The home page of the TrueCrypt virtual-disk encryption project was suddenly taken down, replaced with an announcement "Using TrueCrypt is not secure as it may contain unfixed security issues." The page contains a link to a new version of the software -- a read-only version that can only be used to recover pre-existing encrypted files.

While it's not uncommon for volunteer open-source software projects to fade away and vanish, this event does seem to be, as ComputerWorld calls it, a "baffling move":

In a move that appears designed to provoke widespread questions, the anonymous managers of the TrueCrypt open-source encryption project abruptly pulled the plug on the effort without explanation.

A mysterious message posted on the project's website on Wednesday warned users of unfixed security errors in TrueCrypt and cautioned them about the software not being secure.

The website provided detailed steps for TrueCrypt users to migrate to BitLocker, a commercial encryption tool. BitLocker is also Microsoft's encryption tool that ships with Windows....

The announcement caused widespread bafflement in the IT security industry....

The shutdown page suggests that the end of the project is related to the end of Windows XP support. This seems like a dubious explanation, given that TrueCrypt is multiplatform (Windows, Mac, Linux) and thus should not be so closely tied to Windows-specific developments; also, not all currently supported versions of Windows include full read-write BitLocker (the suggested replacement).

As the article succinctly puts it:

Almost no one is buying that.
Other theories lie at the end of the Orange Twist Road....

Theory 1: The TrueCrypt team rage-quit

As I noted above, open-source projects get discontinued all the time. Usually, they just stop updating; it's highly unusual for the developers to take down all the files (version history, source code, bugfix notes, etc.), release a crippleware version, and declare the software to be fundamentally unsound. Since the TrueCrypt team is anonymous, there's no way to tell whether any of them had a proclivity to take this sort of step or why they might have done it. Thus, it's possible that they (or just one of them with administrative control of the website) might have pulled an Eric Cartman "screw this, I'm outta here".

Theory 2: The TrueCrypt audit discovered a fundamental flaw

While the source code for TrueCrypt has been published for some time, it has only recently been subjected to a full audit. The first stage of the audit project turned up some bugs, but no critical problems; it's possible that the ongoing second stage discovered something that convinced the development team to write off the project.

Theory 3: The security-state apparatus leaned on them, and they shut down rather than comply

This is similar to the Lavabit scenario, except that Lavabit's announcement was much more straightforward in making the situation clear despite the gag order. Of course, the government may have written a tighter gag order to close off that loophole, leaving only the option of hinting via suddenly shutting down and offering a questionable rationale.

Unfortunately, none of these theories really lend themselves to confirmation or denial, at least in the near future. The completion of the audit (which is still in progress) may shed light on the matter, at least to the extent of confirming or refuting Theory 2.

One bright note: A team in Switzerland plans to fork (i.e. create an independent version of) the project, if the legal and technical issues can be resolved.


  •  Bad news at best. (3+ / 0-)
    Recommended by:
    stevemb, HoundDog, River Rover

    For the time being I am changing my passwords.

  •  This is unfortunate... (5+ / 0-)
    Recommended by:
    stevemb, quill, HoundDog, kharma, DMentalist

    Isn't TrueCrypt the encryption software that Snowden used/uses primarily?

    "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." - 17th-century French clergyman and statesman Cardinal Richelieu.

    by markthshark on Mon Jun 02, 2014 at 11:22:52 AM PDT

    •  Yep, that's it. (5+ / 0-)
      Snowden's Security Tips:

      Full disk encryption—This protects your hardware, meaning your physical computer. TrueCrypt is a good free option. It is open-source encryption for Macs, Windows 7/Vista/XP, and Linux.

      Network encryption—Browser plug-ins and SSL (Secure Sockets Layer) will suffice. Block Prism for Chrome secures Facebook messaging. NoScript for Firefox, ScriptSafe for Chrome, and Disconnect for Safari are viable plug-ins.

      Tor—Tor is a more dramatic step you can take to stay secure. It's a network of virtual tunnels (a mix routing network) that sends your ISP to a cloud through a network of routers, making it impossible for your telecommunications provider to spy on you by default. Learn more at

      First Snowden's email provider Lavabit suddenly and mysteriously shuts down, then Snowden's favored encryption software ALSO suddenly and mysteriously shuts down. Coincidence?

      If you're a privacy software developer and your product has been endorsed by Edward Snowden, you're probably not sleeping well these days...

  •  I've been following this story from the start. (10+ / 0-)

    I have to say I'm strongly inclined towards theory #3 - that the USG was trying to force them to introduce a back door or vulnerability by way of an NSL with gag order attached.

    As you say, no real evidence for that, just a hunch based in part on the rather odd nature of the announcement.

    "Turns out I'm really good at killing people." - President Obama

    by jrooth on Mon Jun 02, 2014 at 11:29:02 AM PDT

    •  The "Switch To BitLocker" Advice Was Totally WTF (1+ / 0-)
      Recommended by:

      BitLocker is a closed-source program from a corporation with a reputation for being in bed with the Feds. Why on earth would the TrueCrypt developers recommend it as an alternative?

      It's as if you surfed here one day and got a message purportedly from kos saying that the site was being taken down and recommending that you read FreeRepublic instead.

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Tue Jun 03, 2014 at 08:15:36 AM PDT

      [ Parent ]

      •  Yes, and the Linux advice was even worse ... (1+ / 0-)
        Recommended by:
        If you have files encrypted by TrueCrypt on Linux:

        Use any integrated support for encryption. Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation.

        If that isn't a big fat "don't trust anything we're saying" I don't know what is.

        "Turns out I'm really good at killing people." - President Obama

        by jrooth on Tue Jun 03, 2014 at 08:37:58 AM PDT

        [ Parent ]

  •  Smells like they got hit with an NSL requiring ... (7+ / 0-)

    Smells like they got hit with an NSL requiring them to put in a backdoor, and they shut down rather than give the American Stasi satisfaction.

  •  So what is the best encryption software for an (2+ / 0-)
    Recommended by:
    wilderness voice, stevemb

    average person to use to improve security. Maybe not enough to thwart the NSA but at least the kids down the street, or the average cyber-criminal.  

    Humor Alert! No statement from this UID is intended to be true, including this one. Comments and Posts intended for recreational purposes only. Unauthorized interpretations may lead to unexpected results. This waiver void where prohibited.

    by HoundDog on Mon Jun 02, 2014 at 12:42:59 PM PDT

    •  one time pad n/t (0+ / 0-)

      Rivers are horses and kayaks are their saddles

      by River Rover on Mon Jun 02, 2014 at 01:18:04 PM PDT

      [ Parent ]

      •  That's Not A Realistic Answer (0+ / 0-)

        A one-time pad is about the least useful option for "an average person to use to improve security" -- the logistical requirements of generating a truly random key as big as all the files that will ever be encrypted with it (and making sure to never reuse any part of it even once) are too demanding.

        On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

        by stevemb on Mon Jun 02, 2014 at 02:28:45 PM PDT

        [ Parent ]
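The two logistical constraints in the comment above (the pad must be at least as long as everything it will ever encrypt, and no part of it may be reused) can be seen directly in code. This is an added illustration, not code from the diary or from TrueCrypt; the messages and key are constructed sample values.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each message byte with the matching pad byte.

    A pad shorter than the message cannot be used: there is no safe way
    to 'stretch' it, which is why the pad must be as large as all the
    data it will ever protect.
    """
    if len(key) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the same pad bytes, XORing the
    ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2.
    The pad itself is never recovered, but the secrecy of both messages
    now depends only on each other, which is the failure mode reuse causes.
    """
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_second_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Given one plaintext, the other falls out of the XOR above.
    Demonstrates why a reused pad offers no protection at all."""
    leaked = xor_of_plaintexts(c1, c2)
    return bytes(x ^ p for x, p in zip(leaked, known_m1))


def demo() -> bool:
    """Round-trip with a fresh random pad (correct use) and then show
    what a second message under the same pad gives away (incorrect use)."""
    m1 = b"meet at the old bridge"   # constructed sample message
    m2 = b"bring the documents   "   # constructed sample, padded to same length
    key = os.urandom(len(m1))        # fresh pad, exactly the message length
    c1 = otp_encrypt(m1, key)
    assert otp_decrypt(c1, key) == m1
    c2 = otp_encrypt(m2, key)        # pad reuse: the mistake
    return recover_second_message(c1, c2, m1) == m2


if __name__ == "__main__":
    print("reused pad leaks the second message:", demo())
```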

    •  depends on what you want to encrypt (1+ / 0-)
      Recommended by:

      for whole disk encryption take a look at DriveCrypt.  If you travel with your laptop best to encrypt your hard drive in case it should ever fall into the wrong hands.

    •  It Depends On What You Need It For (0+ / 0-)

      If you're securely archiving some files that only need to be accessed occasionally, a file compression program with strong encryption like 7-zip will do the job. It's a bit awkward, though -- in order to read or work with the files you'll need to decompress/decrypt them manually (and then recompress/reencrypt them and securely erase the unencrypted working copies).

      CryptSync uses the same encryption and combines it with sync functionality (i.e. you set up two folders, one unencrypted and one encrypted, and the program synchronizes them, creating new encrypted files in one folder to match new/modified ones in the other). Again, remember to securely erase the unencrypted files after working with and encrypting them.

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Mon Jun 02, 2014 at 02:47:26 PM PDT

      [ Parent ]

  •  DistroWatch also had a paragraph on this. (4+ / 0-)
    In a move which surprised many people last week the TrueCrypt website announced the popular volume encryption project was coming to a close. For years the TrueCrypt software has been used by thousands of people to keep their data private and it was an unpleasant surprise when the following message appeared on the TrueCrypt website: "Using TrueCrypt is not secure as it may contain unfixed security issues. This page exists only to help migrate existing data encrypted by TrueCrypt." No explanation for the open source project being shut down was given, leading to much speculation as to the developers' motivations. Since TrueCrypt's surprise announcement, a new project has started up which provides TrueCrypt packages and, the team claims, will continue work on the TrueCrypt software.
    DistroWatch Weekly, Issue 561, 2 June 2014 Miscellaneous News (by Jesse Smith)

    The new project is at:

    The web page says that they have all of the downloads that you can no longer get from, they are making the source code available with a github repo, and that the development will no longer be anonymous.

  •  The security-state apparatus (2+ / 0-)
    Recommended by:
    stevemb, DMentalist

    That's my bet.
