Slashdot Mirror


The Sudden Policy Change In Truecrypt Explained

X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?

5 of 475 comments

  1. tc-play is a reimplementation of Truecrypt by Anonymous Coward · · Score: 5, Informative

    FYI, Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. So there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play

    Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.

  2. AC in last thread mentioned a warrant canary by Anonymous Coward · · Score: 5, Informative

    An anonymous coward in the last thread said that a known warrant canary was seen:

    http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051

  3. Ars Scholae Palatinae by westlake · · Score: 5, Informative

    There is nothing I think worth adding to "Marlor's" post to Ars:

    I can't comprehend the conspiracy theories flying around about this.

    [TrueCrypt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.

    The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).

    If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.

    Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There is an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.

    If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.

    "Don't use this anymore. It's not maintained, and should therefore be considered insecure".

    Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"

    "TrueCrypt is not secure," official SourceForge page abruptly warns

    [Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]

  4. Re:What else? by rahvin112 · · Score: 5, Informative

    The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it.

  5. Re: people ruin everything by Anonymous Coward · · Score: 5, Informative

    Link because why in the world do people use URL shorteners?