"So, thanks guys . . . we'll take it from here." seems like an understated reaction. More like a huge thank you for 10 years of hard work, with no personal recognition, providing the world with a free, trusted and increasingly useful aid to security and privacy. Whatever path the devs have chosen to take, TrueCrypt users everywhere are very grateful.
This really doesn't feel satisfying. What about the bizarre way the project was taken down? They really recommend Bitlocker? They literally think you should just grep for "crypt" and use the result for your needs?
I guess I can buy that declaring it insecure because the dev team is no longer maintaining it makes sense.
Assuming this is legit, I wonder if the move toward cloud storage and mobile devices made them feel that they were slipping into a niche need. I disagree (to some extent), but maybe they felt the bulk of their usefulness was behind them.
The writing style in this letter is completely different from that on the TrueCrypt page. If this letter had been posted originally, the whole episode would have been viewed much differently. And why does the author of this letter assure readers that "As far as we know, TrueCrypt is utterly uncrackable", while the TrueCrypt.org page (or rather, the truecrypt.sourceforge.net page to which it redirects) screams (in red at the very top), "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"?
EDIT: Sorry - as brazzy and NickSharp kindly point out below, the letter was imagined and written by Steve Gibson. As the HN title at the moment is "One of the TrueCrypt Devs Responded", I missed that.
Misunderstanding aside, these two statements are not really incompatible:
- "As far as we know, TrueCrypt is utterly uncrackable"
- "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"
It makes sense to post such a warning to a product with no known vulnerabilities, if it's to remain unsupported. What if a bug becomes public tomorrow? Are you going to keep current with the news and analyze allegations, despite having given up supporting the tool? These crypto attacks are often pretty hard to understand...
If this is what they want I am glad they can move on. I just feel like if there was ever a time to be interested in the project it would be now. Obviously, privacy has always been relevant, but given the microscopic lens everyone is under the problem seems relevant, challenging and exciting. The exact opposite time to walk away.
I think the issue really is XP and the 20 year old compiler. It would be insecure to compile on an unpatched OS, and my guess is that they've been unable to get it to work satisfactorily in an updated compiler. Simple as that?
Thank you for your hard and unappreciated work for the last 10 years.
But if you're no longer interested in continuing to develop TrueCrypt, could you please replace the license on 7.1a with one of the OSI-approved, DFSG-compatible licenses so that other people can keep developing and using TrueCrypt if they want to? I know that you think it's risky to keep using TrueCrypt, but there seem to be plenty of people who are willing to fork over tens of thousands of dollars to discover and fix any security issues.
An email sent to the auditing team and/or a message published on the official website, signed with your usual keys, should suffice.