zenadsl6186 at zen.co.uk
Fri May 30 02:20:39 BST 2014
I guess you have all seen the news about the TrueCrypt takedown, eg

Basically the TrueCrypt website has mostly closed its doors in a
surprise move. There is a new version which only decrypts existing
volumes, the earlier versions have gone.

There are lots of theories about why, from a hack through a "Warrant
Canary" to an existing backdoor or hole.

I discard outright any possibility of it being an outside website hack -
too hard, an attacker would need access to the TC website, the
Sourceforge TC site, and to the code signing key.

The "Warrant Canary" theory doesn't seem to make a whole lot of sense
either. It's possible, but why recommend BitLocker? When did someone
have time to write all those code changes between being served the
warrant and having to execute it?

An existing hole or backdoor, which may have been about to be revealed
by the audit? But the audit people say there is no sign of that, at
least so far.

The theory which makes most sense to me is that it was an at least
partly commercially-motivated self-takedown by the devs.

The recent change in name on the otherwise "same old code and binary
signing key" is possibly significant here - the developers, or perhaps
just some of them, may want to start up a commercial product in the new

Their commercial aspirations are well-known, witness the previous
license issues, the failed crowdfunding and donations campaigns, the
"TrueCrypt Developers LLC" registered in Nevada (thanks to Piergiorgio
Sartor for that info). And they already own a good chunk of the IP
rights in the TrueCrypt source.

The ending of the project was graceful, to some extent at least - people
were not left with unrecoverable archives, and temporarily acceptable
but not-as-good alternatives were suggested. A whole lot of work went

It is obvious that this wasn't done in the heat of the moment - it must
have taken at least several weeks to do the code revisions for the 7.2
release. There have also been hints (eg the robots.txt file) for about
six months that something might be happening.

The only reason I can think of for doing all that work is maintaining
reputation (or technical reputation at least - TrueCrypt devs are not
exactly known for being people people, or for being particularly into
"free open source" either).

No reasons why the code is/may be broken are given. Actually the
"WARNING: Using TrueCrypt is not secure as it may contain unfixed
security issues" does not even actually say TrueCrypt is broken, just
that it may be.

And the unfixed issues might be fixed later, in the commercial version.
Which would have been independently audited... at no cost to TrueCrypt...

-- Peter Fairbrother