Friday 30 May 2014

Truecrypt development team compromised?

It appears that the Truecrypt development team have been compromised by the NSA using some brute-force social engineering.

The Truecrypt home page and its Warrant Canary has disappeared from the web (including from the Wayback Machine at http://web.archive.org/web/*/http://truecrypt.org ), which indicates that they have been served with an order for user data under Section 215 of the Patriot Act.

The old Truecrypt page at http://truecrypt.org/ now redirects to a page at http://truecrypt.sourceforge.net/  which encourages migration to BitLocker. As the Bitlocker team appear to having been targeted by the NSA, the Truecrypt developers are either being *extremely* tongue in cheek in hinting to the community about a Lavabit-style social engineering attack or they are plain stupid.  I'd go for the former.

A new Swiss group has sprung up at http://truecrypt.ch/ to fork the source, but "who are these guys then?".

For now, do NOT migrate to Bitlocker.  Instead, keep using Truecrypt 7.1a until such time that the new Swiss group's credentials can be checked and a rolling code audit process has been established.

John Gilmore's quote from TIME magazine springs to mind:

"The Net interprets censorship as damage and routes around it."

4 comments: