TrueCrypt forum gone? (TrueCrypt either stopped development or was hacked?)

From the original Ars Technica article:

"The SourceForge page, which was delivered to people trying to view truecrypt.org pages..."

Not just GRC...

They're all over github:
https://github.com/DrWhax/truecrypt-archive
https://github.com/FreeApophis/TrueCrypt
https://github.com/search?q=truecrypt

Even on FileHippo:
http://www.filehippo.com/download_truecrypt/history

...heck, even check that truecrypt.ch site you linked has almost the entire history:
http://truecrypt.ch/download/older/

 

I wonder if the reason for abandonment (not matter who instigated it) is around UEFI support ?

Recommending Bitlocker over TC also seems very odd, is this hinting that TC 7.2 and possibly older (implied by their statement to migrate away rather than use old versions) is LESS trustworthy than Bitlocker ?

Why take down old versions and the repositories, but leave a migration message?
Why post 7.2 with 7.1a allows decryption (and is widely tested as reliable/stable) and you will have to have it installed already to of created the containers in the first place ?

I've seen projects quit before and non produce death-bed releases, especially when not offering anything new and very untested and instantly. They leave a good by and thanks for the support type message. You can't even consider it a genuine goodbye present when it does less than than the previous version.

Maybe the encryption code was the canary !

I still think that this was not done out of the Devs ownfree will, hackers/authorities/insider or canary, and not just because Win XP ceased to be supported !

 

Gibson seemed to think so in part (or at least in a similar regard to MBR => GPT)...
http://steve.grc.com/2014/05/29/an-imagined-letter-from-the-truecrypt-developers/

And it kind of sounded that way (i.e. that basically when the project was started there was no real alternative for FDE/OTFE, but now there are big box common retail solutions)...
https://twitter.com/stevebarnhart/status/472332234385801217

Only in the sense that BitLocker is supported/maintained, whereas TC isn't any longer.

https://www.grc.com/misc/truecrypt/truecrypt.htm

(But of course, there are those in the security community who maintain that closed source products (particularly those made by large corporations that are ripe targets for govt pressure to collude or at least weaken their products) are more likely to be unsecure than source-available solutions. (And why not? We've already got tons of proof of govt meddling in retail products.)

To be fair, there were only 3 previous versions available on the site before it was taken down anyway. When you're essentially telling people "this is a security product that is no longer maintained, so consider it risky to use", it's not good policy to officially continue to let people download it.

This is much like the Windows XP situation. You don't see Microsoft still selling copies of XP do you? It's not as if they couldn't make money by doing so. I'm sure plenty of people would pay for new copies. They don't sell them because they're no longer supporting the OS, so it's like providing a product that may prove to be insecure, knowing that you won't do anything to patch it.

For one thing, I read someone here say that 7.2 has decryption capability that 7.1a doesn't have, thus making it easier for people to migrate to something else.

But more important than that, I think it was important to offer substantial digital proof that the whole move was legit. Most of what convinced everyone was the fact that the sigs verified, and the 7.2 source did not contain any malware, but simply the changes to remove encryption capability. (What kind of nefarious hijacker would go to all that trouble? What's the payoff?) This is why early on people said that if it was a hack, it's the most elaborate (and yet ultimately boring) hack the community has ever seen.

Also notable is the changes to the license, forming TrueCrypt License 3.1, which may actually finally make the project acceptable to OSI and FSF standards...meaning it can be freely and easily forked.

Yeah, but how many of those projects were complex cross-platform cryptographic endeavors, maintained over 10 years, strong enough to foil LEAs up to the highest branches of the most powerful governments in the world...all produced by no more than a small handful (possibly one single) developer(s)...more or less in secret, constantly scrutinized and rarely thanked, yet with a product that was pervasively used (to literally save lives, no less)...all done as a hobby?

I posted this earlier. Sure it's meant to be funny, but I can't say it's completely outside of the realm of possibility at least to some (possibly large) degree.

(In fact, it would seem to be more or less confirmed with the response from "David" (I assume, Tesařík) literally stating: "there is no longer interest.")

