The TrueCrypt website has been changed; it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux.
So, what happened? The TrueCrypt site says:
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Did the TrueCrypt devs (or SourceForge?) get an NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?
But the take-away from your post is that Windows users are hosed. But I repeat myself.
Everyone is hosed if that is your take-away. Not just Windows users, Linux users, Apple users, Android users, ChromeOS users, ~everyone~.
Run encryption atop your OS, and you have to trust the OS provider and the encryption software provider.
Run OS-provided encryption, and now you only have one party to trust.
If the OS is complicit then it matters not a jot what the encryption layers on top of it do, you're hosed.
The actual take-away is... file(system) encryption is fine for preventing casual thieves who purloin your mobile devices from gaining access to your files, but it's not to be relied on for defeating snooping.
But then it was never supposed to be a panacea, it does what it says on the tin - encrypts your shit while at rest (for now).
Which makes me think - say you went to the bother of one of these TrueCrypt encrypted hidden partitions then installed OS of choice on it... what prevents the OS of choice giving away whatever crown jewels? Or the underlying hardware for that matter?
Maybe this is the take-away... TrueCrypt was over a decade old and pre-dated mass Internet usage, having a deniable OS then was useful. Now not so much, it is our online footprint that betrays us.
I honestly don't know.
You are largely right. The most important thing to grasp is that TILT is the new default, courtesy first and foremost of the NSA: if you are running COTS hardware (as nearly everyone does) you cannot trust your hardware. This fact is not because the NSA and others have hardware implants (which they have plenty of), and it is not because they could weaken specific logic gates in whatever chips you are using (they could, it's not science fiction), nor is it because of the efforts of the NSA's TAO and their software (which is likely best of the best and amazingly brilliant). It runs deeper: it has become more than apparent and verified that the NSA (and any other such organization which we might not even know about) does not have any kind of apprehension against using their unlimited clout in order to sift and/or record all data in existence using any means possible.
Sure, in exceptional cases that does mean they'll use the aforementioned. It has also been shown that they will use secret courts and secret court orders and "national security letters" and any "legal device" (even if illegal), and influence industry standards (it doesn't matter all that much whether it strengthens or weakens said standards, since it is clear that what matters to them is that they'll do it to suit whatever they think is in their own interest).
There is no reason to assume that their efforts stop there! Social hacking is always easier. If one can manipulate the foundations of academic research or industry-wide best practices or technical practical solutions, it is worth far more than millions of later weaknesses. If you think you own the rabbit hole you want to make it as deep as possible: all the way down forever, because it becomes tremendously more efficient the deeper it goes, and they have the resources to do just that.
One should by now recognize that the NSA was and will always be a "bad faith" [wikipedia.org] actor (personally this is what hurts the most). This very fact is the negative ramification of the Snowden leaks that is almost suspiciously absent from the reports on the damages caused to the US: the leaks have removed any possibility of "good faith" status for the NSA (and also the US government) and this very "good faith" status was one of the most if not the most useful property/tool/attribute they had.
Why isn't this being spelled out by the reports on the consequences of the leaks? Because they're hoping people won't notice; they're trying to avoid the Streisand effect because they would like to cling on to the incorrect "good faith" status and have as many people as possible continue to assume that they are "good faith" actors.
They can't broadcast one of the most immediate and profound damages because it would exacerbate the troubling truth: they are not the "good guys", they are evil, and they represent the doom of humanity just like the Nazis and the Commies did only with vastly improved technology.
The classic solution to the problem of a needle in a haystack is to set fire to the haystack. It won't matter that the initial motivation was to find the needles to remove and/or destroy them in order to save the hay: the solution remains the same.