TrueCrypt, the popular disk encryption software, has recently changed its website to a security warning stating that TrueCrypt is not secure anymore and that users should switch to BitLocker on Windows, or to no encryption on Mac. It does not even mention Linux.
Download TrueCrypt All Versions: All TrueCrypt files, binaries, keys, source, all versions
ValdikSS Analysis on Github Gist | Russian Version
The Premise
As per recent posts from Matthew Green and Steven Barnhart, it appears as though we have an answer. The dev claims to have just gotten tired of maintaining the program TrueCrypt. He claims that he does not want anyone using the source code for the bootloader and the GUI because "that's harmful because only they are really familiar w/code".
Is this really what happened though? I mean, what about the panic-stricken BitLocker page and the mysterious method used to leave the software world? What about the refusal to let others build on the code that was nearly open-source? It still seems fishy, but we do have an answer from the dev at least...
Sources:
https://twitter.com/stevebarnhart/status/472200478345150464
@matthew_d_green 1 more "I were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever."
https://twitter.com/matthew_d_green
These are facts of what I have seen that may offer some insight into the cause of TrueCrypt's recent decision.
Again, this is only speculation; I have read a lot and spoken with a lot of people about the possibilities, and I have come up with a few theories that could match the facts.
The premise
The TrueCrypt dev team was told by a government agency to add a backdoor to TrueCrypt.
See: Wikipedia Rubber Hose Cryptanalysis
My Reasoning
The whole situation with TrueCrypt is just a bit off; none of it makes sense from our viewpoint. It is possible that a subpoena was issued to reveal information that would compromise the security of TrueCrypt, whether this is knowledge of any possible security flaws, private keys, or the request to add a backdoor to TrueCrypt. This is exactly what happened to the Lavabit email service a while back, and it resulted in a similar outcome to what we see today in TrueCrypt. The combination of the factors below indicates to me that the developer was trying to say his software is no longer safe BUT he cannot say why due to a warrant canary.
The Premise
The TrueCrypt audit project raised over $62,000 US dollars to investigate whether the TC dev team was hiding things in the code that could bypass encryption, literally tearing their project up with a huge budget. Meanwhile, the TrueCrypt foundation gets so few donations that it was too disheartening to continue because everyone was against them.
My Reasoning
The Premise
Someone gained access to all of TrueCrypt's keys and logins for both the program, the webserver, and SourceForge.
My Reasoning
This is the least likely scenario in my mind at this point. It would be too elaborate for vandalism. Still, here are the supporting reasons:
The Premise
The dev got bored of supporting the project, or had issues in real life that took precedence over TrueCrypt.
My Reasoning
It happens to everyone.
The Premise
Someone gained access to all of TrueCrypt's keys and logins for both the program, the webserver, and SourceForge, but could not find the developers.
My Reasoning
A government might have enough resources to break the developers' public-private key pairs and hack into the site.
The Premise
The developer was working on new features for 7.2 based on the diff of the source. It is possible there was a major flaw that was found by the dev and nobody else yet. Instead of releasing the vulnerability and making it public, which would allow everyone to open anyone's TrueCrypt containers, the dev decided to close the project and convince people that the program is no longer secure by destroying its credibility.
My Reasoning
Yes, I know that there were no flaws found in the audit YET, but still, here are my reasons:
The Premise
We know nothing about the dev team for TrueCrypt, so this is pure speculation, but sometimes dev teams disagree, and it can turn into something like this. If one irate developer had access to the private keys for the program, access to the webserver, and access to the SourceForge account, this is a possibility.
My Reasoning
Repost - What happened to TrueCrypt? - May 2014
Original article: http://www.cnblogs.com/pityhero233/p/7522054.html