Talk:TrueCrypt/Archive 2

From Wikipedia, the free encyclopedia

FBI can’t crack AES-XTS

I've removed the URL relating to the claim "FBI can't crack truecrypt" as it's not encyclopedic and is purely promotional - any product using the same algorithms would get the same results. AES-XTS is AES-XTS. That the FBI can't crack AES-XTS doesn't prove anything, except arguably that AES is secure - which is hardly in doubt and may not be admitted even if it wasn't. On top of that, the story on the WWW page linked to is analogous to a "Cracking contest" - see Bruce Schneier's articles "Warning Sign #9" at http://www.schneier.com/crypto-gram-9902.html#snakeoil and "The Fallacy of Cracking Contests" at [1]. I'm not saying TrueCrypt is insecure, just that the link adds nothing of value and is misleading. Gat101 (talk) 12:16, 1 July 2010 (UTC)

Ironic that you cite Bruce Schneier with reference to "snake oil", because the URL relating to the FBI's inability to break TrueCrypt came from (wait for it...) Bruce Schneier's latest "Cryptogram" email bulletin. Mr Schneier describes the incident as quote "Cryptography success story from Brazil. The moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files." Read it for yourself, it's here:-

http://www.schneier.com/crypto-gram-1007.html

Not all implementations of AES-XTS are necessarily the same - there can be differences (and even subtle errors) in the way in which an algorithm is implemented. The inability of the FBI to crack TrueCrypt wasn't a cracking contest - and was never intended to be. What actually happened was that a well-funded US Govt law enforcement agency (with generous resources) spent over 12 months trying to break into a TrueCrypt-encrypted volume - and failed to do so. If that's not encyclopaedic knowledge that's well worth knowing, I don't know what is! None of this means that TrueCrypt is unbreakable. However, it does mean that (to quote Schneier) it's a "Cryptography success story". Citing this incident in Wikipedia isn't "promotional", given that the software is free and requires no payment to use it. It is, however, of great interest and relevance to end-users. All of these points should have been self-evident. Nabokov (talk) 00:05, 18 July 2010 (UTC)

I agree, the story is certainly relevant to the article, and as an established news publication it passes WP:RS. A high-profile FBI case isn't the sort of "cracking contest" that Schneier warns about — read Schneier's "The Fallacy of Cracking Contests". Now obviously this doesn't prove that TrueCrypt is secure, but it's a good data point, as most people deal with less resourceful attackers than the FBI. The way in which it was presented in the article was more over-reaching than it should be, but that can be fixed. -- intgr [talk] 14:29, 18 July 2010 (UTC)
While I understand the point of the editor removing the URL, and he is somewhat right, I think it makes **very** much sense to include this news here, however, we should take care to not present it as "TrueCrypt is unbreakable" or something similar. Otherwise I am all for the inclusion of this. --SF007 (talk) 15:13, 18 July 2010 (UTC)

That's 3 people (including myself) who believe that this information re. the FBI's failed attempt to break into TrueCrypt is relevant. Perhaps intgr or SF007 could re-insert the information in a fair and balanced way which is acceptable to all readers? - Nabokov (talk) 08:27, 19 July 2010 (UTC)

Putting my bit in, I think it should be included as well - though I agree with both User talk:Gat101 and user talk:intgr - it would be much better to put this information on the XTS section of Disk encryption page, or even better, on the AES page. Although TrueCrypt is mentioned, the critical bit relates to the algorithm used, not any given software product. Nuwewsco (talk) 09:18, 19 July 2010 (UTC)
"it would be much better to put this information on the XTS section of Disk encryption page,"
No it WOULD NOT. Some of these programs can be cracked without breaking AES. As Schneier repetitively stated, it is NOT the encryption they're trying to break, it's the implementation of it. It's almost a certainty that nobody will ever break AES to a degree where someone can decrypt it in today's world, I am sure it's a mathematical impossibility (even though no one has yet proved that). But if you could somehow look at the way TrueCrypt is on the MBR and figure out what it is, then the FBI would have done it. Instead they were reduced to dictionary attacks. Anonywiki (talk) 23:12, 21 July 2010 (UTC)
Agreed with Anonywiki. Nearly all weaknesses in crypto software today come from protocol or implementation problems, not the primitives. -- intgr [talk] 10:46, 22 July 2010 (UTC)

I've re-inserted the information re. the FBI & TrueCrypt. If someone wants to rewrite what I've put (maybe insert clarifications?) then that's fine - go ahead. However, please don't dive in and revert it because I honestly believe that the information is relevant to any user of TrueCrypt. Deleting the fact that the FBI spent 12 months trying to break into TrueCrypt-protected volumes (in a well-funded, "real-life" attack) and failed would be a big mistake. Nabokov (talk) 11:20, 4 August 2010 (UTC)

"container"

This term is present a lot in the "Significant changes" column of the table in the "Version history" section, but has not been introduced otherwise in the body of the article. (And I find it used a lot in this discussion page). --Jerome Potts (talk) 20:20, 1 August 2010 (UTC)

The same can be said for the term "bug fixes". It's used 5 times in "Significant changes", but never introduced otherwise... Hasn't been brought up here on the discussion page, though. What's up with that? – jaksmata 15:20, 3 August 2010 (UTC)

Operation Satyagraha Information should be removed

Until it is confirmed that there was actually something usable on the drive (perhaps the disk was filled with tripe?), that truecrypt (rather than something else) prevented access to it (there are mentions in some articles about another security method), and that the government did not, in fact, decrypt the drive. —Preceding unsigned comment added by 68.165.132.208 (talk) 14:02, 20 November 2010 (UTC)

How do you expect it to be confirmed? It won't ever be. Also what are these "some articles"?
Per verifiability policy, the current source supports everything that's in the article. If another source contradicts these claims then the contradiction can be covered in the article as well, but I see no reasons to remove it. -- intgr [talk] 16:41, 20 November 2010 (UTC)

Performance

Let's start a civil discussion about this issue. You're set on emphasizing the *poor* performance of TrueCrypt. Sources being to the contrary, I dispute that point of view. 68.102.20.122 (talk) 22:31, 20 January 2011 (UTC)

I'm not certain who you mean by "you're", though I can't see the current article as suggesting anything about "poor" performance at all; the article as it was before your changes seemed to reflect the sources listed quite accurately, and in neutral terms. Your edits on the other hand seem to detail only selected parts of the sources.
I've reverted your change back pending consensus being reached. Moonradar (talk) 23:56, 20 January 2011 (UTC)
Please review this diff of the first time I touched the article. At this point, the only sources on the article at all talked about good performance, so I removed an unsourced assertion about poor performance. It was reverted to re-emphasize TrueCrypt's poor performance. This attitude has persisted, even as I have introduced sources that describe its good performance. Without exception, bits about performance reductions are cherry-picked out of sources, and I'm left with commit comments that state "inherently true," "Overhead still present," as well as some unhelpful standard "Undid..." messages. There was the appearance of an "it's obvious" attitude that led people to not bother to provide sources for statements like "though using TrueCrypt on a drive will still decrease performance." I find that non-obvious, so I've challenged it, with inline tags and commit comments asking for a source to make that case. No one else has added any sources, and every source I've found (excluding blogs) spins its performance in a positive light. And yet, looking at the article, the reader is left with a distinctly different impression.
I feel my latest edit introduced a neutral point of view in an even-handed manner, without plagiarizing Tom's Hardware, without excessively close paraphrasing, and without giving undue weight to lines about performance reduction. Particularly, the line about "power users" is off the mark in an encyclopedic article: the review doesn't say anything about what that means, or how it was measured. The sources themselves spend far more ink talking about good performance, which is reflected in my work. 68.102.20.122 (talk) 00:25, 21 January 2011 (UTC)
I've attempted a further compromise, rewording what I consider the three most negative parts to be more neutral:
  • "was slower compared to an unencrypted disk" changed to "had a performance impact"; 'slower' implies a judgment not present in the article
No judgment present; it's just simple WP:UPE
  • "on dual-core Core i5-600-series CPU or a quad-core Core i5-700-series chip" changed to "on multi-core systems"; test rig specifics weren't key to that article, only the distinction between multi- and single-core chips
In benchmarking, the test system used is very significant - that's why Tom's Hardware details it. The source article doesn't state the difference is between N-cored CPUs
  • "though can still have a noticeable impact in some instances, and power users will complain" changed to "depending on the application"; 'complain' is subjective and tossed in at the last second, and the first clause feels weaselly
Thoughts? 68.102.20.122 (talk) 00:42, 21 January 2011 (UTC)
That's understandable - I've kept this in, but put back the power users comment as per the source Moonradar (talk) 12:45, 30 January 2011 (UTC)
You seem to have an axe to grind about this topic. I don't understand how you can read the same sources I'm reading and come to such different conclusions. 68.102.20.122 (talk) 01:40, 31 January 2011 (UTC)


