[Cryptography] What is going on with TrueCrypt?

Peter Fairbrother zenadsl6186 at zen.co.uk
Thu May 29 21:01:26 EDT 2014


On 29/05/14 16:03, Peter Trei wrote:

> On Thu, May 29, 2014 at 1:42 AM, Tom Mitchell <mitch at niftyegg.com> wrote:

>
>>     Add patent litigation to the list of unknown interactions.
>
> Good point, but that's not really consistent with the form of the change
> - they'd have no reason I can think of not to call it out.
>
> Another possibility I've heard is that there's been a falling out among the
> (anonymous to most) devs, and one decided to send the project up in
> flames. However, the provision of modified versions seems over-elaborate
> for such an action.
>
> ATM, I'm still thinking 'Warrant Canary'. The longer the site remains
> modified, and the devs silent, the stronger that option becomes, imho.


I discard outright any possibility of it being an outside website hack - 
too hard, an attacker would need access to the TC website, the 
Sourceforge TC site, and to the code signing key.

The "Warrant Canary" theory doesn't seem to make a whole lot of sense 
either. It's possible, but why recommend BitLocker? When did someone 
have time to write all those code changes?

The theory which makes most sense to me is that it was an at least 
partly commercially-motivated self-takedown by the devs.



The recent change in name on the otherwise "same old code and binary 
signing key" is possibly significant here - the developers, or perhaps 
just some of them, may want to start up a commercial product in the new 
name.

The devs' commercial aspirations are well-known, witness the previous 
license issues, the failed crowdfunding and donations campaigns, the 
"TrueCrypt Developers LLC" registered in Nevada (thanks to Piergiorgio 
Sartor for that info). And they already own a good chunk of the IP 
rights in the TrueCrypt source.

The ending of the project was graceful, to some extent at least - people 
were not left with unrecoverable archives, and temporarily acceptable 
but not-as-good alternatives were suggested. A whole lot of work went 
into that.

It is obvious that this wasn't done in the heat of the moment - it must 
have taken at least several weeks to do the code revisions for the 7.2 
release. There have also been hints (e.g. the robots.txt file) for some 
months that something might be happening.

The only reason I can think of for doing all that work is maintaining 
reputation (or technical reputation at least - TrueCrypt devs are not 
exactly known for being people people, or for being particularly into 
"free open source" either).

No reasons why the code is/may be broken are given. Actually the 
"WARNING: Using TrueCrypt is not secure as it may contain unfixed 
security issues" does not even actually say TrueCrypt is broken, just 
that it may be.

And any unfixed issues might be fixed later, in the commercial version.

( Which would have been independently audited... at no cost to 
TrueCrypt... )



just a theory,

-- Peter Fairbrother
