TrueCrypt, the final release, archive (grc.com)
37 points by buddylw 965 days ago | hide | past | web | 15 comments | favorite

"So, thanks guys . . . we'll take it from here." seems like an understated reaction. More like a huge thank you for 10 years of hard work, with no personal recognition, providing the world with a free, trusted and increasingly useful aid to security and privacy. Whatever path the devs have chosen to take, TrueCrypt users everywhere are very grateful.

Note to the devs:

Thank you for your hard and unappreciated work for the last 10 years.

But if you're no longer interested in continuing to develop TrueCrypt, could you please replace the license on 7.1a with one of the OSI-approved, DFSG-compatible licenses so that other people can keep developing and using TrueCrypt if they want to? I know that you think it's risky to keep using TrueCrypt, but there seem to be plenty of people who are willing to fork over tens of thousands of dollars to discover and fix any security issues.

An email sent to the auditing team and/or a message published on the official website, signed with your usual keys, should suffice.

This really doesn't feel satisfying. What about the bizarre way the project was taken down? They really recommend Bitlocker? They literally think you should just grep for "crypt" and use the result for your needs?

I guess I can buy that declaring it insecure because the dev team is no longer maintaining it makes sense.

Assuming this is legit, I wonder if the move toward cloud storage and mobile devices made them feel that they were slipping into a niche need. I disagree (to some extent), but maybe they felt the bulk of their usefulness was behind them.

Is there any proof that these statements from the devs are legit?

They still don't want to explain why they took it down so abruptly, which is strange to say the least for a popular 10 year project.

Also, why didn't they make it easy to continue the project with the license, and why do they keep saying that forking TrueCrypt is "harmful"?

Perhaps they believe that, without them at the helm, any new people who take up the project won't know the code or crypto well enough, creating new security holes.

Perhaps they look at their 10-year old code and think that it would be better if someone re-wrote it from scratch.

The writing style in this letter is completely different from that on the TrueCrypt page. If this letter had been posted originally, the whole episode would have been viewed much differently. And why does the author of this letter assure readers that "As far as we know, TrueCrypt is utterly uncrackable", while the TrueCrypt.org page (or rather, the truecrypt.sourceforge.net page to which it redirects) screams (in red at the very top), "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"?

EDIT: Sorry - as brazzy and NickSharp kindly point out below, the letter was imagined and written by Steve Gibson. As the HN title at the moment is "One of the TrueCrypt Devs Responded", I missed that.

Misunderstanding aside, these two statements are not really incompatible:

-"As far as we know, TrueCrypt is utterly uncrackable"

-"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues"

It makes sense to post such a warning to a product with no known vulnerabilities, if it's to remain unsupported. What if a bug becomes public tomorrow? Are you going to keep current with the news and analyze allegations, despite having given up supporting the tool? These crypto attacks are often pretty hard to understand...

Are you talking about the imagined letter that is, uh, not actually from the TrueCrypt devs?

Sorry - completely missed that. The title of the HN post at the moment is "One of the TrueCrypt Devs Responded".

I believe you are referring to the "imaginary letter" linked to in that post. As stated, that link is speculation, not an actual response from the devs.

If this is what they want I am glad they can move on. I just feel like if there was ever a time to be interested in the project it would be now. Obviously, privacy has always been relevant, but given the microscopic lens everyone is under the problem seems relevant, challenging and exciting. The exact opposite time to walk away.

I think the issue really is XP and the 20 year old compiler. It would be insecure to compile on an unpatched OS, and my guess is that they've been unable to get it to work satisfactorily in an updated compiler. Simple as that?

Given that the application is open source, wouldn't that reason be easy to verify?
