But "maybe what they did today makes that impossible," Green said. Green, too, was of the belief this was the work of the TrueCrypt team itself - that "they decided to quit and this is their signature way of doing it."

Even if the TrueCrypt team has bailed on the project, Green noted, he will continue with the project to audit the TrueCrypt code nonetheless so that other people might resurrect the project and continue.

Krebs also interviewed Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and one of the other supporters of the TrueCrypt audit effort.

He notes "a cursory review of the site's historic hosting, WHOIS, and DNS records shows no substantive changes recently," which he feels rules out hacking.

Researcher Steve Gibson is of the belief that the matching keys are reason enough to conclude the original team is responsible, and that given the team's penchant for secrecy and silence, their motives are most likely impossible to know.

Brian Krebs, the researcher who investigated the theft of massive amounts of personal data from the LexisNexis database, is also tilting toward the idea that the TrueCrypt team is indeed responsible.

That by itself would bode badly enough for both the project and the team. One possible explanation of those facts is that a hacker gained access to a computer used by a member of the TrueCrypt team and thus was able to steal both a newer edition of the source code and the public key. "Either legit, selective attack, or key compromise," he tweeted. Taylor Hornby of Defuse Security also noted that, strangely enough, the 7.2 binaries were apparently signed by the same public key previously used by the TrueCrypt team. The last legit binaries are version 7.1, but the new binaries are tagged with the version number 7.2.
Researcher Arrigo Triulzi performed his own analysis of the modified source code on TrueCrypt's SourceForge site, and other researchers noted that some changes within the sources hinted at them having been derived from a later version of the source code than the version used to generate the most recent legitimate binaries.

Since the Project was preparing to make an announcement later in the week about a new Open Crypto Audit Project initiative, some speculated that the timing of the changes to TrueCrypt's site and code were part of it, but White tweeted that the announcement was "not TC". Among them is Kenn White, one of the members of the Open Crypto Audit Project that rallied resources and money to audit TrueCrypt's source code and determine how secure it was. Various security experts have since examined the changes to the site and the software.

(Windows XP support ended on April 8, 2014, not in May.) "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the site reads.

Other aspects of the warning are also curious, since they seem to focus mainly on Windows, despite the fact that TrueCrypt is a cross-platform application. Aside from sporting a warning about TrueCrypt's alleged insecurity, the TrueCrypt website had been rewritten to recommend, inexplicably, that existing TrueCrypt users migrate not to another open source encryption system but instead to Microsoft's proprietary BitLocker encryption system.