LandzDown Forum

Software & More => Web News => Topic started by: Frands on May 31, 2014, 09:21:35 AM

Title: TrueCrypt is not secure?!
Post by: Frands on May 31, 2014, 09:21:35 AM
Hi,

"TrueCrypt is not secure," official SourceForge page abruptly warns

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.

Quote: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.

http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/

Further reading:

http://truecrypt.sourceforge.net/

http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/

http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html

https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

(My search: http://www.version2.dk/)

Title: Re: TrueCrypt is not secure?!
Post by: Corrine on May 31, 2014, 12:55:42 PM
I've seen a few comments suggesting a Lavabit comparison as mentioned by Bruce Schneier.

Title: Re: TrueCrypt is not secure?!
Post by: LilBambi on May 31, 2014, 05:16:58 PM
Yep, plodr mentioned Bruce Schneier's blog (https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html) over at Scot's Newsletter Forums. I went and got the link to the specific blog posting:

https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html

He shares a couple great links to Brian Krebs and the one below from Cory Doctorow's BoingBoing blog post.

Interesting quote from Cory Doctorow's BoingBoing (http://boingboing.net/2014/05/29/mysterious-announcement-from-t.html) article:

Quote: Truecrypt is a widely used system for disk-encryption, and is particularly noted for its "plausible deniability" feature, through which users can create hidden partitions within their cryptographic disks that only emerge if you enter the correct passphrase; this is meant to be a defense against "rubber hose cryptanalysis," in which someone is physically or legally threatened in order to coerce them into yielding up her keys. In the "plausible deniability" scenario, the victim can give up the keys to a "harmless" partition while keeping the very existence of a second partition for sensitive material a secret. I am a Truecrypt user, as, apparently, is Edward Snowden, who lectured on the software's use at a Cryptoparty he held in Hawai'i (http://boingboing.net/2014/05/21/edward-snowden-hosted-a-crypto.html) before going on the run.

I begin to smell a rat.

Remember Lavabit (http://lavabit.com/)...