before now. I reverted every change made by PizzaMan.
"Actually it does mention security". Please quote!
"There are two sections about the end of life announcement". Again, please show me. I don't see.
"The correct link for his quote is ..." a self-published blog by an obscure person whose authority on the subject is not significant. Can't use it, per WP:RS.
Not Secure Anymore — Preceding unsigned comment added by 81.218.241.26 ( talk) 11:04, 5 July 2015 (UTC)
This should get its own article and the redirect page should be eliminated.-- Mideal ( talk) 14:41, 16 September 2015 (UTC)
I came here to find out about the current state of TrueCrypt and found that this page was long and confusing and didn't immediately provide this information. This is why I added the "Current Safety & Security Status" section to say that the independent security audit has completed and found TrueCrypt to be secure and people can still use it. Sorry if I didn't do things correctly; I'm not a regular editor, but I'm eager to learn so please provide guidance on anything I did wrong (if at all). For the first sentence I provided two citations, and I feel that the second sentence is a logical conclusion from the first sentence and from the other information on the page. Galori ( talk) 19:02, 26 September 2015 (UTC)
Neither http://truecrypt.sourceforge.net/ (via http://truecrypt.org) nor https://www.grc.com/misc/truecrypt/truecrypt.htm is going to cut it. There is no website to visit. The URL in the infobox may need some adjustment. Any ideas? ~ Kvng ( talk) 04:35, 13 April 2016 (UTC)
truecrypt.org is not usurped. It is still the official website. If and when it was taken down, we change it from "{{URL|truecrypt.org}}" to "truecrypt.org (offline)".
RE: [25] Couldn't fit this in an edit summary – Steel 19:47, 11 May 2016 (UTC)
I'd appreciate if someone adds this information to the article for me.
http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/ Additionally, this case was linked to in the article. https://www.wired.com/2012/02/laptop-decryption-appeal-rejected/ — Preceding unsigned comment added by 104.240.130.199 ( talk) 16:04, 29 May 2016 (UTC)
LaCie claims to use the TrueCrypt encryption engine.:
-- Elvey( t• c) 20:29, 9 July 2016 (UTC)
That's 3 people (including myself) who believe that this information re. the FBI's failed attempt to break into TrueCrypt is relevant. Perhaps intgr or SF007 could re-insert the information in a fair and balanced way which is acceptable to all readers? - Nabokov ( talk) 08:27, 19 July 2010 (UTC)
I've re-inserted the information re. the FBI & TrueCrypt. If someone wants to rewrite what I've put (maybe insert clarifications?) then that's fine - go ahead. However, please don't dive in and revert it because I honestly believe that the information is relevant to any user of TrueCrypt. Deleting the fact that the FBI spent 12 months trying to break into TrueCrypt-protected volumes (in a well-funded, "real-life" attack) and failed would be a big mistake. Nabokov ( talk) 11:20, 4 August 2010 (UTC)
This term is present a lot in the "Significant changes" column of the table in the "Version history" section, but has not been introduced otherwise in the body of the article. (And I find it used a lot in this discussion page). -- Jerome Potts ( talk) 20:20, 1 August 2010 (UTC)
Until it is confirmed that there was actually something usable on the drive (perhaps the disk was filled with tripe?), that truecrypt (rather than something else) prevented access to it (there are mentions in some articles about another security method), and that the government did not, in fact, decrypt the drive. —Preceding unsigned comment added by 68.165.132.208 ( talk) 14:02, 20 November 2010 (UTC)
Let's start a civil discussion about this issue. You're set on emphasizing the *poor* performance of TrueCrypt. Sources being to the contrary, I dispute that point of view. 68.102.20.122 ( talk) 22:31, 20 January 2011 (UTC)
The author presented this as a valid attack. Later it turned out to be a classic hoax (the attack could be performed only by a privileged attacker who has already compromised the system). Only valid attacks may be presented in the article (anyone could create a hoax attack and present it in the article forever).
LogicKey ( talk) 16:06, 8 October 2010 (UTC)
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
The TrueCrypt documentation says that you shouldn't leave your laptop unattended, even for a moment. But if the only reasonable attack against a TrueCrypt-protected computer was a hardware keylogger then in practice you could leave your laptop unattended for hours (in a hotel room, to use the classic example), because such a thing is difficult and time-consuming to install. If you don't care about the authorities and think organised crime is unlikely to prey on you then you'd basically be able to ignore all of this as a technicality, since hardware key-loggers are very hard for non-experts to install without leaving clues.
But hardware keyloggers are not the least difficult physical attack. So the question now becomes, what is? Can I leave my laptop for 30 minutes? 5 minutes? One!? This is a question that a Wikipedia should give an answer to, or at least as much of an answer as possible. The fact that TrueCrypt developers don't care about the answer, because their documentation essentially says "one second is already too long", is irrelevant. They are not the target audience of this article. Quietbritishjim ( talk) 18:56, 12 October 2010 (UTC)
It's pretty clear by now that you won't convince us and we won't convince you. So we can agree to disagree here and move on. Wikipedia can still function in the presence of disagreements, that's why we have the consensus policy. I have also presented my reasons above, based on the verifiability policy, to keep the section. -- intgr [talk] 17:04, 14 October 2010 (UTC)
LogicKey, verifiability extends to citing hard facts (e.g., George W. Bush is 62 years old), not to invalidating any source which has an interpretation of facts we don't like (e.g., saying the Wall Street Journal is an invalid source for claiming that the war in Iraq was controversial). Your reading of that passage misconstrues it to such an extent that any editor disputing any content could wholly remove the section. And that's simply not correct. Magog the Ogre ( talk) 21:12, 15 October 2010 (UTC)
Uff guys guys, first of all the TrueCrypt "attack" was just 1 page (not even one page) out of 46 in the Stoned Bootkit paper. What's special about the bootkit is that you can install it on the encrypted drive without knowing the password. There is no other software that allows you that, you cannot install any rootkit on an encrypted drive and other bootkits will make the computer unusable (the boot process will fail). One point why I criticized TrueCrypt was because they do not secure their own software on a running system (you can simply overwrite the MBR). That's why the fancy emails with them. But the bottom line is that Stoned was a dedicated "attack" on the TrueCrypt software, thus it's worth mentioning here. And multiple law enforcements are using my software already. They get a court order, they install Stoned (and their own trojan) and give back the laptop. Once the suspect logs on, they have the evidence. -Peter Kleissner
Am I the only one who thinks that LogicKey and "Austrian software developer Peter Kleissner" are the same person? This section about "Stoned" bootkit is useless! Above section already explains Physical security issues applicable to TrueCrypt. 91.77.254.56 ( talk) 11:35, 10 March 2011 (UTC)
What evidence is there that the TrueCrypt Foundation is legally a non-profit? I searched for them using GuideStar to no avail. Inclined to remove the "a non-profit organization" phrase unless it is somehow evidenced outside truecrypt.org. Threexk ( talk) 16:07, 7 July 2011 (UTC)
An IP recently changed the performance section to make it more favourable to TrueCrypt, removing "subjective" text even though it was being quoted from a source, and even though there was favourable unquoted subjective comment in the same sentence ("the performance impact of TrueCrypt on desktop applications is not generally noticeable"). That section already had a citation [2] to back up a claim that TrueCrypt is "almost transparent", when in fact that page says nothing specific about TrueCrypt's performance.
I've tidied up that section a little to try and put objective statements in the first paragraph, and more accurately quote Tom's hardware review in the second. However I'm still very unhappy with this; I don't think Tom's hardware is a reliable source for the claims they make. For a start, they describe TrueCrypt performance in practice, but only test with benchmarks, which are rather artificial. (For instance, I find that TrueCrypt makes Windows 7 thrash its hard drive for several minutes after a hibernation; this isn't checked by that source, which presumably lets things settle down before conducting a benchmark.) Even worse, they discuss performance over different hardware configurations, but had only tested with one, so this is clearly pure speculation. And this is precisely the stuff being quoted in this article!
I think some more reliable, accurate sources need to be found. Quietbritishjim ( talk) 00:28, 24 July 2011 (UTC)
The info on David Tesařík as the person who registered the trademark TRUECRYPT in the Czech Republic should be amended; the registration has been changed to:
(730) Applicant/Owner TrueCrypt Developers Association, LC 375 N. Stephanie St., Suite 1411 Henderson US
This can be seen by doing a search on the pages of the Czech Industrial Property Office, http://upv.cz , specifically at http://isdv.upv.cz/portal/pls/portal/portlets.ozs.frm?plan=English (English search)
http://isdv.upv.cz/portal/pls/portal/portlets.ozs.det?pozk=154085&plan=en (English result)
David Tesařík appears in the Trade Register as licensed for "Advertising, marketing, media representation, translation and interpreting". http://www.rzp.cz/cgi-bin/aps_cacheWEB.sh?VSS_SERV=ZVWSBJVYP&OKRES=&CASTOBCE=&OBEC=&ULICE=&CDOM=&COR=&COZ=&ICO=64907279&OBCHJM=&OBCHJMATD=0&JMENO=&PRIJMENI=&NAROZENI=&ROLE=&VYPIS=1&PODLE=subjekt&IDICO=f5314fa8dff4894b&HISTORIE=1 — Preceding unsigned comment added by 109.232.208.11 ( talk) 08:20, 18 August 2011 (UTC)
TrueCrypt is being distributed by some distributions e.g. Mandriva, or communities around distributions e.g. RPM Fusion for Fedora, or as installers for TrueCrypt e.g. Gentoo. In the case of Mandriva and RPM Fusion they have rebranded TrueCrypt as RealCrypt in order to comply with TrueCrypt License Version 3.0. It would be useful to add this information and elaborate on it in the main article, for anyone who is knowledgeable about RealCrypt and its implications. It would also be worth updating the information related to the differences between the 2.5, 2.8 and 3.0 licences and the implications the changes in the licences may have for other distributions able or willing to distribute TrueCrypt/RealCrypt. Some links:
Stephen Judge ( talk) 16:36, 5 October 2011 (UTC)
My edit was reverted: [3] Nevertheless, there are serious concerns about TrueCrypt's license. See: [4] [5] Note the second of those links is a legal opinion from Red Hat's counsel not just some ramblings from an IANAL. Richard W.M. Jones ( talk) 19:03, 19 October 2011 (UTC)
I have restructured the section "Developers/Owners identities and related concerns" due to lack of sources, but I was reverted [6]
The content I removed was very problematic:
"The domain name "truecrypt.org" was originally registered to a false address ("NAVAS Station, ANTARCTICA")"
This section has two references, the first is offline [www.webreportr.com/sites/truecrypt.org] and the second [7] simply reports that the address of the owner of truecrypt.org is "NAVAS Station 80S 120w, Marie Byrd Land 80S 120W, ANTARCTICA", it neither reports that this address was the initial one to be registered, nor that it is a "false address". I tried to search for "Navas station" and I got no relevant information, however, "Absence of evidence is not evidence of absence" (meaning: that station might perfectly exist). Going to the whois records and making up conclusions is also pretty much "original research", which is not allowed per Wikipedia:No original research.
"The TrueCrypt developers used the aliases "ennead" and "syncon", but later replaced all references to these aliases on their website with "The TrueCrypt Foundation" in 2010"
The source used is this [8], but it does not discuss the issue at all, not even mentioning those aliases.
