The TrueCrypt website has been changed; it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux. So, what happened? The TrueCrypt site says:
This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Did the TrueCrypt devs (or SourceForge?) get an NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?
(Score: 5, Insightful) by sgleysti on Thursday May 29 2014, @05:37AM
The encryption functionality was removed; decryption remains. This makes sense if they were required to surreptitiously weaken the encryption.
The advice given for Linux users is to search for any package with the word "crypt" or "encrypt" and follow its instructions. This is strange advice from security-conscious developers.
I think the real devs did it for the following reasons:
One would expect TrueCrypt to attract more notice now that it is being audited. They just raised $16,000 to put it through serious auditing. This is a crazy time to nuke the project, unless they got an NSL.
(Score: 1, Funny) by Anonymous Coward on Thursday May 29 2014, @06:35AM
The audit revealed the true encryption algorithm was ROT13. Further development was deemed impossible without breaking backward compatibility.
(Score: 2) by maxwell demon on Thursday May 29 2014, @07:28AM
Those were security people. They certainly knew that these days you need triple-rot13 to be truly secure.
The problem the audit found was that the second step wasn't a decryption step, as triple-rot13 requires, but an additional encryption step.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Interesting) by threedigits on Thursday May 29 2014, @09:41AM
The "U.S." to "United States" is more than probably an artifact of changing Visual Studio versions.
You can see the same happening here, for example: https://chromium.googlesource.com/webm/webmdshow/+/74379b419a791c5d81f1120c0f23e28d19cf03eb%5E!/
(Score: 2) by zocalo on Thursday May 29 2014, @11:27AM
What if TrueCrypt was backdoored as the result of an NSL some time ago - say pre-v7.1a, which is when development basically stalled and could be the reason for that stall? One likely outcome of that might be a difference of opinion between the devs, ending development and culminating in a difference of opinion wherein one or more of them basically decided to blow the whistle against the wishes of the rest. If the whistleblower(s) were the coders rather than the web admin, then it's conceivable they might not have access to SourceForge but would have the code signing keys, which would explain the hacky nature of the "reveal".
UNIX? They're not even circumcised! Savages!
(Score: 2) by forsythe on Thursday May 29 2014, @01:59PM
I was actually going to mention the U.S. -> United States thing, but thought I would come off as being overly silly.
So here's something else: Towards the beginning of the diff, some options of a dialog box got changed (that didn't seem obviously related to the neutering), and the option to choose 'No' was removed.
(Score: 1) by eieken on Thursday May 29 2014, @04:03PM
Secretly communicating what happened via the No seems like something to do, bothersome that I really liked TrueCrypt. :(