I was about to grab TrueCrypt from SourceForge when I found this message on their landing page...
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
It goes on to say that development for TrueCrypt ended and users of TrueCrypt should migrate to BitLocker.
Do you guys find this strange, as TrueCrypt recently passed its security audit? Also, why would the developers recommend BitLocker? It would be great to hear your thoughts and theories on TrueCrypt, BitLocker, and whatever you think is going on here.
Wendell, I've heard LUKS and dm-crypt talked about as viable alternatives. What's your opinion on this? Do you think people are going to try to fork TrueCrypt and continue it, or do you think this will bolster existing projects? Full disclosure: I've never really dabbled with this stuff, but I've followed it and I've always wanted to play with this kind of stuff.
The TrueCrypt Audit Team is just as confused as we are; they have said that they had just started to like TrueCrypt and that they haven't found anything more than what they have already published. This sounds like a self-takedown. One thing is clear: they no longer control the signing key, yet TrueCrypt has not told us (and cannot). This reeks of the US government forcing the TrueCrypt dev team to hand over the key and possibly alter their executable to have a back door.
As for Ksajal, the reason why they recommended Windows BitLocker was to tip everyone off that something wasn't right and to be cautious... Just in case them telling you in red text that the application was insecure wasn't enough.
From what I have seen, TrueCrypt lost some key developers who worked with the boot code, and they have no clue how to get it working with UEFI. Microsoft also hasn't released some APIs for Win8 like they have with Win7, so the team really doesn't know how to make it for Windows 8.
Perhaps if we knew who the TrueCrypt dev team was, we could understand their motivations. We may never know what actually happened here. Maybe after Matthew Green raised $70,000 for the audit, the TrueCrypt team simply said the hell with this and ended the project.
The Johns Hopkins cryptographer who recently helped to launch the TrueCrypt audit is currently as clueless as anyone.
Brad Kovach:
The death of TrueCrypt: a symptom of a greater problem - Thoughts on the current state of Open Source Software (OSS). Basically OSS makes up a good portion of the web which makes it critical and how thankless it is to be contributing to OSS. Think of OpenSSL, Apache, NGINX, etc...
Steve Gibson (GRC):
Whither TrueCrypt - Steve's thoughts on what may have happened to TrueCrypt.
Wouldn't it have been nice if Kenneth and Matthew had funneled the rest of the funds they gathered for the audit and donated them to TrueCrypt pending the audit results?
I already knew it was compromised. You can't have a piece of software that is open source and used for encryption. It just doesn't work. At least for now.