That's entirely possible, and I don't know if I'd ever rule it out. There is certainly a lot of weirdness surrounding the whole thing, but ultimately, as I said earlier, I don't think it really matters.

EDIT TO RESPOND TO YOUR EDITS:

Well, yeah that suggestion has been raised. And admittedly I thought the discontinuation of official Microsoft support for XP was a weird reasoning too, but when you think about it, given the supposed goal of the TC devs, it makes sense. This was also covered in that Barnhart Twitter thread.

Windows XP was the last widely used OS that didn't offer a robust encryption capability. Now that Microsoft is effectively forcing people off of it, there isn't much of a need to maintain TC anymore (at least in the eyes of the devs apparently), because the main purpose of TC was to provide a solution where there was none.

 

The audit found 11 bugs. Not serious enough to stop use, but you just know the dev didn't want to deal with the "When are you going to fix them!" comments, 24/7, from the planet. And that was just Phase 1. How many in Phase 2 or 3, etc...? I assume he/they went - "It works with no major problems right now...let's end it".

 

Certainly good enough for these guys (and who knows how many others)?

https://en.wikipedia.org/wiki/TrueCrypt#Legal_cases

 

Since i posted yesterday, a few hours later i was able to go Directly to http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure Without getting MITM'd by my ISP ! And also just now.

Quite what the Real reason/s were for the intercept ? But it's VERY suspicious

Did anybody else try the link yesterday ? If not why not ? Or have you since ?

 

Probably because of David Cameron's porn filter. Check to see if your ISP is in any way associated with the IWF. It's not impossible for someone to intentionally post a link in the comments to some questionable content and go off pointing fingers for big nanny. Besides, Brian Krebs reports on the dark side of the internet, so it's no surprise he has people looking not too kindly on his work. His site did get ddosed and he was the victim of swatting.

 

For what it's worth, an anonymous Slashdot user explicitly says that the odd behavior is a known and agreed-upon warrant canary:

http://it.slashdot.org/comments.pl?sid=5212985&cid=47117051

And here's this (hehe)...

https://twitter.com/0x009AD6_810/status/472331500638064641/photo/1

 

@ SpousalMilk

Yes my ISP is associated with the IWF, as it's they who tried to redirect me. If you look @ the sceenies i posted earlier, you'll see it blanked out by me. I doubt if the link had something dodgy in it, but ?

Anyway, all VERY strange & it's the 1st time i've experienced that.

********

I'm surprised that NObody else tried the link & posted what they found, one way or the other ? A few years ago lots of members would have joined in tests etc such as that ! If we don't help each other, what's the point ! ?

 

I'd just come back from following the link when I saw the post, didn't happen to me.. didn't want to clutter the thread saying so, in addition to not having been here long and not wanting to spray posts liberally before I got a feel for the board. As to if the difference was due to a different ISP or merely different timing, any answer would be pure speculation.

 

I'd take what that anonymous user said with a grain of salt...

 

I think the excuse with windows XP's support end ist just that an excuse...
think about it, bitlocker does not replicate TC's functionality, you can for example not create a hidden os, and no hidden volumes.

 

I agree with DavidXanatos. The developer gave a pretty lame excuse for stopping development for TC. Bitlocker is not a replacement for TC. The developer should change the license so that the opensource community can continue TC development. I may be wrong, but I think his unwillingness to change the license to allow others to build upon his work is stingy. I think someone put pressure on him to stop development, and he gave in.

 

I never had any issues when I visited there.

 

They did change the license. I mentioned that earlier on this page...

 

Yeah, I saw they had changed the license. I think further changes will be needed to the license to allow development to continue. Also, I was reading that a hyperlink pointing to truecrypt.org would be required to use the code if I read that correctly. Who would want a hyperlink in the code pointing to a webpage telling them not to use it? They will need someone else to acquire the web domain now, or no one will trust TC. I believe the hyperlink requirement should be taken out of the license agreement. Also, will the new license pertain to prior versions of TC. I read TC 7.2 only decrypt data which is a joke. If the new license only pertains to TC 7.2 then its pretty useless. I'm still investigating the license change.

 

Well, that depends on what you mean by "development". There's already other projects based on the source code and have been for years.

You didn't read it correctly.
That was the part of the license that was removed. Why didn't you just look at the link?

Here it is again:

https://github.com/warewolf/truecrypt/compare/master...7.2#diff-dc5cde275269b574b34b1204b9221cb2L1

 

I did look at the link. The link is where I read about the hyperlink to truecrypt.org. I will look at it again when i'm at a workstation. Look at lines 115-118. If it's displayed in red then does that mean it was removed?

 

*facepalm*
Look at the red background engulfing that entire section, and the minus (-) symbol next to all those lines.

 

Also, is the new license applicable to version 7.1a? I will see what info I can find later on it.

 

@Randcal
Okay, so he doesn't know how to read the code display. Some people just don't know stuff. Don't get frustrated.

@Cutting_Edgetech
That link is a diff compare that highlights changes between two scripts. Anything new is highlighted in green and has a plus sign next to it. Anything removed (i.e. text that was there in the previous version but doesn't appear in the new comparison) will appear in red with a minus sign.

Look at line 1 of that same "License.txt" document.

 

Whats with the attitude? "facepalm" Really? I asked a question about the color coding. Almost the entire license agreement on that page is in red. There's multiple articles on the internet from only 2 days ago about the license issue with TC. Are you a developer of TC?

 

hi

Another repo http://cyberside.net.ee/truecrypt/

No need forensic linguistic as we do not know devs behind TC...but as said Bossuet, what is clear in mind must be said simply...
If we have seen the resurection (maybe not this thursday/Acenscion) of TrueCrypt in Switzerland, it is already dead even on Webarchive
http://web.archive.org/web/*/truecrypt.org

And it appears difficult to believe and trust the Bitlocker advice, as it was the case of Peter Kleissner bootkit dev
http://archive.today/h68Xb
And AQ technicians have already move to alternatives http://blogs.wsj.com/cio/2014/05/09/report-al-qaeda-tries-new-encryption-post-snowden-leaks/
https://www.schneier.com/blog/archives/2014/05/new_al_qaeda_en_1.html
As maybe for Sarah Dean and its Free OTFE, i guess that the truth is in the page number 23 of this interesting paper (change .pda to .pdf of course)
http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pda
And as the Egyptian police with Mike Giglio, law enforcement and GVT special forces can be very persuasive, certainly with more appropriate arguments...
http://blog.bullguard.com/2013/09/egyptian-police-show-uncanny-expertise-for-password-hacking.html
http://www.cryptolaw.org/cls2.htm

From an ethical angle and perspective, it appears difficult to leave and let live an unbreakable armor that help criminals and child predators to follow the Bible law ("be fruitful and multiply"), and on the other hand, unbreakable armor are sometimes necessary for columnists, dissidents and so on
http://www.slideshare.net/eschnou/digital-security-forjournalists
And many training, guide and advices (TC as a must have) are provided by RSF http://en.rsf.org/safety-of-journalists.html
As usual things are not so simple..not black and white but often grey....and i guess that the historical words said to Clovis can also be applied to TrueCrypt
"Worship what you have burned, and burn what you have worshiped."

Rgds

 

Okay let's back up.

First off, sorry for the frustration. I didn't realize you didn't know how to read the comparison display. Sorry. But don't pretend like you didn't edit your post to add that question about the coloring. That was not there when I was submitting my reply.

As for almost the entire license being in red, no, just the portions that were changed. A diff-compare is not going to waste screen space displaying entire portions of text/code that don't include any changes. (Have you ever edited Wikipedia? It's like that.)
There's more to the license. Go download it and see for yourself. It's the License.txt document.

Lastly, what articles are you talking about?

 

Thanks Blainefry. I thought that was probably what the color coding implied after I looked at it again, but I wanted to be sure. I think it might be a little easier to look through the rest of license now that i'm at a workstation. I was looking at it on my iphone.