Hacker News new | comments | ask | show | jobs | submit login
Ask HN: What ever happened with the TrueCrypt shutdown?
78 points by Tech1 on June 14, 2014 | hide | past | web | favorite | 84 comments
I haven't heard anything since the first few forum posts. Did we ever figure out definitively if it was a hack, information operation, canary, dead man's switch or what?

Conjecture: TrueCrypt was developed by mainly by one person. This person did write TrueCrypt to encrypt his WinXP Laptop/PC, but does not need it anymore now, because he can now use Bitlocker.

TrueCrypt is a consumer facing Open Source project. Those rarely have a large developer community and seldom get patches. Most successful ones are backed by corporate interests (Firefox, Eclipse, VirtualBox, ...).

Having no need of TrueCrypt himself, no other developer in the community to whom he could entrust the project and faced with drudgery the like he probably also has at his job (except he gets payed there), he probably did not want to continue developing and improving TrueCrypt (e.g. EFI support).

At this point. Since it is a critical security product there is no other option then to warn of all users. If there is a fork, it has to earn its reputation first.

I view truecrypt.ch as a bad development, since a) TrueCrypt is trademarked by the developer and b) the TrueCrypt license explicitly says that you cannot fork the project without renaming it to something other than TrueCrypt.

See https://www.grc.com/misc/truecrypt/truecrypt.htm "And then the TrueCrypt developers were heard from . . ."

A person who the Truecrypt Audit Project has some evidence is the actual Truecrypt developer, in an email I've seen (because I'm working with the project), more or less confirmed this story.

In particular: many people on HN seem to think that Linux Truecrypt is the most important product of the Truecrypt project, but the developers don't see it that way; they started the project for Windows, and Windows has good FDE now.

> Windows has good FDE now.

Only for those running Ultimate or Enterprise edition. What's everyone else supposed to use?

Well if encryption is that important you either buy a version of Windows which has FDE or you buy some other proprietary software which can do FDE. You can just keep using TrueCrypt until you need to upgrade Windows and get BitLocker supported edition.

> What's everyone else supposed to use?

At the risk of sounding snarky, Linux?

If you're not using Ultimate or Enterprise, you're probably not a business, so you probably don't have any business-critical applications that need to be run in Windows, so you can probably just use Linux for anything that needs to be kept encrypted.

Switching to Linux is a conceptual and time-consuming burden that the average consumer will not deal with. Widespread adoption of encryption can only be achieved by making it as simple as possible.

Do you think anyone who is ready and willing to use encryption on Windows is incapable of switching to linux?

FWIW, a non-negligible percentage of my not-computer-savvy friends have switched to Linux over the last few years because they mostly just need an internet machine after all, and were tired of dealing with windows. Most of them seem to have no trouble after they figure out how to boot a liveUSB.

> Do you think anyone who is ready and willing to use encryption on Windows is incapable of switching to linux?

Yes, because I know people who fit that exact profile. Just Friday I was talking to a person who had found TrueCrypt a few years ago and used it ever since, who wanted my help with what the dramatic website shutdown meant for them. "Just switch to Linux" certainly would not have gone over well.

The set of all people who (a) cannot afford Windows Ultimate (b) rely on Windows-only software and (c) want encryption is non-negligible.

Windows 8 Pro comes with Bitlocker and is fairly cheap.

> Windows has good FDE now.

A BitLocker's "feature" is that you can recover your key! So can Microsoft, NSA, etc. See: https://twitter.com/TheBlogPirate/status/471759810644283392

You can recover it if you decided to store it on MS servers. You can just not do that.

That doesn't remove any reason not to trust their implementation.

Sad but true - Given Microsoft's all-too-eager cooperation with the TLA's, any encryption product they pack with the OS is immediately suspect.

That doesn't just apply to Microsoft. I wouldn't trust FileVault on Apple or Red Hat's implementation of LUKS either.

What's the closest thing to a fact you can supply about Red Hat, Apple, or Microsoft subverting FDE software on behalf of any world government?

It's not that they subvert FDE in a provable manner (indeed, the manner of such a subversion would make it almost impossible to prove anyways..), it's that they eagerly cooperate with certain agencies. Microsoft is documented to have given zero-days to government agencies before patching them.

