Mysterious announcement from TrueCrypt declares the project insecure and dead

The abrupt announcement that the widely used, anonymously authored disk-encryption tool TrueCrypt is insecure and will no longer be maintained shocked the crypto world--after all, this was the tool Edward Snowden himself lectured on at a Cryptoparty in Hawai'i. Cory Doctorow tries to make sense of it all.


I suspect that the NSA required them to backdoor the project, if it wasn't already, and the developers burned it down rather than comply. The weird justification and suggestion to use Bitlocker are likely because they're also under order to not disclose the NSA request. Given that MS has never really been one to stand up to the government on backdoors, I think the Bitlocker suggestion is supposed to be a clue to why they're doing it.

The iSec initial audit report was very critical of the TC code quality, and implied that it looks like the work of a single coder. There was no update for 2 years. The build process requires a 20 year old MS compiler, manually extracted from an exe installer.

Imagine yourself as the lead/solo developer working on TC. No one pays you for this, governments hate you, much of the crypto community is throwing rocks at you while your user community spends half of its time joining in with clueless paranoia and the other half whining about feature gaps (e.g. GPT boot disks.) You have to eat, so you have a real paying job. You’re not so young any more (doing the TC crap for a decade) and maybe the real job now includes responsibilities that crowd out side work. Or maybe you’ve got a family you love more than the whiny paranoids you encounter via TC. And now iSec is telling you your code is sloppy and unreadable, and that you should take on a buttload of mind-numbing work to pretty it up so they will have an easier time figuring out where some scotch-fueled coding session in 2005 (or maybe something you inherited from a past developer) resulted in a gaping exploitable hole that everyone will end up calling a NSA backdoor.

Maybe you just toss it in. Why not? Anyone with a maintained OS has an integrated alternative and as imperfect as they may be, they are better than TC for most users. Maintaining TC isn’t really doing much good for many people and the audit just pushed a giant steaming pile of the least interesting sort of maintenance into top priority. Seems like a fine time to drop it and be your kids’ soccer coach.

Yeah, both those lines of thought make sense... both the possibility of a "warrant canary" and the "I'm tired of this crap" motivation.

The recommendation to use BitLocker is sufficiently ludicrous that 'warrant canary' becomes more likely. The Linux LUKS system, however, is likely solid. You probably can't trust Microsoft or Apple encryption, but LUKS is probably good, or at least not deliberately compromised, as the corporate-backed encryption almost certainly is.

TrueCrypt probably didn't leave a Latin message alerting users to NSA spying.

Some users have tried to find evidence of misdeeds. But 'uti nsa im cu si' is meaningless in Latin – except to Google translate.

That... falls short of making sense.

The supposed Latin message wrote:

uti nsa im cu si

Uti and si are Latin words, but im and cu aren't. "Uti" can mean "to use", and "si" means if (and despite the flexibility of Latin word order, belongs at the beginning rather than the end of a clause), but it's really hard to turn a phrase that's mostly gibberish into

The supposed translation wrote:

Unless I want to use the NSA

"Nisi NSA uti velim" is how I would translate that (though I could see a case for other tenses of volo).

A certain degree of paranoia is probably healthy in a cryptographer, and the warrant-canary theory sounds plenty likely, but that forum post reads more like mental illness than keen insight to me.

Edit: Addendum to the Guardian (thanks, Edwin!): "uti" is an ambiguous form, their back-translation doesn't make sense either, and actually interestingly, it sounds like there's some Google Translate abuse involved!

I think the author's assertion was that any message left there would need to be *very* deniable, and abuse of Google Translate would make sense if they were in a hurry.

It's mildly interesting but doesn't really change much, since the overt message was clearly that everyone should treat it as insecure from now on for any reason.

I'm waiting to see what the independent audit of the TrueCrypt source code turns out.