The home page of the TrueCrypt virtual-disk encryption project was suddenly taken down, replaced with an announcement "Using TrueCrypt is not secure as it may contain unfixed security issues." The page contains a link to a new version of the software -- a read-only version that can only be used to recover pre-existing encrypted files.
While it's not uncommon for volunteer open-source software projects to fade away and vanish, this event does seem to be, as ComputerWorld calls it, a "baffling move":
In a move that appears designed to provoke widespread questions, the anonymous managers of the TrueCrypt open-source encryption project abruptly pulled the plug on the effort without explanation.
The shutdown page suggests that the end of the project is related to the end of Windows XP support. This seems like a dubious explanation, given that TrueCrypt is multiplatform (Windows, Mac, Linux) and thus should not be so closely tied to Windows-specific developments; also, not all currently supported versions of Windows include full read-write BitLocker (the suggested replacement).
A mysterious message posted on the project's website on Wednesday warned users of unfixed security errors in TrueCrypt and cautioned them about the software not being secure.
The website provided detailed steps for TrueCrypt users to migrate to BitLocker, a commercial encryption tool. BitLocker is also Microsoft's encryption tool that ships with Windows....
The announcement caused widespread bafflement in the IT security industry....
As the article succinctly puts it:
Almost no one is buying that.
Other theories lie at the end of the Orange Twist Road....
Theory 1: The TrueCrypt team rage-quit
As I noted above, open-source projects get discontinued all the time. Usually, they just stop updating; it's highly unusual for the developers to take down all the files (version history, source code, bugfix notes, etc.), release a crippleware version, and declare the software to be fundamentally unsound. Since the TrueCrypt team is anonymous, there's no way to tell whether any of them had a proclivity to take this sort of step or why they might have done it. Thus, it's possible that they (or just one of them with administrative control of the website) might have pulled an Eric Cartman "screw this, I'm outta here".
Theory 2: The TrueCrypt audit discovered a fundamental flaw
While the source code for TrueCrypt has been published for some time, it has only recently been subjected to a full audit. The first stage of the audit project turned up some bugs, but no critical problems; it's possible that the ongoing second stage discovered something that convinced the development team to write off the project.
Theory 3: The security-state apparatus leaned on them, and they shut down rather than comply
This is similar to the Lavabit scenario, except that Lavabit's announcement was much more straightforward in making the situation clear despite the gag order. Of course, the government may have written a tighter gag order to close off that loophole, leaving only the option of hinting via suddenly shutting down and offering a questionable rationale.
Unfortunately, none of these theories really lend themselves to confirmation or denial, at least in the near future. The completion of the audit (which is still in progress) may shed light on the matter, at least to the extent of confirming or refuting Theory 2.
One bright note: A team in Switzerland plans to fork (i.e. create an independent version of) the project, if the legal and technical issues can be resolved.