They may or may not be subverted, but why take the risk when you can use something that has a greatly reduced chance of that risk and works cross-platform?

>[Apple & Red Hat] eagerly cooperate with certain agencies

Last I heard on Apple was that their system is perfect, as long as they don't add another key to your iMessages which you'd never know of. So not perfect, but only if you are chosen to be inspected. It can't be part of a dragnet collection unlike say https if the NSA have the private key.

For Red Hat the best I can find in your favour is that some of them have NDAs on their conversations with the NSA.

My SSBN used at least two separate subsystems running Red Hat-based servers as a part of their functionality. Yet another separate system used X11. Thanks, FOSS devs! :)

We won't be given any of those until 2035. Isn't it always 20 or so years later unless you get a Snowden?

When ever there have been a dispute regarding export control of crypto and microsoft, they have opted to exclude encryption or use something like DES with low keysize. Microsoft has also sold exploit tools for windows, which is serious regardless if FDE software was one of the exploits targets.

So, given their history, has they done anything to actually earn our trust?

What are you talking about? Microsoft doesn't source even an appreciable fraction of the exploits for exploitable bugs in Microsoft products. There is a 9-figure business in reversing WinAPI software, discovering vulnerabilities in it, and weaponizing them with exploit code. Microsoft is a bystander to that industry.

I would not call Computer Online Forensic Evidence Extractor (COFEE) to be a bystander. Might be small in the grand scheme of things, but password decryption, data and volatile memory extraction is commonly associated with exploit kits for a reason. It uses vulnerabilities in windows in order to bypass the need to ask for permission.

If a company develop a kit that exploits the internal design of their own product, you are not a bystander. Bystanders do not sell exploit kits.

Are you seriously comparing a crappy forensics tool to a modern exploit kit?

Do you think Wietse Venema and Dan Farmer are suspicious for having released The Coroner's Toolkit? Should we all stop running Postfix now?

In what way is The Coroner's Toolkit using postfix vulnerabilities?

The only relationship those two project has is that they share the same developer. COFEE however exploit microsoft own products.

It seems you are arguing that trust is not effected if companies first sells a product, then sells exploits for that product in secret. It may be small, or unimportant, or old product, but it doesn't really matter to me. Trust is not something that should be given out lightly.

You mean that Microsoft is a victim, who is actively fighting against this 9-figure business, not just a bystander.

Otherwise why bother with exploits, just build good, solid C# backdoors and get over with it already.

Apple has this 'feature' too.

It's a perfectly reasonable feature. For one, it's not just for Microsoft servers -- in an enterprise environment you can just have it stored on your companies AD servers, so if for any reason an employee forgets or loses their key the company can recover the data.

However, you're still missing a fundamental aspect of security, which is that it's targeted, not universal. Your system is not 'secure', it's 'secure against x', where x is your adversary. If your set of adversaries includes, say, someone losing their laptop at the airport, but not Microsoft, then storing your keys on MS servers loses you nothing and gains you ease of use.

This does not explain why they would do something as inexplicably naive as recommending that everyone use a closed-source solution for encrypting their data in 2014. (And conversely, if it were really a matter of them having had a change of heart and suddenly coming to perceive the world to be such a nice and simple place, why didn't they just sign the final declaration with their real names, given that the threat of them being forced to tamper with future versions is now moot?)

It seems like people are still somehow willing to believe that even if a spy agency had set its eyes on Truecrypt, they could not force them to make arbitrary statements to people sending them e-mails or members of the audit project.

Only on HN, Reddit, and Slashdot is a recommendation of Bitlocker "inexplicably naive" because it's "closed-source". Meanwhile: I trust my sources a lot more than I trust your totally unfounded, straight- out- of- the- first- thoughts- that- came- to- your- mind speculation. One substantive difference between my sources and your speculation: I actually have sources.

The fact that the "warrant canary" scenario with Truecrypt is also silly also weighs heavily against your argument. Try to game out the scenario where Truecrypt is actually compromised. Especially funny: it's compromised at exactly the moment when a third party crowdsources an expert review of Truecrypt. That's when they choose to backdoor it. Seems legit.

> Only on HN, Reddit, and Slashdot is a recommendation of Bitlocker "inexplicably naive" because it's "closed-source".

