TrueCrypt is Now Abandonware?!

[mwb1100]

Another problem with that scenario is that while Vista and later support BitLocker, not all editions of Windows support it. You need to have Ultimate or Enterprise (or Pro on Win8). Home, Home Premium, or Pro (on Vista or Win7)  won't cut it.  And that's putting aside the trust issues that people might have with BitLocker.

It's certainly possible that the devs (I thought there were 2 or 3) don't want to work on the project anymore and might not think it's as important as it once was.  But it would be a pretty mean thing to remove people's ability to continue to choose to use the encryption capabilities as they existed in 7.1a just because there are alternatives out there. Then again, they weren't being paid by the users (or if they are, it's donations only), so other than by way of goodwill, there's no reason to expect that the devs should provide anything.

I wouldn't be too surprised if the devs simply resent that the audit effort got a rather large funding pretty quickly (I think that it's possible that the $70K crowdfunded for the audit might be more than the TrueCrypt project received in donations), and decided to pack it in as a result.

[Stoic Joker]

Another problem with that scenario is that while Vista and later support BitLocker, not all editions of Windows support it. You need to have Ultimate or Enterprise (or Pro on Win8). Home, Home Premium, or Pro (on Vista or Win7)  won't cut it.  And that's putting aside the trust issues that people might have with BitLocker.

-mwb1100 (May 30, 2014, 04:02 AM)

That's a really big (like $200) sticking point to contend with. Especially when coupled with the fact that BitLocker requires the existence of a system partition and a TPM chip or thumb drive "key" to implement, so it's really - a bit of a PITA - not a 2 click fix.

[rgdot]

How many used TC for whole disk encryption vs containers? In the case of the latter, which I guess had more users, Bitlocker is not even an alternative.

[phitsc]

If a crowd-funded security audit of your FOSS project doesn't convince you that there is a tremendous interest in your project, I don't know what will.

Also, bitlocker cannot replace TrueCrypt, as bitlocker is not cross-platform.

And then, why no encouragement for someone to fork, if they see a need for the tool?

Even for someone not usually into conspiracy theories this sounds rather fishy.

[40hz]

I'm guessing somebody hired them. Hence the abrupt cessation with no advance warning or details given.  

Forking in the usual sense isn't possible. Truecrypt has its own somewhat ambiguous license which is most assuredly not written in the spirit of the GPL. The FSF has disputed TC's characterization of itself as a "free open source" project for some time now. And with the recent news it's been noted that the license has also been changed so that all "attribution" language has been removed. Since that language also spoke of derivative works, the right to do derivatives or incorporate TC into another product (in exchange for attribution to TC) also appears to no longer apply - hence: no fork. Legal opinion seems to concur that TC's code cannot be forked or incorporated in something else under the current licensing language.  

Expect a commercial product release in the near future.

[wraith808]

So... anyone have a spare copy of an earlier version lying around?  Redoing my computer, and realized that I didn't keep a copy...

[40hz]

So... anyone have a spare copy of an earlier version lying around?  Redoing my computer, and realized that I didn't keep a copy...

-wraith808 (May 30, 2014, 09:27 AM)

Filehippo.com still shows older pre-7.2 versions available from them for download although I don't know if these versions have already been 'new' disabled or how long they'll remain up. Better jump on it and check. All the other major download sites I looked at are showing version 7.2 only.

[rgdot]

I have a "Truecrypt Setup.exe" 7.1a on my XP. If that's not ok I believe Filehippo keeps some old versions. http://www.filehippo.../download_truecrypt/

[rgdot]

I lost the race to 40hz  

[Jibz]

Theres some archived stuff at the bottom of https://www.grc.com/...ecrypt/truecrypt.htm

[wraith808]

I have a "Truecrypt Setup.exe" 7.1a on my XP. If that's not ok I believe Filehippo keeps some old versions. http://www.filehippo.../download_truecrypt/

-rgdot (May 30, 2014, 09:52 AM)

I got a 7.1a from FileHippo and I'll check it when I get home.  If it's not good, then I might be asking you for your setup file

I only use containers.. and bitlocker doesn't help with that.  *sigh*

How long before this is forked?  I mean, the source *was* available, right?

[40hz]

I lost the race to 40hz  

-rgdot (May 30, 2014, 09:53 AM)

I probably only had the jump because I've had clients all in a tizzy start e-mailing me about this beginning at 5:00 this morning -  so I've had time to go look.  

I can't sympathize too much with their moaning. Much as I like TrueCrypt, I've warned them repeatedly to be cautious about deploying or depending on it since (a) AFAIK nobody really knows who's behind it; and (b) it's a 'free' product - and sometimes free products just disappear without warning leaving you high and dry.

Guess I was right on both points.

I hate it when that happens.

[wraith808]

Theres some archived stuff at the bottom of https://www.grc.com/...ecrypt/truecrypt.htm

-Jibz (May 30, 2014, 10:01 AM)

Wow, thanks!  That's a very useful link!

I can't sympathize too much with their moaning. Much as I like TrueCrypt, I've warned them repeatedly to be cautious about deploying or depending on it since (a) AFAIK nobody really knows who's behind it; and (b) it's a 'free' product - and sometimes free products just disappear without warning leaving you high and dry.

Guess I was right on both points.

-40hz (May 30, 2014, 10:05 AM)

Not with OSS   Which is why I lean towards that for free software that I'm really going to integrate into my workflow.

The mistake these developers made was in believing that they still “owned” TrueCrypt, and that it was theirs to kill.

[40hz]

How long before this is forked?  I mean, the source *was* available, right?

-wraith808 (May 30, 2014, 10:04 AM)

As previously mentioned, TC was never released under a standard FOSS license. And that license has since been changed. The new license makes no provision for using any part of TC's code (which is available) in (or for) something else. Most lawyers think TC cannot be legally forked given the license it's under.

Such is the danger of taking the label "free open-source software" as read without looking into the actual license that applies. Anybody can call anything a FOSS project without incurring any legal obligation or liability. And many individuals and companies (including Microsoft and Oracle) routinely use the word "open" to mislead and muddy up the waters.

Caveat emptor! And beware of geeks bearing gifts.

[40hz]

Not with OSS  Which is why I lean towards that for free software that I'm really going to integrate into my workflow.

-wraith808 (May 30, 2014, 10:10 AM)

You're probably a better coder than I'll ever be. There are several OSS products I depend on that I'd be forced to abandon unless somebody else continues to maintain them. Because I certainly couldn't. And also why I send them a check.

Having source available is all well and good. In theory. But unless you have the chops to maintain and develop it yourself - or the money to single-handedly fund ongoing work on it - once the project's dev team quits the field you’re up the proverbial creek. Or at least I'd mostly be. YMMV

[mwb1100]

And that license has since been changed. The new license makes no provision for using any part of TC's code (which is available) in (or for) something else.

-40hz (May 30, 2014, 10:15 AM)

The 7.1a release is licensed under the TrueCrypt License Version 3.0, which seems to permit forks (even if it's not truly an open source license due to attribution and renaming clauses or other restrictions).  As far as I know, the license that TrueCrypt 7.2 was released under wouldn't apply to the 7.1a release.

[40hz]

And that license has since been changed. The new license makes no provision for using any part of TC's code (which is available) in (or for) something else.

-40hz (May 30, 2014, 10:15 AM)

The 7.1a release is licensed under the TrueCrypt License Version 3.0, which seems to permit forks (even if it's not truly an open source license due to attribution and renaming clauses or other restrictions).  As far as I know, the license that TrueCrypt 7.2 was released under wouldn't apply to the 7.1a release.

-mwb1100 (May 30, 2014, 10:37 AM)

All of the TC licenses have been questioned by various Linux/FOSS groups. Several attorneys characterized the licenses as "a legal minefield" and "misleading."

I really can't see anybody (in a position to do so) wanting to have anything to do with TC going forward. The encryption methods are well known, and there are a lot of good programmers out there. What TC brought to the party was a simple GUI and easily installable binaries. It primarily made some complex technology accessible to the masses. Praiseworthy - but nothing that couldn't be done by others.

TrueCrypt's codebase is not essential for anything. There are already existing projects (e.g. tc-play and others) that have been released under genuine FOSS licensing. These could just as easily be used to provide the same functionalities TrueCrypt formerly offered - or to create entirely new encryption products.

I personally think TrueCrypt got used as much as it did for three very simple reasons: (1) It worked. (2) It was easy to install. (3) It was easy to use. None of that is something that couldn't be accomplished by other coders. Especially with the talent pool that's out there.

And it will.

So vaya con Dios, TrueCrypt...

So long, and thanks for all the fish.



----------------------------------------------------------------------------------------

Note: the thing that really makes this story interesting is wondering what actually went down.

Especially if it was another "Lavabit situation." Because if it was, it's something we all need to be concerned about.

[J-Mac]

I have the setup files for TC 7.0a and 7.0a1 if anyone is interested.

Jim

[CWuestefeld]

I just can't see that the means of announcing this is in character for this project. It just doesn't make sense to recommend BitLocker (given suspicion of MS being sympathetic to gov't surveillance), or to completely ignore Unix and Mac users. I think there's something more than meets the eye.

I’m giving equal odds between:

• Warrant canary^w (“we’re not saying that we’re being forced to introduce a vulnerability, but we have reason to believe that users of this program may be in danger”). While difficult to add an actual backdoor, it may be that they're being pressured to put a flaw into their PRG code or something subtle like that.
• The developer(s) is in a snit, maybe because of the trouble of the audit, and just wants to burn it all down
• The developer just wants to move on, and is taking an opportunity to make a political statement by stepping out in this way (like the Reichstag fire – cause the damage yourself, but make it look like your enemy caused it)

[mwb1100]

All of the TC licenses have been questioned by various Linux/FOSS groups.

-40hz (May 30, 2014, 11:37 AM)

Just for future reference, here's one of the better posts I came across about problems with the TC license. It's for license version 2.5 in this particular case - I have no idea if any of these issues were addressed by TC license v3.0 used by TC v 7.1a:

  - http://lists.freedes...-October/000276.html

[CWuestefeld]

I'm not very excited about any of the alternatives offered by ghacks. I'm looking for an encrypted container, and only a couple do that. And BestCrypt is very expensive, and the other one gives too few details to trust.

There'a a wikipedia article offering a Comparison of disk encryption software^w that might be a better place to start looking. There are a whole pile of programs considered, with comparison for OS supported and a bunch of features.

[TaoPhoenix]

Okay, here's a new angle.

From a "medium layperson" point of view, what's with this explosion of tools that aren't valid/supported anymore? Maybe MS's notes on the slow death of XP vaguely filtered to me, but I didn't see any articles ever of this current rash of stuff breaking.

Heartbleed, barely a one time shot (but shouldn't really), but truecrypt devs just getting "bored"/other and quitting bothering to update? What is it about May 2014 that takes one of the top contenders in encryption out of the game forever!?

(Rant)
What is with these .Gov depts claiming to spend *Billions* on "Cybersecurity" and then the next story out of Slashdot is "OpenSSL" (that basically the entire Internet uses) "gets two developers". So lemme do the math on my seven dollar calculator. A software routine that counts for like $555 Million in software security security services experiences the greatest hack ever in twenty years, and some foundation assigns Joe and Ted to fix it?!

Slashdot has a sharp eye for Security Theater but where's even the theater?! You see these weird proposals now and then for fancy new initiatives, but how about just funding five guys and a supply of pizza? Nope. Can't do that. It might even break six figures.

[40hz]

At this point I'd put my money on CU's earlier suggestion:

The developer just wants to move on, and is taking an opportunity to make a political statement by stepping out in this way (like the Reichstag fire – cause the damage yourself, but make it look like your enemy caused it)

   -or-

They were told to stop (i.e. threatened).

    -or-

They decided to roll up their mat - and bug out. Which is also plausible considering the abrupt nature of the cessation. Perhaps it was reaching the point where their identities risked being exposed. And being identified would have resulted in serious consequences for them. (It'd be a riot if these guys were NSA contractors who put TC together just to put a fly in the ointment.)

Whatever. I doubt we'll ever really know for sure.

[TaoPhoenix]

I just can't see that the means of announcing this is in character for this project. It just doesn't make sense to recommend BitLocker (given suspicion of MS being sympathetic to gov't surveillance), or to completely ignore Unix and Mac users. I think there's something more than meets the eye.

I’m giving equal odds between:

• Warrant canary^w (“we’re not saying that we’re being forced to introduce a vulnerability, but we have reason to believe that users of this program may be in danger”). While difficult to add an actual backdoor, it may be that they're being pressured to put a flaw into their PRG code or something subtle like that.
• The developer(s) is in a snit, maybe because of the trouble of the audit, and just wants to burn it all down
• The developer just wants to move on, and is taking an opportunity to make a political statement by stepping out in this way (like the Reichstag fire – cause the damage yourself, but make it look like your enemy caused it)

-CWuestefeld (May 30, 2014, 01:00 PM)

I just want to drift a little off topic to add exposure to a concept that I barely could reference before.

Warrant Canary/Canary Server/____

https://en.wikipedia.../wiki/Warrant_canary

I think this will become an undersold concept in security concepts. It runs like this:
"Today I was not arrested for ____".

While it is horribly vulnerable to slackards like me, for someone really on the front line of a top level issue, it's a way to send a negative signal that trouble is brewing. I'd seen it described once before a long ways back, but this thread produced a fresh new reference that I just had to echo.

I think it adds a (rather desperate) new level to "you have the right to remain silent".

[J-Mac]

Steve Gibson wrote earlier about some tweets between Steven Barnhart and his "contact" at TrueCrypt, someone named "David". As follows:

And then the TrueCrypt developers were heard from . . .
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    Quoting TrueCrypt Developer David: “There is no longer interest.”

I don’t know if he's making it up (as he sometimes does) or if this is real info.

Page is at:  https://www.grc.com/misc/truecrypt/truecrypt.htm

Jim