May 29, 2014

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

Sometime in the last 24 hours, truecrypt.org began forwarding visitors to the program’s home page on sourceforge.net, a Web-based source code repository. That page includes instructions for helping Windows users transition drives protected by TrueCrypt over to BitLocker, the proprietary disk encryption program that ships with every Windows version (Ultimate/Enterprise or Pro) since Vista. The page also includes this ominous warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

“This page exists only to help migrate existing data encrypted by TrueCrypt.”

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.

What’s more, the last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.
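The signer comparison described above can be scripted against GnuPG's machine-readable status output. This is an added example, not part of the original article: it assumes the releases ship detached OpenPGP signatures and that the signer's public key is already in the local keyring, and every fingerprint, user ID, status transcript and file name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the article): confirm that two releases carry valid
# OpenPGP signatures made by the same primary key, using GnuPG status output.

# signer_fpr: read `gpg --status-fd 1 --verify` output on stdin and print the
# primary-key fingerprint, but only if there is exactly one good signature.
signer_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature or its key cannot be relied on.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # EXPSIG and EXPKEYSIG replace GOODSIG for expired material, so
        # they fail the good == 1 test in END.
        $2 == "GOODSIG" { good++ }
        # VALIDSIG: field 3 is the fingerprint of the key that signed; field
        # 12, when present, is the primary key that owns a signing subkey.
        $2 == "VALIDSIG" { valid++; fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (bad || good != 1 || valid != 1) exit 1
            print toupper(fpr)
        }'
}

# verify_release FILE SIGNATURE: verify against the local keyring and print
# the signer fingerprint; the exit status is that of signer_fpr.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_fpr
}

# same_signer OLD_STATUS NEW_STATUS: succeed only if both status transcripts
# show one good signature and both name the same primary key.
same_signer() {
    old_fpr=$(printf '%s\n' "$1" | signer_fpr) || return 1
    new_fpr=$(printf '%s\n' "$2" | signer_fpr) || return 1
    [ "$old_fpr" = "$new_fpr" ]
}

# Constructed status transcripts; fingerprints and user IDs are made up.
FPR_A=0123456789ABCDEF0123456789ABCDEF01234567
FPR_B=FEDCBA9876543210FEDCBA9876543210FEDCBA98
OLD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project (constructed)
[GNUPG:] VALIDSIG $FPR_A 2014-01-01 1388534400 0 4 0 1 2 00 $FPR_A"
NEW_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project (constructed)
[GNUPG:] VALIDSIG $FPR_A 2014-05-27 1401148800 0 4 0 1 2 00 $FPR_A"
OTHER_KEY_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (constructed)
[GNUPG:] VALIDSIG $FPR_B 2014-05-27 1401148800 0 4 0 1 2 00 $FPR_B"
TAMPERED_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Project (constructed)"

# Real use (hypothetical file names):
#   sh check.sh old-setup.exe old-setup.exe.sig new-setup.exe new-setup.exe.sig
if [ "$#" -eq 4 ]; then
    if a=$(verify_release "$1" "$2") && b=$(verify_release "$3" "$4") \
        && [ "$a" = "$b" ]; then
        echo "same signer: $a"
    else
        echo "signer changed or a signature did not verify" >&2
        exit 1
    fi
fi
```

A match shows continuity of the signing key only; it says nothing about who currently controls that key.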

That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden.

“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).

Green said he’s disappointed that the TrueCrypt team ended things as abruptly as they did, and that he hopes that a volunteer group of programmers can be brought together to continue development of the TrueCrypt code. That could be a dicey endeavor given the license that ships with TrueCrypt, which Green says leaves murky and unanswered the question of whether users have the right to modify and use the code in other projects.

“There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation,” Green said. “But maybe what they did today makes that impossible. They set the whole thing on fire, and now maybe nobody is going to trust it because they’ll think there’s some big evil vulnerability in the code.”

Green acknowledged feeling conflicted about today’s turn of events, and that he initially began the project thinking TrueCrypt was “really dangerous.”

“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green said. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”

Whether or not volunteer developers pick up and run with the TrueCrypt code to keep it going, Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.

“Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer,” Green said. “Hopefully, we’ll be able to keep TrueCrypt.”


363 thoughts on “True Goodbye: ‘Using TrueCrypt Is Not Secure’”

  1. JCitizen

    Funny how for YEARS I was pummeled by advice to use TrueCrypt, and one blogger and forum poster after another extolled its virtues to the point of legend, and now? POW! It’s ALL OVER! HAAA! 😀

    Now I’m glad I’ve been dragging my feet recommending ANY encryption scheme – better to let the client make their own mistakes. :/

    1. Someguy

      Interesting that I watched DEA and other TLA folk using TrueCrypt on their own disks for years. My bet is it was secure til now – til TC Devs got an NSL.

      1. Sasparilla

        Hopefully we find out what the real story was – but with the harried low brow new look of the SourceForge, along with making the product not able to encrypt (only decrypt) and statements that it’s unsupported – definitely makes the NSL (Lavabit) scenario seem plausible (and of course they’d be a prime target of the NSA – they sure don’t want reliable encryption out there – unless it’s under the control of a company that they serve an NSL to).

        1. JCitizen

          Not only that but SourceForge itself has been getting accused of putting malware in many of the downloads. I’ve been reading complaints all over the web about that – sounds like they’ve been going the way of CNET and the CBS sister sites.

          Perhaps it is nation state pollution of the servers at SourceForge? Hmm?!

          1. Snowbody

            Sourceforge doesn’t put malware in the downloads…but they do allow malware pushers to put ads all over the download page that say “Click here to download the software” and the real download icon gets lost amidst all the spammy ads. I *NEVER* instruct someone to get software from SourceForge or freecode due to these ads unless I’m right there to stop them from clicking on the malware installers.

        2. Gray Dee

          As I mentioned, maybe the start & end of TrueCrypt was a “Top Secret”-Operation…

        3. Gray Dee

          Probably then The Story will be setup equate, the way THEY WANT IT to be. Just in case…

    2. JEB

      Client of 10+ years decided to listen to the sharp guys upstairs on his new server (they sold him). They recommended and installed TrueCrypt. Ah, well, time to tell him my rates just went up.

      1. JRR

        Why? Truecrypt still works as well today as it did last week. It hasn’t changed in any functional way in years now. I’m continuing to use it going forward. It’s doing no harm on systems. If there are vulnerabilities, they are currently unknown, and it’s got a security audit going on. There is no doubt that it will reawaken under some other team’s control and will be fully compatible.

        I’d certainly still rather be running TC than Bitlocker. I can’t really be convinced that there are no backdoors in Bitlocker (or in the TPM platform that it’s built upon).

        1. JohnFen

          While I’d trust TrueCrypt over BitLocker any day of the week, I never really trusted TrueCrypt. The way that entire project went from the start seemed very suspicious. I still won’t use or recommend TrueCrypt to anybody until the review is complete.

        2. lsplsh

          Agree, reasonable opinion, under one condition that version 7.1a was not compromised, which we don’t know and need to wait for the security audit report which will be ready in a couple of months in summer

    3. RayZfox

      Yes, it is better to be unencrypted than to have encryption on the off chance the encryption might be broken in the future and your data unencrypted. YOU ARE A FUCKING TARD.

  2. Cryptic Crossword

    So hunting (well just dreaming up) conspiracies:

    1) TC was an independent project – all OK
    2) Audit showed some major reworking needed
    3) “Oh s** it”, let’s close down, but …
    4) Let’s flog the project to M$, and …
    5) Let’s make it look as if we were under NSA pressure

    Not sure I can get any more in at the moment!

  3. Alenonimo

    What people really think is that the TrueCrypt Foundation received the NSA subpoena and it’s being forced to put backdoors on the program. So they’re supposedly doing a Lavabit and telling people to not use any new programs from them, but since they can’t actually say what’s happening through a gag order, they’re giving us the dead canary.

    1. John Doe

      so this dead canary is with regard to NSA whacking the last/latest versions of TC and not much older versions. just don’t update if you have a much older version.

      the NSA could be hoping the reporters with the Snowden truecrypt files will update their TC and then somehow introduce/embed the backdoor onto those Snowden truecrypt files that they can later break into if the NSA ever gets a hold of them.

      1. Sasparilla

        If all the NSA needed to do to rid the world of (non commercially controlled) TrueCrypt is to serve a letter to the devs after working with the FBI to find them – that’s all upside for them – why not do this (from their standpoint)?

        The NSA wants total surveillance, with commercial control (with the NSA’s NSL’s that means govt control) of all encryption tools. This is an absolute huge win for the NSA, IMHO…

      2. jane doe

        Wait a minute. So NSA needs a backdoor to be able to read their own files?

    2. Joseph

      What world do you live in? The NSA isn’t a legal authority and it can’t legally compel anyone to do anything.

      The things kids say today about “the NSA” are even whackier than what we were saying about “Area 51” in the 1990s… well, the theory about the underground alien base in Dulce NM was probably the wackiest of all….

      1. Not Secured As AREA51

        @joseph
        so the NSA and the UFOs in Area 51 are not real???
        guess all my top secret UFO pictures in my encrypted truecrypt container files are worthless and don’t have to worry about the NSA getting into them….

      2. Gray Dee

        @Joe:
        They have the competence of doing whatever they want for more than a decade, and will continue for the next century

      3. Gojoe

        NSA authorizes every algorithm encryption you see today. NO algorithm encryption is allowed to market without their knowledge. TC uses known algorithm encryption

        AES
        Serpent
        Triple DES
        Twofish
        AES-Twofish
        AES-Twofish-Serpent
        Serpent-AES
        Serpent-Twofish-AES
        Twofish-Serpent

        These were all authorized by NSA

        1. meh

          Supposedly they are working on/have a quantum computer which would make most of the modern computational algorithms worthless anyway… This is a real problem since strong encryption is the core of being able to trust commercial/sensitive data is not being read or altered at whim everywhere – it needs open and reliable funded and international/no-nation sponsorship to trust that it doesn’t contain dirty little weaknesses.

    3. Ernest

      Assuming that the TrueCrypt developers are even in the US.

    4. jack

      It’s a decent theory, except how would the authors of truecrypt even receive a National Security Letter if they are themselves anonymous?

      1. Sasparilla

        They were anonymous, somewhat, people had ways of talking to the authors electronically – if the FBI/NSA decided to invest some time and energy into finding them – unless they were living like spies – they’d probably be able to find them.

  4. a4657103

    The announcement contains some steganography in plain sight, by way of intentionally lousy grammar:

    From the “new” website, in red letters:

    …TrueCrypt is not secure as…

    Now, with added emphasis:

    …TrueCrypt is
    N ot
    S ecure
    A s…

    NSL for sure. Nicely sidestepped.

    1. mehmet

      Wow, nice catch mate.
      I’m not sure if they did this unintentionally.

    2. Drafty

      By your logic I could take this message from the “other platforms” page:

      WARNING: Using TrueCrypt is not secure

      … and conclude the INS is responsible (that’d be US Immigration, by the way).

      Foof.

      1. jon banquer

        The INS has been gone for years. I don’t remember what it’s called now but it ain’t the INS.

  5. MemyselfandI

    Seems like a crap story to me. They cannot crack the encryption therefore they decide to attack its reputation and legal status. Pathetic figures who’re behind this.

  6. Jason

    Shocked, but received 2 replies from an e-mail previously used by a “David”. “There is no longer interest”

    @ stevebarnhart

    @SGgrc

    1. Michael

      I can confirm the name “David”. A while back I got a reply from a TC developer when asking for UEFI+GPT code status. The reply came from an email address @truecrypt.org consisting of a full name.

      First name was “David”.

      That was beginning of 2013.

  7. Hearth

    Steve Gibson has posted a nice abstract of recent communications *with the TrueCrypt developer(s)* and Steven Barnhart.

    I tend to agree with his summation, that we will all still be ok to use TC v 7.1 given that it looks like:
    a) the audit is going to be completed, and;
    b) the Linux Foundation may be creating a true FOSS fork.

    https://www.grc.com/misc/truecrypt/truecrypt.htm

    He also has v7.1 available for download from that page for anyone looking to grab a copy, binaries and source.

    1. True

      TrueCrypt was bleeding skill and knowledge, they no longer have the capability to keep up with new features, and in fact some of the “quality issues” highlighted in the audit also indicate they have run up against design limitations / code quality limitations / knowledge that enables them to squeeze in what they need to the boot loader. That explains why they cannot add Guid Partition Table Support.

      http://it.slashdot.org/comments.pl?sid=5212985&cid=47115785


      They probably just decided to end the project. My experience is that it has been slowly dying for a long time. I have been heavily involved with truecrypt and its source code for many years. I make programs to custom edit the boot screen and otherwise customise TC’s appearance. My programs are not forks, rather they edit the actual binary code installed, so that users can easily use it on existing installations. What you have to understand is that truecrypt has added very little functionality for a very long time. In particular they seem to have lost the key developers who did the code in the boot sectors. For those who don’t know, a long time ago the program was too big to fit into the boot sectors, and a special deflate algorithm was added to decompress the boot sector code. My code to unzip the boot program and edit its string display strings is still the same code from tc 5.0, and it still works on the latest edition. The guys who code this section appear to be long gone from the project, hence absolutely nothing done over UEFI. The changes that have occurred look questionable, in that the people making them seem to have very limited assembly understanding and were hacking on bits instead of properly modifying the program’s flow. Secondly getting TC to work with operating systems is extremely complicated, especially for windows. It was Microsoft who eventually released the API’s that were used to make truecrypt properly handle sleep/hibernate. These API’s are not forthcoming to Win8 or beyond, and in all honesty – windows is the only market that matters. I am going to guess that one of the last known developers knows there is a bug that they can no longer believe they have the experience or skill to fix properly, and hence has decided to shut it down.

      TrueCrypt died two years ago it looks like, they just didn’t have the courage to announce it then and came up with this rubbish excuse to save face.

      1. marcus

        “My experience is that it has been slowly dying for a long time.”

        The funny thing is that if the NSA _was_ behind this, they’ve just shot themselves in the foot by galvanizing the community into revitalizing the project. For that matter, if the developers just decided to quit but thought that the project should continue, how better to insure it (and stick a thumb in the eye of the three-letter agencies)?

  8. Schneier

    TrueCrypt was bleeding skill and knowledge, they no longer have the capability to keep up with new features, and in fact some of the “quality issues” highlighted in the audit also indicate they have run up against design limitations / code quality limitations / knowledge that enables them to squeeze in what they need to the boot loader. That explains why they cannot add Guid Partition Table Support.

    http://it.slashdot.org/comments.pl?sid=5212985&cid=47115785


    They probably just decided to end the project. My experience is that it has been slowly dying for a long time. I have been heavily involved with truecrypt and its source code for many years. I make programs to custom edit the boot screen and otherwise customise TC’s appearance. My programs are not forks, rather they edit the actual binary code installed, so that users can easily use it on existing installations. What you have to understand is that truecrypt has added very little functionality for a very long time. In particular they seem to have lost the key developers who did the code in the boot sectors. For those who don’t know, a long time ago the program was too big to fit into the boot sectors, and a special deflate algorithm was added to decompress the boot sector code. My code to unzip the boot program and edit its string display strings is still the same code from tc 5.0, and it still works on the latest edition. The guys who code this section appear to be long gone from the project, hence absolutely nothing done over UEFI. The changes that have occurred look questionable, in that the people making them seem to have very limited assembly understanding and were hacking on bits instead of properly modifying the program’s flow. Secondly getting TC to work with operating systems is extremely complicated, especially for windows. It was Microsoft who eventually released the API’s that were used to make truecrypt properly handle sleep/hibernate. These API’s are not forthcoming to Win8 or beyond, and in all honesty – windows is the only market that matters. I am going to guess that one of the last known developers knows there is a bug that they can no longer believe they have the experience or skill to fix properly, and hence has decided to shut it down.

    TrueCrypt died two years ago it looks like, they just didn’t have the courage to announce it then and came up with this rubbish excuse to save face.

    1. meh

      That would only affect full drive/boot containers though wouldn’t it? Wouldn’t using regular containers still be as secure as anything else out there?

      What else is there that works as well across platforms or for various data types?

      1. schneier

        Yes, but remember, defence in depth and layers.

        FDE is to protect against offline reading of the HDD medium.

        There is no avoiding GPT, it is here, it is getting bigger (literally with HDD media normalizing at 2 to 4 terabytes on the system drive and 4 to 10 TB on other storage, not including JBOD’s, RAID’s, NASs et al.).

        TrueCrypt works fine, until you run up against those limitations, and we need a truly open security platform for the future (read as serving the community for the next 10 years).

        1. meh

          If you’re the famous schneier I’m sure you’ve already come across this but I generally just use TC for smaller containers, I don’t see a ton of value or need to encrypt the entire drive, other than meta-data/leaks… If someone sees a full drive encrypted they know it pretty quick, hopefully with smaller containers it would be less obvious and still benefit from strong encryption if it doesn’t have any backdoors and hasn’t been loaded into memory recently..

          1. Schneier

            You cannot encrypt your application and system setting values, you cannot encrypt your email inbox and calendar content, these reside on your application folders, TrueCrypt containers cannot easily be used there.

            This is why you need to encrypt the full drive, to protect against reading those when hooked up to an offline HDD reader.

            The fact that I can gain information about you via your structure of your system (or any other) drive gives me more intel on you to use against you (it is very rare that it is used to help you).

            If you just rely on encrypted containers, you have a big glaring hole in your personal security that can and WILL be used against you.

            1. Gray Dee

              Let us stay serious: Let us imagine that we (me, like in this case here, THIS Reply) in Future have to (will) post an answer (or Reply (like this one)) in a (encrypted) Way. After that possibility (that will be (at some moment) in time), we will have to rethink, and (before posting another comment) rethink, to double up that security (measure), to afterwards upgrade it again, by securing a 3rd time. But because we aren’t sure about the third option, we can (will) encrypt it a 4th time. Then, while we learned that the first 2 times isn’t sure enough, we will retry a 5th time. That will let us feel sure more and more. But because the first 3 Times did not convince us, we will try another system once more…………….Now we are at 2.231, and still remain paranoia ! I hope the next term will convince US !

            2. meh

              True but I don’t use outlook and don’t put anything in calendars anyway, most of my email is all webmail which they probably already have full access to via backend… I’m thinking mainly for stuff like passwords, program keys, contact info, tax records, etc that will all easily fit in a smaller container.

  9. Resurrectio

    Do not be unduly worried.

    If you are interested in supporting the development of Truecrypt, please surf to http://truecrypt.ch/

    Yes, it is being revived….resurrected….it will rise again.

    1. Sam

      It is not wise to revive this project without having a copy of their bug database and check-in history.

      1. Resurrectio

        I don’t see a problem there, Sam.

        The Truecrypt revival project could ask users to re-submit their bug reports.

        Moreover there is an ongoing audit on version 7.1a. It will reveal major and minor vulnerabilities that need fixing. I consider it to be more important than the bug database.

        1. risky

          And what about the other bugs that are fixed? There is the risk of REGRESSIONS

          You honestly expect people to remember the bugs they entered lol

          You are obviously grasping at straws with no real grip on the reality of the situation.

          1. coerciblegerm

            Which bugs would those be? There hasn’t been a new release (apart from 7.2) since 2012, and the 7.2 release certainly wasn’t teeming with bugfixes, since it has removed the option to encrypt data. You’re speaking out of your rear end.

          2. Resurrectio

            @ risky

            I agree with what coerciblegerm wrote.

            There hasn’t been a new release since 2012 and Truecrypt’s developers shut down their website towards end of May 2014. That’s about an interval of almost 2 years.

            Moreover don’t forget there is an ongoing security audit of Truecrypt 7.1a by an independent third party.

            risky, if you have viable alternatives, please state them here. Otherwise stop spreading FUD.

            1. meh

              You are probably right but they face a major uphill battle to regain trust, something most people had for the later versions of Truecrypt but won’t have for anything possibly tampered with by the NSA or closed source.

    2. JCitizen

      The audit reported they were using insecure std string functions and other known unsafe API’s in Windows instead of stringcch et al.

      Forking based on this API usage is not wise.

      They also have issues with their boot loader code, that is why they cannot get Guid Partition Tables to work.

      1. JCitizen

        I don’t know who you are, but you are definitely not me! 😀

  10. AlphaCentauri

    I can certainly understand a scenario where developers got tired of working on this project, developers got tired of the struggle to maintain anonymity, developers got to hate their co-authors and wanted out, developers came to feel that TrueCrypt was providing people a false sense of security when the XKCD Password Wrench (xkcd.com/538/) would defeat it, etc.

    Personally, I can’t imagine Homeland Security allowing an encryption product to be distributed via servers in the US this long without a backdoor in it, but maybe there’s an innocent explanation why they want out.

    But is there a convincing innocent explanation of what the sunset of support for XP has to do with continuing support for TrueCrypt?

    1. JohnFen

      My understanding is that with Windows XP being retired, there was no Windows platform that didn’t have BitLocker anymore — and they apparently feel that BitLocker is adequate (and they don’t care about nonwindows platforms).

      1. MABUTO

        If they feel that BitLocker is adequate then they are basically saying that NSA can already defeat all crypto by using OS-level backdoors or key loggers, and for other adversaries who do not have such access any crypto, such as the ones built in the OS, is sufficiently powerful. *puts on tinfoil hat*

  11. bumperotto

    @pyllyukko means in English “@bumman”.

  12. Gray Dee

    Then, there might be another possibility no one ever had the courage to think about: Could the Crew behind TrueCrypt, be an Agency Team (Not a specific one, although everyone probably comes to the specific one making headlines for almost a year now) that now in the wake of Snowden, they recently split up, because…hmm…the real reason is that no agent wants to get excavated, and especially a “Special Team”, being set up on a special Mission (by having the full authority of a (EN)-Criptionprogram, means having access to specific encrypted data). Now let’s run someone said….The earlier you’re out of sight, the higher your chances are not getting caught..

    All in all, this is just a thought out of Millions…

  13. Crash Resistant

    This is shaping up to be a big year for infosec.

    This volume was not cleanly dismounted.

    1. meh

      So would that mean older versions have issues? It would seem undesirable to hose their entire project over such a thing, there would have to be a better way to let people know where the cutoff between NSA involvement would be. If it did have known vulnerabilities it seems hard to imagine they would be so massive as to derail the entire project indefinitely.

  14. Gray Dee

    Hey, isn’t it weird that this thing about TC comes just several hours after Snowden’s first-ever interview to US media, and just weeks after Greenwald’s book. Possibly there will soon be a next leak from Snowden in near Future.

    http://www.youtube.com/watch?v=I-xxzOwr7I4

        1. Gray Dee

          Now this Vid has been taken down too. Can someone else find the newest one. After 2 (Eight) I am tired 😀

        1. Gray Dee

          Right. Or should i say WRONG: STEP by STEP (New Kids on the Block)

          1st: Registrant (REGISTER has been Made yesterday according to WHOIS)
          2nd: Do you know for sure (to say WRONG without hesitation) that crypto.ch is just standing behind that new registration ? Why ?
          3rd: Jos Doekbrijders registered Domain from Yesterday looks to be just One Hop away from Herrliberg (crypto.ch (42.5 Km))
          SEE:
          https://www.google.com/maps/place/Steinhausen/@47.1429867,8.5676,11z/data=!4m2!3m1!1s0x479000a6d3474587:0x400ff884018e970
          AND
          https://www.google.com/maps/place/Herrliberg/@47.2559287,8.7368759,11z/data=!4m2!3m1!1s0x479aa5eb69c1e581:0x4b472c45bb069b3

          Now The NSA gets into play (Wow, a rhyme):
          http://it.slashdot.org/story/00/09/26/1836244/ex-nsa-analyst-warns-of-nsa-security-backdoors
          Crypto.ch & the NSA are (have been) tied already long before you gave your WRONG (and make no doubt about it, and check the date(s) 2000)

          Maybe not wrong, but right 😀

          SO:
          Crypto AG has been accused of rigging its machines in collusion with intelligence agencies such as the German Bundesnachrichtendienst (BND) and the United States National Security Agency (NSA), enabling such organisations to read the encrypted traffic produced by the machines.

          http://en.wikipedia.org/wiki/Crypto_AG

          Final mention is that your WRONG looks like a TRY to getting OFF TOPIC (leading onto a foreign path). But no problem: I ain’t the single HOP? who sees it that way.

          😉

  15. JohnP

    We don’t really know anything at this point and may not know anything more, ever, if an NSL was involved.

    Everything else is guessing and I’d much rather stick to the facts.

    1. Gray Dee

      @JohnP
      Where there’s smoke, there’s a fire

  16. Cinthia

    “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” —–> Not Secure As —> NSA

  17. SpyHunter

    The NSA can force MS via NSL to detect TC running on Windows. There might be journalists who know more about this already from undisclosed Snowden documents. They might have told TC developers. They might not be able to guarantee secure encryption anymore and do not want to fight. Why not?

    1. lost

      And do they have the bug database not a good idea going forward with no idea of the past and current bugs, due to the risk of 1) regression and 2) missing active bugs.

      It will take them a year to ramp up anyway by then, the market will have moved on, also, if they don’t have Guid partition tables high on their next version list, kiss it good bye.

      1. GPL

        Also without a GPL license, we can end back up here again full circle.

      2. Resurrectio

        @ lost

        You are welcome to quit using Truecrypt.

        Last I heard there are some people who have managed to retrieve 70% to 80% of Truecrypt’s website and are in the process of obtaining important info out of it.

        Even if the bug database is irretrievable, Truecrypt fans such as myself will continue to support its development. Why? There is an ongoing audit of Truecrypt’s innards. It will expose/reveal its vulnerabilities and propose fixes for them. The audit is better than having the bug database.

  18. Mr Conspiracy

    So TrueCrypt posts this message: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    No one can understand why. Let’s go conspiracy theory. Take the first letters and you get:

    UTCI NSA IM CU SI

    IM CU SI -> Romanian to English google translator: “I’m with and”
    https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=IM%20CU%20SI%20romanian%20to%20english&safe=off
    UTCI -> Urban dictionary “Under The Cover Ipodding”, definition is as follows: http://www.urbandictionary.com/define.php?term=utci

    So, conspiracy theory wise, this update tells us that the author of that message @ TrueCrypt.org REALLY said: I’m with the NSA and UTCI’ing

    In other words: The NSA is at my home and forcefully installing backdoors into the TrueCrypt Software. This software is no longer safe, DON’T USE IT!

    The UTCI means he’s in the can sending the message and can’t make it longer or the agents will come in and catch him.

    And THAT my friends, is how you conspiracy theory.

    1. Furrow Brow

      TrueCrypt is one word, so the warning spells
      “uti nsa im cu si”
      translate that from Latin to English, and
      you get
      “If I wish to use the NSA”

  19. jackal4

    Dev abandoned after a letter was followed up by a visit from NSA.

  20. Gray Dee

    Let’s keep it Short:
    1. Snowden & Greenwald & Poitras still are in contact.
    2. They still use(d) TC.
    3. Some Agency wants to:
    a) isolate
    &
    b) read what’s being communicated
    and
    c) that’s the most one can conclude about this manner to leave the Theatre.
    1-2-3

  21. Blaze Knick

    What about FreeOTFE, an open source software which provides the privilege of on-the-fly encryption... can we consider this as an alternative for TrueCrypt?

    1. Schneier

      FreeOTFE is no longer maintained.

      You are better with either 1) DiskCryptor or 2) waiting for a TrueCrypt fork.

  22. Brianne

    Hi it’s me, I am also visiting this website daily, this site is really nice and the visitors are actually sharing good thoughts.