I would be interested in seeing the argument of someone who is not part of "HN, Reddit, and Slashdot" against the proposition that cryptographic software that only few people have access to the source of is not trustworthy. I do not claim being involved particularly deeply in either the academic or the industrial security community, but my impression from the occasional academic discussion group I have managed to find the time to drop in on always was that this and/or some related proposition was part of what is commonly held to be true beyond the need for argument.

Regardless, there are two separate questions here - firstly, whether some sort of foul play actually was involved with the Truecrypt project closing up shop, and secondly, whether the recommendation to switch to Bitlocker should be considered sound or not. I believe that the recommendation is dangerous regardless of what happened with Truecrypt - at the very least, making no recommendation at all or telling people to stay with Truecrypt (7.1) for the time being and giving the OSS community some time to try and fill the vacuum is not worse than making said recommendation under any circumstances. In that light, even if your scenario is more compelling, I would argue that simply to err on the side of caution, one ought to refrain from pushing a narrative to the effect of "nothing fishy here; these perfectly trustworthy people just told you to use Bitlocker, make of that what you will" at this point in time.

It is worth being clear that TrueCrypt is not an 'Open Source project'. The source is available, but it is under a proprietary license designed to discourage forks and reuse and allowing the original authors to sue you. The one-off TrueCrypt license means that TrueCrypt code can not be utilized under any OSI-recognized open source licenses as it is incompatible with them. The FSF, Ubuntu, etc all agree that TrueCrypt can't be considered open source. The source is available, but it's difficult for you to use it other than to analyze it.

I'm not an expert, but I thought there was a distinction between what's meant by "Open Source" and "Free Software". The way I understand it:

Open Source: You can analyze the source code and build it yourself - which is great if you don't trust anyone to give you binaries from what you analyzed. Usually at least free as in "free beer".

Free Software: Open source software which gives you lots of permissions via its license, while making sure you get to keep these permissions. Usually free as in "free speech" (in addition to "free beer").

TrueCrypt not being free as in speech is a bummer, but being able to inspect the code and build it yourself is a critical advantage, especially when it comes to cryptography. I have a hard time imagining BitLocker not having any backdoors built in. At the very least it'll have some kind of weak random number generator or whatever, making sure that with the right algorithm you get to crack it within a few minutes or so.

From Wikipedia [1]:

"In production and development, open source as a development model promotes a) universal access via free license to a product's design or blueprint, and b) universal redistribution of that design or blueprint, including subsequent improvements to it by anyone"

So no, "open source" doesn't just mean being able to read the source code; it also means being able to modify and redistribute it, just like "free software". The difference between the two terms isn't very meaningful in practical terms, IMHO.

[1] http://en.wikipedia.org/wiki/Open_source

No, there is a meaningful difference [1].

Free (as in freedom) Software guarantees that the end user can always get, modify, and redistribute the source, by requiring any use of the source code to be under the same license. In short, copyleft.

For example [2], since linksys modified and extended GPL'd code (the linux kernel) in creating the WRT54G wireless router, they had to release their work under the GPL too, which is how to OpenWrt project was created.

The term Open Source applies to projects with more permissive licenses, such as the MIT license, where there is not obligation to release your modified version of the source to the end user.

[1]: https://www.gnu.org/philosophy/free-software-for-freedom.htm... [2]: http://en.wikipedia.org/wiki/OpenWrt#History

Free software is a subset of open source software. Truecrypt wasn't open source software, as in it didn't have an open source license. It was proprietary, with no ability to fork it, but the source code was available. It's like Microsoft making available the source code of Windows on Github so everyone can see it - without giving it an open source license.

> Free software is a subset of open source software

No, they're the same set.


Edit: before you knee-jerk downvote, please read my link. Open source is a term coined by OSI as a replacement synonym for free software. We have somehow culturally forgotten this. We keep repeating some other version of the facts for some reason and have forgotten what "open source" really means.

This is not even vaguely true.

Please read my link. Open source is a term coined by OSI as a replacement synonym for free software. We have somehow culturally forgotten this. We keep repeating some other version of the facts for some reason and have forgotten what "open source" really means.

The term predates OSI.