Hello,
Regarding the sentence "Using a fast multi core processor and a fast system drive, preferably a Flash SSD, makes TrueCrypt almost transparent" which is an excerpt of tomshardware website, I strongly disagree with the assertion that "a fast system drive, preferably a Flash SSD" makes TrueCrypt more performant. The tomshardware review does not provide enough evidence (benchmark with a hard drive, then with an SSD) to validate such an assertion. However, what is sure:
  1. the performance of TrueCrypt is limited solely by the processing capacities of the computer (if the processor can encrypt/decrypt faster than the storage device can write/read, then obviously you wouldn't see a performance degradation due to encryption)
  2. for security reasons, it is not recommended to store a TrueCrypt encrypted file/partition on an SSD or a USB key because such devices use a wear-leveling mechanism to extend their lifetime. The TrueCrypt website states: "we recommend that TrueCrypt volumes are not created/stored on devices (or in file systems) that utilize a wear-leveling mechanism" (http://www.truecrypt.org/docs/?s=wear-leveling). Using a RAID of hard-drives to achieve read/write performance is thus preferable in this respect.
Regards. —Preceding unsigned comment added by 77.194.156.87 (talk) 00:07, 10 March 2011 (UTC)

A hoax attack "Stoned bootkit" must be removed

The author presented this as a valid attack. Later it turned out to be a classic hoax (the attack could be performed only by a privileged attacker who has already compromised the system). Only valid attacks may be presented in the article (anyone could create a hoax attack and present it in the article forever).

LogicKey (talk) 16:06, 8 October 2010 (UTC)

Can you show how it was proven that this was a hoax? Magog the Ogre (talk) 01:51, 9 October 2010 (UTC)
The attack does not pass the "10 Immutable Laws of Security" test.
http://technet.microsoft.com/en-us/library/cc722487.aspx
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
The author was informed of this fact by the developers but he presented the attack as valid anyway. Therefore, it was a deliberate hoax. LogicKey (talk) 15:37, 9 October 2010 (UTC)
You are correct, this attack bypasses TrueCrypt's security model. Users should be aware that attacks like this are possible, yet it comes as a surprise to many.
It never claimed to be a "new" attack, it was just making the point that the disk encryption security model does not apply to some significant real-world scenarios. Does this make the attack irrelevant or bogus? No.
In other words, making sure that the threat model applies to their scenario is the user's responsibility. The attacker isn't bound by the threat model -- the user is.
Let's say you leave your laptop at a hotel room for some time, someone sneaks in and tampers with it. What can you do -- yell at the attacker "You nasty cheater! You didn't use a valid attack! Give me back my encryption keys!"... Doesn't really work that way, does it? If they get your encryption keys they've successfully broken the system. -- intgr [talk] 18:54, 9 October 2010 (UTC)
See my response below. LogicKey (talk) 15:24, 11 October 2010 (UTC)
I think intgr is right; encryption is meant to keep everyone out, including people who might have physical access to the information that you have created. Magog the Ogre (talk) 02:48, 10 October 2010 (UTC)
You see that's the problem, users expect encryption to take care of all their data security problems, but it cannot. If an attacker gets physical access to your computer, they can tamper with it, and if you try to use the computer after it's been tampered with, it's game over — because there is attacker's software or their components running in your computer.
It's a fundamental problem really, it's impossible to write secure software on top of compromised hardware. "Law #3" as quoted by LogicKey is true and I'm not disputing it at all. There are multiple ways to achieve this, one is installing a "bootkit" like Stoned, another is adding a hidden hardware keylogger device.
Hence why developers of security software define a "threat model" — a set of circumstances in which the software is secure. Hardware tampering is excluded from this threat model. This threat model is fully documented by TrueCrypt and users should be aware of it, but the consequences usually aren't obvious to users.
What LogicKey is saying that the attack is a hoax because it bypasses TrueCrypt's threat model.
What I'm saying is, TrueCrypt's threat model has limitations and no smart attacker would "follow" the threat model. Like it or not, it's a weakness of the system. Documenting the attack on Wikipedia is actually a service done to users, so they know how easy it is to pull off these sorts of attacks.
Anyway, this was already discussed back in February, in the section #Concerns: The "Stoned" bootkit -- intgr [talk] 11:37, 10 October 2010 (UTC)
The weakness is a compromised system (it is not a weakness of TrueCrypt). TrueCrypt requires a secure system to work like any other security software.
If you wanted to demonstrate what physical security means, you would not publish an invalid attack on TrueCrypt and claim it is valid (like the author did). TrueCrypt documentation contained section 'Physical security' before this hoax was published. Anybody could create a hoax attack like this one and present it in the TrueCrypt article forever. Therefore, this hoax must be removed. LogicKey (talk) 15:20, 10 October 2010 (UTC)
If the attack can be executed in a real situation then how you can claim it's a "hoax"? You're always implying this, but nobody is claiming that it breaks TrueCrypt's threat model. Nobody is claiming that the TrueCrypt documentation didn't warn users about the issue.
And even though it was documented, lots of people are still surprised that attacks like this are possible — which very well suggests that TrueCrypt's documentation does a poor job at informing their users (either people don't read it or they fail to draw the right conclusions).
The reason we're covering it here is because there is a significant amount of media coverage about Stoned's relation to TrueCrypt, partly a result of TrueCrypt Foundation's denial of the attack.
Anyway, we shouldn't even be having this "hoax or not hoax" argument because Wikipedia's verifiability policy states:
"The threshold for inclusion in Wikipedia is verifiability, not truth—whether readers can check that material in Wikipedia has already been published by a reliable source, not whether editors think it is true."
I totally agree that the section should be presented more neutrally (covering both Kleissner's and TrueCrypt's positions), but there is enough coverage in sources that it makes no sense to delete it. -- intgr [talk] 16:17, 10 October 2010 (UTC)
The attack is a hoax because it does not pass the "10 Immutable Laws of Security" test.
http://technet.microsoft.com/en-us/library/cc722487.aspx
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
The author sent a responsible disclosure message to the developers before publishing the hoax. This proves he presented it as a valid attack. But the attack is invalid (it does not pass the "10 Immutable Laws of Security" test). The developers informed the author of this fact before the attack was published. Therefore, by presenting the attack as valid, the author lost credibility. LogicKey (talk) 15:24, 11 October 2010 (UTC)
You're going in circles. This argument is totally irrelevant given that we have several reliable sources saying that the attack does apply to TrueCrypt. Please read WP:V, WP:NPOV (or any other Wikipedia policy) and tell me what part of that you can use to justify the removal of this section? -- intgr [talk] 16:55, 11 October 2010 (UTC)
The "10 Immutable Laws of Security" prove that the attack is invalid. Therefore, this hoax attack can be removed due to the following rule:
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question. LogicKey (talk) 15:24, 12 October 2010 (UTC)
The article has inline citations that state that Stoned can tamper with TrueCrypt's MBR and bypass encryption. The article does not make any claims of "valid attack", however you might try to twist that phrase. -- intgr [talk] 15:29, 12 October 2010 (UTC)
The author presented this as a valid attack on TrueCrypt. Therefore, at least one reliable source must directly support the attack as valid. The developers declared the attack invalid and the "10 Immutable Laws of Security" prove it really is invalid (the material was challenged even before it was published). LogicKey (talk) 17:30, 12 October 2010 (UTC)
No — the author presented it as a "bootkit" against multiple versions of Microsoft Windows, which includes Windows disk encryption software TrueCrypt. But I get it, you're going to claim that rootkits and trojans aren't valid attacks either. -- intgr [talk] 17:57, 12 October 2010 (UTC)
As I already said (and you deliberately ignored), the author sent a responsible disclosure message to the developers before he published the attack. This proves it was presented as a valid attack on TrueCrypt.
Anybody could create an "attack" on TrueCrypt by installing a keylogger. Then he could present the "attack" at Black Hat and attract media attention. But this does not make the attack valid and, of course, this does not mean such hoax should be presented in the TrueCrypt article. LogicKey (talk) 18:26, 12 October 2010 (UTC)

The TrueCrypt documentation says that you shouldn't leave your laptop unattended, even for a moment. But if the only reasonable attack against a TrueCrypt-protected computer was a hardware keylogger then in practice you could leave your laptop unattended for hours (in a hotel room, to use the classic example), because such a thing is difficult and time-consuming to install. If you don't care about the authorities and think organised crime is unlikely to prey on you then you'd basically be able to ignore all of this as a technicality, since hardware key-loggers are very hard for non-experts to install without leaving clues.

But hardware keyloggers are not the least difficult physical attack. So the question now becomes, what is? Can I leave my laptop for 30 minutes? 5 minutes? One!? This is a question that a Wikipedia should give an answer to, or at least as much of an answer as possible. The fact that TrueCrypt developers don't care about the answer, because their documentation essentially says "one second is already too long", is irrelevant. They are not the target audience of this article. Quietbritishjim (talk) 18:56, 12 October 2010 (UTC)

Encyclopedia must not consist of hoaxes.
Once again: Anybody could create an "attack" on TrueCrypt by installing a keylogger. Then he could present the "attack" at Black Hat and attract media attention. But this does not make the attack valid and, of course, this does not mean such hoax should be presented in the TrueCrypt article.
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question.
This hoax is not directly supported by reliable sources. LogicKey (talk) 19:36, 12 October 2010 (UTC)


You say that 'anybody could create an "attack" on TrueCrypt by installing a keylogger'. By mentioning this, you have shown that you've missed my point. If the fastest physical "attack" (quotes added for your benefit) was using a hardware keylogger, then it should be discussed in the article, including the fact that TrueCrypt is not designed to protect against that, and indeed cannot.
Here is the key point: I am not in favour of discussing Stoned because it is a more effective physical "attack" than a keylogger. I am in favour of discussing Stoned because it is a faster and easier to carry out physical "attack" than installing a keylogger. Do you disagree with this? Quietbritishjim (talk) 21:02, 12 October 2010 (UTC)
Whether a hardware keylogger can be installed faster than a software keylogger is hard to determine and is not relevant to the topic. LogicKey (talk) 17:51, 13 October 2010 (UTC)

It's pretty clear by now that you won't convince us and we won't convince you. So we can agree to disagree here and move on. Wikipedia can still function in the presence of disagreements, that's why we have the consensus policy. I have also presented my reasons above, based on the verifiability policy, to keep the section. -- intgr [talk] 17:04, 14 October 2010 (UTC)

Only with valid arguments you can win a discussion. You presented no valid arguments. You have no right to revert the edit supported by the arguments presented in this discussion.
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question. LogicKey (talk) 17:24, 14 October 2010 (UTC)
Just because you refuse to accept any of our arguments doesn't mean that they aren't arguments. So here's one person (you), using a single source (MSDN Technet) that doesn't even mention TrueCrypt — editing against the consensus of several editors, and against several cited reliable sources exclusively on the topic of Stoned and TrueCrypt (iTWire, H-online, heise.de, gulli.de, Black Hat conference).
And frankly there's no point in continuing the same argument ad infinitum; as I said, it doesn't look like we will ever convince you and nor will you convince us. Your edit comment claims "no consensus", but there actually is a consensus and it's for keeping the section.
I don't know why you're quoting the verifiability policy here, the section that you deleted was indeed supported by sources. -- intgr [talk] 18:11, 14 October 2010 (UTC)
  • The "10 Immutable Laws of Security" is a generic test of a validity of an attack on a security product.
  • The developers of TrueCrypt stated the attack is invalid.
  • None of the sources directly supports the validity of this attack. News sites just inform about a newly reported attack. Black Hat just provides a platform for presentations.
  • Do not use the word "we" when you should use "I".
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question.
LogicKey (talk) 19:03, 14 October 2010 (UTC)
  • Whether the "10 Immutable Laws of Security" applies to Stoned or not, is your original research/synthesis and is not welcome on Wikipedia.
  • What the authors of TrueCrypt said is a primary source and their use is limited on Wikipedia.
  • But the article never claimed that it's a valid attack either, it reports what is said in the sources.
  • Two conflicting viewpoints should both be covered per WP:NPOV. There's no justification for removing the material that someone disagreed with.
  • You pasted the verifiability policy again and I still don't know why. You could be more helpful by explaining what material in the article is not supported by the sources. In any case this is not justification for deleting the section as a whole.
-- intgr [talk] 20:13, 14 October 2010 (UTC)
  • The "10 Immutable Laws of Security" were compiled by Microsoft to enable security researchers to quickly determine whether an attack is valid or not.
  • What the developers of TrueCrypt stated is important because it makes the material challenged (see the rule below).
  • When a material is challenged, Wikipedia:Verifiability requires not only that the sources must be reliable but they also must directly support the validity of the material. News sites only report news (they do not directly support the material), Black Hat does not peer review the presentations (it also does not directly support the validity of the material).
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question. LogicKey (talk) 15:25, 15 October 2010 (UTC)
You are misinterpreting the policy. The verifiability policy applies to content on Wikipedia — not external documents. It doesn't apply to TrueCrypt developers challenging Stoned. It applies to you challenging the "Stoned" section on Wikipedia. The "material in question" refers to what is being said on Wikipedia and the given sources have to support it.
You should be reading the policy as a whole, not clinging on to individual bits and pieces. The very same paragraph you quoted starts out with: "All material in Wikipedia articles must be attributable to a reliable published source to show that it is not original research" — that summarizes the intent of the paragraph. This is also echoed throughout the whole policy.
When multiple sources are in disagreement, there is still no basis to delete the content — Wikipedia should cover all the significant viewpoints; see neutral point of view.
You bring up the "10 Immutable Laws of Security" again, but as I explained above, how it applies to Stoned is your original research/synthesis and thus cannot be used on Wikipedia. Even if it came from a reliable source, it would fall under WP:NPOV and thus still wouldn't be a reason for deleting the section.
The fact that you seem reluctant to do more research on Wikipedia policies, and that you repeat your arguments without responding to my refutation, makes this discussion very frustrating. Truth is, a consensus already exists — you're alone in trying to delete this section. You cannot win arguments on Wikipedia by being the vocal minority. I can withdraw from this argument and that doesn't mean you've "won". -- intgr [talk] 16:28, 15 October 2010 (UTC)
Wikipedia:Verifiability: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question.
The credibility of the material is challenged (the developers stated the attack is invalid). In this case, Wikipedia:Verifiability requires that the validity of the material must be directly supported by reliable sources. LogicKey (talk) 20:01, 15 October 2010 (UTC)

LogicKey, verifiability extends to citing hard facts (e.g., George W. Bush is 62 years old), not to invalidating any source which has an interpretation of facts we don't like (e.g., saying the Wall Street Journal is an invalid source for claiming that the war in Iraq was controversial). Your reading of that passage misconstrues it to such an extent that any editor disputing any content could wholly remove the section. And that's simply not correct. Magog the Ogre (talk) 21:12, 15 October 2010 (UTC)

The basic rule defined by Wikipedia:Verifiability prevents challenged materials from being included in Wikipedia unless they are directly supported by reliable sources (proving the challenge is invalid).
The validity of the attack is challenged but no reliable source directly supports it. Nothing proves the claim of the developers (that the attack is invalid) is wrong and, therefore, the challenge remains valid.
The 2nd paragraph of Wikipedia:Verifiability applies to the material: This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question.
LogicKey (talk) 15:29, 16 October 2010 (UTC)
I already explained this once, but I will try again: The verifiability policy only applies to material on Wikipedia. You quoted the 2nd paragraph only partially — if you read the whole paragraph, it's clear that your interpretation is not the intended one:
"All material in Wikipedia articles must be attributable to a reliable published source to show that it is not original research, but in practice not everything need actually be attributed. This policy requires that anything challenged or likely to be challenged, including all quotations, be attributed to a reliable source in the form of an inline citation, and that the source directly supports the material in question."
It talks about challenging material on Wikipedia, not material in sources. The part that you quoted is simply a clarification of when to add citations: in situations where material [in Wikipedia articles] may be challenged. -- intgr [talk] 15:42, 16 October 2010 (UTC)
The 2nd paragraph is not only a clarification of "when to add citations". The rule applies to anything challenged or likely to be challenged, including all quotations. It requires that a challenged material must be directly supported by a reliable source (eliminating the challenge). If the condition is not met, the challenged material must not be included. LogicKey (talk) 16:52, 16 October 2010 (UTC)


Uff guys guys, first of all the TrueCrypt "attack" was just 1 page (not even one page) out of 46 in the Stoned Bootkit paper. What's special about the bootkit is that you can install it on the encrypted drive without knowing the password. There is no other software that allows you that, you cannot install any rootkit on an encrypted drive and other bootkits will make the computer unusable (the boot process will fail). One point why I criticized TrueCrypt was because they do not secure their own software on a running system (you can simply overwrite the MBR). That's why the fancy emails with them. But the bottom line is that Stoned was a dedicated "attack" on the TrueCrypt software, thus it's worth mentioning here. And multiple law enforcement agencies are using my software already. They get a court order, they install Stoned (and their own trojan) and give back the laptop. Once the suspect logs on, they have the evidence. -Peter Kleissner

FYI LogicKey was banned for edit warring (User talk:LogicKey) so this argument is pretty much over. But thanks for chiming in. :) -- intgr [talk] 15:16, 27 October 2010 (UTC)

Am I the only one who thinks that LogicKey and "Austrian software developer Peter Kleissner" are the same person? This section about the "Stoned" bootkit is useless! Above section already explains Physical security issues applicable to TrueCrypt. 91.77.254.56 (talk) 11:35, 10 March 2011 (UTC)

Considering LogicKey was arguing the attack was a hoax and for exclusion of the section about 'Stoned' to the extent of edit warring leading up to a block. And meanwhile Peter Kleissner is apparently the author of the Stoned software and saying it's been used by law enforcement and in particular, saying that in their opinion TrueCrypt's implementation was flawed because it didn't even attempt to stop the MBR being overwritten after TrueCrypt had been loaded. It seems rather unlikely they are the same person.... Nil Einne (talk) 23:30, 14 July 2011 (UTC)

TrueCrypt Foundation non-profit status

What evidence is there that the TrueCrypt Foundation is legally a non-profit? I searched for them using GuideStar to no avail. Inclined to remove the "a non-profit organization" phrase unless it is somehow evidenced outside truecrypt.org. Threexk (talk) 16:07, 7 July 2011 (UTC)

Performance

An IP recently changed the performance section to make it more favourable to TrueCrypt, removing "subjective" text even though it was being quoted from a source, and even though there was favourable unquoted subjective comment in the same sentence ("the performance impact of TrueCrypt on desktop applications is not generally noticeable"). That section already had a citation [2] to back up a claim that TrueCrypt is "almost transparent", when in fact that page says nothing specific about TrueCrypt's performance.