"Due to the anonymity of the developers, the lack of a comprehensive review of the source code by a qualified cryptographer, the difficulty creating binaries from Truecrypt's source that match the official binaries, and other peculiarities, some observers have raised suspicions about the provenance of the product and speculated about the possibility that vulnerabilities or backdoors might exist in the source code or executables."
The source used is blatantly inappropriate privacylover.com and clearly not a "reliable source"
Why privacylover.com is not appropriate:
_______________
privacylover.com article dissected:
So, this article starts with "Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?", but offers just speculation.
"The domain name “truecrypt.org” was originally registered to a false address (“NAVAS Station, Antarctica”), and was later concealed behind a Network Solutions private registration." --The domain being registered to a false address and/or hidden via another company is pretty much what you would expect from people working on encryption software: if they work on encryption software it is likely they care about privacy, therefore it is not surprising they try to hide their real identities. Working on sensitive software and being open about their identities would likely put them under enormous pressure/threats from governments and organized criminals, trying to push for backdoors on the software or other nasty things.
"Truecrypt developers identity hidden" --I already detailed the possible reasoning for that above
"Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it." --Not everyone likes to be "congratulated for their work" if it implies losing their privacy and/or their own lives.
"Truecrypt developers working for free" --Many many people "work for free", see open source (although many people are paid to work on open products)
"these two Truecrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages ." --They might work in their free time. Or they might be wealthy, or funded by a wealthy benefactor..
"Very few people compile the Windows binaries from source" --Very few people compile any software from source. Period.
"it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt" --It is unclear what they mean by "binaries that match", I would assume they mean exact bit-by-bit identical. As far as I know this is simply what happens in the software world due to the various variations in compilers, OSs, compiler flags, etc. I'm pretty sure it would also not be very easy to create binaries of Firefox that "match" the official ones.
"Truecrypt is released under its own “Truecrypt license”" --The code is still open and available for review, the license is completely irrelevant to this issue.
"Truecrypt open source code has never been reviewed" --I dare to say most open-source code out there has not been reviewed. The code is open for review, again, this proves nothing.
"Censorship at Truecrypt forums" --Most websites perform some kind of "censorship" (including wikipedia), nothing special here
"you are not allowed to discuss about other encryption software" --The official position is that it is to prevent spam/advertising. Perfectly understandable.
"Truecrypt forum rule 8 you can’t discuss Truecrypt forks" --Again, to prevent advertising or weakening the project with fork advertising.
"Truecrypt forum rule 9 you can’t discuss software that decrypts Truecrypt" --As of writing this rule no longer exists. Again, they could be trying to prevent advertising and/or limit the exposure of information intended to "hack" truecrypt.
"If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear." --We don't know the particular case, and no evidence whatsoever is provided. Much criticism is borderline trolling, which could be the case.
"Can the FBI crack Truecrypt?" --In this section the author even admits "I do not believe the FBI can crack Truecrypt"
As I tried to show, that blog post is very poor and clearly not a usable source for this article. Please do not re-add the information without proper sources, as it is likely against WP:RS, WP:BLP, WP:LIBEL, WP:OR, WP:UNDUE -- SF007 ( talk) 22:27, 25 February 2012 (UTC)
--Most websites perform some kind of "censorship" (including wikipedia), nothing special here BUT what about the "wikipedia isn't censored" bluff? I KNEW IT!!! — Preceding unsigned comment added by 189.69.57.138 ( talk) 22:25, 3 July 2012 (UTC)
In the middle of the article page, under "Security Concerns" is this quote:
"If a system drive, or a partition on it, has been encrypted with TrueCrypt, then the above paragraph applies only to the contents of that drive/partition."
I don't understand what this means, could someone explain? I'd like to make the sentence clearer but first want to understand -- is this saying that encrypting an entire partition is more advantageous than only single files, less so, or? Some info please. — Preceding unsigned comment added by 110.74.221.156 ( talk) 20:57, 5 August 2012 (UTC)
If you have full administrator privileges and get the user to type in their truecrypt password, then you will be able to decrypt the drive. Come on, that's ridiculous. Anonywiki ( talk) 06:12, 31 October 2012 (UTC)
If anyone's looking for sources of info, there's an article here by the German group iFrOSS, who are usually very knowledgeable about free software licences:
They work with Harald Welte to enforce the GPL in Germany. Gronky ( talk) 22:04, 20 January 2014 (UTC)
As listed in the references/notes for the article, reference #34 is a dead link (I clicked on it 19-Oct-2011) ( http://peterkleissner.com/?p=11) and ought to be removed. As an aside, I've often thought wikipedia should have some kind of automated process that would prune dead links (or at least colour them some way?) since it takes a fair bit of work to vet a whack of articles manually.
^ "TrueCrypt Foundation is a joke to the security industry, pro Microsoft". Peter Kleissner post and expert comments about Stoned bootkit. Peter Kleissner. Retrieved 2009-08-05. — Preceding unsigned comment added by 174.113.114.198 ( talk) 22:56, 19 October 2011 (UTC)
It is archived here: http://web.archive.org/web/20090803081510/http://peterkleissner.com/?p=11 Family Guy Guy ( talk) 03:32, 27 February 2014 (UTC)
The FAQ page of TrueCrypt claims that TrueCrypt is safe and contains no extra code, backdoors etc: TrueCrypt FAQ page.
Given that it's a primary source (the reason why my edit was removed), can anyone locate reliable sources which can prove TrueCrypt is either safe or not safe, with regards to backdoors etc.
Here's an interesting discussion about it. TurboForce ( talk) 12:56, 25 May 2013 (UTC)
TechARP dug up a pdf, [9] basically a prosecutor's guide to data forensics. The pdf casually claims that backdoors are available for popular encryption software including TrueCrypt. (slide 30) However since this pdf was ironically found in the "darknets" it's difficult to judge its veracity. Make your own call. Ham Pastrami ( talk) 03:09, 28 January 2014 (UTC)
At this point there don't appear to be any real concerns that the end of life is a hoax or hack. I think we should put in the lede that the software is no longer being updated, and the former maintainers have recommended against its use. I will be WP:BOLDly doing this now. Gaijin42 ( talk) 21:52, 2 June 2014 (UTC)
The best I can find is [11]. http://www.truecrypt.org/docs/license is down, and I cannot find it in archive.org or google cache. -- Piotr Konieczny aka Prokonsul Piotrus| reply here 05:38, 1 June 2014 (UTC)
Given the nature of the "archival site" (truecrypt.org redirects to truecrypt.sourceforge.net) I suspect that TrueCrypt's website may have been compromised and this is a clever attempt to hack into people's machines. I say we wait for official word other than the website before claiming it's discontinued. — f3ndot ( TALK) ( EMAIL) ( PGP) 19:29, 28 May 2014 (UTC)
Hum, don't think it was hacked somehow. First, most of the page teaches how to migrate data. Second, the only available download is a "new" version, 7.2, that only allows you to decrypt data. Installing and running it on your computer won't open any kind of network connection. It doesn't create any new files, hidden files, nor modifies your registry. And don't think there'll be an official communication other than the official website, since the authors weren't known. Don't think there'll be a way to check if anyone claiming "I'm the TC author" will be provable. I'd take the official announcement as serious. Noonnee ( talk) 19:49, 28 May 2014 (UTC)
At this point there are no reliable sources, such as Bruce Schneier, Steve Gibson, Brian Krebs, especially the Electronic Frontier Foundation, The Guardian or any mainline newspapers known to be reliable on cybersecurity issues that have the resources and have done the necessary homework to tell us what is going on. Matt Green hasn't confirmed any of the details. I find the timing and method of this 'announcement' very suspicious, as others do. The hatnote is sufficient for now, together with the paragraph on end-of-life. Semi-protection doesn't seem warranted yet. — Becksguy ( talk) 08:10, 29 May 2014 (UTC)
