Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

"given that everyone was happy to keep using TrueCrypt up until 1 day ago"

The same was true for OpenSSL a few weeks ago.

One of the most plausible theories is that the TrueCrypt developers found a gaping security hole (ala OpenSSL) and realised that releasing a fix for it would reveal the bug and compromise every TrueCrypt partition in existence, so they chose to kill the project rather than risk the safety of all of that currently encrypted data.

If that scenario is true, there's a big rush to switch to something else before the bug is discovered by other researchers.



Their warning about it being insecure is clearly a joke, as their alternate suggestions (particularly for linux and Mac) are ones that no one should ever take seriously. TrueCrypt passed Phase I of the audit, and Phase II of the audit is coming down the pipe soon enough. Also keep in mind that TrueCrypt is one of the most widely-used cross-platform drive encryption tools and has been for some time. It seems far more likely to me that TrueCrypt is secure than that a more obscure competitor, no matter what the developers say in a weird, cryptic message that everyone assumed was their site being hacked.


That would make sense, especially with all the truecrypted drives in evidence lockers and whatnot - in other words, things that can't be properly upgraded.


If that was the case, why not fix the bug and then tell everybody to upgrade to the new fixed version ASAP?


by fixing the bug you tell everybody what/where the bug is and if anybody has a copy of someone else encrypted disk (think external backup, amazon etc..) they can decrypt it.


That's effectively the same thing as releasing details of the bug. It would take time to take the patch and figure out the bug from it, but it would be fairly easily done for a determined attacker.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: