If you work in anywhere even vaguely related to the tech industry, and haven’t been living under a very large rock, you probably know already that TrueCrypt has been declared dead.
I’ve been holding off writing anything about this until a little more information came to light, and while things still aren’t overly clear, it seems like a good time to dispel a little paranoia.
When I first saw the updated TrueCrypt page (which suggests moving to Bitlocker instead), my immediate reaction was “oh, that’s disappointing – they’ve decided to stop developing the project”. It read to me exactly like “we’re outta here, you’re on your own” – no conspiracy required.
However, as seems to be common in recent times, conspiracy theories have been plentiful, mainly variations on:
- The project was terminated in such an abrupt and “bizarre” manner because somehow the US government had identified the developers, who were under US jurisdiction, and were served a National Security Letter forcing them to insert some form of backdoor.
- Hackers managed to take control of the website, and squandered the opportunity for massive financial gain and mischief by replacing the page with an “obviously” hacked page. Oh, and add to this the fact that the developers didn’t seem concerned by the hack, and haven’t reached out to SourceForge to take control of their account.
The “we’re outta here” theory seems to be backed up by comments apparently from the developers (selected comments taken from grc.com):
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):
- TrueCrypt Developer “David”: “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
- TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
- Quoting TrueCrypt Developer David: “There is no longer interest.”
Unless further information comes to light, I think this is still the most likely scenario – the developers have been working hard for no reward for a decade, and they’ve had enough, and they don’t want to be held responsible for any bugs/security flaws that are discovered after today. The good news is (potential licensing issues aside), that the wider IT community seems to be taking the recent issues with Open Source software projects seriously, and I’m sure a suitable replacement won’t be too far off. In the mean time, I’ll still be using TrueCrypt 7.1.