TrueCrypt speculation

jpgoldberg
1Password Alumni

In anticipation of people wanting to discuss/speculate about what is behind the statement that appeared on TrueCrypt's site, I open this thread.

> WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
>
> This page exists only to help migrate existing data encrypted by TrueCrypt.
>
> The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

I have my own speculation (but that is all it can be), which I will try to post later.

Comments

  • Stephen_C
    Community Member

    Many thanks for drawing attention to this: it had entirely escaped my notice.

    Stephen

  • michaelbehan
    Community Member
    edited May 2014

    @jpgoldberg This was just posted:

    TrueCrypt development stopped amid a cloud of mystery
    http://www.engadget.com/2014/05/30/truecrypt-development-stopped/

    Apparently the developers just got bored? Still seems odd.

  • michaelbehan
    Community Member
    edited May 2014

    And one of my colleagues had actually contributed money to a heavy code review that was ongoing.

    "This is weird given TrueCrypt was undergoing a heavy code review currently
    (one I contributed money to even). Matt Green, who has been leading the
    review:"

    >

    And then I think... where did the $70,000 go that they were funded to review the code!?
    http://www.reuters.com/article/2014/05/29/us-internet-security-encryption-idUSKBN0E925M20140529

  • jpgoldberg
    1Password Alumni

    I also contributed to the code review, and I think that there is a small connection between the code review and what is happening. I will get to that.

    The mysterious developers of TrueCrypt have made several attempts to turn what they do into a way in which they could earn a living. They had their own crowd funding thing a few years ago and have done things that explored a number of models. None of these succeeded.

    Providing some sort of product/service for enterprises (if that is one direction in which they were thinking) probably went out the Windows with the death of XP and the advent of BitLocker. Any such plans would have been Sherlocked by BitLocker.

    Everything I hear from Matthew Green and the audit group is that there are no indications of a backdoor and no serious problems have been found. But a lot of little things, mostly surrounding "good coding practices", have been found. My guess is that these would have taken a lot of work to fix. So if the TrueCrypt developers were already close to a decision to wind things up, the audit may have helped trigger it.

    Of course we can't rule out the possibility that they anticipated being Lavabitten. But given the openness of the source and the audit, I don't really see that as likely. I think that it is simply a mundane case of them looking at how much work it takes to maintain TrueCrypt properly and how much time they need to do work they get paid for.

    The license is TeX-like, so it can easily be forked but with a different name. I expect that to happen.

This discussion has been closed.