I haven't heard anything since the first few forum posts. Did we ever figure out definitively if it was a hack, information operation, canary, dead man's switch or what?
Conjecture:
TrueCrypt was developed mainly by one person. This person wrote TrueCrypt to encrypt his WinXP laptop/PC, but does not need it anymore now, because he can use BitLocker.
TrueCrypt is a consumer facing Open Source project. Those rarely have a large developer community and seldom get patches. Most successful ones are backed by corporate interests (Firefox, Eclipse, VirtualBox, ...).
Having no need of TrueCrypt himself, no other developer in the community to whom he could entrust the project, and faced with drudgery like he probably also has at his job (except he gets paid there), he probably did not want to continue developing and improving TrueCrypt (e.g. EFI support).
At this point, since it is a critical security product, there is no other option than to warn all users. If there is a fork, it has to earn its reputation first.
I view truecrypt.ch as a bad development, since a) TrueCrypt is trademarked by the developer and b) the TrueCrypt license explicitly says that you cannot fork the project without renaming it to something other than TrueCrypt.
A person who the Truecrypt Audit Project has some evidence is the actual Truecrypt developer, in an email I've seen (because I'm working with the project), more or less confirmed this story.
In particular: many people on HN seem to think that Linux Truecrypt is the most important product of the Truecrypt project, but the developers don't see it that way; they started the project for Windows, and Windows has good FDE now.
It is worth being clear that TrueCrypt is not an 'Open Source project'. The source is available, but it is under a proprietary license designed to discourage forks and reuse and allowing the original authors to sue you. The one-off TrueCrypt license means that TrueCrypt code cannot be utilized under any OSI-recognized open source license, as it is incompatible with them. The FSF, Ubuntu, etc. all agree that TrueCrypt can't be considered open source. The source is available, but it's difficult for you to use it other than to analyze it.
My issue with the fork is the two guys who threw together the site to get "FIRST!!" dibs don't actually seem like developers capable or willing to continue the fork themselves. They just want credit for the work they want others to do for them.
Truecrypt is not open source if its license is ever enforced. It forbids commercial distribution. This does not fit the open source definition, which means a lot more than merely "the source is visible".
I had to use this mirror recently, as there are already bad copies floating about; it is trusted hosting for the last ungimped version for Windows and Linux. Check the hashes n' sigs!
I would encourage you to listen to Steve Gibson's Security Now podcast on TWiT. But the gist is: TrueCrypt has not been hacked. Take a listen to the "TrueCrypt WTF?" episode.
tobias3|11 years ago|reply
See https://www.grc.com/misc/truecrypt/truecrypt.htm "And then the TrueCrypt developers were heard from . . ."
tptacek|11 years ago|reply
JohnTHaller|11 years ago|reply
nhayden|11 years ago|reply
jordigh|11 years ago|reply
http://jordi.inversethought.com/blog/5-things-we-have-forgot...
u124556|11 years ago|reply
imaginenore|11 years ago|reply
BitLocker is not open source and is pretty much guaranteed to have a backdoor considering Snowden's leaks about Microsoft and NSA.
MiWDesktopHack|11 years ago|reply
aaw|11 years ago|reply
pessimizer|11 years ago|reply
abdullahkhalids|11 years ago|reply
There were a bunch of other tweets with further details, but those seem to have been deleted.
https://twitter.com/AlyssaRowan/status/472303977997279232
Note: I am not claiming this is necessarily true.
tptacek|11 years ago|reply
dewey|11 years ago|reply
I haven't come across any new and definite information since the hack/shutdown.
korzun|11 years ago|reply
This is pretty sad/funny.
dfc|11 years ago|reply
Dino's Pizzeria is my favorite place to get pizza. I have never had a pizza from Dino's Pizzeria.
hbeaver|11 years ago|reply
http://twit.tv/show/security-now
nodata|11 years ago|reply