The Sudden Policy Change In Truecrypt Explained

X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA." Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?

TC developer used hidden message!!!

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

Re:TC developer used hidden message!!!

[Jason+Levine]

Let's assume that the government would be breaking the law by NSLing the signing keys. (As opposed to the law being so mucked up that such an action is entirely legal.)

1) What lawyer is going to be able to fight this battle against the US Government and win? Let me narrow that list down a bit. What lawyer that the TrueCrypt developers would hire would be able to fight this battle against the US Government and win?

2) Would the TrueCrypt developers even be allowed to see a trial or would they be arrested on "unrelated" charges and sent to prison? Or worse. (There is plenty that a power hungry governmental agency can do to someone that says "no" to them that makes "being arrested on unrelated charges" preferable.)

I Voted This Submission Down

[NotSanguine]

No evidence is presented. The reference to a "canary" is suspect, as it isn't discussed what that canary was.

Some semi-random tweeter is reposted on some random blog? I don't think so.

It's possible that this is accurate, but without evidence, why bother? As I asked in the original discussion about the shuttering of TrueCrypt, who stands to benefit?

Re: people ruin everything

[Noah+Haders]

this is actually a link to an interesting article, not goatse. it's an editorial about how the most recent full version of true crypt (7.1a) is still as secure as it was last week, and there's no reason to stop using it. It also says they (who?) are working on an open license fork that will be released on a future date.

still doesn't answer the question on if it's like lava bit. true crypt may be just as secure as it was last week, but maybe it's also been owned by NSA from day one.

Re:That's not proof!

[arglebargle_xiv]

Could you clarify? Who is Alyssa Rowan to TrueCrypt? Sorry for my ignorance, I tried Googling a bit and just got links to this article.

It's someone who has been active in the crypto/security community for awhile now. Personal details are pretty scarce (i.e. it could be a front for the NSA for all anyone knows), but the persona has been active in crypto. If you want something to Google on try "alyssa rowan cryptography".

Re:still speculation

[tero]

Two guys - working working over a decade without funding etc.

Ennead was 29 in 2005 (http://www.wolfmanzbytes.com/windows/70-truecrypt-encryption.html) and they obviously developed it on their freetime.

Fast forward from that to today and you got couple of middle-aged devs, probably with more demading careers and perhaps even families and maybe with young kids.

They started it as a Windows project, when Windows was...a completely different beast than it is today.

It's no wonder TrueCrypt didn't get very many (any?) releases in the past couple of years.

It's certainly a very interesting way to exit stage.

Re:Speculation

[Aighearach]

Not really, when the project used an incompatible license all along and while marginally "open source," they were clearly taking a hostile stance towards other FLOSS projects, as nobody could integrate their work with anything else.

In that context their explanation makes perfect sense; they didn't do it for love of FLOSS, they did it because there was no other portable options that included support for all windows versions. Without XP, that ceases being true.

As a supporter of Free Software that reasoning might sound lame to me, but it is very consistent. And if their whole point was to provide an option for windows users, then recommending bitlocker is actually consistent. Having different values doesn't imply he's lying about his.

As far as canaries go, you have to have the live bird before going into the mine, and then have the dead bird. In this case there was no live bird in advance, and there is dead bird afterwards. Not only have we not been warned by a canary, nobody actually even claims to have seen one, dead or alive.

The name of the person who registered a non-profit and for-profit for TrueCrypt in the US was David Morgan. That person has already verified the posted information from an email address @truecrypt, so this other person not known to be associated with TrueCrypt should be ignored.

Re: people ruin everything

[symbolset]

The former CEO of USWest was sent to prison based on secret NSA data that could not be independently confirmed - or even discussed. That this happened shortly after he refused to cooperate with illegal NSA data collection is completely coincidental.

Re:Where is the Kickstarter to re-implement it?

[swb]

I think it would be great for the EFF and the ACLU to sponsor it. It would immediately cause problems for someone to get ham-handed about it.

Re:Steve Gibson

[duke_cheetah2003]

Steve has made some mistakes in the past and over-hyped some things, but all in the all, the man means well and is genuinely interested in the welfare of computer users. If you write him off just because he's made a few poor judgments in the past, well, that's your loss. He does have generally useful information and it's presented in a non-nerdy fashion so any bonehead can make sense of it. Usually.