I've tidied up that section a little to try and put objective statements in the first paragraph, and more accurately quote Tom's hardware review in the second. However I'm still very unhappy with this; I don't think Tom's hardware is a reliable source for the claims they make. For a start, they describe TrueCrypt performance in practice, but only test with benchmarks, which are rather artificial. (For instance, I find that TrueCrypt makes Windows 7 thrash its hard drive for several minutes after a hibernation; this isn't checked by that source, which presumably lets things settle down before conducting a benchmark.) Even worse, they discuss performance over different hardware configurations, but had only tested with one, so this is clearly pure speculation. And this is precisely the stuff being quoted in this article!

I think some more reliable, accurate sources need to be found. Quietbritishjim (talk) 00:28, 24 July 2011 (UTC)

David Tesařík no longer the owner of the trademark in the Czech Republic

The info on David Tesařík as the person who registered the trademark TRUECRYPT in the Czech Republic should be amended; the registration has been changed to:

(730) Applicant/Owner TrueCrypt Developers Association, LC 375 N. Stephanie St., Suite 1411 Henderson US

This can be seen by doing a search on the pages of the Czech Industrial Property Office, http://upv.cz , specifically at http://isdv.upv.cz/portal/pls/portal/portlets.ozs.frm?plan=English (English search)

http://isdv.upv.cz/portal/pls/portal/portlets.ozs.det?pozk=154085&plan=en (English result)

David Tesařík appears in the Trade Register as licensed for "Advertising, marketing, media representation, translation and interpreting". http://www.rzp.cz/cgi-bin/aps_cacheWEB.sh?VSS_SERV=ZVWSBJVYP&OKRES=&CASTOBCE=&OBEC=&ULICE=&CDOM=&COR=&COZ=&ICO=64907279&OBCHJM=&OBCHJMATD=0&JMENO=&PRIJMENI=&NAROZENI=&ROLE=&VYPIS=1&PODLE=subjekt&IDICO=f5314fa8dff4894b&HISTORIE=1 — Preceding unsigned comment added by 109.232.208.11 (talk) 08:20, 18 August 2011 (UTC)

The page (in English) states that David Tesařík registered it, and the applicant was renamed. The topic as written states that he registered it (which appears to be factual). TEDickey (talk) 08:41, 18 August 2011 (UTC)

RealCrypt

TrueCrypt is being distributed by some distributions e.g. Mandriva, or communities around distributions e.g. RPM Fusion for Fedora, or as installers for TrueCrypt e.g. Gentoo. In the case of Mandriva and RPM Fusion they have rebranded TrueCrypt as RealCrypt in order to comply with TrueCrypt License Version 3.0. It would be useful to add this information and elaborate on it in the main article, for anyone who is knowledgeable about RealCrypt and its implications. It would also be worth updating the information related to the differences between the 2.5, 2.8 and 3.0 licences and the implications the changes in the licences may have for other distributions able or willing to distribute TrueCrypt/RealCrypt. Some links:

Stephen Judge (talk) 16:36, 5 October 2011 (UTC)

Not open source

My edit was reverted: [3] Nevertheless, there are serious concerns about TrueCrypt's license. See: [4] [5] Note the second of those links is a legal opinion from Red Hat's counsel not just some ramblings from an IANAL. Richard W.M. Jones (talk) 19:03, 19 October 2011 (UTC)

Categorizing it as Free software or Open source runs into the problem that the people who define each of those would not treat this as one of their own. TEDickey (talk) 18:05, 15 December 2012 (UTC)
It's not really our job to decide whether it's open source or free software, if it's ambiguous, which in my opinion it is. That seems a bit close to original research to me. Better to state clearly what the various sources say. Something like "The source is available and the license allows its modification and redistribution in certain circumstances, and the TrueCrypt authors thus call it open source. However a lawyer for Red Hat argues that the license is too restrictive to be classified as open source or free software, saying <relevant quote>". Having said that, a choice has to be made about those categories; I agree that TrueCrypt should be excluded from them. Quietbritishjim (talk) 20:38, 16 December 2012 (UTC)
However, the category is being used on their website in a promotional sense (i.e., "open source is good, we are open source, hence we are good"), which calls for balancing the authors' claims against what third-party sources say. Freeware works for the category though, since no one certifies that TEDickey (talk) 21:02, 16 December 2012 (UTC)

Developers/Owners identities and related concerns

I have restructured the section "Developers/Owners identities and related concerns" due to lack of sources, but I was reverted [6].

The content I removed was very problematic:

"The domain name "truecrypt.org" was originally registered to a false address ("NAVAS Station, ANTARCTICA")"

This section has two references, the first is offline [www.webreportr.com/sites/truecrypt.org] and the second [7] simply reports that the address of the owner of truecrypt.org is "NAVAS Station 80S 120w, Marie Byrd Land 80S 120W, ANTARCTICA", it neither reports that this address was the initial one to be registered, nor that it is a "false address". I tried to search for "Navas station" and I got no relevant information, however, "Absence of evidence is not evidence of absence" (meaning: that station might perfectly exist). Going to the whois records and making up conclusions is also pretty much "original research", which is not allowed per Wikipedia:No original research.

"The TrueCrypt developers used the aliases "ennead" and "syncon", but later replaced all references to these aliases on their website with "The TrueCrypt Foundation" in 2010"

The source used is this [8], but it does not discuss the issue at all, not even mentioning those aliases.

"Due to the anonymity of the developers, the lack of a comprehensive review of the source code by a qualified cryptographer, the difficulty creating binaries from Truecrypt's source that match the official binaries, and other peculiarities, some observers have raised suspicions about the provenance of the product and speculated about the possibility that vulnerabilities or backdoors might exist in the source code or executables."

The source used is blatantly inappropriate privacylover.com and clearly not a "reliable source"

Why privacylover.com is not appropriate:

  • No indication of any relevance WHATSOEVER
  • Clearly not a reliable source
  • Edited by someone going by the name "Frank", likely an alias, no indication whatsoever of being any sort of expert
  • Mainly just discusses hypothesis/speculation about TrueCrypt, not advancing any evidence whatsoever

_______________

privacylover.com article dissected:

So, this article starts with "Is there a backdoor in Truecrypt? Is Truecrypt a CIA honeypot?", but offers just speculation.

"The domain name “truecrypt.org” was originally registered to a false address (“NAVAS Station, Antarctica”), and was later concealed behind a Network Solutions private registration." --The domain being registered to a false address and/or hidden via another company is pretty much what you would expect from people working on encryption software: if they work on encryption software it is likely they care about privacy, therefore it is not surprising they try to hide their real identities. Working on sensitive software and being open about their identities would likely put them under enormous pressure/threats from governments and organized criminals, trying to push for backdoors on the software or other nasty things.

"Truecrypt developers identity hidden" --I already detailed the possible reasoning for that above

"Everyone likes to be known and congratulated for their great work, but apparently not Truecrypt developers, they do not care about the glory and honour and all that comes with it." --Not everyone likes to be "congratulated for their work" if it implies losing their privacy and/or their own lives.

"Truecrypt developers working for free" --Many many people "work for free", see open source (although many people are paid to work on open products)

"these two Truecrypt developers also hold full time jobs that pays them a salary to feed their families and covers their mortgages ." --They might work in their free time. Or they might be wealthy, or funded by a wealthy benefactor.

"Very few people compile the Windows binaries from source" --Very few people compile any software from source. Period.

"it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt" --It is unclear what they mean by "binaries that match", I would assume they mean exact bit-by-bit identical. As far as I know this is simply what happens in the software world due to the various variations in compilers, OSs, compiler flags, etc. I'm pretty sure it would also not be very easy to create binaries of Firefox that "match" the official ones.

"Truecrypt is released under its own “Truecrypt license”" --The code is still open and available for review, the license is completely irrelevant to this issue.

"Truecrypt open source code has never been reviewed" --I dare to say most open-source code out there has not been reviewed. The code is open for review, again, this proves nothing.

"Censorship at Truecrypt forums" --Most websites perform some kind of "censorship" (including wikipedia), nothing special here

"you are not allowed to discuss about other encryption software" --The official position is that it is to prevent spam/advertising. Perfectly understandable.

"Truecrypt forum rule 8 you can’t discuss Truecrypt forks" --Again, to prevent advertising or weakening the project with fork advertising.

"Truecrypt forum rule 9 you can’t discuss software that decrypts Truecrypt" --As of writing this rule no longer exists. Again, they could be trying to prevent advertising and/or limit the exposure of information intended to "hack" truecrypt.

"If you post any criticisms or negative comments about their software, you will find that those posts will mysteriously disappear." --We don't know the particular case, and no evidence whatsoever is provided. Much criticism is borderline trolling, which could be the case.

"Can the FBI crack Truecrypt?" --In this section the author even admits "I do not believe the FBI can crack Truecrypt"


As I tried to show, that blog post is very poor and clearly not a usable source for this article. Please do not re-add the information without proper sources, as it is likely against WP:RS, WP:BLP, WP:LIBEL, WP:OR, WP:UNDUE --SF007 (talk) 22:27, 25 February 2012 (UTC)

--Most websites perform some kind of "censorship" (including wikipedia), nothing special here BUT what about the "wikipedia isn't censored" bluff? I KNEW IT!!! — Preceding unsigned comment added by 189.69.57.138 (talk) 22:25, 3 July 2012 (UTC)

Verifiability is not Censorship. It is a requirement for all and any added content to Wikipedia. Belorn (talk) 00:22, 4 July 2012 (UTC)

This isn't so clear.

In the middle of the article page, under "Security Concerns" is this quote:

"If a system drive, or a partition on it, has been encrypted with TrueCrypt, then the above paragraph applies only to the contents of that drive/partition."

I don't understand what this means, could someone explain? I'd like to make the sentence clearer but first want to understand -- is this saying that encrypting an entire partition is more advantageous than only single files, less so, or? Some info please. — Preceding unsigned comment added by 110.74.221.156 (talk) 20:57, 5 August 2012 (UTC)

I think the author of the text is a bit confused. The first section talks about plausible deniability (in the context of the legal concept of reasonable suspicion), but the whole discussion about statistically random data or how file sizes can give away the existence of an encrypted volume has no meaning when you deal with whole drives or partitions. With drives and partitions, it is not uncommon that they have random data at the point of sale (when testing a drive for errors, some programs will fill it with random data). The sentence also hints that content on the drive can somehow be analyzed for randomness and file size. If the drive is not decrypted, then you can not do this. There is no way to identify a file in an encrypted volume. It is encrypted :). Belorn (talk) 01:49, 6 August 2012 (UTC)

Is the "stoned bootkit" not a bit of a joke?

If you have full administrator privileges and get the user to type in their truecrypt password, then you will be able to decrypt the drive. Come on, that's ridiculous. Anonywiki (talk) 06:12, 31 October 2012 (UTC)

An article about its licence

If anyone's looking for sources of info, there's an article here by the German group iFrOSS, who are usually very knowledgeable about free software licences:

They work with Harald Welte to enforce the GPL in Germany. Gronky (talk) 22:04, 20 January 2014 (UTC)

Dead link requiring removal

As listed in the references/notes for the article, reference #34 is a dead link (I clicked on it 19-Oct-2011) (http://peterkleissner.com/?p=11) and ought to be removed. As an aside, I've often thought wikipedia should have some kind of automated process that would prune dead links (or at least colour them some way?) since it takes a fair bit of work to vet a whack of articles manually.

^ "TrueCrypt Foundation is a joke to the security industry, pro Microsoft". Peter Kleissner post and expert comments about Stoned bootkit. Peter Kleissner. Retrieved 2009-08-05. — Preceding unsigned comment added by 174.113.114.198 (talk) 22:56, 19 October 2011 (UTC)

It is archived here: http://web.archive.org/web/20090803081510/http://peterkleissner.com/?p=11 Family Guy Guy (talk) 03:32, 27 February 2014 (UTC)

Claims of backdoors or extra code in TrueCrypt

The FAQ page of TrueCrypt claims that TrueCrypt is safe and contains no extra code, backdoors etc: TrueCrypt FAQ page.

Given that it's a primary source (the reason why my edit was removed), can anyone locate reliable sources which can prove TrueCrypt is either safe or not safe, with regards to backdoors etc.

Here's an interesting discussion about it. TurboForce (talk) 12:56, 25 May 2013 (UTC)

TechARP dug up a pdf,[9] basically a prosecutor's guide to data forensics. The pdf casually claims that backdoors are available for popular encryption software including TrueCrypt. (slide 30) However since this pdf was ironically found in the "darknets" it's difficult to judge its veracity. Make your own call. Ham Pastrami (talk) 03:09, 28 January 2014 (UTC)

Here's instructions on how to reproduce TrueCrypt's binaries from the source code: [10] Tarcieri (talk) 20:09, 28 May 2014 (UTC)

end of life in lede

At this point there don't appear to be any real concerns that the end of life is a hoax or hack. I think we should put in the lede that the software is no longer being updated, and the former maintainers have recommended against its use. I will be WP:BOLDly doing this now. Gaijin42 (talk) 21:52, 2 June 2014 (UTC)

How can we change the "stable release" in the info box? I was unable to find that point. --Faux (talk) 06:28, 3 June 2014 (UTC)

Link to the license

The best I can find is [11]. http://www.truecrypt.org/docs/license is down, and I cannot find it in archive.org or google cache. --Piotr Konieczny aka Prokonsul Piotrus| reply here 05:38, 1 June 2014 (UTC)

This is good. That will be useful as a citation source for all the now-broken links for TrueCrypt Documentation. Too bad it's not anchored or otherwise offering an ability to link to specific sections, but it's better than people having to open a PDF. Perhaps someone can find a reproduction of the Documentation with links to specific sections? I figured one would eventually pop up somewhere, as on truecrypt.ch they're even asking for a copy of the whole original website. If anyone wants to go through and change all those Documentation citations, of course they're welcome, but my thinking was it would be best to just wait for a source with specific section links, and that way it would just be a matter of search/replace of the URL, as opposed to a possibly more involved change to update the citations. --Wikisian (talk) 22:39, 1 June 2014 (UTC)
All truecrypt licences can be found here: https://github.com/DrWhax/truecrypt-archive/tree/master/doc — Preceding unsigned comment added by 146.200.36.253 (talk) 07:55, 3 June 2014 (UTC)

RE: TrueCrypt's "Discontinued Development"

Given the nature of the "archival site" (truecrypt.org redirects to truecrypt.sourceforge.net) I suspect that TrueCrypt's website may have been compromised and this is a clever attempt to hack into people's machines. I say we wait for official word other than the website before claiming it's discontinued. —f3ndot (TALK) (EMAIL) (PGP) 19:29, 28 May 2014 (UTC)

Hum, don't think it was hacked somehow. First, most of the page teaches how to migrate data. Second, the only available download is a "new" version, 7.2, that only allows you to decrypt data. Installing and running it on your computer won't open any kind of network connection. It doesn't create any new files, hidden files, nor modifies your registry. And don't think there'll be an official communication other than the official website, since the authors weren't known. Don't think there'll be a way to check if anyone claiming "I'm the TC author" will be provable. I'd take the official announcement as serious. Noonnee (talk) 19:49, 28 May 2014 (UTC)

