
TrueCrypt suggesting migration to BitLocker? - dewey
http://truecrypt.sourceforge.net/
======
Adaptive
In order of likelihood:

* Defaced site, timed to screw up a big announcement
* Rogue content maintainer
* Phase II of audit turned up something rather bad (edit: NO - see tptacek below)

edit: Variations on "developer forced to do this" (cf simmerian's comment):

* Developer was big brother all along and they are shutting it down
* Security vuln about to be disclosed, dev scrambles to inform (albeit poorly)
* Legally or otherwise compelled to compromise source code, dev complies and/or nukes project from orbit

The last alternative would be suggested in part by the strange content of the
page, assuming it is legit from the developer: Normally I'd expect at _least_
something like "there's a major vuln that is unfixable and we'll disclose
formally in a week/two, migrate now.".

~~~
ultramancool
After examining all the facts, I think it's most likely they just didn't want
to develop it anymore:

* PGP matches
* Authenticode matches
* SourceForge data was modified
* DNS records were modified

And to top it off, let's put ourselves in the theoretical attacker's shoes,
the binaries when run make no unexpected connection attempts or write to any
unexpected places and don't appear to contain any unexpected imports, so if
this was a hack, it's a very stealthy and very boring one. The most they
achieved would be uninteresting to most attackers. It would only really be an
effective attack against people who had TrueCrypt volumes but not a current
copy of TrueCrypt as there's no compelling reason for anyone to upgrade to 7.2
and certainly they'd be skeptical after this. Any attacker with the
intelligence and patience for such an attack would surely realize how poor an
execution this would be. A better attack would be "here, it's TrueCrypt 8, it
has loads of EFI support and mad security, everyone should install it, it's
the best!". There's simply no reason to shut it down like this, unless the
attack is just an elaborate practical joke.

It's quite possible this came from 1 big developer hack, but considering how
the release was done, with full source and everything for every supported
platform... if it was a hack, it's a very, very good one. They've also decided
to modify the license terms, perhaps bringing it into compatibility with more
common FOSS licenses.

I think it's far more likely at this point that the devs, who had not updated
their software in years, finally decided to call the project over and have
marked it insecure because the codebase is now unmaintained and should be
assumed insecure.

~~~
mandelbulb
> After examining all the facts, I think it's most likely they just didn't
> want to develop it anymore:

So they decided to end things with such an extremely juvenile behavior
devaluating the years they have invested in this project even if not recently?

Unless the responsible one fell into clinical depression it's a pretty strange
reason.

~~~
ultramancool
They haven't updated it for years.

I'd hardly call the behavior "juvenile" nor would I call it "devaluating".
They've simply abandoned it and are offering alternatives.

~~~
Nexxxeh
I think suggesting BitLocker as a viable alternative to their work is
"devaluing" their work. Who would trust BitLocker not to be vastly more
compromised than TrueCrypt?

(Devaluating? sic? Or is that actually a word?)

~~~
ultramancool
You're right - few would trust it more. However, it is the closest viable
alternative to TrueCrypt on the windows platform today.

------
rgaloppini
Providing some details from SourceForge:

1. We have had no contact with the TrueCrypt project team (and thus no
complaints).

2. We see no indicator of account compromise; current usage is consistent
with past usage.

3. Our recent SourceForge forced password change was triggered by
infrastructure improvements not a compromise. FMI see
http://sourceforge.net/blog/forced-password-change/

Thank you,

The SourceForge Team communityteam@sourceforge.net

~~~
jzdziarski
> 2. We see no indicator of account compromise; current usage is consistent
> with past usage.

I'm calling BS. This site was disabled repeatedly for exceeding bandwidth
today. I find it hard to believe traffic is as usual.

~~~
moorman2
Actually, this is standard behavior for the SourceForge project web service.
Bandwidth usage is capped to prevent folks from serving files from project web
instead of the mirror network-backed download service. Staff saw the surge in
traffic to the project web site, confirmed it wasn't file serving activity,
and re-enabled the site.

------
BoppreH
- Signature is valid, so it's not a defacement.
(http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/chtl7jb)

- The version there works and does not seem to have a trojan, so probably not
a regular hacker. (https://news.ycombinator.com/item?id=7813373)

- Instructs to migrate to dubious alternatives, so it's not a legit security
effort.

- License change, precise instructions and decrypt-only version indicate it's
not a completely rushed press release. (license change:
https://github.com/warewolf/truecrypt/compare/master...7.2#diff-dc5cde275269b574b34b1204b9221cb2L1)

- On the other hand the Linux instruction is a joke, so it's not completely
well thought out either. (http://truecrypt.sourceforge.net/OtherPlatforms.html)

- The security audit was so far ok, so it's not a sudden vulnerability
discovered there. (https://twitter.com/matthew_d_green/status/471741836722073600)

- No details whatsoever other than a "_may_ contain unfixed security
issues", so it might be an automated release (doesn't know what happened) or
gagged reaction (can't say what happened).

- Source code includes unrelated changes, so it probably comes from a
developer. (https://news.ycombinator.com/item?id=7812674)

If I had to wager a crazy bet, I would go with a newly developed Dead Man's
Switch gone wrong.

Edit: someone on Reddit has an interesting view that it may be a halfhearted
attempt at complying with an NSA request
(http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/chte8r2).

~~~
BoppreH
_infosecslave_ said in a dead comment:

> [...] you have to consider the fact that Truecrypt project was started
> before FDE was popular, maybe their goal all this time was to popularize
> such encryption. With XPs demise that goal would have been achieved as
> every current Windows version comes with Bitlocker.

Your comment is dead but makes a lot of sense, especially in light of the
message on the website:

> The development of TrueCrypt was ended in 5/2014 after Microsoft
> terminated support of Windows XP.

I don't agree Bitlocker is a sensible alternative, but this piece does fit the
puzzle.

~~~
usefulcat
"..as every current Windows version comes with Bitlocker."

It's only available in Ultimate and Enterprise Vista/Win7 and Pro/Enterprise
versions of Win8. Lots of machines ship(ped) with only Win7 Home Premium or
vanilla Win8.

------
dewiz
Suppose that the author received a secret order from a secret court that
required the author keep secret the secrecy of the secret order from the
secret court. Furthermore, the author was secretly required to turn over his
secret signing key to a secret third party. If you were the author, what would
you do? Consider your options. One is that you could issue an update with a
warning that the program is no longer secure. Even though the program really
is, at this moment, secure. The only source code changes are to insert the
warnings. But what the warnings are warning you about, but cannot just come
out and say, is that the program will not be secure in the future because a
third party now has the keys to sign authentic new insecure versions. This
wouldn't be unlike Lavabit shutting down. The author is choosing to fall on
his sword for the good of everyone.

~~~
isp
Continuing the thought experiment. By stating the "reason" you're shutting
down is that your project is "no longer necessary", then (i) your userbase
will rapidly infer that the reason is odd (e.g.,
[https://news.ycombinator.com/item?id=7813799](https://news.ycombinator.com/item?id=7813799)
), while (ii) you can plausibly defend closing down with a straight face, in
court if required ("Our raison d'être no longer applies. So obviously this was
the perfect time to shutdown the project for totally this reason and not any
others.") Additionally, by changing the TrueCrypt License from 3.0 to 3.1
(removing the clause requiring advertising truecrypt.org), you tacitly support
TrueCrypt forks while simultaneously de-emphasising the now-compromised
truecrypt.org.

~~~
spacehome
This is without a doubt the most parsimonious explanation for all available
evidence.

------
Sephr
Interestingly enough, they also changed the TrueCrypt license.

    
    
        -TrueCrypt License Version 3.0
        +TrueCrypt License Version 3.1
    

This led me to think about the legal implications of changing a software
license using stolen signing keys, when signing keys are all that you have to
verify that the software is official (such is the case with TrueCrypt and its
anonymous authors). If the license is changed, and the package is signed with
the same signing keys, can I legally use the new license in derivative
software?

The new license removes the following restrictions regarding attribution:

    
    
        -    c. Phrase "Based on TrueCrypt, freely available at
        -    http://www.truecrypt.org/" must be displayed by Your Product
        -    (if technically feasible) and contained in its
        -    documentation. Alternatively, if This Product or its portion
        -    You included in Your Product constitutes only a minor
        -    portion of Your Product, phrase "Portions of this product
        -    are based in part on TrueCrypt, freely available at
        -    http://www.truecrypt.org/" may be displayed instead. In each
        -    of the cases mentioned above in this paragraph,
        -    "http://www.truecrypt.org/" must be a hyperlink (if
        -    technically feasible) pointing to http://www.truecrypt.org/
        -    and You may freely choose the location within the user
        -    interface (if there is any) of Your Product (e.g., an
        -    "About" window, etc.) and the way in which Your Product will
        -    display the respective phrase.

~~~
laurent123456
Interesting, especially since the author(s) are anonymous and not working off
public repositories, it will be very hard, if not impossible, for them to
prove that they did _not_ release this software.

~~~
tacotime
If two groups with opposing messages control the key, it's pretty clear that
the key is compromised in some manner.

------
dkokelley
Is it possible that this is the result of a "dead man's switch" (DMS) set by
the developer(s)? Perhaps a (continually updated) process was set up so that
TrueCrypt would shut itself down if the developer were unable to prove he or
she was still actively maintaining the software.

I can see a couple of scenarios where this would be wise:

A) The developer passes away, leaving nobody else to maintain TrueCrypt.
Zero-day 1234 is discovered which compromises TrueCrypt. The DMS activates,
deprecating the software and advising users to migrate to another alternative
(why BitLocker, I have no idea).

B) The developer(s) is(are) coerced into compromising TrueCrypt in some way.
As a part of the coercion, the developer(s) is(are) unable to demonstrate
proof of life to the DMS, so the system nukes itself.

~~~
grlhgr420
the page specifically mentions that it's ending support in may because ms is
dropping xp support, though

~~~
dkokelley
Not quite, though. The page says _" The development of TrueCrypt was ended in
5/2014 after Microsoft terminated support of Windows XP."_ We can infer that
the two are connected, but it would be equally valid to say "The development
of TrueCrypt was ended in 5/2014 after Snowden interviewed with NBC."

The reason I make this distinction is because continuing from a
cautious/paranoid perspective, the DMS might not say "WARNING! Dead Man's
Switch Activated! If you are reading this, I may have been compromised, and am
no longer available to maintain TrueCrypt." It's possible that the landing
page simply references a relatively innocuous event in the cyber security
world to plausibly discontinue the software. The best evidence I have for this
is the fact that TrueCrypt didn't shut down precisely when XP support was
dropped. (In fact, according to
http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx
official support ended in April, not May like the landing page states.)

------
Moral_
A very interesting comment from netsec:
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/chtgqg7

This is very strange. I have another theory since I don't believe in
coincidences. We don't know the real author of TrueCrypt. I think someone
found his identity (cough NSA) and made him an offer like lavabit.com
received. This time probably with security classification so he can't talk
about that. HOWEVER, if we take a look at the diff of his code, we can see two
interesting things:

* messages about TrueCrypt not being secure
* and the second thing: he changed everywhere U.S. text to United States

Do you think that someone who is closing a project would pay attention to
doing such a thing? I don't think so. I think that he tried to point at the
real reason for closing his project by that. I won't be surprised when a
truecrypt fork appears on the TOR network soon...

~~~
cjg_
There were a lot of unrelated changes, this release was most likely just cut
off their development branch.

~~~
tacotime
The point is that a search and replace from "U.S." to "United States" is an
_unusual_ change. I have not seen evidence of this firsthand yet so I am just
taking Moral_ on his word but if that is the case and there are a number of
occurrences then it is certainly an interesting thing for the author to think
to change.

------
timothya
I just came across this on Twitter:
[https://github.com/warewolf/truecrypt/compare/master...7.2](https://github.com/warewolf/truecrypt/compare/master...7.2)

This is supposedly the commit for the 7.2 release. Just looks like a bunch of
code replaced with the app aborting as insecure.

I'm not sure how legit this is, the repository was just created a few minutes
ago. Apparently there is a new binary release that goes along with this,
though.

[I've created a fork here just in case the original goes down:
https://github.com/timothyarmstrong/truecrypt/compare/master...7.2]

~~~
Kapow
Notice the added functions like IsNonSysPartitionOnSysDrive and
ResolveAmbiguousSelection, and all the unrelated minor changes like the
comment line in Common/Volumes.h. Looks a lot like they based it on current
pre-release development code.

------
scott_karana
Sourceforge seems to have recently updated their password hashing algorithm,
so that might hint at the cause of a compromise. Here's the body of the email
sent to me on the 22nd:

    
    
      Greetings,
      
      To make sure we're following current best practices for security, we've
      made some changes to how we're storing user passwords. As a result, the
      next time you go to login to your SourceForge.net account, you will be
      prompted to change your password. Once this is done, your password will be
      stored more securely. We recommend that you do this at your earliest
      convenience by visiting the SourceForge website and logging in.
      
      And, as always, be vigilant about password security. Use a secure password,
      never include your password in an email, and don't click on links for
      unsolicited password resets.
      
      If you have any concerns about this, please contact SourceForge support at
      sfnet_ops@slashdotmedia.com
      
      Best regards,
      SourceForge Team
      
      ----------------------------------------------------------------------
      SourceForge.net has made this mailing to you as a registered user of
      the SourceForge.net site to convey important information regarding
      your SourceForge.net account or your use of SourceForge.net services.
      
      We make a small number of directed mailings to registered users each
      year regarding their account or data, to help preserve the security of
      their account or prevent loss of data or service access.
      
      If you have concerns about this mailing please contact our Support
      team per: http://sourceforge.net/support

~~~
conductor
Sourceforge's representative says it's unrelated:
[https://news.ycombinator.com/item?id=7813121](https://news.ycombinator.com/item?id=7813121)

------
Netcob
This is creepy as hell.

No mention of _why_ it's supposed to be not secure - it's an open source
project so it would be easy to point to a specific vulnerability. All of this
shortly after passing audit. There are detailed steps towards switching to
supposedly secure closed-source solutions by companies known to be working
closely with the NSA.

Also, since when do open source projects suddenly decide they are not as good
as a closed-source alternative and then stop the project? Are we in
danger of seeing a similar message on the homepage of LibreOffice and
OpenOffice, declaring that you should switch to Microsoft Office?

I can't even begin to imagine a valid scenario in which something like this
would be put up by the developers, with no pressure other than some fatal
security flaw about which they just really don't want to talk.

~~~
logicallee
It doesn't matter why. If "we are now insecure" then the last thing you say
is, "so please download these new versions, used only to decrypt your old
files and nothing else." No we won't tell you what, if anything, was wrong, so
you can make an informed decision.

~~~
CHY872
The motivation would be so that if you had a TrueCrypt archive lying around on
a drive that you find in 5 years time, it would be possible to decrypt it -
but they don't want to allow encryption because they won't be continuing
development, and so fixing future bugs will not be possible.

~~~
Zancarius
If that's the motivation then in 5 years' time, who's to say the new version
will work as well (assuming that it also won't be updated)? That doesn't make
any sense.

~~~
CHY872
They're saying that one should not continue to use orphaned software (when
it's so security critical). So they're stopping the distribution of the
encryption part of it, and continuing to distribute the part of the software
that decrypts the code. This means that if (in five years) you find an archive
that you can't open without TrueCrypt (and you uninstalled it etc) you'll
still be easily able to find a signed version that will decrypt it for you.

At the same time, the developer clearly doesn't want people to be encrypting
new archives with it, so have removed that functionality.

Removing the software in total would have led to many mirror sites springing
up, most with unproven provenance (and a great opportunity for exploits). This
method allows an official version to still exist (unmaintained, but still
compatible with the current archives), whilst severely restricting new usages
(by strongly warning against it and requiring using the dubious mirrors to
obtain the software).

~~~
Zancarius
> This means that if (in five years) you find an archive that you can't open
> without TrueCrypt (and you uninstalled it etc) you'll still be easily able
> to find a signed version that will decrypt it for you.

That still doesn't seem to answer the point. The differences between 7.1* and
the questionable 7.2 are exclusively limited to what was ripped out. In 5
years, 7.1 and 7.2 will likely work precisely the same in terms of decryption.
If a glibc update or similar breaks 7.1, it'll likely break 7.2.

Perhaps I wasn't clear enough in my first comment, but fundamentally it seems
like a silly argument to make to suggest that distributing a new release for
some measure of future proofing readability is necessary. Outside "don't use
this, it's broken," I can't really see "this will still work in 5 years' time"
as a valid reason.

------
Torgo
I tried sending a message to their contact email PGP-encrypted to their public
key, asking them for a PGP-signed confirmation. And it came back:

    550 5.1.1 <contact@truecrypt.org>: Recipient address rejected: User unknown in local

If they got hacked, it's not just their sourceforge account.

------
sp8
I'll leave others more knowledgeable in such things to comment on the
legitimacy of this, but one practical thing I'll note: the assertion on the
site that Windows Vista/7/8 has support for encrypted disks is only half true.
Quoting from Wikipedia [1] "BitLocker is available in the Enterprise and
Ultimate editions of Windows Vista and Windows 7. It is also available in the
Pro and Enterprise editions of Windows 8."

Since a lot of domestic users will be using Home or Home Premium versions of
Windows, and as one of those users who uses Truecrypt for full disk
encryption, this does not leave us with as easy a migration path as this site
now suggests.

[1]
[https://en.wikipedia.org/wiki/BitLocker_Drive_Encryption](https://en.wikipedia.org/wiki/BitLocker_Drive_Encryption)

~~~
Elepsis
It's worth pointing out that it doesn't leave people with a _free_ migration
path, but it is absolutely easy. Windows 7 and 8 both support "anytime
upgrade" functionality, where you can pretty trivially upgrade from Home/Home
Premium to a higher-level edition of Windows without needing to reinstall
anything or move data--just as long as you pay for the more expensive edition.

~~~
rflig
Also there are 3rd party (paid and free) FDE tools available.

------
eli
The advice for Linux is "Search available installation packages for words
encryption and crypt, install any of the packages found and follow its
documentation."

So... just any of them, then? Sure, ok.

~~~
this_user
https://wiki.archlinux.org/index.php/Disk_encryption#Comparison_table

This might help.

~~~
pyre
I think the point was just that the advice given was so vague, that it seems
suspicious that this is _actually_ an official communication.

------
andre
Wikipedia entry was edited and reversed with similar message:
https://en.wikipedia.org/w/index.php?title=TrueCrypt&action=history

By "Truecrypt-end" user:
https://en.wikipedia.org/wiki/Special:Contributions/Truecrypt-end

------
UVB-76
8 hours ago on the IndieGoGo TrueCrypt Audit page [1]

> p.s. We hope to have some _big_ announcements this week, so stay tuned.

[1] https://www.indiegogo.com/projects/the-truecrypt-audit#activity

~~~
UVB-76
Although Kenn White, who wrote that message, has no idea what's going on [1]

> .@FiloSottile @matthew_d_green no idea. It's doing a 301 perm to a static pg
> @ SF, now blocked. Possibly compromised. pic.twitter.com/g5tSFUuXzu

[1]
[https://twitter.com/kennwhite/status/471740840478797824](https://twitter.com/kennwhite/status/471740840478797824)

~~~
pyre
He's responded specifically about the message:

> .@Costly no idea. The announcement was about a new Open Crypto Audit
> Project initiative, not TC.

[https://twitter.com/kennwhite/status/471741290552782849](https://twitter.com/kennwhite/status/471741290552782849)

------
andrewcooke
i just wanted to say thanks to the truecrypt devs for a decade of largely
unthanked and criticised work that, as far as i can tell, has been
impressively reliable.

[kinda disappointed that, despite arriving so late to this thread, no-one
seems to have said this.]

------
toyg
Interestingly, an Infoworld review of the recent TrueCrypt audit [1] says: _"
One major issue was how compiling TrueCrypt from source required the use of an
older Windows build environment that's noticeably out of date [...] using a
shockingly old version of Microsoft Visual C++ released in 1993."_

Align this with what the TC website says now: "development of TrueCrypt was
ended in 5/2014 _after Microsoft terminated support of Windows XP._ "

Could it be that the original developer is somehow unable to update the build
process to work on newer OSes, or unwilling to do so? Maybe they don't trust
any VC++ released after 1993, and that version is probably not going to work
on Windows 7 or 8.

[1] http://www.infoworld.com/t/encryption/sloppy-secure-open-source-truecrypt-passes-audit-240478

~~~
Alupis
I would be absolutely shocked if there was some reason any VC++ lib would not
install on any modern Windows OS.

Microsoft has many faults, but backwards compatibility is not one of them.

I doubt this would be the reason. (Also, TrueCrypt runs on OSX and Linux too,
so a build environment dependent on Windows-only seems odd).

~~~
A_Non_eMouse
The version of MSVC needed is 1.52c, which was 16-bit, and was the last
version able to create 16-bit binaries. It was likely needed for building the
bootloader. (Why this couldn't be moved over to a FOSS compiler, I don't
know.)

------
computer
> WARNING: Using TrueCrypt is not secure as it may contain unfixed security
> issues

I see many readers here and on Twitter who interpret that as "TrueCrypt has
security issues". That's not what it says. It says that it might be insecure.
That does not make too much sense right now, but considering this webpage
would be meant to stay up, unchanged, for years, that makes a lot more sense:
security problems may be found, and will not have been fixed in the version on
the page.

So, it's a deprecation warning, not a security issue warning.

~~~
emeraldd
For security software, deprecation is effectively a security issue since there
are no plans for fixing future bugs.

------
david_shaw
Well - this comes as a pretty big surprise.

Is this real? Is there a known vulnerability that catalyzed this? Money from
Microsoft? Threats?

I'm not buying into conspiracy theories, but it does seem pretty out of place.

~~~
pearjuice
The binaries are properly GPG-signed with the same key as the previous
binaries, check for yourself. [They] either compromised their private key too
or the actual developer(s) did this. Be it voluntarily or by force of secret
three-character agencies / a massive pay check.
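ultramancool's "PGP matches" above and pearjuice's "check for yourself" both reduce to the same routine: verify the detached OpenPGP signature on the download, and compare the signing key's fingerprint with the one the project used for earlier releases, because gpg's "Good signature" alone says nothing about whether it is the key you trusted before. The script below is an added example, not code from the thread, from the TrueCrypt project or from GnuPG's documentation. It assumes GnuPG 2.x is installed as `gpg`; the file names and the pinned fingerprint are placeholders supplied by the caller, and the demo constructs a throwaway key and release file in a temporary keyring rather than using anything from truecrypt.org.

```shell
#!/bin/sh
# Added example (not from the thread or the TrueCrypt project): verify a
# release against its detached OpenPGP signature and pin the signer's
# primary-key fingerprint to the one recorded from earlier releases.
# Assumes GnuPG 2.x as "gpg"; file names and fingerprint are caller-supplied.

# verify_release FILE SIG EXPECTED_FPR
# Succeeds only if SIG is a valid signature over FILE made by the key whose
# primary fingerprint is EXPECTED_FPR. A bad signature, an unknown key, or a
# valid signature from some other key (a "new official key") all fail.
verify_release() {
    file=$1; sig=$2; expected=$3
    # --status-fd 1 emits machine-readable lines; the last field of the
    # VALIDSIG line is the primary-key fingerprint of the signer (GnuPG 2.x).
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$signer" ] && [ "$signer" = "$expected" ]
}

# demo_verify: exercise verify_release on a constructed release file signed by
# a throwaway key in a temporary keyring. Covers the three outcomes a
# downloader cares about; returns 0 only if all three behave as expected.
demo_verify() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    printf 'constructed release contents\n' > "$work/release.tar.gz"

    # Throwaway, passphrase-less, non-expiring key standing in for the
    # project's long-lived release key (constructed for this demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Release Key <release@example.invalid>' default default 0 \
        >/dev/null 2>&1 || return 1
    # The fingerprint a careful user would have recorded from a past release.
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr:/{print $10; exit}')

    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$work/release.tar.gz.sig" "$work/release.tar.gz" \
        >/dev/null 2>&1 || return 1

    rc=0
    # 1. Genuine file, genuine signature, pinned fingerprint: must pass.
    verify_release "$work/release.tar.gz" "$work/release.tar.gz.sig" "$fpr" \
        && echo "PASS genuine release verifies" || { echo "FAIL genuine release"; rc=1; }

    # 2. Same signature over a modified file: must fail (gpg reports BADSIG).
    cp "$work/release.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    verify_release "$work/tampered.tar.gz" "$work/release.tar.gz.sig" "$fpr" \
        && { echo "FAIL tampered file accepted"; rc=1; } || echo "PASS tampered file rejected"

    # 3. Valid signature, but not from the key we pinned: must fail. gpg alone
    # prints "Good signature" here; only the fingerprint comparison catches it.
    verify_release "$work/release.tar.gz" "$work/release.tar.gz.sig" \
        0000000000000000000000000000000000000000 \
        && { echo "FAIL unpinned key accepted"; rc=1; } || echo "PASS unpinned key rejected"

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
    unset GNUPGHOME
    return $rc
}
```

In real use you would call `verify_release TrueCrypt-7.2.tar.gz TrueCrypt-7.2.tar.gz.sig <fingerprint you recorded from a 7.1a download>` with the project's actual file names. Case 3 is the one the thread is arguing about: a release signed with the same long-standing key (what ultramancool and pearjuice observed) passes this check, which is exactly why it narrows the explanation to "the key holder did it" or "the key was taken", and cannot distinguish between the two.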

~~~
this_user
Maybe something like the Lavabit scenario where they rather close the shop
than sell their users out. On the other hand, proposing Bitlocker as an
alternative would be rather suspect in that case.

~~~
unsignedint
Well, the thing is though, it's not that they were hosting users' data. It's
not like they would be forced to provide the contents of users' communication.

I suppose they could be approached by someone to plant backdoor into the
software, but I wonder if that can be done without someone noticing it...

~~~
marcosdumay
If they put a backdoor on the binaries, but not source, lots of people will be
compromised, and for a really long time nobody may notice.

EDIT: I normally don't care. But this time I'd be glad if whoever downmodded this
post explained why.

------
harrystone
Call me paranoid but this just looks like really good evidence that Truecrypt
was secure.

~~~
alextgordon
...or that BitLocker isn't.

~~~
lelandriordan
I know everyone likes to bash MS around here but is there any actual proof of
Bitlocker's insecurity that is more recent than 2008? If you look at wikipedia
it seems like the only known real vulnerability requires someone with physical
access to boot via USB into another OS within a few minutes of turning the
computer off. When is this a real risk for anyone? I am not a security expert
but unless you are doing things shady enough to get raided by the FBI, it
seems like Bitlocker is pretty secure. The same problem occurs in other
encryption programs on Linux and OSX. Also, it may not be open source like
what we want, but MS lets its partners and enterprise customers audit the code
subject to an NDA.

[http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption#Secu...](http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption#Security_concerns)

~~~
pfg
It's really not that hard to imagine scenarios where this might happen. Simply
leaving your notebook unattended after a shutdown might leave you compromised.
Besides, government agencies in other countries might have a slightly
different view on what constitutes "shady behaviour" (think regime critics).

------
dpeck
Best advice is for everyone to sit tight and not do anything for at least 24
hours. You'll be saving yourself a world of heartburn.

------
evunveot
According to this http://dnshistory.org/dns-records/truecrypt.org the A
record for www.truecrypt.org hasn't changed (still resolves to 72.233.34.82).
So not a DNS hijack.

------
filmgirlcw
This doesn't pass the smell test. Either there was some underlying political
reason for this migration or someone hijacked the DNS.

Anyone know who the main committers/project leads are so we could reach out
for comment/clarification?

------
tptacek
Well, if red Times New Roman on a Sourceforge page says so...

~~~
ivank
[http://truecrypt.org/](http://truecrypt.org/) redirects there, too.

~~~
harshreality
Tom has a point, though. The nature of the message (abandoning truecrypt
rather than fixing it simply because XP is end-of-lifed?) and the
unwillingness to fix it rather than post a dire message about its insecurity
and recommend migrating to other solutions that don't have hidden volume
functionality -- it suggests it's either very poorly handled, or a fake
message.

It might be more likely that a dev got hacked, compromising the signing key,
sourceforge project, and truecrypt.org site.

~~~
tptacek
We don't know much about the TC developers, do we? It's also possible that
they're just really cavalier about this stuff, and that this is their response
to the TC audit process ("stop bothering us about it and use something that's
maintained").

~~~
harshreality
True. Security announcements have been botched in the past, for all sorts of
reasons, not that you have any experience with that, of course. But what does
XP being EOL'd have to do with _anything_? That and the blithe recommendation
to use other solutions, even though they don't have hidden volume
functionality which is a main selling point of TC, is what changed my mind,
from thinking this is probably a legit mishandled disclosure, to thinking it's
probably fake.

On the other hand, as pointed out in other subthreads, if the devs are tired
of maintaining it, this could be a legit, unappreciated-developer version of a
temper tantrum. Nobody seems to know (yet).

~~~
nikcub
> But what does XP being EOL'd have to do with anything?

Every version of Windows after XP has a native disk encryption utility.
TrueCrypt was built to bring full disk encryption to Windows, which didn't
exist at the time - this is the developers' way of saying "you don't need us
anymore, Windows now does what we did".

~~~
myoldryn
Not every version... In the case of Vista and 7 only the Enterprise and Ultimate
editions have it, and in the case of 8/8.1 you need to have the Pro or Enterprise
edition.

~~~
nikbackm
True, but if you need disk encryption you probably use one of those already.

I mean, a normal use case is a corporate laptop used when traveling or
similar. Normal home users certainly have no need of it, for them it's just
something else that can go wrong and destroy all their data.

------
jshb
Perhaps the TC devs were ticked off that this audit kickstarter/indiegogo has
netted so much money none of which goes to the devs. And this is their way of
not playing along with the whole shenanigan.

------
diminoten
There's no way this is legit, but if it is, what other kind of cross-platform
solution is available? I need to be able to encrypt/decrypt on all 3 major
OSes.

~~~
alecdbrooks
Maybe EncFS [0]? Its Windows port is experimental, alas. I suppose it would be
suitable if you were willing to make frequent backups.

[0]:
[https://en.wikipedia.org/wiki/EncFS](https://en.wikipedia.org/wiki/EncFS)

~~~
Eiwatah4
There is a relatively recent audit[1] of EncFS with some damning results. I
really wouldn't use it.

[1]: [https://defuse.ca/audits/encfs.htm](https://defuse.ca/audits/encfs.htm)

~~~
ars
> damning results

They didn't seem that severe to me, they seemed pretty minor actually.
Especially if your attack vector is solely a read attack rather than a read-
write attack.

Which one got you worried?

~~~
TheLoneWolfling
> EncFS is probably safe as long as the adversary only gets one copy of the
> ciphertext and nothing more. _EncFS is not safe if the adversary has the
> opportunity to see two or more snapshots of the ciphertext at different
> times._ EncFS attempts to protect files from malicious modification, but
> there are serious problems with this feature.

Which, seeing as my current major use case is to lock down Dropbox, kind of
renders it useless for me.

~~~
bothuman
EncFS is horrible.

However, you should not use XTS with Dropbox:
[http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/](http://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/)

------
braum
I'm really confused. Which isn't unusual really, but in this case I think it
is understandable.

~~~
alecdbrooks
I'm with you. This seems like an odd move, given that most likely only a
minority of their users used XP for some time. Why haven't they been warning
Windows Vista, 7 and 8 users to use Bitlocker for years (not to mention Mac OS
X and Linux users)? Perhaps I just missed the warnings, but I am really
puzzled.

I suppose the developers could have just found a massive vulnerability
(perhaps they're doing their own audit in advance of the public one?).

~~~
axx
If you scroll to the bottom, you'll find this link:
[http://truecrypt.sourceforge.net/OtherPlatforms.html](http://truecrypt.sourceforge.net/OtherPlatforms.html)

~~~
alecdbrooks
I saw that. It's just that taking this line at face value, it's not clear why
they would port TrueCrypt to Linux and Mac OS X or suggest that people using
later versions of Windows should use TrueCrypt:

>The development of TrueCrypt was ended in 5/2014 after Microsoft terminated
support of Windows XP.

------
ACow_Adonis
I remember TrueCrypt from several years ago when I was looking into various
options for encryption. Haven't used encryption for a while, but if this is
true, is there now an encryption software/service that doesn't involve being
authored by a large corporation in the country that gave us the NSA, and which
allows things like hidden volumes/partitions, algorithm choices, and use with
various portable devices?

~~~
byuu
FreeBSD has GEOM/geli, which is a block-level (sub-filesystem) encryption
method written by Paweł Jakub Dawidek (a Pole). It allows your choice of
several data integrity verification algorithms, several encryption algorithms,
and the usage of zero or more key files and/or a passphrase. And you can use
it on external devices if you like. Also supports hardware acceleration via
AES/NI with recent Intel CPUs.

Since it's block-level, you can use any filesystem you like. Since it's BSD,
you might as well use ZFS (but don't use data integrity verification if you
do, since ZFS has that built in.)

Downside is that you have to use FreeBSD to get it. Upside is that you get to
use FreeBSD =)

------
lucb1e
The interesting thing about this is how everyone is going on about there being
no cross-platform alternative. Really, is Truecrypt the only available option?
Because that's a pretty sad state of affairs then; there needs to be only one
unnoticed bug and pretty much all full disk encryption is broken. Unless you
want to chain your data to Microsoft, that is.

~~~
marcosdumay
There are plenty of alternatives that don't work on Windows, and a few that
only work on Windows.

Thus, there is no cross-platform alternative.

------
Tomte
Turning on Bitlocker has been on my TODO list for quite some time now, but to
me the real value of Truecrypt wasn't full disk encryption, it was having
encrypted volumes and mounting them on a as-needed basis.

And how do I handle sensitive stuff wrt backups? I could burn a Truecrypt
volume to a DVD or Blu-ray. I cannot do this in any way with Bitlocker, can I?

~~~
jodrellblank
_I cannot do this in any way with Bitlocker, can I?_

Yes. There's BitLocker to Go for encrypting removable drives, and with Windows
Professional editions you can create and mount a VHD virtual hard disk file as
if it was any other drive, and Bitlocker encrypt it, e.g.

[http://www.concurrency.com/blog/encrypted-container-using-bi...](http://www.concurrency.com/blog/encrypted-container-using-bitlocker-and-vhd/)

------
notlisted
I recently came across this link (Apr 15 2014) [1] which references [2].
Wonder what happened.

[1] [http://www.infoworld.com/t/encryption/sloppy-secure-open-sou...](http://www.infoworld.com/t/encryption/sloppy-secure-open-source-truecrypt-passes-audit-240478)

[2]
[https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_A...](https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf)

------
morepyplease
A significant concern of mine with this is that Windows 8 has support for
syncing your bitlocker encryption keys with microsoft. If privacy is something
a user is seeking, how easy would it be to subpoena bitlocker keys for a user
under duress?

~~~
fiatmoney
Trivial. It's the same as any other business record.

------
Canada
I've always found it sketchy how the maintainers remove old versions.

Now seems like a good time to: git clone [https://github.com/DrWhax/truecrypt-archive.git](https://github.com/DrWhax/truecrypt-archive.git)

~~~
kbart
Can somebody confirm that these archives are valid?

------
kirab
Could it be related to this announcement from yesterday: "just yesterday we
added the ability to extract cached Truecrypt passphrases from Linux memory
dumps."

[http://volatility-labs.blogspot.de/2014/05/volatility-update...](http://volatility-labs.blogspot.de/2014/05/volatility-update-all-things.html)

~~~
stith
Extracting TrueCrypt passwords from memory dumps has been trivial for quite a
while now.

~~~
asdfasdfasdddd
Agreed. TrueCrypt has always been upfront about the dangers of physical access
to your machine (pulling master keys from RAM). This kind of response wouldn't
make sense.

------
dewey
OP here, I came across this link via this Tweet [0] and it's probably a good
idea to stay away from the linked TrueCrypt version on the site. It's version
7.2 and afaik the last version for Mac was 7.1.1 (At least that's what I
installed recently).

I really hope it's "just" a defacement/DNS issue.

[0]
[https://twitter.com/maclemon/status/471727027356434432](https://twitter.com/maclemon/status/471727027356434432)

Edit: Just saw the comment that they are properly signed. I'll just sit tight
and wait for an announcement then.

------
tux3
Repost from 4chan, there's a silly coincidence in the warning.

>WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

That's worded awkwardly.

>Not Secure As

Emphasis on the NSA in "not secure as":

>WARNING: Using TrueCrypt is NSA it may contain unfixed security issues.

------
mschuster91
In case this is legit: Bitlocker so far so good, but neither Bitlocker nor any
other crypto solution offers plausible deniability (aka hidden volumes).

~~~
greyfade
I've heard multiple rumors that the NSA has a backdoor in Bitlocker. I don't
trust any of this.

~~~
e12e
I suppose this leaves yet another possible explanation: A secret order with
the intention of getting people to stop using truecrypt and start using
bitlocker (possibly either bl and/or tpm has some convenient back doors in
them...)?

------
lawl
If this is true it's time to fork, I guess. Though I remember TC having a weird
license. Anyone know to what extent TC would be forkable?

~~~
lnanek2
Amusingly, they modified the license to remove the advertising clause that was
causing trouble. The author seems really awesome in the way they are handling
this; wish they weren't stopping. It may be out of their hands, however: NSA,
lawsuit, whatever.

------
x0jar
Just did a quick search and came across this:

[http://archive.today/h68Xb](http://archive.today/h68Xb)

I find it very odd that this person also mentions BitLocker... Anyone know who
this Peter Kleissner is?

------
UVB-76
Suspicion this could be related to the NBC News Snowden interview to be aired
tonight?

~~~
mindcrime
It's hard to see how it could be, but it's hard not to suspect something,
given the timing. That'd be a pretty big chance coincidence.

------
edwintorok
So what was the point of raising money to audit TrueCrypt if they knew they
would shut it down once XP was EOL? In fact why didn't they announce this
earlier?

~~~
sp332
Maybe the result of the audit is that it's not secure?

~~~
artumi-richard
But without a similar audit on the alternatives proving their security, surely
the most responsible action would be just to explain there is a problem and
stop there.

------
dpeck
Site seems to be getting close to its bandwidth quota and returning errors
occasionally. Image mirror from @FiloSottile:
[https://pbs.twimg.com/media/Bov18I1IYAEGFEb.png:large](https://pbs.twimg.com/media/Bov18I1IYAEGFEb.png:large)

------
N0joke
If the developer wanted to 1) motivate a fork, 2) maybe abandon the license
under the guise of "he dare not reveal himself for the purpose of enforcing
it", and 3) still keep the TC-hugging ciphernerd throngs willing to use the
forked software by suggesting an alternative so unpalatable, then he might
take actions like we've seen here; and the results might be that he could 1)
come out of hiding as some "new" project lead, 2) license it differently, and
3) have a huge, loyal user base. This means he might now be able to
participate in funding campaigns like the Audit's and make money from
licensing it to, for example, commercial enterprises, without generating too
much outrage.

------
pasbesoin
So... the best course is likely a bit of patience. However, is there any way
to establish some trustworthy mirrors of 7.1a for those who need it while this
is still in the course of blowing over?

(I'm just bringing up some new machines, myself -- I'll have to hunt a bit for
local copies from the last time I downloaded (legitimate copies of) the 7.1a
version.)

--

P.S. For two recognizable names/sites (to me, at least) near the top of a
Google search, FileHippo and CNET are hosting Windows .exe installers for
7.1a. No signature files, though. And with CNET (download.com), as I seem to
recall and last I heard, they practice wrapping the actual product installers
inside their own crapware installer.

~~~
venomsnake
Just checked - I have the 7.1a source + Windows installer. Securely encrypted on a
TrueCrypt volume. So I backed them up a few times.

In a few days there will be some information and possibly a fork.

------
pcvarmint
[http://arstechnica.com/security/2014/05/truecrypt-is-not-sec...](http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/)

------
myth_buster
Screenshot before the site went down.

[http://i.imgur.com/rmuogzH.jpg](http://i.imgur.com/rmuogzH.jpg)

------
od9
Maybe it wasn't someone's account being compromised, maybe some of the
developers got into a huge disagreement and one of them did this as a kind of
"fuck you, I'm done" to the rest of the team.

------
Tomte
Is that real? Is the web page just defaced?

~~~
rsync
truecrypt.org does a redirect to this sourceforge page, so perhaps it is the
DNS that got hijacked, and not truecrypt website itself.

I don't remember TC ever being hosted on SF, so I think this is a bad
redirect...

~~~
guan
On the other hand, SourceForge lists the project as having been created in
2004:
[http://sourceforge.net/projects/truecrypt/](http://sourceforge.net/projects/truecrypt/)

~~~
kintamanimatt
The SF account could have been compromised too.

~~~
guan
Certainly, it just makes it less suspect that it’s on SourceForge at all.
(Unless SourceForge lets you rename projects? Then it could be an old
placeholder project that’s been renamed to truecrypt.)

------
Shorel
It is the only full disk encryption software currently used that offers
plausible deniability.

Plausible deniability is the key here.

I think the FBI and/or the NSA bullied the developers and forced them to
this.

~~~
rflig2
PLEASE DELETE THIS POST!

Dear mod, as you seem to moderate posts (of new user accounts??) I post here
despite mailing: Please update
[http://ycombinator.com/newswelcome.html](http://ycombinator.com/newswelcome.html)
to reflect that posts are moderated before being published (and in which
cases) and the actual meaning of "You're submitting too fast. Please slow
down. Thanks." (i.e. which frequency is 'OK' etc.). It would make your site easier
to handle and so more attractive to users willing to abide by the rules.

Thank you.

~~~
dang
Comments from new accounts posted through Tor are killed automatically. This
was necessary because of abuse by spammers and trolls. Moderators unkill many
of these comments and mark the user accounts as legit so their comments won't
be auto-killed.

Please don't post comments like this one, though. As the HN guidelines say,
you should email hn@ycombinator.com instead. We can't always answer right
away, but we do answer.

------
rian
If you're looking for an actively developed, cross-platform free software
alternative: [http://www.getsafe.org/](http://www.getsafe.org/)

~~~
roadnottaken
Can anyone else comment on the viability of this option? It seems pretty nice,
from the website, but I'd like to hear more about its reputation in the
security community.

~~~
MichaelGG
GetSafe was discussed a few times on HN. A potentially interesting thread:
[https://news.ycombinator.com/item?id=7588497](https://news.ycombinator.com/item?id=7588497)

It is not full disk encryption, so not a direct alternative for a product like
TrueCrypt. I believe it uses a RAM disk for the files so you're limited in
size, too - something like that.

Personally I'm not a big fan of using WebDAV to expose the encrypted file
system - it seems like a large liability. But I'm not a real security expert
at all, just saying it sounds complicated to get right (caching could keep a
unencrypted copy) and exposes an even larger attack surface.

------
tachion
Time for OpenTrueCrypt AKA LibreTrueCrypt? Theo, we're ready and we're
waiting! ;)

------
yk
Just trying to make sense of the news (did I miss something, or is this the
current state of the rumor mill?):

1. Truecrypt.org redirects to TrueCrypt's sourceforge account.

2. The sourceforge page is defaced.

3. There is a signed(?) binary which can only be used to migrate.

Sounds remarkably bad (and remarkably much effort for the lu1z). So is there
a defined version for the audit? (Such that there is a known good version to
roll back to?)

------
zufallsheld
Must be fake / a hack. It wants you to download TrueCrypt 7.2, but according to
Wikipedia[0] and other download portals the most recent version is 7.1a.

[0] [https://en.wikipedia.org/wiki/TrueCrypt](https://en.wikipedia.org/wiki/TrueCrypt)

------
brunorsini
Can't help but think of Marco Arment's point about free applications... Sigh.
Just wish I could throw a bit of money at them now to stop whatever the heck
is going on here (and yeah, I know I probably could have donated before but
fact is I didn't).

------
opendais
It doesn't appear to be related to the Audit
[https://twitter.com/matthew_d_green/status/47174183672207360...](https://twitter.com/matthew_d_green/status/471741836722073600)

------
zomg
wow this is a kick in the nuts. i've been using truecrypt for years. i
probably won't stop just because development has ceased... but i'm still
curious to know what the real story is behind this. seems sketchy.

------
thrillgore
I missed the part where this document lists the vulnerabilities in TrueCrypt.

~~~
owlmanatt
It says 'may', which is a responsible message if you're abandoning security
software. Never know what the future holds; don't want to encourage people to
rely on it if bugs will never be fixed.

------
redfhendrix
Back and forth speculation is great and all, but does anyone know of a solid
alternative to TrueCrypt? Preferably open-source, but at the very least not a
potential government lap-dog like Microsoft?

~~~
mcovey
tcplay - [https://github.com/bwalex/tc-play](https://github.com/bwalex/tc-play) - is TrueCrypt compatible but based on dm-crypt; afaik it's only
compatible with Linux/BSD, although for privacy-conscious individuals, few
other operating systems make sense to run.

Wild guess here but you might want to recreate any containers using tcplay and
copy files over, rather than continuing to use possibly compromised truecrypt
containers.

For full-disk encryption Linux has LUKS/dm-crypt/cryptsetup.

~~~
pldg59
Given that we know nothing about the security of TrueCrypt at this point, can
we really say that tcplay is safe? I am especially reluctant to use TrueCrypt
to access tcplay containers using the TC gui. Thoughts?

------
iki23
[http://news.softpedia.com/news/TrueCrypt-Not-Dead-Forked-and...](http://news.softpedia.com/news/TrueCrypt-Not-Dead-Forked-and-Relocated-to-Switzerland-444447.shtml)

home: [http://truecrypt.ch/](http://truecrypt.ch/)

source:
[https://github.com/FreeApophis/TrueCrypt](https://github.com/FreeApophis/TrueCrypt)

twitter:
[https://twitter.com/TrueCryptNext](https://twitter.com/TrueCryptNext)

------
cr4zy1
I just hope that light will be shed on this sometime soon so the speculation
will stop. If you guys have looked at the audits you can see that if there are
any ones that can cause harm you need administrator level access, and by that
point why try to break into truecrypt by screwing with volume headers when you
could just install a bloody ASM keylogger and call it a day.

I honestly think that the government is behind this fiasco, nobody just ups
and leaves a massive project used by millions without leaving a valid note.

------
ParkerK
I'm not too up to date on TrueCrypt, but are the authors of the project known?
Or is their identity unknown? Can they be contacted in any way, or is there
anywhere they post often?

------
enscr
If I take this message at face value and decide to switch to BitLocker, can
someone answer this.

Dropbox + Truecrypt take full advantage of block sync & block encryption i.e.
if a tiny piece of data is modified inside an encrypted container, only the
relevant blocks are synced on update. Dropbox does not need to sync the entire
container each time. This is a very useful feature. I know Google Drive &
OneDrive aren't that smart.

Will bitlocker + Dropbox work the same way?

~~~
MichaelGG
Bitlocker is block based, too. It uses a diffuser keyed off the sector to
serve in lieu of an IV. So block-based sync software should work just as well
on it.
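To make concrete why sector-addressed encryption plays well with block-based sync (the Dropbox question just above) and why the EncFS audit's two-snapshot warning quoted earlier in the thread applies to any such container, here is an added Go example; it is not code from TrueCrypt, BitLocker or anyone in this thread. It uses AES-CTR with a sector-index nonce as a labelled stand-in for a real disk-encryption mode, and the container contents and key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit both the encryption layer and a block-based sync
// client work in.
const SectorSize = 512

// encryptSector encrypts one sector with AES-CTR, deriving the nonce from the
// sector index. This stands in for the sector-keyed tweak of XTS or
// BitLocker's diffuser: identical plaintext at two different sector indices
// encrypts differently and nothing per-sector has to be stored. It is NOT a
// real disk-encryption mode: CTR with a fixed nonce leaks the XOR of old and
// new plaintext when a sector is rewritten, which is why real systems use
// tweakable block modes instead.
func encryptSector(block cipher.Block, index uint64, plain []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[:8], index)
	out := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(out, plain)
	return out
}

// EncryptContainer encrypts a container image sector by sector. len(plain)
// must be a multiple of SectorSize, as it is for a real volume image.
func EncryptContainer(key, plain []byte) ([]byte, error) {
	if len(plain)%SectorSize != 0 {
		return nil, fmt.Errorf("container length %d is not a multiple of %d", len(plain), SectorSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(plain))
	for i := 0; i < len(plain)/SectorSize; i++ {
		sector := plain[i*SectorSize : (i+1)*SectorSize]
		out = append(out, encryptSector(block, uint64(i), sector)...)
	}
	return out, nil
}

// ChangedSectors compares two ciphertext snapshots of the same container and
// returns the indices of sectors that differ. A block-based sync client
// re-uploads exactly these; a provider holding both snapshots learns exactly
// which sectors the user touched, the two-snapshot exposure the EncFS audit
// describes.
func ChangedSectors(before, after []byte) []int {
	var changed []int
	n := len(before)
	if len(after) < n {
		n = len(after)
	}
	for i := 0; i < n/SectorSize; i++ {
		a := before[i*SectorSize : (i+1)*SectorSize]
		b := after[i*SectorSize : (i+1)*SectorSize]
		if !bytes.Equal(a, b) {
			changed = append(changed, i)
		}
	}
	return changed
}

// Demo encrypts a constructed 8-sector container, flips one byte inside
// sector 3, re-encrypts, and reports which ciphertext sectors changed.
func Demo() ([]int, error) {
	key := bytes.Repeat([]byte{0x42}, 32)                 // constructed demo key
	plain := bytes.Repeat([]byte("filedata"), SectorSize) // 8 sectors of constructed data
	before, err := EncryptContainer(key, plain)
	if err != nil {
		return nil, err
	}
	edited := append([]byte(nil), plain...)
	edited[3*SectorSize+17] ^= 0xff // a one-byte edit inside sector 3
	after, err := EncryptContainer(key, edited)
	if err != nil {
		return nil, err
	}
	return ChangedSectors(before, after), nil
}

func main() {
	changed, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext sectors a block-sync client would re-upload:", changed)
}
```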

------
ChrisAntaki
Perhaps it's time for a fork.

~~~
edwintorok
The TrueCrypt license is not OSI approved, so probably no one wants to touch it,
for the same reason no one wanted to touch OpenSSL for all those years ...
unless you really, really have to and have no alternatives.

~~~
ewindisch
With the authors anonymous and presumably intending to stay so, there is
nobody to challenge copyright violations against their code. Furthermore,
international copyright law can have a certain flakiness in execution
depending on various circumstances.

Not that it makes it right, but the limitations of licensing are more ethical
than practical.

------
sp332
OS X version
[http://truecrypt.sourceforge.net/OtherPlatforms.html](http://truecrypt.sourceforge.net/OtherPlatforms.html)

------
Ayaz
I was wondering: That page on SourceForge with the warning wasn't put up only
yesterday, was it? Because, I could've sworn I came across that page several
days ago (or even more) and when I saw people talk about the page allegedly
being a hoax yesterday, I couldn't help but wonder why it was discovered all
of a sudden only yesterday and not before.

------
surakvulcan
This is the best analysis I have seen on the situation so far. It has the
facts, cites sources, and gives a few theories as to what may be happening.

[http://www.etcwiki.org/wiki/What_happened_to_Truecrypt_-_May...](http://www.etcwiki.org/wiki/What_happened_to_Truecrypt_-_May_2014)

~~~
falsecrypt
Great theories, good list of facts, but there aren't too many facts to begin
with. Any ideas to add?

------
testOSTERON
You can still reach the old website, if you're asking the SF-webserver for the
index.php (not the index.html). That site seems pretty normal, except for the
warning:
[http://truecrypt.sourceforge.net/index.php](http://truecrypt.sourceforge.net/index.php)

------
ctb_mg
From Matt Green's twitter. "This is Truecrypt's advice on creating an
encrypted Mac disk image. Encryption: none."

[https://twitter.com/matthew_d_green/status/47199831543788339...](https://twitter.com/matthew_d_green/status/471998315437883392)

------
mrmattyboy
Why have they only talked about how to secure a partition in Windows? Would the
developers, or the persons who took over the project, not care about other
operating systems?!

Of course, by 'they', I mean the fake development team that the hijacker of
the site wanted to portray... no way this is real

~~~
jcrawfordor
TrueCrypt is, to be honest, Windows software. The Linux version is a port and
used to lag far behind the Windows version featurewise (for some time it was
command line and even read-only).

------
unsignedint
One thing I have noticed is that the version they have on this site is 7.2,
and if I remember correctly, it was 7.1a that was on truecrypt.org
(checked a few days ago...)

So they've put up a new version and are telling us it's for migration only?

~~~
lnanek2
Amusingly it also has unrelated changes that look like the developer was
working on 7.2 for a proper release before this.

------
secfirstmd
This entire situation creates a real headache for people who train human
rights defenders, activists and journalists. Quite a lot of the material,
lessons etc rely on TrueCrypt (even though many of us had suspicions about
it.)

------
general_failure
Related:
[https://www.schneier.com/blog/archives/2014/04/auditing_true...](https://www.schneier.com/blog/archives/2014/04/auditing_truecr.html)

------
luciusf
Why not turn this around (for fun): It was developed by agencies all the time,
and someone from within (snowden fanboy) decided now to blow it up.

So it's not defacing, but dedefacing - or so...

------
tehabe
For me the weirdest thing is that the authors of the current text on the
website are mentioning the end of XP support as a reason.

Am I the only one who thinks that is odd?

------
nodata
My money is on setting a very weak password on the sf.net account to allow
trust in the project to be reduced. This allows them to comply with an NSA
order.

------
therealmarv
Maybe it is time for LibreTruecrypt ;) like LibreSSL !

~~~
cptn_brittish
No it has to be called openTruecrypt first and then we fork that to
LibreTruecrypt

~~~
unsignedint
Someone has to fork openTruecrypt to Go-ot before that, too. (and merge those
to LibreTruecrypt...)

------
jamesgeck0
I'm seeing a message, "This project has been temporarily blocked for exceeding
its bandwidth threshold."

Does anyone have a cached version?

~~~
myth_buster
Or a screenshot?

Edit: Found it.
[http://i.imgur.com/rmuogzH.jpg](http://i.imgur.com/rmuogzH.jpg)

------
jpswade
This is a call to look at BitLocker very closely.

------
thorrr
Interesting github project:

[https://github.com/bwalex/tc-play](https://github.com/bwalex/tc-play)

------
aaron695
State sponsored hacking?

I'd think it's too organised for a defacement (re-written code, signed
binaries, two sites compromised). I can't see money being made, so can't see it
being criminal.

That kinda leaves a state sponsor with the organisation skills and commitment.
It gets to create doubt about the product and slow its uptake down.

Or it's real :/

------
ioseph
The OSX instructions are particularly hilarious: encryption - none..

~~~
xcrunner529
Mistake.

------
unr3al011
Check out www.truecrypt71a.com for forums, downloads and information.

------
ausjke
what about the enterprise-class ecryptfs? it works at the filesystem level
instead of block(hard-drive partition) level though.

------
EGreg
What about for the Mac?

------
rx4g
inb4 LibreCrypt

------
bak3dj0
Wow this is a real surprise

------
Technophobe
Even if this is not real, it reduces my trust in the TrueCrypt team (since
they were able to get hacked).

------
Ihmahr
The poor Czech guy who wrote TrueCrypt and had the pgp keys will be found
hanged with his finger nails removed.

------
xenadu02
Seems like a state-financed targeted attack. It only has to last long enough
to get the target (a user of truecrypt) to switch off it. My guess is whoever
they are going after is being inundated with links to the page. They must also
be a Windows user, since they took great pains to demo how to move the data.

------
gldsmth
I don't see why so many are jumping onto conspiracy theories. Truecrypt, like
the page states, has become redundant with built-in OS offerings. While it
could be used for other things, the main reason/drive behind its development
was the Full Disk Encryption feature, which has only ever worked on Windows,
and has only ever truly been "necessary" for Windows XP users. Windows had
bitlocker for FDE since Vista, Mac OS X had FDE built-in with Filevault 2
since Lion, and linux since installers started shipping with dm-crypt built-
in. Like it or not, with Windows XP being obsoleted there isn't much drive
left to develop something like Truecrypt. Just use the built-in OS features.

~~~
jmnicolas
There are people in this world that do not trust big corporations with their
data. Truecrypt is (was ?) a welcome alternative to Bitlocker and Filevault.

~~~
gldsmth
Because developers who refuse to show any responsibility for the code they've
written (by staying anonymous and thus not risking their career/credibility in
software) are much more trustworthy than "big corporations" right?

It hasn't even been a month since phase 1 of the first truecrypt audit ended.
Which means up until now this piece of software was as shady as it could be.

~~~
dmix
People who create security software are always targeted by governments, and a
lesser extent hackers. Truecrypt devs who remain anonymous can produce
software in a much safer environment. Just like Satoshi. Code can speak for
itself.

~~~
gldsmth
> Code can speak for itself.

The constant open source mantra of "code speaks for itself" strikes again..
except that none of the competent eyeballs have looked at truecrypt up until
very recently (phase 1 audit ended in April 2014 which is ten years after the
first truecrypt release). A lot of good did it do with OpenSSL too.

But surely, code written by anonymous, untrustworthy developers that hasn't
been looked at much for ten years is worth more than code written by a
corporation that has a public image to uphold.

As for "being targeted by government" that's called conspiracy theories.
Unless you live in a place like Russia or Saudi Arabia you don't have anything
to fear just because you wrote encryption software.

~~~
dewey
> As for "being targeted by government" that's called conspiracy theories.

This is already happening and not a conspiracy theory any more:

[0] [http://nakedsecurity.sophos.com/2012/06/08/interest-in-crypt...](http://nakedsecurity.sophos.com/2012/06/08/interest-in-cryptocat-spikes-following-developers-interrogation-at-us-border/)

[1] [http://www.cnet.com/news/researcher-detained-at-u-s-border-q...](http://www.cnet.com/news/researcher-detained-at-u-s-border-questioned-about-wikileaks/)

