TrueCrypt End of Life ?!

[SpywareDr]

Schneier on Security > TrueCrypt WTF

I have no idea what's going on with TrueCrypt. There's a good summary of the story at ArsTechnica, and Slashdot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow.

Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait and see what develops.

Tags: encryption, TrueCrypt
Posted on May 29, 2014 at 8:02 AM • 42 Comments

--

Over on Krebs they're saying:

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

?

[HAN]

Certainly strange goings on! How XP's EOL affects TC is beyond me. I never used TC much (AxCrypt has been the better choice for my needs.) But for container encryption, TC was very well thought out and pretty easy to use.

Strange this happens just as TC is being independently audited. https://opencryptoaudit.org/
There is supposed to be a comment from the audit team on Twitter later today (Thursday May 29) https://twitter.com/OpenCryptoAudit

[SpywareDr]

Yep, saw that.

Schneier on Security > Blog > Auditing TrueCrypt

Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis.

Quick summary: I'm still using it.

Posted on April 15, 2014 at 6:56 AM
...

[SpywareDr]

Latest: The Register > TrueCrypt turmoil latest: Bruce Schneier reveals what he'll use instead

...
One intriguing possibility – and one that's it's very difficult to either prove or disprove – is that this is a warrant canary triggered by pressure on TrueCrypt's developers by the feds to backdoor the software – which is favoured by the likes of Edward Snowden and his journo pals. Effectively, it would be a signal to the world that something is not right, without breaching any gagging order that may also be in place.

It could even be in response to a threat to unmask the development team.

"Somebody was about to de-anonymize the Truecrypt developers, and this is their response," suggested Prof Green.

Veteran security world watcher Graham Cluley said: "Whether hoax, hack or genuine end-of-life for TrueCrypt, it’s clear that no security-conscious users are going to feel comfortable trusting the software after this debacle. It’s time to start looking for an alternative way to encrypt your files and hard drive."

The outlook for those who rely on TrueCrypt to encrypt their drives and/or files just became overcast with doubt.

Johannes Ullrich of the SANS Technology Institute recommended FileVault and LUKS, for Mac OS X and Linux users, respectively, as potential alternatives. "Sadly, these are not compatible with each other. You will need to find a replacement for portable media that need to move between operating systems. PGP/GnuPG comes to mind as an option," he advised.

An earlier list of alternatives to TrueCrypt put together by security expert The Grugq can be found here.
...

--

arstechnica > Bombshell TrueCrypt advisory: Backdoor? Hack? Hoax? None of the above?

[HAN]

The Twitter link for the TC audit group has some updated info https://twitter.com/OpenCryptoAudit It's going to take some time for the dust to settle from all this hub bub...

[SpywareDr]

Yep, I've been watching it.

Since we don't know anything about the TrueCrypt team, we may never know exactly what happened.