Noonnee, there are many reasons to consider this suspect: (1) the URL redirects to truecrypt.sourceforge.net. (2) The SIGs provided in the new binaries do not validate. (3) The keys provided do not validate under Web of Trust. (4) The timing is bizarre since there's an initiative to audit truecrypt and this is counter to the developers' Modus Operandi. (5) No other official information anywhere else? No. This is highly suspicious. We should wait for additional sources. f3ndot (TALK) (EMAIL) (PGP) 19:53, 28 May 2014 (UTC). Edited this to strike out point (2), I was mistaken. Sorry y'all! —f3ndot (TALK) (EMAIL) (PGP) 03:08, 29 May 2014 (UTC)
Noonnee: if that's true, you might want to post a malwr.com analysis of the file to verify your claims. Additionally, more evidence would be prudent before taking the claim as serious, imo. 173.13.21.69 (talk) 19:57, 28 May 2014 (UTC)
According to a test of TrueCrypt 7.2, the executable was marked as clean by VirusTotal. Given the popularity of obfuscation tools that allow malware authors to make their programs difficult to detect by AV products, it's unclear whether this program is really innocuous. — Preceding unsigned comment added by 97.80.118.90 (talk) 21:03, 28 May 2014 (UTC)
Here's a diff between 7.2 and the latest version. [12] — Preceding unsigned comment added by 31.210.250.116 (talk) 21:05, 28 May 2014 (UTC)
In addition to the preceding, code was made public on github unofficially [13], with sources of what appear to be both 7.1a and 7.2 —StereoSanctity (talk) 21:14, 28 May 2014 (UTC)
There is also another unofficial repository for old and new TrueCrypt source code and binaries: [14]. Zym (talk) 14:13, 29 May 2014 (UTC)
I find it highly suspicious that the TrueCrypt developer(s) would have chosen to redirect to SourceForge rather than merely modify the existing website. Also, the "announcement" does not acknowledge the fact that Bitlocker is only available on more premium versions of Windows Vista and later, and coupled with the mismatching file signature (which I have not personally verified), it seems probable that this is a hoax. Tang (talk) 21:07, 28 May 2014 (UTC)
Now that I think about it, something similar happened to another encryption software last year, FreeOTFE.
FWIW, I've verified that the 7.2.exe file hosted on SourceForge was signed by the same key that the old Truecrypt binaries were signed with. So while I also find this highly suspicious, if it is a hack, the hackers have the signing keys as well as access to the web site. [15]
Just want to throw this in here: https://news.ycombinator.com/item?id=7812133 --84.62.137.69 (talk) 21:28, 28 May 2014 (UTC)
Considering that the executable may be questionable and the growing amount of news stories on this event [16], would it make sense to put something in the main article about this incident and put up a current event template? gt24 (talk) 21:30, 28 May 2014 (UTC)
Given the recent and repeated edits with the same content it may be a good idea to protect the page until there is official word. This stinks of vandalism to me - rogue maintainer perhaps? More information is needed and the vandalism shouldn't be allowed to continue. 109.155.216.185 (talk) 22:55, 28 May 2014 (UTC)
Whatever it may be, I agree we should protect the page until more verification and sources crop up. With the current event template and an acknowledgement of the End-of-Life 7.2 is sufficient. —f3ndot (TALK) (EMAIL) (PGP) 23:04, 28 May 2014 (UTC)
Is User:Truecrypt-end part of this, uh, what's the word I'm looking for, ... scam? --bender235 (talk) 07:32, 29 May 2014 (UTC)

At this point there are no reliable sources, such as Bruce Schneier, Steve Gibson, Brian Krebs, especially the Electronic Frontier Foundation, The Guardian or any mainline newspapers known to be reliable on cybersecurity issues that have the resources and have done the necessary homework to tell us what is going on. Matt Green hasn't confirmed any of the details. I find the timing and method of this 'announcement' very suspicious, as others do. The hatnote is sufficient for now, together with the paragraph on end-of-life. Semi-protection doesn't seem warranted yet. — Becksguy (talk) 08:10, 29 May 2014 (UTC)

Okay, there's two possible explanations: (i) TrueCrypt's current website is a warrant canary, or (ii) their website has been defaced and replaced by sort of a scareware scam. As of now, I suspect the latter. --bender235 (talk) 09:46, 29 May 2014 (UTC)
I've added a link to an article by the Register which would further indicate that it is indeed the latter Bender. I'd imagine that further, more robust confirmation isn't too far behind it. Cyclonius (talk) 15:15, 29 May 2014 (UTC)
An anonymous Slashdot user explicitly says that the odd behavior is a known and agreed-upon warrant canary. 21:37, 30 May 2014 (UTC)
Schneier has posted his thoughts on the incident, [17] as did Krebs. [18] Neither of them seem too sure what's going on. --Ixfd64 (talk) 17:00, 29 May 2014 (UTC)
After a day of wild speculation, it seems like the most plausible scenario is also the most boring: the TrueCrypt developers (probably no more than 2-3 people) decided to call it quits, and to no longer maintain the software. Being responsible developers, they announce their decision so that people know the software they rely on is no longer subject to updates and bug fixes. --bender235 (talk) 19:39, 29 May 2014 (UTC)
Old Versions including the last working Version 7.0a is now hosted here: http://truecrypt.ch, 77.56.6.4 (talk) 22:21, 29 May 2014 (UTC)

Not saying anything specific, but to quote 'morningstar'
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
-> "WARNING: Using TrueCrypt is Not Secure As it may contain unfixed security issues"
--> "WARNING: Using TrueCrypt is NSA it may contain unfixed security issues"
combined with the source code change (https://www.alchemistowl.org/arrigo/truecrypt-7.1a-7.2.diff.gz)
"-#endif // English (U.S.) resources
+#endif // English (United States) resources"
I think I consider this settled. — Preceding unsigned comment added by 89.1.40.25 (talkcontribs) 14:54, 30 May 2014 (UTC)

WP:OR. --Guy Macon (talk) 15:53, 30 May 2014 (UTC)

Steve Gibson offers a good closing overview. --Wikisian (talk) 15:37, 30 May 2014 (UTC)

Looking at the version history of TrueCrypt, one can understand that the developers lost interest in the development:

Versions by year:
2004 - 6
2005 - 3
2006 - 1
2007 - 1
2008 - 6
2009 - 4
2010 - 2
2011 - 1
2012 - 1
2013 - 0
2014 - Discontinued
--85.179.0.198 (talk) 21:13, 4 June 2014 (UTC)

Stable release

Someone changed the latest stable version from 7.2 to 7.1 (here) with a note that 7.2 is 'created by hackers'. I changed this to version 7.1a, which is the last version before 7.2. But I am not sure if all this is correct. Technically 7.2 is the latest version. I don't think that 7.2 was created by hackers but I don't trust this version. So what to do with this? Should we keep both versions there (7.1a and 7.2) with a note that 7.2 is capable only of decryption and has a questionable source? — Preceding unsigned comment added by PetrPP (talkcontribs) 10:46, 3 June 2014 (UTC)

I'd argue that the correct path is always to give the reader the fullest and most accurate verifiable information that we can. Your suggestion seems sensible - something like: "7.1a (full features), 7.2 (decryption only)" should suffice? DewiMorgan (talk) 00:06, 4 June 2014 (UTC)
Not in infobox, no. Attach a footnote to it if you wish, but please not in the middle of the box itself. Fleet Command (talk) 13:07, 6 June 2014 (UTC)

Hidden message on the new sourceforge TrueCrypt site

There is a hidden message on the new sourceforge TrueCrypt site that says, approximately, "Don't use TrueCrypt because it is under the control of the NSA". Details about the message are on my user page at MediaWiki.org. Badon (talk) 01:49, 16 June 2014 (UTC)

I've been told that no one has published this information, so I wrote an article and posted it on Reddit, here: Hidden message on the new sourceforge TrueCrypt site : conspiracy. Badon (talk) 04:17, 16 June 2014 (UTC)
Just WP:OR --Claw of Slime (talk) 07:15, 16 June 2014 (UTC)
Well others spotted it weeks ago. Here's a couple guys noting it on 30 May [19] [20], [21] and these guys on 31 May [22], [23]. Just Google "uti nsa im cu si" there are lots of hits. I can't find any reliable sources noting it though.--Brianann MacAmhlaidh (talk) 11:41, 16 June 2014 (UTC)
It might be worth mentioning in the article somewhere. Badon (talk) 01:35, 17 June 2014 (UTC)
Reliable sources are necessary to mention it in article. --Claw of Slime (talk) 02:51, 17 June 2014 (UTC)
Badon, would you please tell us how you came to discover this code? People normally don't look for codes after all and not all of those who do know any Latin. Fleet Command (talk) 10:26, 17 June 2014 (UTC)
It turns out I wasn't the only one looking for hidden messages in the TrueCrypt page. You can see in Re: Hidden message on the new sourceforge TrueCrypt site, reply #5 that "eyemiru" was messing around with the same text to find something hidden, beginning on 2014 May 29, and he came up with the same thing I published by the next day, on 2014 May 30. Of course, his IRC chat didn't achieve the high profile that my article did. I've mentioned him though, so he's not being overlooked. Badon (talk) 04:29, 18 June 2014 (UTC)

It made it to BoingBoing's front page today, that's just as reliable as many of the other sources we have for this article. Gaijin42 (talk) 16:41, 17 June 2014 (UTC)

I've just been quoted by several prominent news sources:
I think it's notable now. Badon (talk) 04:24, 18 June 2014 (UTC)
Newspapers' first priority is to make money and attract readers; factual accuracy is not always their priority. They are just quoting you (sometimes ad hoc) without editorial oversight. (I asked you how you discovered it and you eluded answering; believing that they have contacted you for verification and oversight is too far-fetched.) Google Translate gives exactly the same thing but because it is based on user input. (I tried alternative input and didn't get enough satisfactory results.) How you changed "if I wish to use NSA" into "it is under NSA control" is an entirely different question. And now, all of a sudden, you are claiming that it is notable too?
Sorry, I think it is too biased. I'd wait until I get a less tabloid-like coverage. Fleet Command (talk) 14:18, 19 June 2014 (UTC)
There's no need to be hostile. It's a controversial topic that has become notable, if only because it's controversial. Fixating on me personally is bizarre and has nothing to do with whether it's notable or not. Whether I answer your questions to your satisfaction or not is also irrelevant. The article should present the facts as they are, and it's up to you to decide what that should look like. I have abstained from editing the article on this subject. If you read some of those sources I provided, you'll see that most of them are skeptical, and a few completely disagree with the article I wrote. I respectfully suggest you shift your focus away from me, and on to more important things. Badon (talk) 09:01, 21 June 2014 (UTC)
Didn't mean to sound hostile. Sorry. But in-depth scrutiny can be scathing if you deeply believe in the opposite of the results. Fleet Command (talk) 11:40, 21 June 2014 (UTC)

TrueCrypt - dead or alive?

