Did TrueCrypt call it quits?

Logan and Wendel,

I was about to grab TrueCrypt from SourceForge when I found this message on their landing page...

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

It goes on to say that development for TrueCrypt ended and users of TrueCrypt should migrate to BitLocker. 

Do you guys find this strange as TrueCrypt recently passed their security audit?  Also, why would the developers recommend BitLocker?  It would be great to hear your thoughts and theories on TrueCrypt, BitLocker, and whatever you think is going on here.

DO NOT DOWNLOAD 7.2 ANYTHING (7.2 or 7.2a). Details later. We may have been compromised, or lavabit'd.


Understood...

Lavabit 2.0? 


I hope another project crops up in its place, which I am sure will happen. Perhaps they're issuing a warrant canary.

Wendell, I've heard LUKS and dm-crypt talked about as viable alternatives. What's your opinion on this? Do you think people are going to try to fork TrueCrypt and continue it, or do you think this will bolster existing projects? Full disclosure: I've never really dabbled with this stuff, but I've followed it and I've always wanted to play with this kind of stuff. 

Are people really using TrueCrypt? Heh, never touched that stuff. I mean, people felt the need to audit it; that says a lot about it in my opinion.

Plus, using encryption in Windows is so silly and pointless. It's like bolting your door, but having every window open.

Kscorps, about TrueCrypt, dm-crypt and some other encryption methods: https://wiki.archlinux.org/index.php/Disk_encryption

The TrueCrypt Audit Team is just as confused as we are; they have said that they had just started to like TrueCrypt and that they haven't found anything more than what they have already published. This sounds like a self-takedown. One thing is clear: they no longer control the signing key, yet TrueCrypt has not (cannot) tell us. This reeks of the US Government forcing the TrueCrypt dev team to hand over the key and possibly alter their executable to have a back door.

As for Ksajal, the reason why they recommended Windows BitLocker was to tip everyone off that something wasn't right and to be cautious... Just in case them telling you in red text that the application was insecure wasn't enough.

"lavabit'd"

:)

7.1a -> true-crypt

7.2* -> false-crypt

---

From what I have seen, TrueCrypt lost some key developers who worked with the boot code, and they have no clue how to get it working with UEFI. Microsoft also hasn't released some APIs for Win8 like they have with Win7, so the team really doesn't know how to make it for Windows 8.

Not working with UEFI wouldn't make it insecure, just incompatible.

Why do I feel like the government got butthurt they couldn't crack it and forced truecrypt to shut down or something? 

As far as I know, no one has a clue who is developing TrueCrypt. So how would we know who is developing the boot code?

Perhaps if we knew who the TrueCrypt dev team was, we could understand their motivations.  We may never know what actually happened here.  Maybe after Matthew Green raised $70,000 for the audit, the TrueCrypt team simply said the hell with this and ended the project.

I think the urge to audit was based on how popular the software was.  That being said, being popular could very well make you a target.

We will be making an announcement later today on the TrueCrypt audit and our work ahead.

https://twitter.com/OpenCryptoAudit/status/471994475322294272

Sounds like there will be some more light shed on the situation later today.

A couple of useful websites in regards to this recent turn of events...

Matthew Green (Recent Tweets):

  • The Johns Hopkins cryptographer who recently helped launch the TrueCrypt audit is currently as clueless as anyone.

Brad Kovach:

  • The death of TrueCrypt: a symptom of a greater problem - Thoughts on the current state of Open Source Software (OSS). Basically, OSS makes up a good portion of the web, which makes it critical, and contributing to OSS is thankless. Think of OpenSSL, Apache, NGINX, etc...

Steve Gibson (GRC):

Excellent links, thanks for sharing.

Wouldn't it have been nice if Kenneth and Matthew had funneled the rest of the funds they gathered for the audit and donated it to TrueCrypt pending the audit results?

I already knew it was compromised. You can't have a piece of software that open source that is used for encryption. It just doesn't work. At least for now.

Probably, but that ship has already sailed it would appear. 

What was compromised about it prior to the latest turn of events?