Reprint: What happened to TrueCrypt - May 2014

Source: Internet
Author: User

TrueCrypt, the popular disk encryption software, has recently changed its website to a security warning that states TrueCrypt is not secure anymore, and to switch to BitLocker for Windows, or no encryption for Mac. It does not even mention Linux.

TrueCrypt 7.2 Warning

Download all TrueCrypt versions: all TrueCrypt files, binaries, keys, source, all versions


ValdikSS analysis on GitHub Gist | Russian version

Contents
  • 1 Final answer - solved?
  • 2 The Facts
  • 3 Speculation of what happened
      • 3.1 #1 - Coercion
      • 3.2 #2 - Unappreciated
      • 3.3 #3 - Defacement or hacked account
      • 3.4 #4 - Real life
      • 3.5 #5 - Government trying to smoke out developers
      • 3.6 #6 - Major flaw
      • 3.7 #7 - Irate developer
  • 4 External Links

Final answer - solved?

The Premise

As per recent posts from Matthew Green and Steven Barnhart, it appears as though we have an answer. The dev claims to have just gotten tired of maintaining the program TrueCrypt. He claims that he does not want anyone using the source code for the bootloader and the GUI because "that's harmful because only they are really familiar w/code".


Is this really what happened though? I mean, why the panic-stricken BitLocker page and the mysterious method used to leave the software world? Why the refusal to let others build on the code, which was nearly open-source? It still seems fishy, but we did have an answer from the dev at least ...


Sources:

https://twitter.com/stevebarnhart/status/472200478345150464

@matthew_d_green 1 more "I was happy with the audit, it didn't spark anything. We worked hard on this for ten years, nothing lasts forever."

https://twitter.com/matthew_d_green



The Facts

These are facts of what I have seen that could offer some insight into the cause of TrueCrypt's recent decision.

    • SourceForge account
      • Signed keys were updated 3 hours before posting version 7.2 by an apparently legitimate source (SourceForge, TrueCrypt account history, RSS version)
      • SourceForge changed its password policy 1 week before the incident (source)
      • SourceForge claims there is no suspicious activity on the admin account (source)
    • The webhost for truecrypt.org
      • Still has the same IP address as many years back (DNS history for TrueCrypt)
      • DNS is not modified
      • The entire site redirects to the SourceForge project page
TrueCrypt's website on SF
    • The website code for truecrypt.org
      • Now redirects to the SourceForge page for TrueCrypt using a 301 permanent redirect
    • The content on truecrypt.org
      • The main page has been replaced with instructions to switch to BitLocker for Windows
      • There is a mention of the end of Windows XP support, and an incorrect date for its end of life, 5/2014 instead of 4/2014
      • The directions for BitLocker are only possible for the few people who use Ultimate and Enterprise versions of Windows, less than 20% of users
      • The directions for BitLocker migration are simply wrong (you should unencrypt before you go to BitLocker, but they say the reverse)
      • The directions for Mac encryption say "none"
    • The mail addresses of truecrypt.org
      • Are all bouncing messages (confirmation)
    • The new TrueCrypt version 7.2
      • Has a lot of changes that appear to have been in development for a while, like an incomplete new version
      • Removed the ability to create encrypted volumes and drives
      • Added a bunch of messages saying the exact same thing as the website--TrueCrypt is insecure
    • The TrueCrypt terms of use
      • Removed the clause requiring a link to truecrypt.org or to say your code uses TrueCrypt
      • Changes every "U.S." to "states" (possibly irrelevant)
truecrypt.org manually removed from webcitation
    • TrueCrypt on the Internet
      • TrueCrypt is now being removed from all 'Wayback Machine'-like sites where you can view websites as they used to look (source)
    • The TrueCrypt dev team
      • They are anonymous, nobody knows who made TrueCrypt
      • Nobody can reach them now
    • The audit and the audit team
      • They have not heard from the TrueCrypt devs yet; last word is they were looking forward to phase 2 of the audit
      • Matthew Green is keeping people up to date on his blog

Speculation of what happened

Again, this is only speculation. I have read a lot and spoken with a lot of people about the possibilities, and I have come up with a few theories that could match the facts.



#1 - Coercion

The Premise

Lavabit to Public

The TrueCrypt Dev team was told by a government agency to add a backdoor to TrueCrypt.

See: Wikipedia, Warrant canary

See: Wikipedia, Rubber-hose cryptanalysis

My reasoning

The whole situation with TrueCrypt is just a bit off; none of it makes sense from our viewpoint. It is possible that a subpoena was issued to reveal information that would compromise the security of TrueCrypt, whether this was knowledge of any possible security flaws, private keys, or the request to add a backdoor to TrueCrypt. This is exactly what happened to the Lavabit e-mail service a while back, and resulted in a similar outcome to what we see today in TrueCrypt. The combination of the factors below indicates to me that the developer was trying to say the software is no longer safe but he cannot say why due to a warrant canary.

    • Strange wording on the TrueCrypt site (Windows XP end date incorrect, among others)
    • Recommendation of BitLocker - this is the complete opposite of TrueCrypt and is a horrible piece of advice
    • Recommendation for Mac to use no encryption - are they trying to tell us something?



#2 - Unappreciated

The Premise

The TrueCrypt Audit project raised over $62,000 US dollars (source) to investigate whether the TC dev team is hiding things in the code that could bypass encryption, literally tearing their project up with a huge budget. Meanwhile, the TrueCrypt Foundation gets so few donations that it is too disheartening to continue because everyone was against them.


My reasoning

    • There were very few donations to the TC Foundation. I don't know the exact number of course, but it's safe to say the audit raised more money than TrueCrypt itself
    • As an anonymous developer, you get no credit for your contributions, and nobody to say thanks
    • All of these changes appear suspicious but still likely made by the Dev himself or the foundation



#3 - Defacement or hacked account

The Premise

Someone gained access to all of TrueCrypt's keys and logins for the program, the webserver, and SourceForge

My reasoning

This is the least likely scenario in my mind at this point. It would be too elaborate for vandalism. Still, here are the supporting reasons:

    • Idiotic recommendation to use BitLocker instead of an open source solution
    • No warning of being shut down



#4 - Real life

The Premise

The Dev got bored of supporting the project, or had issues in real life that took precedence over TrueCrypt.

My reasoning

It happens to everyone

    • Claiming TrueCrypt isn't safe is a good idea in this scenario, as it will no longer have official updates
    • All of the suspicious changes appear to have been made by the developer



#5 - Government trying to smoke out developers

The Premise

Someone gained access to all of TrueCrypt's keys and logins for the program, the webserver, and SourceForge, but could not find the developers.

My reasoning

A government might have enough resources to break the developers' public-private key pairs and hack into the site.

    • Making an absurd recommendation that everyone switch to BitLocker might goad the real developers into responding.
    • The government might have enough power to break the public-key encryption used to authenticate the developers.



#6 - Major flaw

The Premise

The developer was working on new features for 7.2, based on the diff of the source. It is possible there was a major flaw that was found by the dev and nobody else yet. Instead of releasing the vulnerability and making it public, which would allow everyone to open anyone's TrueCrypt containers, the dev decided to close the project and convince people the program is no longer secure by destroying its credibility.

My reasoning

Yes, I know that there were no flaws found in the audit yet, but still, here are my reasons:

    • TrueCrypt cannot regain the trust of the world again after this nefarious activity, effectively killing it
    • The methods used to "shed" users were very mysterious on purpose--to make it very public that nobody is safe



#7 - Irate developer

The Premise

We know nothing about the dev team for TrueCrypt, so it's pure speculation, but sometimes dev teams disagree, and it can turn into something like this. If one irate developer had access to the private keys for the program, access to the webserver, and access to the SourceForge account, this is a possibility.

My reasoning

    • This happens sometimes (yes, a weak argument, but statistically it should be on this list)




External Links

Related Posts

    • How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries
    • Y Combinator - a long comment page with lots of useful information and links
    • TrueCrypt page on SourceForge - the truecrypt.org address redirects here
    • Twitter - Matthew D Green, the lead of the audit team, who is in contact with TC devs
    • Sumotorrent - TrueCrypt master archive - all sources, binaries, and keys for every OS and all versions of TC in a torrent file
    • IsTrueCryptAuditedYet.com - the name says it all

News

      • ZDNet article on TrueCrypt's issue
      • Forbes news - Encryption tool endorsed by Snowden abruptly shuts