There seems to be some POV-switching going on recently. Not being a TrueCrypt user, I'm not sure which is correct.

It seems that:

  • TrueCrypt for Windows is end-of-lifed.
  • Linux versions are rather independent of this.

Now it's not clear to me what's going on, but either TrueCrypt (overall, as is the scope of this article) is end-of-lifed and the article should reflect that from the lead onward or else the Windows end-of-life is just one part of this and if the Linux version continues, then the article should not be taking such a simple "the product is now EOLed" approach. Andy Dingley (talk) 11:18, 17 June 2014 (UTC)

Although TrueCrypt can still be found in secondary outlets (including Linux repositories) it is no longer available from its primary outlet. Not only is it discontinued, it is slain. You hear a lot that news outlets say "Company X killed product Y" while all that "X" did was to stop providing support. Well, in case of TrueCrypt, the developers (apparently) released a TrueCrypt 7.2 that does not encrypt anything. FileHippo initially hosted that version but now has removed it, after it received a petition to do so. Its derivatives (Linux or otherwise) are unaffected.
Fleet Command (talk) 14:50, 17 June 2014 (UTC)

This is just speculation, but it would seem like the developer(s) simply didn't feel like maintaining the project anymore, and so terminated support and provided a tutorial for migrating encrypted files to more up-to-date software, since TrueCrypt won't be receiving any security fixes in the future. After all, maintaining software can be stressful. You may not meet your project funding goals, and users aren't always appreciative of your efforts. It could be that the developer(s) got fed up and just wanted to walk away. I doubt it's anything more suspect than that.

With that said, I think it's safe to conclude the software has simply been discontinued, or "end-of-lifed" as you said. 98.86.119.246 (talk) 00:09, 5 July 2014 (UTC)

Bo Chen

As of 17 July 2014 there is a section under "Legal cases" titled Bo Chen. This section contains three separate citations from unreliable sources (From the Trenches World Report www.fromthetrenchesworldreport.com, cryptome.org, scribd). The scribd link isn't from court filings or police documents. Additionally, the other two links don't have reporting or appear to be fact checked. A Google search of "Bo Chen," and "Bo Chen Addison arrest" also doesn't turn up any verifiable information. Given the lack of verifiable sources, I have decided to remove the section on Bo Chen from the wiki.

If anyone finds any reliable sources, please feel free to add it to the wiki.

Purgnostic (talk) 17:55, 17 July 2014 (UTC)

I would additionally argue that it's a bit tangential to the article. OhNoitsJamie Talk 14:12, 18 July 2014 (UTC)

Is TrueCrypt really Open Source, or just "source-available"?

I want to bring this up because it's not exactly a small thing, even though to those outside the tech community it may seem that way. And it affects how we describe the subject of this article in the very first line.

I realize it is common to refer to the software as "open source", but this is generally out of media ignorance. In the tech community (where the term originated and where it is still most often used), that term has a very specific meaning that implies multiple things, the first of which being free license.

There is debate over whether TrueCrypt (with its TrueCrypt License 3.0) meets those major freedoms that designate it to be open source and free software.

The recent change to the introduction seems to be quite hasty, and if I may say so, pretty sloppy. Before the change, the heading called TC "source available" and linked to the licensing section where it was explained that the "openness" of the software was in question by the tech/open source community.

Now not only has that entire section been all but completely deleted, the intro paragraph has been changed to say "open source", and from the looks of it, the citations included weren't even vetted by the user that made the change. For example, the first citation doesn't even mention the words "open source" (outside of the comments section where an anonymous commenter lists it as an attribute of the program. I sure hope the user who made this change doesn't think a comment on a webpage meets WP:RS.) What's even more ironic is the second cited source actually claims TC isn't open source. The sub-header of the article literally says "its claim to be open source doesn't hold water, either."

If I wasn't supposed to assume good faith I would think this was a joke.

Given that the other two sources cited mention nothing about the licensing issues that bring the open source status of TC into question, one can only assume they are used as citations for no other reason than because they simply call TC an "open source" program. Again, this is just media ignorance. (And again, the user who made this change should be aware of that because not only did he delete the relevant information that explained this issue in the Wikipedia article, one of the very sources he cited goes into great detail and actually concludes that TC is not really considered open source.)

I invite discussion on this, but given the fact that the only citation provided which actually talks about the open source status ultimately concludes the software is in fact not open source, I'm going to revert the change and put back the relevant info in the license section until we can decide how we want to address the debate in the article (because I would think we can all agree it is something that is worthy of mention in the article, and as I said, for some reason it was deleted.) --Wikisian (talk) 02:27, 21 May 2014 (UTC)

The license is non-free.[24] --Evice (talk) 06:03, 23 July 2014 (UTC)

End of life and license version 3.1

SHOULD BE 7.1 ??! — Preceding unsigned comment added by 178.190.110.136 (talk) 18:11, 16 August 2014 (UTC)

3.1 is correct. The license version does not correspond to the software version. —WOFall (talk) 18:56, 16 August 2014 (UTC)

FreeOTFE

I've added a link in see-also to FreeOTFE, but it was undone with comment don't want to call out any specific alternative unless it is particularly significant, instead the comparison of alternatives is linked - but this software is significant because its features are identical to TrueCrypt's it also has a quite similar GUI. And there is also no other non-closed-source on-the-fly volume encryption software for Windows. It's now abandoned but as I know there wasn't any security issues with it. Maybe it's fault of small user base but still it is significant name to mention along TrueCrypt. I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ? pwjb (talk) 11:55, 29 May 2014 (UTC)

"I think it went dead because at the time TC was direct and promising competitor. Doesn't that spell significant ?" You pretty much just admitted it's not in the previous sentence when you described it as 'dead'. It might be, in future, but that's a WP:CRYSTALBALL matter. Content in articles still needs to meet some degree of notability. If no-one has even heard about it (ideally major media), it just shouldn't be there.
Quote: "Articles that present original research in the form of extrapolation, speculation, and "future history" are inappropriate. Although scientific and cultural norms continually evolve, we must wait for this evolution to happen, rather than try to predict it." -Rushyo Talk 15:48, 29 May 2014 (UTC)
FreeOTFE has been relaunched as 'DoxBox' (https://t-d-k.github.io/doxbox/). You could try adding a link to this instead - but I don't know if it is 'significant'. I would do it myself, but I am the maintainer of DoxBox so could be seen as having a vested interest. Squte (talk) 16:22, 31 August 2014 (UTC)

VeraCrypt

VeraCrypt is an updated fork of TrueCrypt.

Mentioned here:[1] webpage here:[2]

Is it notable enough to mention in the page? 196.215.47.219 (talk) 15:25, 17 October 2014 (UTC)

I just poked around in the VeraCrypt source code on codeplex.com. The page said "Browsing changes in <master> as of commit 4ffb715b69c0, Nov 11, 2014", to confirm it was the current source code I was viewing, yet the files still have TrueCrypt copyright! For example, Driver/EncryptedIOQueue.c has "Copyright (c) 2008-2009 TrueCrypt Developers Association. All rights reserved." ... Um... isn't that a sign of ineptness they can't even update the copyright headers in all their "forked" files? 74.10.5.213 (talk) 00:51, 21 November 2014 (UTC)

Why must they delete a legitimate copyright notice? If the code is indeed licensed from TrueCrypt it stands to reason that the text must remain. Fleet Command (talk) 11:21, 23 November 2014 (UTC)

Bitlocker, really?

I am using professional and EFS doesn't encrypt filenames and it doesn't support BitLocker, worse I have one machine running home "premium" that doesn't even support EFS or RDP without a patch. Their site says to use BitLoc$er, but it's no replacement for TC which is free and multiplatform. — Preceding unsigned comment added by 75.158.72.234 (talk) 03:21, 28 October 2014 (UTC)

  • Please start new topics at the bottom of the discussion page, and please sign your comments with four tildes (~~~~)
  • Please focus your comments on changes to be made to the article. I agree that Bitlocker is less than a perfect alternative, however it is mentioned in the article only in relation to the official end-of-life message. —WOFall (talk) 13:59, 28 October 2014 (UTC)

Yes Bitlocker was mentioned due to the *incorrect* TrueCrypt EOL message which didn't consider not all versions of Windows supported it when claiming Truecrypt was unnecessary. Since I made my comment, this fact has been added to the article, but not sure why it's mentioned in () 75.158.72.234 (talk) 04:33, 27 December 2014 (UTC)

CipherShed

CipherShed is a now available fork of TrueCrypt. here. Thus, alongside VeraCrypt, it provides a viable replacement for TrueCrypt. The article said

There is a proposal for a software fork named CipherShed...

