There's some good information in this thread from /r/netsec:
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

You might also want to read this article from The Register, linked to from that reddit thread:
http://www.theregister.co.uk/2014/05/28/truecrypt_hack/

Even more worrying, *The Reg* has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site <http://sourceforge.net/projects/truecrypt/files/TrueCrypt/>, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.

<http://regmedia.co.uk/2014/05/28/truecrypt_strings.png>
Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code

We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.

I'm not trusting anything until we get confirmation from the core developers.

--Matt

On Thu, May 29, 2014 at 8:35 AM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote:

> I don't think anybody knows anything factual at this point, so I'm going
> to respectfully ask people refrain from speculation (sure, that might
> work.) ;-) But just in case you didn't see this, you should.
>
> Truecrypt was mysteriously yanked from the internet yesterday or the day
> before. Replaced by a site that seems ridiculous, so you might first
> suspect that it's just a prank, but at the bottom, there is a download link
> to truecrypt 7.2, which is apparently modified to open truecrypt files
> read-only so you can migrate data away from truecrypt, and is signed by the
> TrueCrypt Foundation. Signed May 27.
>
> So as arstechnica points out, if some sneaky hacker got access to
> truecrypt dns and also the private key, this is a really obtuse and
> improbable hoax. Because with the truecrypt dns and private key, you could
> do much bigger badder things.
>
> http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/
>
> So there are lots of possibilities here, including hoax, or nsa coercion
> resulting in lavabit-esque results, or a few other speculative
> possibilities... But whatever is going on, I say, WTF.
>
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/