I thought it wouldn't take long. The story has been picked up and is being discussed and debated in a number of places. Read for instance the comments appended to Brian Krebs' article -
And the Wilders Security contributors also think there's something very strange going on.
Bruce Schneier is sitting on the fence: he doesn't know anything either but he's given links to other sites who also don't know much.
As for the download on the Sourceforge site, DON'T DOWNLOAD IT !
According to The Register, the download is highly suspect.
Even more worrying, The Reg has confirmed that a binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today's website switcheroo.
Don't run that binary! Someone has built versions of TrueCrypt from vandalised source code
We ran the executable in a virtual machine so that you don't have to, and on Windows 8.1 it was blocked by the SmartScreen feature, suggesting it may contain malware. Launching it on an older system immediately displayed the "warning" message before installation proceeded, and the dropped executables contained the above quoted text.
Edit: SANS have something to say about the certificate used for the download
- The new "decrypt only" binary was signed with what looks like a valid Truecrypt code signing key (I believe GRC.com investigated this)
- The PGP signature was valid as well
- The Truecrypt development team is anonymous, and so far, no word if the code review team was able to reach them.
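Since The Reg's check above came down to "the dropped executables contained the quoted text", here is a small scanner that does the same thing without running anything. This is my own example added to the thread, not code from The Register, SANS or the TrueCrypt project, and the SAMPLE_BINARY it scans is a constructed stand-in for an installer, not the real 7.2 download. The one practical point it makes: Windows resource and MessageBox strings are stored as UTF-16LE, so a plain `strings` run (8-bit text only) can miss the message entirely; the scanner looks for the marker in both encodings.

```python
"""
Scan a binary for a marker string in the encodings Windows executables use.
Added example for this thread; not The Register's, SANS' or TrueCrypt's code.
SAMPLE_BINARY is constructed for illustration, not a real TrueCrypt installer.
"""
import re
from typing import List, Tuple

# Marker text taken from the rewritten SourceForge page quoted in this thread.
MARKER = "Using TrueCrypt is not secure as it may contain unfixed security issues"

# PE resource strings are UTF-16LE; ASCII covers strings embedded in code/data.
# (UTF-16BE is deliberately left out: for ASCII-range text its byte pattern is
# the LE pattern shifted by one byte, which produces false hits on zero padding.)
ENCODINGS = ("ascii", "utf-16-le")


def find_marker(data: bytes, marker: str = MARKER) -> List[Tuple[str, int]]:
    """Return (encoding, byte offset) for every occurrence of `marker` in `data`."""
    hits = []
    for enc in ENCODINGS:
        needle = marker.encode(enc)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((enc, idx))
            start = idx + 1
    return hits


def extract_strings(data: bytes, min_len: int = 8) -> List[Tuple[str, int, str]]:
    """Roughly `strings` (8-bit) plus `strings -e l` (UTF-16LE): printable runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16-le", m.start(), m.group().decode("utf-16-le")))
    return sorted(found, key=lambda t: t[1])


def suspicious(data: bytes) -> bool:
    """True if the marker appears in any supported encoding."""
    return bool(find_marker(data))


# Constructed stand-in for a dropped executable: a fake MZ header and DOS stub,
# the marker stored as a Windows resource string would be (UTF-16LE), then the
# same marker as 8-bit text so both detection paths are exercised.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 32
    + MARKER.encode("utf-16-le")
    + b"\x00" * 16
    + b"WARNING: " + MARKER.encode("ascii")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for enc, off in find_marker(SAMPLE_BINARY):
        print(f"marker found as {enc} at offset {off:#x}")
    for enc, off, s in extract_strings(SAMPLE_BINARY, 12):
        print(f"{off:#08x} {enc:10} {s}")
```

To use it on a real file, read the installer with `open(path, "rb").read()` and pass the bytes to `find_marker`; a hit tells you the file carries the rewritten-site text, which says nothing about how the binary was built but is exactly the observation The Reg reported.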
Interesting read... Thanks Hayton.
The plot thickens. What on earth is this all about? Slide 23 has been censored by the US Government ...
That could have been an interesting slide, judging by the one detailing successful attacks against BitLocker
Edit - Oh, and as various contributors have been pointing out, TrueCrypt was used by Edward Snowden and Glenn Greenwald to encrypt the contents of drives containing copies of assorted NSA documents, particularly when Greenwald was in transit. If someone had access to a clone of one of those drives - such as might be obtained, say, by detaining Glenn Greenwald for 8 hours at an airport for questioning while his laptop was taken somewhere else for examination - it would be helpful, to say the least, to have some means of accessing the encrypted contents. This story has as many layers as an onion, and as many red herrings as a Chinese fish market.
The TC team were never fans of Microsoft - it's a red flag for me that they would promote bitlocker so aggressively when there are a number of good open source and commercial alternates.
Also the whole message is weird. If they were tired of the project, all they had to do was say so. If they found critical bugs, I'd have expected them to point them out.
I'm sure this will unfold in interesting ways.
The TC team were never fans of Microsoft - it's a red flag for me that they would promote bitlocker
That has been noted by a number of people. As I said, it's very strange.
I'm sure this will unfold in interesting ways.
Oh, I do hope so. There's a lot more here than has been publicly revealed. I'll keep an eye on it and as soon as there are any new revelations (or even interesting gossip) I'll post some more.
Edit - Conspiracy theories are everywhere. How about this one for a start - from the Sourceforge web page :
"Using TrueCrypt is not secure as it may contain unfixed security issues"
Embedded content : "TrueCrypt is not secure as"
Boils down to "Not Secure As"
which .... ah, you're ahead of me.
There's more to this than just discontinuing product development. The sourceforge web page is a 301 (Moved Permanently) redirect from the TrueCrypt web site (www.truecrypt.org), where there appears to have been a massive purge of everything related to the project - the site itself, the user forum, code repository, everything.
Someone pointed out the strange coincidence that SourceForge last week issued a force-password-reset notice. "No known breach or compromise" must mean what it says, but it leaves open the question whether there was a suspected but unproven breach.
Edit: SourceForge insist there was no compromise - https://news.ycombinator.com/item?id=7813121
https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html (and except where specified otherwise)
... this has wiped out the TrueCrypt forum too.
There were hundreds of users at the TC forum (myself included), which contained a goldmine of information, not just about TrueCrypt itself but also crypto and computer security in general.
.... it would seem that that repository of knowledge is gone at a stroke.
the "hacker" didn't just take over truecrypt.org in order to serve malware from it. It is using the domain to discredit TrueCrypt, which makes this a more elaborate attack...
"the binary on the website is capable only to decode crypted data, not encode, and may contain trojan. The binary is signed with the valid (old) key. All old versions are wiped, the repository is wiped too."
So it looks like a hack
this executable was “certified with the official TrueCrypt signing key, proving that whoever updated the website is also in a position to release and certify new versions of the encryption software.”
Various posters have speculated that what we have seen is either an emergency counter-response - a scorched-earth policy - or else an automatic fail-safe - a Dead Man's Handle.
It has the mark to me of a counter-hack - someone (one or more devs, outside hackers, FBI/NSA/FSB/etc or a combination thereof) gained or asserted control of the project and, to forestall this, someone else (one or more devs not in the first group) broke into the site, trashed as much as possible, and urged everyone away from the project.
The highly atypical endorsement of BitLocker raises a number of red flags, and almost everyone has pointed to it as being a deliberate plant. If there was dirty work involved in this project takedown then the Bitlocker endorsement might be a way of signalling to those who know that that's what happened. If there was Acronym involvement then pushing people towards BitLocker makes little sense even if BL (as is widely assumed) has NSA backdoors built-in; it would have been better to have compromised TrueCrypt and let Persons Of Interest keep using it. Also,
The XP thing makes no sense. Windows 7 is moving to dominance and bitlocker is not available to Windows 7 home edition users -- a large portion of that code base.
The TrueCrypt code was in the process of being audited. The first stage of the audit is complete. If there were a serious vulnerability, or a deliberate backdoor, in the code the audit should have detected it. The results of the first stage of the audit have now been made public, and so far no significant problems have been detected. The team doing the audit have said they intend to continue with their work - and start the second stage - even though TrueCrypt appears to have been abruptly abandoned.
Steve Gibson has been in contact with Professor Matthew Green of Johns Hopkins University, who has been one of those conducting the audit
Research Professor Matthew Green, Johns Hopkins Cryptographer who recently helped to launch the TrueCrypt Audit, is currently as clueless as anyone. But his recent tweets indicate that he has come to the same conclusion that I have:
- I have no idea what’s up with the Truecrypt site, or what ‘security issues’ they’re talking about.
- I sent an email to our contact at Truecrypt. I’m not holding my breath though.
- The sad thing is that after all this time I was just starting to like Truecrypt. I hope someone forks it if this is for real.
- The audit did not find anything — or rather, nothing that we haven’t already published.
- The anonymous Truecrypt dev team, from their submarine hideout. I emailed. No response. Takes a while for email to reach the sub.
- I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site.
- Unlikely is not the same as impossible. So it’s *possible* that this whole thing is a hoax. I just doubt it.
- But more to the point, if the Truecrypt signing key was stolen & and the TC devs can’t let us know — that’s reason enough to be cautious.
- Last I heard from Truecrypt: “We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!”
This whole thing remains a mystery, which is why it's generating so much furious debate.
Let the final word (for now) go to David Meyer at gigaom.com, which has a wry comment on the tendency to look for over-complicated solutions to intractable problems. Maybe we're all overlooking something blindingly obvious and terribly simple.