Re: [LUG] Truecrypt

[MWilliams <mwilliams@xxxxxxxxxxxxxxxxxxxxxxxx>]

On 29/05/2014 18:51, Neil Winchurst wrote:
> I noticed some reports that Truecrypt
> is no longer being maintained and, more to the point, no longer
> considered safe. The recommendation seems to be to forget TC and to
> look elsewhere. Hence the question.
>
> Neil


No longer maintained as it served the purpose for which it was built and 
proved to be secure so far. The recent audit was far from a complete 
review of the code but the elements they did examine only contained 
minor weaknesses primarily arising from inconsistent authorship, not 
flaws that would compromise the entire system.

Given old reports of previous versions being unbreakable by the NSA and 
other 3 letter agencies following seizures upon entry into the US, I'd 
be cautiously optimistic that it hasn't been broken. If I recall 
correctly, the reports arose from legal cases seeking enforced 
disclosure of passwords or encryption keys following 2+ years of 
attempting to break the encryption.

Cory Doctorow has picked up on the story and links to a Reddit thread 
with alternatives:
http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html

Krebs' analysis is here:
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure

Schneier commented "I have no idea what's going on with TrueCrypt" which 
is probably the most accurate response anyone can give presently.

I use TC with 80+ devices and will continue to do so until confirmation 
is apparent either way.
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq