The Following User Says Thank You to Estel For This Useful Post:
2014-10-03, 06:07 | Posts: 254 | Thanked: 509 times | Joined on Nov 2011 @ Canada | #52
The Following User Says Thank You to shawnjefferson For This Useful Post:
2014-10-03, 08:02 | Posts: 1,197 | Thanked: 2,710 times | Joined on Jan 2010 @ Hanoi | #53
The Following User Says Thank You to ste-phan For This Useful Post:
2014-10-03, 08:50 | Posts: 735 | Thanked: 1,054 times | Joined on Jun 2010 | #54
What are your ideas about TrueCrypt after the mysterious end of development, recommending users to switch to BitLocker?
The Following User Says Thank You to Jedibeeftrix For This Useful Post:
2014-10-03, 23:42 | Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011 | #55
Or it could be exactly what the developers said: they were getting bored with it, and with encryption freely available on Windows and Linux, they saw no great need for their software anymore.
The Following User Says Thank You to Estel For This Useful Post:
2014-10-04, 17:57 | Posts: 254 | Thanked: 509 times | Joined on Nov 2011 @ Canada | #56
The Following User Says Thank You to shawnjefferson For This Useful Post:
2014-10-04, 18:14 | Posts: 6,453 | Thanked: 20,983 times | Joined on Sep 2012 @ UK | #57
- torture the password out of the person (these techniques are known to be used by some governments.)
- legally require them to provide the password (less teeth, but might work in some circumstances.)
- crack the password (I'm assuming the NSA has access to very good hardware and people)
The Following 3 Users Say Thank You to pichlo For This Useful Post:
2014-10-13, 16:56 | Posts: 330 | Thanked: 556 times | Joined on Oct 2012 | #58
I'm genuinely shocked, and very disappointed with former TrueCrypt developers (even though I understand that they might have been put in a very hard situation, what they did is just wrong, especially the form). I don't know what happened (no surprise, almost no one really knows), but I see 3 separate possibilities:
1. (unlikely, IMO) - TrueCrypt had a backdoor, and the developers suspected that some subsequent pass of the grand code audit (that has been going on for a long time already) will reveal it.
2. Considering that TrueCrypt was used by activists, anti-government protesters, whistleblowers, and sometimes even terrorists from all around the world - i.e. a whole bunch of folk that gov guys don't like, for different reasons, including the most famous case of Snowden and the journalists that cooperated with him - someone (probably a group of governments following a USA initiative, not a single one) decided to shut TrueCrypt down, on the excuse of a cryptoanarchy threat. Now, they could have done it in two ways:
2a. Offering TrueCrypt developers a large (as in big, big, biiiig) amount of money, big enough to make them "forget" why they were working on TrueCrypt.
2b. Threatening TrueCrypt developers with something very, very serious, probably on various levels. I would be surprised, if they would experience both official and unofficial forms of pressure, including, but not limited to, things that seriously threatened their lives or lives of their relatives/loved ones. It could have gone to the point that they just simply told themselves "**** this!" - not everyone is the type that is willing to sacrifice such important things for a higher good, and I can understand that pretty well (not agree with, but understand).
2a + 2b. Mix of all of the above things.
---
Now, a small disclaimer - usually, I'm not into conspiracy theories. But software like TrueCrypt doesn't just disappear overnight for no reason, and the thing they have done to the code and license clearly states planned action, probably months before. Still, not so long ago, TrueCrypt had a clear roadmap (just like it had all those years before), including support for windoze 8 etc! They never gave a **** about Windows stopping XP updates, that's for sure.
There is also the LavaBit case (which was also used by Snowden), and how gov tried to force its owner to include NSA plugins - forcing him to cease development the same way, just much less secretively (but LavaBit wasn't as big as TrueCrypt, and definitely not as viable for forking by a 3rd party).
Last but not least, the suggestion to use BitLocker is a plain joke. It's clearly done by TrueCrypt devs in a way that speaks between the lines, on purpose. Which would suggest variant 2b as more viable. Of course there is that thing with first letters of announcement and (crippled) Latin, which isn't exactly my cup of tea, but still seems like a way too strange coincidence.
---
Summing it up, the way it was done states clearly that a 3rd party was involved in TrueCrypt - that is the thing I'm, personally, sure about.
The whole thing puts the security of using any TrueCrypt in doubt - at the same time, when TrueCrypt got closed, while still having a perfectly working 7.1 version, used successfully by thousands, including Snowden - another too strange coincidence. It almost looks like some party *wants* people to stop using TrueCrypt (although believing people will just move to BitLocker is plain silly and I don't think anyone is so stupid as to count on it... Though, with gov guys, you never know, they're not the most able and dependable folk, honestly).
Our best hope is the audit, and continuation of code development by the FOSS community under a different name, by a less secretive team (the TrueCrypt team was never very transparent, to be honest - although the code was...) - I really hope for it to happen, and I'm quite disappointed that it hasn't sparked much more interest in helping the audit, by knowledgeable folks (especially, changes in code during the last few years).
Personally, I'm going to still use latest "real" version, both on desktop and N900 for my selectivity-critical needs.
/Estel
The Following 2 Users Say Thank You to malfunctioning For This Useful Post:
2014-10-13, 17:08 | Posts: 330 | Thanked: 556 times | Joined on Oct 2012 | #59
Estel, none of that actually stops TrueCrypt however. If they have the sort of power you think they do, they could have seized the whole infrastructure (instead of killing the devs, although that's probably always an option if you are a conspiracy buff), pretended to be the devs and backdoored the packages themselves.
I doubt all these conspiracy theories and rather believe the story on its face, even given the "strange" advice on the website - who knows who wrote that and what exactly their motivations were. Maybe they were in a hurry, maybe they didn't feel like creating a large tech manual explaining how to install, secure and maintain someone else's software. Maybe they just didn't care.
On the subject of "what do I use now" and "trust", to have complete trust you would have to:
1. have the source code, and the ability to review it for weaknesses or backdoors (including any libraries used that may affect the security or effectiveness of the encryption.)
2. ability to compile the binary yourself (and complete trust in the entire environment you compile it on).
Without doing those two things, you are putting your trust in someone else who could have been co-opted by the same power you are accusing the TrueCrypt developers of having been affected by.
As far as breaking device encryption, I believe there are better methods for the NSA or law enforcement than trying to shut down TrueCrypt (which can't work, since you know someone else will just take on development, or people will just keep using the last version.)
- torture the password out of the person (these techniques are known to be used by some governments.)
- legally require them to provide the password (less teeth, but might work in some circumstances.)
- crack the password (I'm assuming the NSA has access to very good hardware and people)
The Following User Says Thank You to malfunctioning For This Useful Post:
2014-10-13, 17:18 | Posts: 646 | Thanked: 1,124 times | Joined on Jul 2010 @ Espoo, Finland | #60
The positive thing about TrueCrypt is that its code is open, so its soundness can in principle be proven to a reasonable degree of certainty.
The Following 3 Users Say Thank You to minimos For This Useful Post:
Tags |
cryptography, encrypted, kernelcrypto, security, truecrypt |