No. Please read my link above. This is thing #2 in my link above. Christine Petersen coined the term. OSI was then formed under this term.

There is an unrelated "open source intelligence" older term, about how to spy on people using publicly-available sources, but nobody called software "open source" before OSI. Eric Raymond confirms as much:


In the abstract of the same text by Raymond, http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...:

>"By mid-1996 I thought I was beginning to understand. Chance handed me a perfect way to test my theory, in the form of an open-source project that I could consciously try to run in the bazaar style. So I did—and it was a significant success." //

OSI started in 1998 yet here is Raymond saying he did an open-source project in 1996. Not only that be he was copying an established style of software authorship which was already open source. Whilst the wording may not have been widely used, perhaps not at all, until 1998 open source was already a thing. OSI tried to create a tightly defined word but they created usage of the term to cover what was - as we see above - already a thing. The thing that existed didn't and doesn't fit neatly in to the OSD and nor should it. Usages change as well but here I think those who [it seems] coined the term and set it free used it in a different way to some of the community from the start.

It would be interesting to do a survey of the HN crowd to see what they consider the term "open source" to mean.

You are of course open source software existed for a long time before it was called that, way back to the early 1960's. People called it free software for a long time. And not just Stallman called it that, even the BSDs did and still do, despite hating RMS and all he stands for (GNU, GPL...)

ESR edits his texts a lot, and CATB came out before 1998. I don't know if I can track down a first edition of CATB and see what term ESR used here, but I bet it wasn't "open source". Note how he hyphenates it, according to his recommendation in the thing I linked.

I cut-pasted and reused his hyphenation, I noted it well. He uses "open-source software" and just "open source". Did I err in this regard?

That aside, it doesn't matter if he wrote the line last week about making an open source project in 1996, it's recognition that open source per se (as opposed to the name) started prior to OSI and their OSD. It was an established thing that they tried to straight-jacket in to a particular definition.

I was pointing out his hyphenation to point out how it's something that nobody does, just like almost nobody writes e-mail anymore instead of email. The term seemed new at the time, so esr thought he needed special recommendations on how to use it.

And yes, I agree again with you, open source existed for a long time before OSI. It was and is called free software. All that OSI attempted to do was provide a more business-friendly synonym for free software, but their message seems to have gotten distorted, and people seem to think that open source is something different from free software. It was never meant to be different.

> I'm not an expert, but I thought there was a distinction between what's meant by "Open Source" and "Free Software".

No, there is no difference:


Edit: before you knee-jerk downvote, please read my link. Open source is a term coined by OSI as a replacement synonym for free software. We have somehow culturally forgotten this. We keep repeating some other version of the facts for some reason and have forgotten what "open source" really means.

I think you have mixed "Open-Source" and "Free Software".

TrueCrypt IS Open-Source. You can read the source.

It is not, however, free software. It's free to use, but not free as in GPL.

TrueCrypt IS Open-Source. You can read the source.

Depending on whose definition you accept, simply being able to "read the source" does not make something "open source". While not accepted by everyone, the Open Source Initiative's "Open Source Definition"[1] is a very widely accepted definition of what it means to be "Open Source".

I would posit that "Shared Source"[2] is a more accurate term for a project where the source is available, but the license doesn't permit all of the things required by the OSD.

[1]: http://opensource.org/osd-annotated

[2]: http://en.wikipedia.org/wiki/Shared_source

Yes, there's some confusion because the term "open source" was around before OSI attempted to define it.

If my understanding is correct, the TrueCrypt developers were attempting to make an "OpenSource(tm)" license, but the OSI folks had some technical objections. So the software falls into a gray area where it's not quite officially OpenSource, but it still could be modified and distributed by third parties.

> Yes, there's some confusion because the term "open source" was around before OSI attempted to define it.

No, it was not. OSI coined it. Specifically, Christine Petersen coined it.

It appears to be such a natural term now that we have become convinced that we were using it before OSI, but we weren't. The earliest OED citation for "open source" is from 1998, around the time when OSI coined it. If you have an earlier citation, please submit it to the OED. I don't believe one exists.

There is an unrelated term "open source intelligence" which is indeed older, but nobody called software "open source" before OSI.

Sorry, no reference. But I recall the term was not eligible for a trademark for some reason.