Not saying anything specific, but to quote 'morningstar'
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
-> "WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues"
--> "WARNING: Using TrueCrypt is NSA it may contain unfixed security issues"
combined with the source code change ( https://www.alchemistowl.org/arrigo/truecrypt-7.1a-7.2.diff.gz)
"-#endif // English (U.S.) resources
+#endif // English (United States) resources"
I think I consider this settled. — Preceding unsigned comment added by 89.1.40.25 ( talk • contribs) 14:54, 30 May 2014 (UTC)
Steve Gibson offers a good closing overview. -- Wikisian ( talk) 15:37, 30 May 2014 (UTC)
Looking at the version history of TrueCrypt, one can understand that the developers lost interest in the development:
Versions by year:
2004 - 6
2005 - 3
2006 - 1
2007 - 1
2008 - 6
2009 - 4
2010 - 2
2011 - 1
2012 - 1
2013 - 0
2014 - Discontinued
-- 85.179.0.198 ( talk) 21:13, 4 June 2014 (UTC)
Someone changed latest stable version from 7.2 to 7.1 ( here) with note that 7.2 is 'created by hackers'. I changed this to version 7.1a, which is the last version before 7.2. But I am not sure if all this is correct. Technically 7.2 is latest version. I don't think that 7.2 was created by hackers but I don't trust this version. So what to do with this? Should we keep there both versions (7.1a and 7.2) with note that 7.2 is capable only of decryption and has questionable source? — Preceding unsigned comment added by PetrPP ( talk • contribs) 10:46, 3 June 2014 (UTC)
There is a hidden message on the new sourceforge TrueCrypt site that says, approximately, "Don't use TrueCrypt because it is under the control of the NSA". Details about the message are on my user page at MediaWiki.org. Badon ( talk) 01:49, 16 June 2014 (UTC)
It made it to BoingBoing's front page today, that's just as reliable as many of the other sources we have for this article. Gaijin42 ( talk) 16:41, 17 June 2014 (UTC)
There seems to be some POV-switching going on recently. Not being a TrueCrypt user, I'm not sure which is correct.
It seems that:
Now it's not clear to me what's going on, but either TrueCrypt (overall, as is the scope of this article) is end-of-lifed and the article should reflect that from the lead onward or else the Windows end-of-life is just one part of this and if the Linux version continues, then the article should not be taking such a simple "the product is now EOLed" approach. Andy Dingley ( talk) 11:18, 17 June 2014 (UTC)
This is just speculation, but it would seem like the developer(s) simply didn't feel like maintaining the project anymore, and so terminated support and provided a tutorial for migrating encrypted files to more up-to-date software, since TrueCrypt won't be receiving any security fixes in the future. After all, maintaining software can be stressful. You may not meet your project funding goals, and users aren't always appreciative of your efforts. It could be that the developer(s) got fed up and just wanted to walk away. I doubt it's anything more suspect than that.
With that said, I think it's safe to conclude the software has simply been discontinued, or "end-of-lifed" as you said. 98.86.119.246 ( talk) 00:09, 5 July 2014 (UTC)
As of 17 July 2014 there is a section under "Legal cases" titled Bo Chen. This section contains three separate citations from unreliable sources (From the Trenches World Report www.fromthetrenchesworldreport.com, cryptome.org, scribd). The scribd link isn't from court filings or police documents. Additionally, the other two links don't have reporting or appear to be fact checked. A Google search of "Bo Chen," and "Bo Chen Addison arrest" also doesn't turn up any verifiable information. Given the lack of verifiable sources, I have decided to remove the section on Bo Chen from the wiki.
If anyone finds any reliable sources, please feel free to add it to the wiki.
Purgnostic ( talk) 17:55, 17 July 2014 (UTC)
I want to bring this up because it's not exactly a small thing, even though to those outside the tech community it may seem that way. And it affects how we describe the subject of this article in the very first line.
