* PGP matches
* Authenticode matches
* SourceForge data was modified
* DNS records were modified
It's quite possible this came from one big developer hack, but considering how the release was done, with full source and everything for every supported platform... if it was a hack, it's a very, very good one. They've also decided to modify the license terms, perhaps bringing it into compatibility with more common FOSS licenses.
I think it's far more likely at this point that the devs, who had not updated their software in years, finally decided to call the project over and have marked it insecure because the codebase is now unmaintained and should be assumed insecure.
This does not explicitly suggest vulnerabilities exist in older versions, but rather that the latest version with these changes is very explicitly insecure and should not be used. This does leave room for issues to have been discovered in old versions - maybe rather than fix them, they are throwing in the towel.
It would be so easy for the person(s) in question to just say that, though.
I don't know what to think.
So they decided to end things with such extremely juvenile behavior, devaluating the years they have invested in this project, even if not recently?
Unless the person responsible fell into clinical depression, it's a pretty strange reason.
I'd hardly call the behavior "juvenile" nor would I call it "devaluating". They've simply abandoned it and are offering alternatives.
(Devaluating? sic? Or is that actually a word?)
If it's the actual TC crew, the explanations toward an NSL or a new vuln that an NSL or similar applies to seem to be about the only rationale - though even then, it seems to me it'd be possible to steer the code audit in the right direction.
Given the churn of new keys today, I'm more inclined to think that the comms of TC have been broken and the breach is being used to drive people away from the releases of the tool for which source is available.
As I said, even if not recently, they still invested many years in that project.
Of course it is juvenile to senselessly ruin the code and suddenly advertise a very different commercial product, especially without proper scientific reason.
Not to mention that precisely because they haven't done much work lately I don't see any reason why the developers would disfigure their project like that.
They're not "advertising a very different commercial product". They're recommending you actually use a maintained alternative. BitLocker is probably the most viable alternative on Windows.
It's also possible that BitLocker solved the problem well enough for them so they saw no gain in maintaining TC any further.
How would closed-source software from a company that has been gladly working with the US government in the past be a "viable alternative" to TrueCrypt? Really, please try to read the comments above before you enter the discussion.
BitLocker lacks another one of TrueCrypt's most important features: open-source code, readable, verifiable, and compilable by any interested user. BitLocker is almost definitely already backdoored, so encouraging people to switch to that makes all of that data accessible by the powers that be.
I think it's silly to pretend like no authorities would have an interest in promoting the use of closed-source encryption techs. Apple and Microsoft were both willful participants in the PRISM program. TrueCrypt was the only open-source FDE software that had widespread adoption on non-Linux systems. After this, no major corporation or group is going to use TrueCrypt to encrypt anything anymore and will rely entirely on the backdoored encryption solutions provided by the NSA's known and confirmed compatriots.
Though I suppose that's not the best legal rationale, now is it?