I don't know why Bruce Perens apparently trademarked a bunch of things but not "open source" itself. However, as part of its trademark policy, OSI asks that people do not call software "open source" if it's not under an OSI-approved license:


"open source" is descriptive (even if you capitalise it). Descriptions aren't trademarks; that's probably why.

You are conflating 'open source' and 'source available' (sometimes referred to as 'shared source' like when Microsoft makes source available for Windows to partners). Having the source available does not make it open source.

Open source means the source is available under an open source license, as recognized by the OSI. This gives you the freedom to modify and reuse it.

>Open source means the source is available under an open source license, as recognized by the OSI. //

I've been part of the [F]OSS community (mainly on the receiving side!) for ~15 years but have never seen it specified that OSS has to comply with an OSI definition.

"open source" [de-capitalisation is purposeful to distinguish with "Open Source [OSD]"] has always simply meant that the source was available to view for those the program was distributed to. For example - IIRC - Star Office was a paid application initially but was open source as those who purchased it could request the source code. Way back in the day people/companies would even make nominal charges to cover media and distribution of the source and still be "open source". Of course not all open source is free-gratis, clearly one can charge for open source. But, moreover, not all open source is free-libre either, just being open source doesn't mean that you have to have a GPL/LGPL/Berkley/CC or whatever compatible license.

I'm pretty sure I recall the OSI starting; we had open source software before that. The OSI's "Open Source" is not coterminous with "open source". For example someone distributing a linux distro that specified that no proprietary software could be bundled as part of the distro would be excluded by the OSI's definition from terming the distro "Open Source" whilst it could very clearly be completely open source. Similarly if you say "may not be used for development or activation or control of weapons designed to cause harm" as part of your license you can allow any type of source manipulation you like but the OSI's definition would say your software is not "Open Source".

FOSS (Free [-libre] Open Source Software) gives you the freedom to modify and reuse it, though there still might be relicensing controls. That's why we have FOSS and OSS definitions in the first place, the Free-libre bit wouldn't be necessary otherwise. No need to try and overload the language to push an ideological position like OSI appear to have done.

> TrueCrypt IS Open-Source. You can read the source.

No, open source means a lot more than "the source is visible".


Edit: before you knee-jerk downvote, please read my link. Open source is a term coined by OSI as a replacement synonym for free software. We have somehow culturally forgotten this. We keep repeating some other version of the facts for some reason and have forgotten what "open source" really means.

It could be true, that open source meaning is different now. But still I would use open-source by its current definition. Open source's meaning has expanded than what you describe. Which is why we now have Free AND Open Source Software(FOSS).

If you would look around there are lot of licenses built around this point. All open sourced software are not free. Some allow owner to restrict its use like not allowed to be used commercially.

If I had to sum it up these two would be orthogonal: 1. Closed-source vs open-source 2. Proprietary vs free.

My issue with the fork is the two guys who threw together the site to get "FIRST!!" dibs don't actually seem like developers capable or willing to continue the fork themselves. They just want credit for the work they want others to do for them.

Truecrypt is not open source if its license is ever enforced. It forbids commercial distribution. This does not fit the open source definition, which means a lot more than merely "the source is visible".


It is open source, alright. You mean that it's not free in the FSF's definition of the term and that it indeed is.

Please read my link. It is not open source in the sense of OSI's definition, who were the first ones to ever define open source. Furthermore, they trademark the term "open source", and they have even asked that you do not call truecrypt open source:

   it is not all appropriate for [TrueCrypt] to describe itself as
   "open source." This use of the term "open source" to describe
   something under a license that's not only unapproved by OSI but
   known to be subject to issues is unacceptable.
(from http://www.infoworld.com/d/open-source-software/truecrypt-or... )

Will all due respect to OSI and its trademarks, a software with the source code that is open to the public is quite naturally described as "open source". Just by a simply virtue of dictionary definition of two words involved. I'm all for pedantry, but it's quite misplaced here.

No. Please read my link.

It is not naturally described as such, because nobody described it naturally as such before OSI came along. The dictionary definitions in this case lead you to the wrong conclusion about the meaning, just like at least one dictionary definition of "free" can lead to the wrong conclusion about what free software means.