I realize it is common to refer to the software as "open source", but this is generally out of media ignorance. In the tech community (where the term originated and where it is still most often used), that term has a very specific meaning that implies multiple things, the first of which being free license.
There is debate over whether TrueCrypt (with its TrueCrypt License 3.0) meets those major freedoms that designate it to be open source and free software.
The recent change to the introduction seems to be quite hasty, and if I may say so, pretty sloppy. Before the change, the heading called TC "source available" and linked to the licensing section where it was explained that the "openness" of the software was in question by the tech/open source community.
Now not only has that entire section been all but completely deleted, the intro paragraph has been changed to say "open source", and from the looks of it, the citations included weren't even vetted by the user that made the change. For example, the first citation doesn't even mention the words "open source" (outside of the comments section where an anonymous commenter lists it as an attribute of the program. I sure hope the user who made this change doesn't think a comment on a webpage meets WP:RS.) What's even more ironic is the second cited source actually claims TC isn't open source. The sub-header of the article literally says "its claim to be open source doesn't hold water, either."
If I wasn't supposed to assume good faith I would think this was a joke.
Given that the other two sources cited mention nothing about the licensing issues that bring the open source status of TC into question, one can only assume they are used as citations for no other reason than because they simply call TC an "open source" program. Again, this is just media ignorance. (And again, the user who made this change should be aware of that because not only did he delete the relevant information that explained this issue in the Wikipedia article, one of the very sources he cited goes into great detail and actually concludes that TC is not really considered open source.)
I invite discussion on this, but given the fact that the only citation provided which actually talks about the open source status ultimately concludes the software is in fact not open source, I'm going to revert the change and put back the relevant info in the license section until we can decide how we want to address the debate in the article (because I would think we can all agree it is something that is worthy of mention in the article, and as I said, for some reason it was deleted.) -- Wikisian ( talk) 02:27, 21 May 2014 (UTC)
SHOULD BE 7.1 ??! — Preceding unsigned comment added by 178.190.110.136 ( talk) 18:11, 16 August 2014 (UTC)
I've added a link in see-also to FreeOTFE, but it was undone with the comment "don't want to call out any specific alternative unless it is particularly significant, instead the comparison of alternatives is linked" - but this software is significant because its features are identical to TrueCrypt's; it also has a quite similar GUI. And there is also no other non-closed-source on-the-fly volume encryption software for Windows. It's now abandoned, but as far as I know there weren't any security issues with it. Maybe it's the fault of a small user base, but still it is a significant name to mention alongside TrueCrypt. I think it went dead because at the time TC was a direct and promising competitor. Doesn't that spell significant? pwjb ( talk) 11:55, 29 May 2014 (UTC)
VeraCrypt is an updated fork of TrueCrypt.
Mentioned here: [1] webpage here: [2]
Is it notable enough to mention in the page? 196.215.47.219 ( talk) 15:25, 17 October 2014 (UTC)
I just poked around in the VeraCrypt source code on codeplex.com. The page said "Browsing changes in <master> as of commit 4ffb715b69c0, Nov 11, 2014", to confirm it was the current source code I was viewing, yet the files still have TrueCrypt copyright! For example, Driver/EncryptedIOQueue.c has "Copyright (c) 2008-2009 TrueCrypt Developers Association. All rights reserved." ... Um... isn't that a sign of ineptness they can't even update the copyright headers in all their "forked" files? 74.10.5.213 ( talk) 00:51, 21 November 2014 (UTC)
I am using professional and EFS doesn't encrypt filenames and it doesn't support BitLocker, worse I have one machine running home "premium" that doesn't even support EFS or RDP without a patch. Their site says to use BitLoc$er, but it's no replacement for TC which is free and multiplatform. — Preceding unsigned comment added by 75.158.72.234 ( talk) 03:21, 28 October 2014 (UTC)
Yes Bitlocker was mentioned due to the *incorrect* TrueCrypt EOL message which didn't consider not all versions of Windows supported it when claiming Truecrypt was unnecessary. Since I made my comment, this fact has been added to the article, but not sure why it's mentioned in () 75.158.72.234 ( talk) 04:33, 27 December 2014 (UTC)
CipherShed is a now available fork of TrueCrypt. here. Thus, alongside VeraCrypt, it provides a viable replacement for TrueCrypt. The article said
There is a proposal for a software fork named CipherShed...
So I changed the text to reflect this. It will then be necessary to update the Wiki article "comparison of disk encryption software" to include CipherShed.
This "alternatives" section ends with an unclear phrase:
According to another discussion,[29] TrueCrypt may still be used on supported platforms, while also watching 3 of the known TrueCrypt forks and one commercial alternative.
Firstly, any discontinued software may be used if it is present on the user's computer. Secondly, who watches what ? - The two, now working forks are CipherShed and VeraCrypt and there are many commercial alternatives.
-- Paul Williams ( talk) 17:18, 28 October 2014 (UTC)
The section on TrueCrypt's sudden end of support was written in a way that only fueled the fire of paranoid theories. It emphasized security risks, rather than the tone of the references (and all other media I read on it) that actually were in the opposite direction: there is no evidence at all that TrueCrypt is suddenly not safe anymore. It almost seems as if whoever wrote that section is trying to contribute to the FUD of the TrueCrypt creators, rather than reflecting the tone of the media coverage. Please help me improve it to reflect the tone of the media coverage. PizzaMan ( ♨♨) 12:23, 18 March 2015 (UTC)
"the tone was too suspicious, although it's better now." What? O: It is the same as before now. I reverted every change made by PizzaMan.
"Actually it does mention security". Please quote!
"There are two sections about the end of life announcement". Again, please show me. I don't see.
"The correct link for his quote is ..." a self-published blog by an obscure person whose authority on the subject is not significant. Can't use it, per WP:RS.
Not Secure Anymore — Preceding unsigned comment added by 81.218.241.26 ( talk) 11:04, 5 July 2015 (UTC)
This should get an own article and the redirect page should be eliminated.-- Mideal ( talk) 14:41, 16 September 2015 (UTC)
I came here to find out about the current state of TrueCrypt and found that this page was long and confusing and didn't immediately provide this information. This is why I added the "Current Safety & Security Status" section to say that the independent security audit has completed and found TrueCrypt to be secure and people can still use it. Sorry if I didn't do things correctly; I'm not a regular editor, but I'm eager to learn, so please provide guidance on anything I did wrong (if at all). For the first sentence I provided two citations, and I feel that the second sentence is a logical conclusion from the first sentence and from the other information on the page. Galori ( talk) 19:02, 26 September 2015 (UTC)
Neither http://truecrypt.sourceforge.net/ (via http://truecrypt.org) nor https://www.grc.com/misc/truecrypt/truecrypt.htm is going to cut it. There is no website to visit. The URL in the infobox may need some adjustment. Any ideas? ~ Kvng ( talk) 04:35, 13 April 2016 (UTC)
truecrypt.org is not usurped. It is still the official website. If and when it was taken down, we change it from "{{URL|truecrypt.org}}" to "truecrypt.org (offline)".
RE: [25]
Couldn't fit this in an edit summary – Steel 19:47, 11 May 2016 (UTC)
I'd appreciate if someone adds this information to the article for me.
http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/ Additionally, this case was linked to in the article. https://www.wired.com/2012/02/laptop-decryption-appeal-rejected/ — Preceding unsigned comment added by 104.240.130.199 ( talk) 16:04, 29 May 2016 (UTC)
LaCie claims to use the TrueCrypt encryption engine.
-- Elvey( t• c) 20:29, 9 July 2016 (UTC)