Good Sam Community

It would be nice if the TC devs said that the system level encryption was a no-go, and still kept a product that could maintain file/disk encryption, similar to how TC was created initially. That way, once a dev that could work on boot level encryption was found, the feature could be re-added.

In another forum (The Krebs one), there were claims by the SecurStar people about TC having licensing issues, as it also originated from a product called E4M. So, maybe the fact that there were doubts cast on the source code, the auditing, lack of funding, a lot of demands on their forums, and many other items, this might have been the straw that broke the camel's back and the people running the TC Foundation just dropped their cards on the table and moved on to other things. I was worried when I had permission issues when attempting to run TC under Windows 8 and 8.1, no updates were made to address this, so I had to run TC in a VM so I could decode existing containers, while new files went into BitLocker protected .VHD files.

What TrueCrypt brought to the table was the ability to use hidden containers. This way, truly confidential data (business accounts payable/receivable) would be on the hidden volume while decoy stuff (like false spreadsheets) would be on the outer volume. A friend of mine who travels overseas learned to do this when the government on the other side not just demanded his laptop, but demanded all passwords to all E-mail accounts and containers, and refusing to give access was a life sentence in prison. (The way they would give a life sentence was clever. Every time one refused to answer a question, they would get 3-4 years in the slammer. So the interrogator would ask them 20-30 times in a row, tacking on the years each time.)

For Windows, I use BitLocker because it is available, and very easy to deal with. However, for cross platform compatibility, I may end up moving back to Jetico's BestCrypt (a program I used before TrueCrypt was out for both containers and system encryption.) It isn't open source, but it does have hidden container protection.

Another option I might do is look at Symantec's Encryption Desktop (formerly PGP Desktop.) It works on Mac, Windows, and Linux, and offers the only public key protection on data volumes out there. This is an excellent product, but not cheap, although the source code is downloadable.

I did read the Krebs article early on, and he does seem to be accurate in his reporting. Here's a comment I read on Slashdot which appears to support his assumption that the Truecrypt developers may have decided to end the project:

They probably just decided to end the project. My experience is that it has been slowly dieing for a long time. I have been heavily involved with truecrpyt and its source code for many years. I make programs to custom edit the boot screen and otherwise customise TC's appearance. My programs are not forks, rather they edit the actual binary code installed, so that users can easily use it on existing installations. What you have to understand is that truecrypt has added very little functionality for a very long time. In particular they seem to have lost the key developers who did the code in the boot sectors. For those who don't know, along time ago the program was to big to fit into the boot sectors, and a special deflate algorithm was added to decompression the boot sector code. My code to unzip the boot program and edit its string display strings is still the same code from tc 5.0, and it still works on the latest edition. The guys who code this section appear to be long gone from the project, hence absolutely nothing done over UEFI. The changes that have occured look questionable, in that the people making them seem to have very limited assembly understanding and were hacking on bits instead of properly modifing the programs flow. Secondly getting TC to work with operating systems is extremely complicated, especially for windows. It was micorosoft who eventually released the API's that were used to make truecrypt properly handle sleep/hibernate. These API's are not forthcoming to Win8 or beyond, and in all honesty - windows is the only market that matters. I am going to guess that one of the last known developers knows there is a bug that they can not longer believe they have the experience or skill to fix properly, and hence has decided to shut it down.

Source: Slashdot.org.

I don't see where there are any non-proprietary cross-platform solutions. BestCrypt is cross-platform, but proprietary.

I guess it also depends on if you're looking for FDE (full disk encryption) solutions or container solutions since Truecrypt offered both.

Mini wiki war
https://en.wikipedia.org/w/index.php?title=TrueCrypt&action=history

Sure is a fun mystery to watch. Speculation all over the board, the team behind TC were so secretive it makes it difficult to verify anything. Outside influence, or internal team strife, hmmm :h Looking at the DiskCryptor website they seem to only support Windows.

Edit: I liked this write up, just passing it along
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Fastfwd75 wrote:
Maybe they got into trouble with the government for not wanting to add a backdoor.

Lavabit had a similar problem when they were asked to hand over the confidential keys to owner's email.
http://lavabit.com

This seems like the most likely scenario given their opposition to proprietary encryption in the past. Recommending BitLocker is about as out of character for the Truecrypt folks as possible, almost as if it's so unbelievable as to be a message. But who knows? No one even knows who the developers are.

Maybe they got into trouble with the government for not wanting to add a backdoor.

Lavabit had a similar problem when they were asked to hand over the confidential keys to owner's email.
http://lavabit.com

As to what is going on with Truecrypt.org, two members of the audit team, Matthew Green, who apparently is a skeptic of Truecrypt, posted this comment:

Matthew Green @matthew_d_green

I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite



Matthew Green @matthew_d_green · 15h

.@leEb_public @mattblaze The audit did not find anything -- or rather, nothing that we haven't already published.

For which Kenn White tweeted:

Kenn White @kennwhite
Follow

Same here. A site that's been maintained for 9+ yrs going static w/ a redirect to SF seems out of character, but no idea. @matthew_d_green

Krebs on Security is also reporting that in a phone interview with Matthew Green, that he thinks the anonymous developers may have decided to end the project.

Matthew Green @matthew_d_green · 13h

An alternative is that somebody was about to de-anonymize the Truecrypt devs and this is their response.

1492 wrote:
The theregister.co.uk is also reporting that the new TrueCrypt 7.2 binaries posted have been altered, and only decrypt volumes. It's encryption capabilities removed. But could also possibly contain malware? They also report that although these files appeared to be digitally signed by the developers, that a "new and untrusted key was used"?

This mystery just gets better and better? :h

I'm not sure I'd go by anything The Register says - they're kind of technology's version of the National Enquirer. This article is probably a better source and it doesn't say anything about a "new and untrusted key". Also the "big news" from the auditors was about a new auditing project. It sounds much more suspicious the way The Register writes it.

mlts22 wrote:
What really worries me is that the TrueCrypt 7.2 files were not just signed by the Windows Authenticode key, but the PGP/gpg key as well. If this was a hacker, it was an extreme compromise, as private keys are usually kept offline.

Serious stuff here, be it a hacker or worse.

The theregister.co.uk is also reporting that the new TrueCrypt 7.2 binaries posted have been altered, and only decrypt volumes. It's encryption capabilities removed. But could also possibly contain malware? They also report that although these files appeared to be digitally signed by the developers, that a "new and untrusted key was used"?

This mystery just gets better and better? :h

Frontline recent broadcasts revealed the use of thousands of none-disclosure under penalty of law notices issued to tech companies. But it's also apparently known, and taught in forensic discovery about the use of backdoors in commercial encryption programs, and the legal requirement of non-disclosure of such.

Open-source encryption apps at least allow the possibility of auditing the code to examine for such exploits. Could this be the end of such programs?

What really worries me is that the TrueCrypt 7.2 files were not just signed by the Windows Authenticode key, but the PGP/gpg key as well. If this was a hacker, it was an extreme compromise, as private keys are usually kept offline.

Serious stuff here, be it a hacker or worse.

Maybe, Truecrypt was too good? I would be suspicious of the notice posted on Truecrypt.org:

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

What does the end of Windows XP support have to do with the end of Truecrypt development? Nothing really?

In fact, an independent audit of Truecrypt is currently ongoing, with the initial phase complete, indicating "no backdoors discovered" by IsTrueCryptAuditedYet?. Some weaknesses have been noted, including the recommendation of using a strong password to avoid brute force password attacks. But "nothing" posted on their site indicating critical vulnerabilities that would warrant such a warning on Truecrypt website?

The real question is who posted that warning? Could the website have been hacked, the domain seized or developers under a legal gag order?

What's even more confusing is the recommendation to migrate to a commercial encryption package such as Bitlocker? Though noted as an effective solution for Windows, questions remain about its code integrity? Specifically, reports of law enforcement requesting developers engineer backdoor access? Even some suggesting MS was compensated to do so, and legally required not to disclosure such?

I would not download any newly posted files on Truecrypt.org until more info surfaces. Especially, since its been reported that these new binaries only decrypt existing Truecrypt volumes, and do not offer encryption capabilities?

However, you can still get the previous versions from a repository such as truecrypt-archive. At least for now?

UPDATE: A Forbes article Open Source Crypto TrueCrypt Disappears With Suspicious Cloud Of Mystery speculates as to why it suddenly disappeared?

As an alternative, there is always Diskcryptor which branched from TrueCrypt.

Of course it could be the NSA that got to the site and they want to make sure you use the windows tool because they have a back door 😛