I am being pedantic about this because I want people to value the principles that open source is supposed to be about. I don't want people to forget what open source really means.

It is pedantry of the same kind as RMS insisting on using GNU/Linux name instead of Linux. I have several projects under GPL and MIT licenses, some are over 10 years old, and I still think it's perfectly fine to describe something with publicly available code as "open source". Whether it is released under an open source license is another matter, and in many cases it's not, including TC and most of what Microsoft releases. But in conversational English TC is open source, because there's basically no other established term to describe the fact that its source is available. If you are aware of one, I'd like to know it.

Stallman and his toe cheese have nothing to do with this.

I think the term "visible source" is quite unambiguous, but perhaps I'm wrong. Microsoft prefers the term "shared source" for what you describe.

Who is going to complain if someone uses TrueCrypt's name? Can anonymous people retain copy rights over their work?

Given that copyright automatically attaches in a lot of countries... then yes anonymous people retain copyright over their work.

However an anonymous person could not do anything about enforcing their copyright without losing their anonymity. You can't sue someone anonymously (you as the plaintiff), you can't DCMA anonymously, etc etc.

It's trademark, not copyright FWIW (you may have known it just looks unclear in your post).

Trademark is a registration mark unlike copyright (copyright is automatic in almost every state in the world according to a few treaties). Broadly, provided you pay your fees then you retain a granted trademark. There are trademarks that are unregistered, acquired by use in trade, but it's a very weak instrument. Non-use can be grounds to contest a trademark - so it's almost impossible to retain a mark and remain anonymous as you need to be trading using that mark and usually trading requires you to disclose identifying information in some way.

Also USPTO's TESS facility gives the trademark assignee information, http://assignments.uspto.gov/assignments/q?db=tm&qt=sno&reel... .

Is there a case anyone can point to where an anonymous plaintiff has sued someone over intellectual property authored anonymously?

In the United States, the 6th amendment, known as the "Confrontation Clause" is supposed to guarantee the right to see / know the accuser. It is literally baked into the constitution, otherwise anonymous trolls would be suing with no real recourse against them.

I think anyone who thinks the answer to your question is yes is misinformed.


There are civil remedies for copyright infringement, so you're wrong. This is also why people should listen to lawyers, not random posters on the internet.

Yes, they can. Enforcing those rights is more difficult if you wish to remain anonymous, but still possible.

That "explanation" doesn't make any sense.

BitLocker is not open source and is pretty much guaranteed to have a backdoor considering Snowden's leaks about Microsoft and NSA.

Steve Gibson has also made the TrueCryptⓇ Final Release Repository at https://www.grc.com/misc/truecrypt/truecrypt.htm

I had to use this mirror recently as there are already bad copies floating about; it is a trusted hosting for the last ungimped version for windows and linux. check the hashes n' sigs!

The best of all the conspiracy theories was http://pastebin.com/9catw4X7.

Wow. I'm going to spread that one around:)

There is this person claiming "I can confirm presence of TrueCrypt duress canary as per 2004 conversation."

There were a bunch of other tweets with further details, but those seem to have been deleted.


Note: I am not claiming this is necessarily true.

I don't know anyone who works in cryptography who thinks those twerps were credible. Do you? I'd be interested in a name.

A developer for tor (@puellavulnerata) retweeted this. That is the only claim to it's credibility that I know of

Following http://truecrypt.ch/ and https://twitter.com/TrueCryptNext is a good resource to get new information on this case at the moment.

I haven't come across any new and definite information since the hack/shutdown.

So a random developer with 4 years of experience teamed up with a Drupal developer to take leadership of this project?

This is pretty sad/funny.

What about the fact its his first C project on Github?

That doesn't necessarily mean anything. Github is very, very new relative to C development. There are programmers who had coded in C for decades before Github even existed.

How are you recommending two places to get new information if you admittedly have not come across any new information since the shutdown?

Dino's Pizzeria is my favorite place to get pizza. I have never had a pizza from Dino's Pizzeria.

I would encourage you to listen to Steve Gibson's Security Now podcast on Twit. But the gist is TrueCrypt has not been hacked. Take a listen to the "TrueCrypt WTF?" episode.


It was discredited. Mission accomplished!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact