After examining all the facts, I think it's most likely they just didn't want to develop it anymore:

    * PGP matches
    * Authenticode matches
    * SourceForge data was modified
    * DNS records were modified
And to top it off, let's put ourselves in the theoretical attacker's shoes: the binaries, when run, make no unexpected connection attempts, don't write to any unexpected places and don't appear to contain any unexpected imports, so if this was a hack, it's a very stealthy and very boring one. The most they achieved would be uninteresting to most attackers. It would only really be an effective attack against people who had TrueCrypt volumes but not a current copy of TrueCrypt, as there's no compelling reason for anyone to upgrade to 7.2 and certainly they'd be skeptical after this. Any attacker with the intelligence and patience for such an attack would surely realize how poor an execution this would be. A better attack would be "here, it's TrueCrypt 8, it has loads of EFI support and mad security, everyone should install it, it's the best!". There's simply no reason to shut it down like this, unless the attack is just an elaborate practical joke.

It's quite possible this came from 1 big developer hack, but considering how the release was done, with full source and everything for every supported platform... if it was a hack, it's a very, very good one. They've also decided to modify the license terms, perhaps bringing it into compatibility with more common FOSS licenses.

I think it's far more likely at this point that the devs, who had not updated their software in years, finally decided to call the project over and have marked it insecure because the codebase is now unmaintained and should be assumed insecure.

I agree that it appears the developers are calling it quits. If you look at the diff itself, they have replaced large chunks of logic with an abort routine, passing the message "Insecure App".

This does not explicitly suggest vulnerabilities exist in older versions, but rather the latest version with these changes is very explicitly insecure and should not be used. This does leave room for issues to have been discovered in old versions - maybe rather than fix, they are throwing in the towel.

I think it's most likely they just didn't want to develop it anymore...

It would be so easy for the person(s) in question to just say that, though.

I don't know what to think.

After the years of silence and the previously infrequent updates, I don't consider it farfetched at all.

>>After examining all the facts, I think it's most likely they just didn't want to develop it anymore:

So they decided to end things with such an extremely juvenile behavior devaluating the years they have invested in this project even if not recently?

Unless the responsible one fell into clinical depression it's a pretty strange reason.

They haven't updated it for years.

I'd hardly call the behavior "juvenile" nor would I call it "devaluating". They've simply abandoned it and are offering alternatives.

I think suggesting BitLocker as a viable alternative to their work is "devaluing" their work. Who would trust BitLocker not to be vastly more compromised than TrueCrypt?

(Devaluating? sic? Or is that actually a word?)

You're right - few would trust it more. However, it is the closest viable alternative to TrueCrypt on the Windows platform today.

They don't offer alternatives. Please take a moment to read the second page - the instructions for "other operating systems." The Linux instructions make it damned obvious that someone is playing a game. The question is who and why.

If it's the actual TC crew, the explanations toward an NSL or a new vuln that an NSL or similar applies to seem to be about the only rationale - though even then, it seems to me it'd be possible to steer the code audit in the right direction.

Given the churn of new keys today, I'm more inclined to think that the comms of TC have been broken and the breach is being used to drive people away from the releases of the tool for which source is available.

They're offering an encryption product, not a service, so an NSL would seem pointless unless they want to slap one on everyone who implements cryptography. And there's plenty of better ways for 3 letter agencies to obtain FDE keys. The Linux instructions just make it clear that your options and process vary per distro; if they're ditching the project I doubt they felt like writing piles more docs to describe every possible combination of loop-aes, dm-crypt, ecryptfs, encfs, luks, etc.

>> They haven't updated it for years.

As I said even if not recently they still invested many years into that project.

Of course it is juvenile to senselessly ruin the code and suddenly advertise a very different commercial product, especially without proper scientific reason.

Not to mention that precisely because they haven't done much work lately I don't see any reason why the developers would disfigure their project like that.

I think it makes sense, it can wear on a developer fairly heavily to be burdened by the user community of a cryptography product. Just look at this very thread, so many paranoid theories about NSLs and such, where they don't even make remote sense. They most likely just wanted to stop needing to work on the project or respond to comments.

They're not "advertising a very different commercial product". They're recommending you actually use a maintained alternative. Bitlocker is probably the most viable alternative on Windows.

It's also possible that Bitlocker solved the problem well enough for them so they saw no gain in maintaining TC any further.

"Bitlocker is probably the most viable alternative on Windows."

How would a software with closed source from a company that has been gladly working with the US government in the past be a "viable alternative" to TrueCrypt? Really, please try to read the comments above before you enter the discussion.

Easily. It performs the same task, is actively maintained and supports things like EFI. If you know of a better alternative on the Windows platform, please do tell, because I'm not aware of one and neither are the TC devs it appears. Just because an alternative is not as perfect as you would like does not invalidate it completely. If you try actually reading, you'll note that I am the poster of many of the comments above. Please avoid making an ass out of yourself in the future. And keep your retarded paranoia out of legitimate discussion.

One of TrueCrypt's best features was hidden volumes. As far as I know, BitLocker doesn't have anything like that. I can definitely see that someone would have an interest in getting that shut down.

BitLocker lacks another one of TrueCrypt's most important features: open-source code, readable, verifiable, and compilable by any interested user. BitLocker is almost definitely already backdoored, so encouraging people to switch to that makes all of that data accessible by the powers that be.

I think it's silly to pretend like no authorities would have an interest in promoting the use of closed-source encryption techs. Apple and Microsoft were both willful participants in the PRISM program. TrueCrypt was the only open-source FDE software that had widespread adoption on non-Linux systems. After this, no major corporation or group is going to use TrueCrypt to encrypt anything anymore and will rely entirely on the backdoored encryption solutions provided by the NSA's known and confirmed compatriots.

Does National Security Letter sound depressing enough?

I guess the new license only applies to the release it is distributed with, and this latest version removed encryption features, so I doubt it will make the TrueCrypt project more compatible with FOSS licenses.

True, but they likely intended it for all releases and I highly doubt the dev(s) are going to burn their anonymity to go after you even if they didn't.

Though I suppose that's not the best legal rationale, now is it?

Could you post the PGP & Authenticode details? I was unable to verify the 7.1 releases.