So I changed the text to reflect this. It will then be necessary to update the Wiki article "comparison of disk encryption software" to include CipherShed.

This "alternatives" section ends with an unclear phrase:

According to another discussion,[29] TrueCrypt may still be used on supported platforms, while also watching 3 of the known TrueCrypt forks and one commercial alternative.

Firstly, any discontinued software may be used if it is present on the user's computer. Secondly, who watches what ? - The two, now working forks are CipherShed and VeraCrypt and there are many commercial alternatives.

--Paul Williams (talk) 17:18, 28 October 2014 (UTC)


The section on TrueCrypt's sudden end of support was written in a way that only fueled the fire of paranoid theories. It emphasized security risks, rather than the tone of the references (and all other media I read on it) that actually were in the opposite direction: there is no evidence at all that TrueCrypt is suddenly not safe anymore. It almost seems as if whoever wrote that section is trying to contribute to the FUD of the truecrypt creators, rather than reflecting the tone of the media coverage. Please help me improve it to reflect the tone of the media coverage. PizzaMan (♨♨) 12:23, 18 March 2015 (UTC)

What you say about the section is all your imagination.
The section (§ End of life announcement) does not even mention "security" or "insecurity". It only says the software was taken down; developers advised to use BitLocker and Disk Utility. But to counter the imagination that is your head, you added a weasel word-socked line and attributed to Gibson, which I checked and discovered to be false.
Fleet Command (talk) 06:35, 19 March 2015 (UTC)
Actually it does mention security. There are two sections about the end of life announcement, which is a bit confusing. I agree with PizzaMan, the tone was too suspicious, although it's better now.
The correct link for his quote is here: https://www.hbarel.com/analysis/itsec/the-status-of-truecrypt
I suggest the two sections be merged and the Hagai Bar-El quote be put back, but with the correct reference.
Tdk at squte (talk) 12:27, 19 March 2015 (UTC)
"the tone was too suspicious, although it's better now." What? O: It is the same as before now. I reverted every change made by PizzaMan.
"Actually it does mention security". Please quote!
"There are two sections about the end of life announcement". Again, please show me. I don't see.
"The correct link for his quote is ..." a self-published blog by an obscure person whose authority on the subject is not significant. Can't use it, per WP:RS.
Fleet Command (talk) 05:37, 20 March 2015 (UTC)

Not Secure Anymore

Not Secure Anymore — Preceding unsigned comment added by 81.218.241.26 (talk) 11:04, 5 July 2015 (UTC)

tcplay

This should get its own article and the redirect page should be eliminated.--Mideal (talk) 14:41, 16 September 2015 (UTC)

Current Safety & Security Status

I came here to find out about the current state of TrueCrypt and found that this page was long and confusing and didn't immediately provide this information. This is why I added the "Current Safety & Security Status" section to say that the independent security audit has completed and found TrueCrypt to be secure and people can still use it. Sorry if I didn't do things correctly I'm not a regular editor, but I'm eager to learn so please provide guidance on anything I did wrong (if at all). For the first sentence I provided two citations, and I feel that the second sentence is a logical conclusion from the first sentence and from the other information on the page. Galori (talk) 19:02, 26 September 2015 (UTC)

If I was to describe your contribution with two words, I'd have said "conjecture" and "biased". You have accused the forks of being less secure while you have no evidence to prove this; in fact you yourself say they are not audited independently. But the more funny part is: You accuse them because you don't have evidence.
The burden of proof is on the person who levels the charge. Fleet Command (talk) 04:22, 28 September 2015 (UTC)
Having a "Current Safety & Security Status" section is a good idea because there's a lot of confusion about this, and most people coming to this page will want to know this. I suggest putting it back with the first sentence, which is factual, but not the second, which is opinion. Tdk at squte (talk) 10:09, 30 September 2015 (UTC)
OK. Fleet Command (talk) 20:47, 2 October 2015 (UTC)
Some of this information is present in the "Security audits" section; although some mention should be made in lead, which is at present rather sparse, does not accurately summarize article (so readers aren't troubled with reading "long and confusing" articles) and could use some retooling. "Plausible deniability" section for hidden volumes should be updated with information on non-compatibility with newer releases of MSFT Windows. Basically, quite a bit of information is incomplete or largely outdated. If Galori or others would like to work together on updating some of this, it would be much appreciated. Will see what I can do but, many hands make light work, after all. -- dsprc [talk] 14:53, 30 September 2015 (UTC)
OK, I've added this to the lede, I've removed the "well written" part, because it doesn't say that, and put a link to the actual report. — Preceding unsigned comment added by Tdk at squte (talk • contribs) 14:46, 1 October 2015 (UTC)
Thank you FleetCommand and Tdk at squte. That addresses my intention - which was to better inform users coming here to learn about the state of things. I felt that the page provided a lot of info about how it was abandoned and pronounced unsafe by the authors without pointing out the simple fact that the security audit gave it a green light. To the point about a better summary, I will take a look and see what I can do. Question: do statements in the lede require their own citation? Or should they just somehow refer to sections below? (Also, "roger that" RE: the notes on my original edit. I'm learning.)
Is there a Wikipedia convention where the History section belongs first? It seems that this could be undesirable in some cases. People come here to learn about a topic and its current day state is arguably more relevant than a full history.
Finally - since I made my original edit two security flaws have been identified in TrueCrypt - so (a) is that mentioned here? (I will check) and (b) should and can that be mentioned as a caveat to the "has been found to be secure by an audit". Galori (talk) 06:29, 5 October 2015 (UTC)
More recent write-up in Ars Technica covers some issues regarding this particular topic area for editors so inclined.
@Galori: The lede sections are to be a concise summary of article; a great number of readers will only read lede instead of the whole thing. So yes, you can most certainly include this information within opening section along with any other prominent themes or info in rest of article; just keep it extremely concise and very much to-the-point. For "Is there a Wikipedia convention where the History section belongs first?": not really, no; there is some general idea for sort-of being near top(ish) but is highly variable from one article to next (as you say, often undesirable). -- dsprc [talk] 13:52, 25 November 2015 (UTC)

Website

Neither http://truecrypt.sourceforge.net/ (via http://truecrypt.org) nor https://www.grc.com/misc/truecrypt/truecrypt.htm is going to cut it. There is no website to visit. The URL in the infobox may need some adjustment. Any ideas? ~Kvng (talk) 04:35, 13 April 2016 (UTC)

Hello, Kvng
Wikipedia is an encyclopedia and therefore it is partly a history source. It is natural to have old URLs, even those that are now usurped. But truecrypt.org is not usurped. It is still the official website. If and when it was taken down, we change it from "{{URL|truecrypt.org}}" to "truecrypt.org (offline)".
Best regards,
Codename Lisa (talk) 17:15, 13 April 2016 (UTC)
TrueCrypt#End_of_life_announcement casts some doubt as to whether truecrypt.org is still the official site. The Whois information is somewhat cloaked but is registered to "TrueCrypt Developers Association, LC" which is not the same as "TrueCrypt Team" or "the TrueCrypt Foundation" who are acknowledged past stewards of the software. I have looked for archived versions of the website pre dissolution and apparently these have been excluded or removed. ~Kvng (talk) 17:50, 13 April 2016 (UTC)
Disagree. There are theories about TrueCrypt being forced to shut down but I don't see a theory that says TrueCrypt's team lost control of their assets. And besides, let's assume there was evidence that such a thing happened; the website had been the official website since 2004. That's 12 years. This length of time has due weight. —Codename Lisa (talk) 19:16, 13 April 2016 (UTC)

Bitlocker

RE: [25]

  • There's no source
  • Probably there's no source partly because the information isn't even accurate as of Windows 8's release three years ago [26]
  • Nowhere does the article imply Bitlocker is available on all versions of Windows, so unsure of the purpose of this text or why it says 'in reality' as if it's correcting the preceding information when it isn't

Couldn't fit this in an edit summary – Steel 19:47, 11 May 2016 (UTC)

@Steel: Hi. You could write: "Rm. because unsourced, not fully accurate, not contextually correct; see talk page." When you don't write an edit summary however vague, it looks as if you wanted to remove the orphaned "(" or you removed the sentence by mistake. Best regards, Codename Lisa (talk) 04:40, 12 May 2016 (UTC)

Feds now use the All Writs Act to compel people to divulge passwords or face indefinite jail.

I'd appreciate if someone adds this information to the article for me.

http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/ Additionally, this case was linked to in the article. https://www.wired.com/2012/02/laptop-decryption-appeal-rejected/ — Preceding unsigned comment added by 104.240.130.199 (talk) 16:04, 29 May 2016 (UTC)

TrueCrypt from LaCie

LaCie claims to use the TrueCrypt encryption engine:

Q: Why can't I open LaCie Private-Public when TrueCrypt software is also installed?
A: Both types of software use the same engine. Uninstall TrueCrypt before installing LaCie Private-Public.

--Elvey(tc) 20:29, 9 July 2016 (UTC)