Not like most sane people haven't already stopped using it years ago when they were compromised by gov. agencies, but I bet some still run that old piece of shit...
[OpSec] TrueCrypt fully compromised
Not like most sane people haven't already stopped using it years ago when they were compromised by gov. agencies, but I bet some still run that old piece of shit...
[33 Points] specialtime_dnm:
[16 Points] None:
[deleted]
[7 Points] throwawaygdtkaZ3mOw:
The vulnerabilities described do not mean Truecrypt is broken. If you have your entire drive encrypted with Truecrypt and shut down, it can't be decrypted. If you are using an unencrypted Truecrypt container and they have seized your sytem, it will be trivial for them to get Administrator - they just reset the password. Even so, the vulnerabilities described do not help the Stazi or whoever is trying to break your system to decrypt your container.
What the vulnerabilites described allow is: If the Stazi are able to log on to your system while you are running it, they can break out of a limited account and become administrators. From there they can plant keyloggers, etc. that eventually will gather your passsword. That's it. Windows has shown itself to be full of such vulnerabilities and the same problem will show up with Veracrypt. If they break into your system while you have it on and logged in, they can install keyloggers, etc. no matter what encryption system you are running.
This vulnerability shows that one of those zero-day exploits for gaining admin lies within Truecrypt (and, until just patched) Veracrypt software.
With that said, I'm sticking with TrueCrypt for the following reasons:
The vulnerability is one that allows a limited user to gain admin, not one that breaks the Truecrypt encryption. This is trivial for Windows, especially if they have physical access to your machine.
The NSA listed TrueCrypt (along with Tails and TOR) as something they could not crack, at least as of 2012.
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html
(BTW, VPNs and SSL are apparently easy to break.)
Why would they do that if they could break it?
The Truecrypt developers used a brilliant (and somewhat obvious) method of telling people they were being forced to shut down: They advised people to switch to Windows Bitlocker. Of all the disk encryption systems out there, they advised people to switch to one that is almost certainly back-doored and is usually used on Windows. That seems a clear indicator they were operating under duress and to take what they said with a grain of salt.
The publicity about the vulnerabilities seems more of an attempt to scare people away from using Truecrypt. News releases seem to go out of their way to mention Truecrypt and to imply that this means it is broken. It isn't.
Who's behind Veracrypt? Why should I trust them? Although the same may be said about Truecrypt, Truecrypt has shown its credibility:
a.) The leaked NSA documents show they could not break it. b.) The Truecrypt project was almost certainly shut down unwillingly. c.) It passed a security audit just as it was being shut down.
The same is not true for Veracrypt.
I'm not saying Veracrypt is necessarily vulnerable, but it hasn't proven itself as Truecrypt has.
Eventually Truecrypt may fall to some attack, but until then, I think it has shown itself to be the best we have and I'll continue to use it.
tl:dr: Truecrypt encryption isn't broken. Nothing else has the crypto creds of Truecrypt.
Edit: I'm posting from Tor with a throwaway and it seems to screw up the numbering. I don't know why...
[4 Points] TiredDogg:
Yeah it's only for windows users. Windows users are fucked anyway so it is not big deal.
[4 Points] metac0rtex:
Pretty sure this is only applicable to windows installations due to "abusing drive letter handling." None the less, it is now time to stop using TrueCrypt if you haven't already.
[3 Points] None:
[deleted]
[2 Points] ErraticWire:
Caught this on /r/netsec earlier and forgot to post it, thanks OP!
[2 Points] JackDostoevsky:
This is interesting and all, but on /r/DNM why aren't we saying, "Yeah that's interesting but you should be using Linux + LUKS"?
[1 Points] xDirty:
Im a fan on of veracrypt cause it seems to have picked up where truecrypt left off.
[1 Points] TripAddict:
So it is safe to use Veracrypt correct?
[1 Points] xDirty:
Does anyone if this bug affects containers made with previous builds of veracrypt
[1 Points] earthmoonsun:
Is DiskCryptor safe?
[1 Points] lordredvampire:
Veracrypt took over the project and fixed many low and medium security vulnerabilities found on TrueCrypt audit report.
For Linux: use Linux and dmcrypt+luks.
[1 Points] None:
what about wickr?
[1 Points] young_k:
Veracrypt.
[1 Points] tuckmyjunksofast:
Truecrypt was NEVER compromised by govt agencies. In fact the CIA tried several times to crack it and could not.
Is this the vulnerabilities that allow privilege escalation and doesn't actually break the security on the containers.
In a non alarmist fashion..... if truecrypt is running and your containers are mounted, if your computer is seized in that state. Escalated privileges are going to be low on the list of your concerns.