
Truecrypt: Disownment & Abandonment ..what is going on?

  • 30-05-2014 9:19am
    #1
    Registered Users Posts: 6,026 ✭✭✭


    All rather strange.

    Cory Doctorow @ boingboing.net has posted an article covering the strange announcements from the Truecrypt site.

    http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html
    The abrupt announcement that the widely used, anonymously authored disk-encryption tool Truecrypt is insecure and will no longer be maintained shocked the crypto world--after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai'i. Cory Doctorow tries to make sense of it all.
    The Sourceforge project page for Truecrypt now sports a cryptographically signed notice that Truecrypt should no longer be used as it is not secure. The news came on the heels of a crowdfunded $70K security audit of the open source, anonymously maintained software giving it a relatively positive initial diagnosis. The announcement -- signed by the same key that has been used to sign previous, legitimate updates -- links Truecrypt's deprecation to Microsoft's decision to cease supporting Windows XP, though no one seems to have a theory about how these two facts relate to one another.

    ---

    A Reddit thread meanders here and there, mainly throwing up the idea that this is all some elaborate, 'Dead Man Switch', due to pressure from spooks..

    http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

    ---

    <worried Truecrypt user.. :eek:


Comments

  • Registered Users Posts: 256 ✭✭Echoes675


    Worrying indeed considering the company I work at (in the internal support team) has 1200 users and of those at least 60% are using laptops with truecrypt as the encryption solution. Ain't lookin' forward to the next couple of weeks!

    All the available info seems really thin on details so it's hard to judge the impact (whether 7.1 and earlier is compromised) but even if this is proven a hoax/hack, trust in the product may be beyond restoration.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Thread in the infosec forum. As one user there pointed out - If you're trying to hide your data from the NSA it might be an issue, otherwise 7.1a is probably perfectly good for purpose.


  • Registered Users Posts: 8,184 ✭✭✭riclad


    It seems the NSA have got many companies to build backdoors into their software.
    No one is saying it's true in this case.
    At this point I wonder can you trust any hardware device or software made in the USA
    to be safe and secure to use for business users,
    or people who use it for accessing bank accounts or other private information,
    unless it's open source software that can be inspected by independent
    experts.


  • Registered Users Posts: 256 ✭✭Echoes675


    Further update here: http://www.webcitation.org/6PxFedfi7
    Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):
    TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    Steven Barnhart: (Paraphrasing) Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    TrueCrypt Developer “David”: Said “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    Quoting TrueCrypt Developer David: “There is no longer interest.”

    So looks like the "it may contain unfixed security issues" is really simply a disclaimer for any future issues.

    The whole thing is a bit odd. I understand they may want to cease support but why not give advanced warning and make it "official" rather than this turn of events that resembles some kind of hoax. I also understand that they owe nothing to anyone since this is free software but just a really odd way to close it all down.


  • Registered Users Posts: 82,039 ✭✭✭✭Overheal


    ^ It's something you do when you're not in control.

    If he had to give backdoors to government entities, he'd have little else he could do, no?

    So back to my Encryption question from earlier this week: WHO DO I TRUST TO ENCRYPT MY ****? Encryption is going to be the next small turf war on the internet and I get the suspicion that government intelligence bodies are doing everything in their power to control the means of supply, thereby maintaining their snakey access to your stuff.

