The Sudden Policy Change In Truecrypt Explained 475
X10 (186866) writes "I use Truecrypt, but recently someone pointed me to the SourceForge page of Truecrypt that says it's out of business. I found the message weird, but now there's an explanation: Truecrypt has received a letter from the NSA."
Anyone with a firmer source (or who can debunk the claim), please chime in below; considering the fate of LavaBit, it sure sounds plausible. PCWorld lists some alternative software, for Windows users in particular, but do you believe that Microsoft's BitLocker is more secure?
tc-play is a reimplementation of Truecrypt (Score:5, Informative)
Fyi Truecrypt, with its dubious code provenance, has been suspect for a long time anyway, regardless of these developments. S there already is a re-implementation of Truecrypt from the ground up for Linux and BSD by non-anonymous(?) developers: https://github.com/bwalex/tc-play
Also, cryptsetup-LUKS (recent versions only) can mount truecrypt containers under Linux.
Re: people ruin everything (Score:2, Informative)
https://t.co/x1H2T6UtEv
still speculation (Score:5, Informative)
According to this page - someone e-mailed a dev contact and claims they called it quits due to lack of interest
https://www.grc.com/misc/truec... [grc.com]
(Scroll to the bottom, the green box).
The only real "confirmation" we have is the info on the TrueCrypt page. It's over (no matter what the reason is), best to move on.
AC in last thread mentioned a warranty canary (Score:5, Informative)
An anonymous coward in the last thread said that a known warrant canary was seen:
http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051
Re:tc-play is a reimplementation of Truecrypt (Score:5, Informative)
You are behind the times.
The binary build was duplicated from the source.
The source has been audited.
Ars Scholae Palatinae (Score:5, Informative)
I can't comprehend the conspiracy theories flying around about this.
[TrueCyrpt] is a barely-maintained Open Source project (no updates in the past two years), with an outdated, messy code-base, serious build dependency problems, and lacking in full support for the newest Windows release. It likely only has a small development team - perhaps only one or two people.
The developers are absurdly secretive, and when they do come out of hiding to make a statement, they are confrontational (take, for example, their response to Fedora's queries over the clause in their license that reserves the right to sue for copyright infringement).
If this was any other project, we'd all just assume the developers had decided to call it a day. However, because of the nature of the software, everyone assumes security agencies or reptilians are involved.
Maybe the developer was a security researcher who has decided to retire to a tropical island. Or maybe there were two developers, and they have had a dispute. Maybe the primary developer took a job offer at a security firm, with a clause prohibiting him from working on external projects. There are an almost infinite range of possibilities... assuming that the cause was the devious acts of state-sponsored actors is leaping to a pretty big conclusion.
If I developed a piece of security software, and wanted to cease development, I'd make a similar statement.
"Don't use this anymore. It's not maintained, and should therefore be considered insecure".
Otherwise, if a vulnerability is discovered, everyone will scream: "Fix it now! Nobody told us to stop using it!"
''TrueCrypt is not secure,'' official SourceForge page abruptly warns [arstechnica.com]
[Ars stats for Marlor: 1279 posts > registered Oct 3, 2003 > 0.01% of all posts > 0.33 posts per day]
Re:What else? (Score:5, Informative)
The simplest explanation is that the developers simply got tired of the project and decided to abandon it. It's been years since any update and it's certainly plausible that those developers remaining simply decided it wasn't worth it to keep the project alive when no one was maintaining it. .
Re: people ruin everything (Score:5, Informative)
Link [grc.com] because why in the world do people use URL shorteners?
Re:people ruin everything (Score:4, Informative)
Governments are made up of people. People are always the problem.
Re:tc-play is a reimplementation of Truecrypt (Score:4, Informative)
The audit of the source is complete. The next phase of the audit is cryptanalysis.
Old code still available (Score:5, Informative)
It appears grc [grc.com] has created page where the last final version of TrueCrypt and all source code could be downloaded.
My hope would be that someone will fork the project and continue development for Linux, and Windows XP/2003, at least, AND preferably work on new Version of Windows.
Bitlocker is REALLY not good enough, for most users won't have access to it -- since it is only in the ENTERPRISE version of Windows 7; in particular... Windows 7 Standard and Professional do not have the feature.
Re:That's not proof! (Score:2, Informative)
Just an old, jaded reverser who hung around in a few places with a few people. I didn't always use my real name. /akr
Re:That's not proof! (Score:4, Informative)
Ya think? Really? You are hereby awarded the prize for most spectacular understatement of the obvious. Sorry, I do not intend to be mean; it just hit my funny bone; peace, man. It's somewhat akin to stating that the US "may be entering a period of decline" or saying in 2004 the space shuttle program "may be winding down".
OTOH, seriously, the project may have gone deader than a doornail overnight, but use of 7.1a is still just as viable as it was before the stunning suicide note. It has passed the independent stage 1 security audit with thumbs up, and if you don't already have a copy it's not hard to find out there. Pretty sure in the long run somebody will pick up the pieces and carry on. The HQ for the next project will clearly have to be located some place other than the inheritor of the Nazi Germany/Soviet Russia mantle of most despicable police state.
LUKS is very good, but until someone works out a way to do hidden containers, it's not even close to a replacement for the most critical feature of TrueCrypt.
Re:That's not proof! (Score:4, Informative)
Already there, dude.
http://truecrypt.ch/ [truecrypt.ch]
Switzerland!
Re:That's not proof! (Score:4, Informative)
LUKS is very good, but until someone works out a way to do hidden containers, it's not even close to a replacement for the most critical feature of TrueCrypt.
Hidden containers are less useful than you might imagine in practice for a variety of reasons. Some of these points are relevant [google.com]. I don't have any use for hidden containers, although I do use LUKS on a large number of systems.
Re: people ruin everything (Score:5, Informative)
My point wasn't that privacy is not important. My point is that YOU are not important...and I'm right. You're not.
Which is entirely beside the point.
You are irrelevant to The Man until you become a "problem" and all this data gathering is for instant dossiers on people who become a "problem." To nail the head that sticks up.
Privacy is a human right because without it people are unable to effect change - they remain powerless. There is nobody on the planet without a skeleton in the closet, and exposing that skeleton is what this is all really about. It's national-level Borking, to remove any kind of power from people who would oppose a police-state.
That's why.
You, sir, are a short-sighted douchebag and, through your apathy, an enemy to everyone on this planet.
Ta Ta.
--
BMO