
Truecrypt warrant canary confirmed? - sp332
http://meta.ath0.com/2014/05/30/truecrypt-warrant-canary-confirmed/
======
cnahr
The original headline ends in a question mark, cites one person from Twitter
who claims a 2004 (?) conversation, and still provides no explanation why any
government might possibly want to serve TrueCrypt a warrant, given that they
don't store user data (unlike Lavabit) and all their source code was open
anyway.

------
beloch
Truecrypt is a high quality open source project that has been updated
diligently for many years. For its developers to abandon it in such an
_immature_ fashion was highly bizarre. The possibility that they were sending
a deliberate signal with this act was one of my first thoughts. I don't
consider the article posted here to be plausible evidence, but it certainly
gives voice to my suspicions.

Truecrypt's developers, if they indeed live in the U.S., may have done as much
as they can do. It is now up to the audit team to evaluate truecrypt as
thoroughly as possible and, should truecrypt prove sound, it will be up to
international teams to pick up the torch. It's certainly possible that a
completely different country is cracking down on truecrypt's developers, but
this action fits the NSA's modus operandi _perfectly_.

------
zymhan
Who is Alyssa Rowan, and why should I care that she thinks the TrueCrypt post
is a warrant canary?

~~~
antiegoist
She runs [https://efchan.net/](https://efchan.net/).

~~~
hrrsn
What does an MLP chan have to do with Truecrypt?

~~~
AlyssaRowan
Bugger all, it's just a random site I happen to host.

~~~
zymhan
Could you verify that you are who you really say you are? And sorry for not
knowing what you're associated with, a Google search for your name isn't very
helpful in finding out who you are. What relation do you have with the TrueCrypt
devs?

EDIT: I also didn't realize that you had replied to my original comment, sorry
about that.

~~~
AlyssaRowan
No relation with the devs. Just a decade-old conversation about PGPdisk, IVs
and trouble export laws might cause, so it's perfectly OK to not put _too_
much stock in it.

------
erichurkman
I'm curious, do we have any definitive examples of other warrant canaries
being triggered in public? One prominent example is rsync.net [1] and their
canary has been publishing weekly updates for a long time.

[1]
[http://www.rsync.net/resources/notices/canary.txt](http://www.rsync.net/resources/notices/canary.txt)

------
polemic
A canary that no one knows about is a <understate>little</understate>
pointless... nonetheless it _feels_ like a lavabit-esque shutdown. The
intrigue continues.

~~~
proexploit
Well isn't a warrant canary that is public knowledge just considered a method
of breaking NSL silence? To be safe, a warrant canary would need to be
plausibly deniable.

~~~
Tomte
If I were a three letter agency who illegally threatened some crypto developer
with unsavory things, willing to send him to Guantanamo or to outright kill
him (as some people on HN obviously can imagine very well)... I'd just shrug
my shoulders after this highly conspicuous way of shutting down the project
and think "well played, Mr. Developer, no hard feelings".

Of course.

~~~
indrax
If anyone knows their identity and suspects the canary, then disappearance or
death would hint strongly at the canary being true.

------
csense
How do NSLs work in practice in large organizations? This might not make
sense for a small organization like Truecrypt, but if someone like Microsoft
or Google receives an NSL, presumably multiple people have to see it and
handle it -- what keeps one of them from taking a picture of it on their cell
phone and leaking it anonymously? (Of course they need to sanitize the
embedded metadata and timestamps.)

If they can't prove which specific employee leaked it, who do they punish?

~~~
hrrsn
I'd imagine it goes straight to the lawyers

------
xarball
Don't jump to conclusions yet -- I'm still reading this analysis.

[https://pay.reddit.com/r/crypto/comments/26px1i/truecrypt_sh...](https://pay.reddit.com/r/crypto/comments/26px1i/truecrypt_shutting_down_development_of_truecrypt/chtf94s)

------
yeukhon
The question remains how they find out the dev's identity in the first
place, even if this was true; yet we don't even know who the hell Satoshi
Nakamoto really is. Would a secret agency know who Satoshi Nakamoto is?

~~~
sumedh
Didn't the TrueCrypt website have a PayPal donate button? So PayPal definitely
knows who they are.

------
ASneakyFox
If it were a warrant canary, doesn't stating that the update is obviously a
canary possibly put the TrueCrypt team in legal trouble? Communicating the
warrant, even cryptically, is still communicating about the warrant.

------
ipsin
I think we won't actually know what happened until the TrueCrypt dev team is
willing to step into the light.

