What really happened to TrueCrypt back in 2014? Did anyone ever find out?

It was a widely used encryption tool that was suddenly dropped with the message "not safe, use something else".

  • Funky_Beak@lemmy.sdf.org · 6 up · 2 days ago

    I remember it happening. There was no backdoor. It was during that time there was a push to put backdoors in or weaken public encryption in the name of national security. TrueCrypt didn't want to play and were threatened with possible legal action. Rather than fight it they decided to stop the project.

  • bamboo@lemmy.blahaj.zone · 77 up · 4 days ago

    My assumption has been that the author was pressured to add a backdoor or abandon the project since it was an issue for law enforcement. After TrueCrypt stopped releasing new versions, it was audited and there was no sign of any backdoor or flaw in the encryption. Now on-device encryption is more common but so are cloud backups, and law enforcement has found that cloud backups are much easier to subpoena. Plus there is a more mature industry for law enforcement to provide tools to bypass encryption without the developer complying.

    • audaxdreik@pawb.social · 27 up · 4 days ago

      This was always my assumption as well. When they quit the project, didn’t they leave some message recommending Microsoft BitLocker as an alternative? Everyone at the time interpreted this as the clearest “they’re already in the room with me” warning sign, given that that kind of project would NEVER reasonably make such a closed source, corporate centered recommendation …

    • Shadow@lemmy.ca · 23 up · 4 days ago

      Also if you sign into the Microsoft cloud, your bit locker keys are backed up there.

  • DarkAri@lemmy.blahaj.zone · 35 up · 5 down · edited · 3 days ago

    The story I heard is that the creator got a national security letter, which forced him to add backdoors or go to prison, and so he did the minimum necessary by law, meaning the last few versions of it are probably compromised, but also took out a clause from the user agreement that stated that he had not received an NSL. That was sort of a canary to get around the gag order and stuff at the time.

    Honestly who knows though? That was over 10 years ago when I heard that.

    If I had to guess he was using his own encryption method that wasn’t crackable. It is well known that the NSA bought up some standard setting organizations for encryption. Normally rolling your own encryption would be risky if you don’t know how to depattern it. I suspect that many common encryption standards are picked because they have a shortcut to cracking them.

    • bamboo@lemmy.blahaj.zone · 36 up · 1 down · 3 days ago

      All of these claims can easily be checked against the archived version of the site. It was not using a home-grown encryption algorithm.

      The last version released was independently audited and “found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances”

      I had never heard of the warrant canary for TrueCrypt, and quickly searching for news of the time, I was unable to find anything to indicate that there was ever a mention of an NSL on the website, so there was nothing to remove if they were served with an NSL.

      • snooggums@piefed.world · 6 up · 3 days ago

        If he received a national security letter that had an indication of the government possibly taking over the project and adding in their own back door, that would be a reason to say the software wasn’t safe (from future changes). If there wasn’t follow through then it would pass an audit.

    • _cryptagion [he/him]@anarchist.nexus · 17 up · 3 days ago

      TrueCrypt used the encryption method you chose, it didn’t have a custom one. Usually that entailed triple layer encryption such as AES-Twofish-Blowfish, but you could use weaker encryption if you desired to.

  • vividspecter@aussie.zone · 35 up · 2 down · 4 days ago

    It was forked to VeraCrypt, from memory. And LUKS was already widely available on Linux as an alternative.

    • beSyl@slrpnk.net · 32 up · 4 days ago

      This is not really the question though. It was forked BECAUSE of the whole “fiasco”. OP is asking what happened, as in, what made the dev give up on the project. This was a big topic back then.

    • GamingChairModel@lemmy.world · 4 up · 2 days ago

      And LUKS was already widely available on Linux as an alternative.

      Yeah, I found LUKS and LVM to be more intuitive for creating encrypted partitions, and had that on my daily driver by around 2009 or so, so I never really felt the need to try Truecrypt.

      • ITGuyLevi@programming.dev · 2 up · 2 days ago

        Yeah but I never found a way to do whole disk encryption with a decoy OS like TrueCrypt could. Really I don’t have a need for that, but it was an amazing feature in my mind.

  • Pearl@lemmy.ml · 16 up · 3 days ago

    We have nothing but speculation. Dude could have just gotten tired. Appreciate that the developer announced no future development.

  • Pat@feddit.nu · 18 up · 2 down · 4 days ago

    IIRC (but don’t quote me on it), it had some vulnerability, and was gag-ordered to not touch it by some government, and that was the extent to which they could.

    • lazynooblet@lazysoci.al · 14 up · 4 days ago

      I’ve read multiple times that no vulnerability has ever been found, so I’m interested in knowing more about this.

      • FauxLiving@lemmy.world · 7 up · 1 down · edited · 2 days ago

        The Internet was rife with rumors at the time, this is likely just an echo of the rampant speculation that was occurring.

        It was around the time that TOR hidden services were making their way into mainstream tech circles (and law enforcement) and people were getting arrested with encrypted hard drives and law enforcement was upset that they couldn’t subpoena Mathematics and force it to turn over the keys.

        So, when Bitlocker Truecrypt stopped updating and the message appeared people just tied it into the things that were happening at the time.

        • WhyJiffie@sh.itjust.works · 2 up · 2 days ago

          So, when Bitlocker stopped updating and the message appeared people just tied it into the things that were happening at the time.

          I think you wanted to say truecrypt

  • silentdon@lemmy.world · 7 up · 3 days ago

    Was the developer ever heard from again? One possible theory is that they died suddenly. This is assuming that the team was actually one guy.

  • hperrin@lemmy.ca · 5 up · 1 down · 3 days ago

    It could be the same thing that happened to me. The dev could have realized what people were using it for and quit to not be a part of that.

    I used to run an encrypted messenger called Tunnelgram. It had some advantages and disadvantages compared to something like Signal (signing in on multiple devices, the web, you didn’t need an existing device to set up a new one, the chat history was saved on the server (encrypted), groups were easy to manage and new users could be added on the fly and see all the old messages, but it didn’t have forward secrecy (if someone got your key, they could see all the messages you sent in the future)). After Jan 6, and reading about how the insurrectionists planned their attacks on encrypted messengers, I just didn’t want to be a part of that anymore.

    • tomsh@lemmy.world · 5 up · 4 down · 3 days ago

      To explain, I read about this many years ago. It’s about a journalist who tried to find out what was happening with TrueCrypt, and it turned out it was apparently connected to serious criminals who were killing people, etc. The story is actually really interesting, and I’d love to find the original piece. I have nothing against TrueCrypt, and in fact, I used it back then and still use it now (VeraCrypt).

      • brbposting@sh.itjust.works · 4 up · 3 days ago

        Maybe March 30, 2016:

        The Strange Origins of TrueCrypt, ISIS’s Favored Encryption Tool

        By Evan Ratliff for The New Yorker (paywall)

        In ISIS’s training and operational planning, Callimachi reported, the group appeared to routinely use a piece of software called TrueCrypt. When one would-be bomber was dispatched from Syria to France, Callimachi writes, “an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user’s online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked.”

        • tomsh@lemmy.world · 2 up · 3 down · edited · 3 days ago

          That wasn’t the article. It was in some lesser-known magazine (maybe even a blog) and it wasn’t about ISIS or the terrorists we know today. It was written specifically about the guy who created the program and his connection to drug cartels, if I remember correctly.