Yes… TrueCrypt is still safe to use.

So opens the short editorial I wrote this morning and placed at the top of GRC’s new TrueCrypt Final Version Repository page.


The impetus for the editorial was the continual influx of questions from people asking whether TrueCrypt was still safe to use, and if not, what they should switch to, and so on. By this time, one of the TrueCrypt developers, identified as David, had been heard from, and his interchange confirmed the essential points of my conjectured theory of the events surrounding the self-takedown of TrueCrypt.org, etc.

Rather than repeating that entire editorial here, I’m posting this as a pointer to it, since folks here have thanked me for maintaining a blog and not relying solely upon Twitter. And this venue supports feedback and interaction, which GRC’s current read-only format cannot.

Peace.

/Steve.


91 Responses to Yes… TrueCrypt is still safe to use.

  1. Pie Man says:

    Great, thanks Steve. I thought that would be the case, but it’s nice to have it confirmed. I am so glad I stumbled upon your podcast when Heartbleed hit, as I knew where to come for accurate and useful information.

    Looking forward to next week’s podcast….

    • Steve Gibson says:

      Yeah. This is big and interesting enough — from several angles — that I think it’ll give us plenty to talk about next week.

    • Pellucid says:

      Maybe I’m just overthinking this but something still seems wrong with this scenario. So these guys create an open source project, spend 10 years building in features like triple encrypted, hidden archives with “plausible deniability” into their software…and when they decide they want to move on, they say “don’t use our product, use MICROSOFT BITLOCKER.” Microsoft…the FIRST name on the timeline of compromised corporations in the Snowden documents.

      All this instead of saying something like: “We don’t want to work on this project anymore, we’ve changed the license to GPL and we’ll leave a copy of the source on our website for 1 month if anyone wants to download it and take over. We can no longer guarantee the safety or quality of the product to come, good luck.”

      • Steve Gibson says:

        If you read the snippets that were shared from their two eMails of yesterday, you’ll see, at least, that this is what they are claiming:

        • “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”

        • Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”

        • “I asked and it was clear from the reply that “he” believes forking’s harmful because only they are really familiar w/code.”

        • “Also said no government contact except one time inquiring about a ‘support contract.’ ”

        • Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”

        • Developer David: “There is no longer interest.”

        People are, of course, free to “believe” anything that they choose. But as a software developer for 44 years, I see nothing whatsoever fishy or wrong with anything there. To me the picture appears to be entirely coherent and internally consistent.

        If you look at the development arc of TrueCrypt, that its last previous version was February of 2012, you’ll see the “steam” running out of the project over the years. Ten years is a LONG time, and these guys — who knows about their age or their lives?

        The lame-ass reference to Windows XP support ending, and “switching to Bitlocker” and “it was only really meant to be for Windows originally” reads to me as semi-guilty feeling excuses to pardon their behavior. They KNOW the world is going to be disappointed, but they ARE doing what they have decided to do. And, yeah, they really ARE DONE. They don’t want questions or comments or any more criticism. They are done. (They were probably actually done–emotionally–quite some time ago, but only they knew that. None of the rest of us were really paying attention.)

        And… what might the ongoing audit have required of them? Almost certainly MORE WORK of some kind. At least responding to eMails requiring their attention. To not reply would have appeared “irresponsible” — which is what people are saying of them anyway.

        They no longer have any interest. Yet, at the same time, they are possessive of what they created. They no longer want to work on it, but neither do they want the world to mess up their creation. And have YOU looked at their code? OMG, it’s truly a work of art. Whoever and wherever these guys are, SOMEONE is paying them some serious coin to create code of that caliber.

        So, yeah… They just want to go away, and they want us to go away. Now, please.

        /Steve.

        • Were these emails sent using encryption? Could they have possibly been under duress? I do think it is very odd as Pellucid noted that so much time and effort was spent — then all of a sudden — don’t use TrueCrypt.

        • Pellucid says:

          So the theory as it stands now is this?
          Crazy badass programmers, with a bit of narcissism, created an open source project (but not really because they just did it to show off their code and didn’t intend to have anyone continue their work). They then create an insanely secure, feature packed product to target just Windows, but then make it cross platform to work on Windows, Mac, and Linux. Then after 10 years and an insulting audit, they decide to quit but after all that work, they’d rather erase it from existence than have anyone else fork/continue work on it. With this intense pride in their work, they decide the only solution worth mentioning to replace it would be Microsoft Bitlocker because it runs on Windows, it’s “good enough,” and that’s all they really wanted these past 10 years. They then decide they should pack up everything, throw out a scary message and vanish in a single day because, although they’re thorough, systems minded, creative programmers, they couldn’t think of any other way?

          If this is the truth, reality really is stranger than fiction.

          • hazzaxb says:

            I can well understand that they would not want *anyone* else to touch something into which they poured so much time and effort.
            As Steve points out, they did not disappear suddenly; they have not made any changes for more than two years, even though there were things which sorely needed attention.
            Once Microsoft introduced BitLocker, it became the de facto standard for disc encryption by virtue of Windows’ huge user base and reach; providing it is ‘good enough’, then TrueCrypt is relegated to the sidelines.
            In this case apparent truth is not stranger than fiction, but it is a whole lot more depressing.

          • The Real Nirv says:

            narcissism is the operative word here, unless they choose to unveil themselves and provide a concise explanation. The latter may never happen. Very strange.

        • FSaved says:

          There are still many free and open source drive encryption tools out there. The fact that they are recommending closed source tools when the open source nature of TrueCrypt is one of its most important features reeks of selling out in some form. Whether the code is beautiful or functional is irrelevant. It may be the case that the LEAs made them an offer they couldn’t refuse and this was the honorable way of getting out of backdooring their software. If it passes the Phase 2 audit I see TrueCrypt 7.1a more or less being locked in place as the standard with very little change over the next 10 years.

      • UncleXNL says:

        I actually happen to know what happened:
        First do the domain lookup of Truecrypt.orv using ARIN-WHOIS, look at the Apache Server version; it is the same version with the well-known Apache exploit.

        That exploit can only erase a website and E-mail accounts and put a link in to another website. (NOTE: Hey, that is exactly what has happened!)

        Don’t you guys know TrueCrypt never has been on SourceForge?
        TrueCrypt has public source, but is copyrighted; it is not open source. So officially you cannot have a SourceForge page for it. The developer, if any still alive, would have announced on truecrypt.org that they don’t need SourceForge; they have a perfectly good domain, truecrypt.org.

        What happened is, like Steve Jobs, this developer got pancreatic cancer 2.5 years ago, and in 2 years you will certainly be dead, more likely 1 year. So the guy paid for the site until 2022 (look in ARIN-WHOIS), then died. And now some vandal hijacked his website using a known and simple exploit and is spreading rumors. Pathetic!

        There has been a time, before this mess, a normal happy time, when the developer worked with his users: we reported bugs and the software developed. (It is not that hard to imagine.)

        In one of my last E-Mails with the developer he told me he would have to stop because of pancreatic cancer. He told me it would probably be the last time we mailed; he had just too much pain, terminal you know… sad

        So in fact I know for about 2 years this Anonymous developer did not make it, there is no cure, it is terminal.

        This also explains why truecrypt.org has not been restored from the obvious hijack by now. The developer can’t restore it; he passed away.

        So it is just a hijacked site of a developer that had already been dead for almost 2 years.

        You don’t have to believe me, I don’t care, but this story is so simple it actually might be true, and it is.

        UncleXNL

        Stupid rumors….

        From now on anti-malware would have to block TrueCrypt if the version is not 7.1a with a correct MD5 checksum, for being Potentially Unwanted Modification (PUM) software. Also the hijacked sites must be blocked; they will not go away. Unless we release another Apache exploit maybe….

        Trust me, SourceForge cannot be trusted. With the info you have, you can conclude it is very possible the site has been hijacked. I’m 100% sure of it, since dead developers do not modify their sites.

        You cannot deny this could very well be true. And it is, but that is my opinion. But for me it is fact; I know what happened. I have been using TrueCrypt for such a long time….

        • UncleXNL says:

          Sorry for the first typo it must be truecrypt.org the educated reader would have understood.

          • UncleXNL says:

            New version these guys seem serious: https://truecrypt.ch/
            But they still need to earn trust from the users.

            Really, from all the versions of what happened out there, this is the only version making sense. And it explains everything. Like all puzzle pieces fit, you guess why the pieces fit… It is not hard to imagine.

            But hey, on the internet you can’t prove anything; everything I say could be fake.
            -But the Apache version is exploitable (fact from arin-whois)
            -The website seems exploited
            -And must be exploited, the dev is dead.
            -The developer does not restore his website (Logic he died)
            -The website has been paid for until, I believe, 2022, a long time (Why pay that long ahead if you’re healthy?)
            -And I know this, very well possible since there has been a time active development stopped and I’m an old geezer

            You can continue doubting if you want, I’m done with it. I know the facts and it is really not that strange or special.

            You will never have 100% truth, but if you look for a moment you see too many pieces of this story fall into place. It is true.

  2. tez arn says:

    So can we take it future versions of “truecrypt” will be Foss?

    • Steve Gibson says:

      Yes. It’s not completely clear how the weird TC licensing limitations will be handled. Several dialogs are now open with the developers and asking for licensing relief is among the topics. I’ve privately suggested that money be raised to purchase the TC license for subsequent FOSS-mode development.

      • Larry Morgan says:

        This is the best idea I have heard for taking TC forward.

      • Lex Luthermiester says:

        Actually, there is some input to make on the licensing/legal points. There are three key points the authors CAN lawfully enforce.
        1. No one may commercially profit from their work.
        2. No one may use their trademark name “TrueCrypt” in a derivative work. Names such as “TCNext” do not apply as this type of name only loosely makes reference to the original TM. The sub-word “Crypt” is not an exclusively trademarkable word. So a name like “GreatCrypt” is perfectly lawful.
        3. No one may claim sole ownership of their source code released or any derivative code.

        Here are points that are NOT lawfully enforceable;
        1. They have released the source code with the expressed intent of allowing the general public to inspect, investigate and use it to assist in development/redevelopment of the original work. That action limits the control they have over the general public creating derivative works. Numerous copyright cases [including the recent Apple vs. Samsung] have gained rulings that state copyright claims are very limited when the source code is intentionally released by its creators. And as the creators of TrueCrypt did just that AND have intentionally remained anonymous, they have put extreme limits on themselves legally.
        2. The fact that few credible claims have been made as to the sudden abandonment of this open source software means that the enforceability of the trademark for “TrueCrypt” comes into question.
        3. Having released the source code for each version and updated the license only a few times, each version of the source code is governed by the version of the license in effect at the time of release. Newer licenses are NOT retroactively applied to older versions of the code, legally. Therefore the license released with 7.2 does NOT apply to 7.1a, 7.1, 7.0a, etc.

        Simply put from a legal stand-point, derivative works[IE forks] ARE lawful, can NOT be prohibited and are legally safe to use. Such may be used in a commercial environment so long as profit is not derived from the software itself. And a perfect point of this is simple, Amazon continues to use it.

  3. vancedecker says:

    Steve, you’re not making any sense! Two blogs ago you said:

    “My guess is that the TrueCrypt self-takedown is going to turn out to be legitimate”

    …and now you’re telling us it’s safe? Those are two contradictory things.

    Which one is it? Did you get word from your handlers at the NSA?

    • Ozidug says:

      Two different statements: (a) TrueCrypt maintenance has died through lack of user engagement (even though it works fine) and (b) Its safety is as before. They are NOT contradictory.

    • Miguel says:

      He surely meant to say “legitimate” in the sense that it was taken down by the developers, not because the site was hacked or defaced.

    • Steve Gibson says:

      The blogs were written a day apart, each against the context of the moment. On Wednesday, the overwhelming chatter was that the authentic Truecrypt.org site and SourceForge pages had been hacked. I read the available evidence differently. The changes to the code, the changes to the v3.1 license, and the fact that the signatures all matched up spoke of this being from the legitimate developers. Thus my saying that what we were seeing, a “self-takedown” as I described it, would turn out to be legitimate.

      And, so, yes… now I’m telling you that TrueCrypt is safe because v7.1a has been in use for about 28 months, since February of 2012, and nothing about it is known to be unsafe. The developers appear to simply want to take it away from us completely. So discouraging its use and recommending lame alternatives is the best they can do… if that’s their goal.

      /Steve.

      • Lex Luthermiester says:

        Quote: “The developers appear to simply want to take it away from us completely.”

        Ah but they can’t. They have released the source code. And under law in most countries, that limits how the authors can dictate terms to end users/developers. They don’t have the right to limit derivative works.
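UncleXNL’s point above (only accept a 7.1a binary with the correct checksum) and Steve’s remark that the signatures on the final release matched up both reduce to the same practitioner’s check: comparing an archived file against an expected digest before trusting it. What follows is an added example, not code from this blog, from GRC, or from the TrueCrypt project; the manifest format (sha256sum/md5sum style, one `<hex>  <filename>` per line), the file names and their contents are all constructed for illustration, and no TrueCrypt hashes are given because this page lists none. The checker infers the algorithm from the digest length, compares in constant time, and flags MD5/SHA-1 matches as weak, since MD5 in particular only detects accidental corruption, not deliberate substitution. One caveat the discussion keeps circling: a hash file served from the same (possibly hijacked) site as the download proves nothing, so take the expected digests from a source independent of the download.

```python
"""Verify downloaded files against a checksum manifest (sha256sum format).

Added example; the manifest, file names and contents below are constructed.
Caveat: expected hashes must come from a source independent of the server
that served the files, otherwise a hijacked site simply publishes both.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Digest algorithms accepted by this checker. MD5 and SHA-1 are collision-prone,
# so a match against them is reported but marked weak.
WEAK = {"md5", "sha1"}
HEX = set("0123456789abcdefABCDEF")


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse lines of the form '<hex>  <filename>' or '<hex> *<filename>'.

    Blank lines and '#' comments are skipped. Returns (hex_digest, filename).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # GNU coreutils marks binary mode with '*'
        if not name or not digest or any(c not in HEX for c in digest):
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries.append((digest.lower(), name))
    return entries


def algo_for_digest(hex_digest: str) -> str:
    """Infer the hash algorithm from the digest length in hex characters."""
    by_len = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    if len(hex_digest) not in by_len:
        raise ValueError(f"unsupported digest length {len(hex_digest)}")
    return by_len[len(hex_digest)]


def verify_manifest(manifest: str, read_file: Callable[[str], bytes]) -> Dict[str, str]:
    """Return {filename: 'ok' | 'ok (weak hash)' | 'MISMATCH' | 'missing'}."""
    results: Dict[str, str] = {}
    for expected, name in parse_manifest(manifest):
        algo = algo_for_digest(expected)
        try:
            data = read_file(name)
        except FileNotFoundError:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison; the digest is not secret here, but this is
        # the habit to keep for any comparison of authentication values.
        if not hmac.compare_digest(actual, expected):
            results[name] = "MISMATCH"
        elif algo in WEAK:
            results[name] = "ok (weak hash)"
        else:
            results[name] = "ok"
    return results


# Constructed sample: made-up files plus a manifest listing them. 'legacy.bin'
# is covered only by an MD5 entry, 'tampered.bin' no longer matches what was
# published, and 'absent.txt' is listed but was never downloaded.
SAMPLE_FILES = {
    "installer.exe": b"constructed installer bytes",
    "source.tar.gz": b"constructed source tarball",
    "legacy.bin": b"constructed legacy blob",
    "tampered.bin": b"this is not what was published",
}
SAMPLE_MANIFEST = "\n".join([
    "# constructed manifest for the sample files above",
    hashlib.sha256(SAMPLE_FILES["installer.exe"]).hexdigest() + "  installer.exe",
    hashlib.sha256(SAMPLE_FILES["source.tar.gz"]).hexdigest() + " *source.tar.gz",
    hashlib.md5(SAMPLE_FILES["legacy.bin"]).hexdigest() + "  legacy.bin",
    hashlib.sha256(b"the originally published bytes").hexdigest() + "  tampered.bin",
    hashlib.sha256(b"").hexdigest() + "  absent.txt",
])


def read_sample(name: str) -> bytes:
    """Stand-in for reading a downloaded file from disk."""
    if name not in SAMPLE_FILES:
        raise FileNotFoundError(name)
    return SAMPLE_FILES[name]


if __name__ == "__main__":
    for fname, status in verify_manifest(SAMPLE_MANIFEST, read_sample).items():
        print(f"{status:16} {fname}")
```

In real use `read_file` would be `lambda n: open(n, "rb").read()` against the archive directory, and the manifest text would be pasted in from the independent source. A digest match says the bytes are the ones the manifest author hashed; it says nothing about whether those bytes are trustworthy, which is the separate question the PGP signatures on the release address.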

  4. I hope it continues. I also hope we get to hear who the new official people are who have taken the project on. I, for one, will be trying other software. I will gladly swap to what ever the new software is when it has more features and abilities than TC7.1a. I am experimenting with DiskCryptor at the moment, another FOSS alternative. It has raw DVD image support which TC promised and never delivered. It works differently it seems than TC because you do not mount things with a different letter, it mounts the device and the letter it was mounted to before is what it is mounted to now. So you can effectively mount an encrypted DVD without having to image to hard disk and process.

  5. DedRyzing says:

    Where TC excels is in its being cross-platform across Linux, Mac and Win. It is sure nice to encrypt a USB drive, or file container, and be able to take it to any other system and read it. Not sure of any other free / open source solution that offers this. For full disk / volume encryption, I use other solutions, but for portable encryption, I will continue using TC until such time as there is a reason not to.

  6. M. Julio says:

    Steve, A quick thank you for your abiding commitment to making the increasingly complex subject of computer security understandable through your beautiful and elegant prose.

  7. Steve, My apologies if this has already been brought to light, but I kind of side a little bit with the way in which the developers made their exit (if that was indeed their intention).

    If this exhibition of cryptographic perfection (TrueCrypt) were something that I was intimately involved in (or any other project for that matter), I would not want any living soul to tamper with, besmirch or corrupt the masterpiece – the magnum opus that I had created and refined with such drive that it consumed every waking moment I could spare. The straw that broke the camel’s back would be users complaining about its future functions.

    I agree wholeheartedly with the developers (if they are making the case) that forking the project would be a terrible mistake. I would refine that statement by saying that it would be a terrible injustice to hand new developers a priceless Van Gogh (of sorts) and expect they will take the same obsessive care to ensure its functional integrity and beauty. This is not to say the same type of developers don’t exist elsewhere, but I don’t believe the probability is high that other such developers would “take up the torch” with the same vigor. As you just noted last week in your podcast, when you’re mono-tasking on a side project (of sorts), it takes time to regain context and return to that sense of “flow” (psychological term) where you feel that each piece of code is fulfilling its desired objective in the most efficient and elegant manner possible.

    I could go on, but I will spare you all my ranting monologue. Suffice to say, I would have NO problem donating (as I recall I have) per installation to the project developers, but this must be a mass effort and I doubt the developers would return to the project on the hope that this might happen or even if people pledged to do so. The thanklessness at this point has gone too far (if this is indeed what is at issue).

    Random: Props for this form not requiring JavaScript!

  8. theonlyandyt says:

    OK, let’s think about it.

    If I’m a developer that has been working to create a free crypto tool that is cross platform for many years, why would I all of a sudden up sticks and decide to point people to an inferior product? To my mind we are missing a piece of the puzzle. A few ideas have popped into my head.

    1. They got a job with the Microsoft crypto dev team …….

    2. An internal argument and breakdown of communication between team members.

    3. Intimidation by the NSA or other spook agencies from round the world, after Snowden endorsed TrueCrypt.

    • I love this post — especially the part where you say they may have gotten a job at Microsoft. I almost fell out of my seat laughing – not because it might not be true, but because – well, that’s about as polar opposite as it gets (as closed source as it gets). If indeed there is a version that has been compromised, a high premium will be placed on finding out EXACTLY which version is kosher and securely downloading and archiving that version.

  9. DedRyzing says:

    All the speculation about what happened and why. Like we have a right to know, as if the dev team owes us an answer. They don’t owe us anything, as we’ve all taken the fruits of their labor and the product of their blood, sweat and tears, and used it freely for a decade…without so much as a thank you. It’s the same scenario played out with most open source projects. Tools we all use, depend on, and take for granted.

    We don’t know why they decided to move on, and maybe we never will. We don’t know the dev team, what they think, how they feel or the circumstances of their lives. So many conspiracy theories, yet maybe it’s as simple as they are bored and want a new challenge. Maybe they started a family and want to focus more time on that. Maybe a family member, or a dev, became ill. Maybe creditors started knocking and they needed to find a job, or a second job. We don’t know and we have no more right to know than they have to know why we do what we do.

    Fact is, over time, things change. People change. Motivations change. Ideals change and beliefs change. Life happens.

    Maybe now is a good time to look at the open source community and start giving back to the projects we love. Who knows, they might just disappear tomorrow.

    • MichaelO says:

      DedRyzing,
      Your statement is so dead-on, succinct and appropriate to the situation it can’t be improved upon. I’m appalled at the “entitled” attitude that’s emerged from people who take a superb open-source product, use it at no cost (often to support a profit-making operation) and then “go off” when the project’s developers either don’t give them features they demand or ultimately decide to move on with their lives. TrueCrypt developers, listen up! Thank you! Your wisdom and skill have secured my digital assets for years and I hope everything works out well in your future endeavors. You deserve nothing but the best. You’ve paid your dues.

    • Karl Lorre says:

      How do you know it’s the same scenario played out with most open source projects? Many people support open source projects, such as Steve’s Spinrite. You sound butt hurt over something!
      ‘without so much as a thank you’ Excuse me, but what gives you all this inside knowledge, are you actually a TrueCrypt dev? I support free software and send thanks (when there is a contact address)
      Unless rich, most people have other financial commitments apart from donating to software developers, but probably give back when able. Don’t be so negative!
      Calm down Bro!

      • DedRyzing says:

        I am calm. Thanks for your concern.
        If you give back to the open source community, then good on you. I’d wager you are in the vast minority. Yes, even notes of encouragement can be enough to keep projects going.
        Thanks, bro, for sharing your opinion about my state of mind.
        Now, will go looking for links to a free, licensed, version of SpinRite…or at least the source code, because maybe I am mistaken in thinking it’s a closed source commercial product.

      • SpinRite is certainly NOT an Open-Sourced software. I work with a group on a FOSS Android Project, and indeed, the sense of entitlement astounds me at times.

        In our project, we all have lives, families, and jobs that support us. Even if we deal with the “secluded basement-dwelling codemonkey” mentality and eliminate the first two, working 40+ hours a week and then coming home, sitting down and deciding “What can i give away for free today?” only keeps you going for so long.

        The outright anger I see surrounding this shows the mentality most seem to have towards open-source community. The OpenSSL developers faced a backlash most of us will never have to deal with. Having their name attached to such a project is a sense of honor, until something goes wrong. At that point, does the taint continue to follow? Sometimes.

        • A sense of entitlement has ruined everything good and beautiful. Perhaps we should consider adjusting the model a bit before all good projects become relics of the past and are taken for granted just like water or air. Although I am conscious of my own shortcomings when it comes to this human trait, it turns my stomach to see the utter gall users have to demand the earth and sky without anything in return. I will never believe this is something that can be fixed by the standard mediums we have popularized … awareness, etc. Something must fundamentally change in the way people exchange these pieces of art.

    • The devs are obviously entitled to do whatever they want with their project, including stopping development. No question.

      The _way_ they did it, on the other hand, is completely unacceptable. Sorry, but they do have a responsibility to their user base. This is not some fun widget: people are really banking quite a lot on TrueCrypt doing what it is supposed to do. Setting up some childish explanation about XP end of support (I honestly thought that their site was defaced), hinting at some unknown vulnerability and pointing users to closed source crypto is beyond irresponsible. I must confess that this bothers me quite a bit – if they were as sloppy with their coding as they are unconcerned with their user base, then we really have a problem (which will most likely surface at some point).

      I can’t discount completely the “lavabit” theory but at the moment the facts point to some possibly brilliant coders with very poor social skills.

      • hazzaxb says:

        No. Read the licence. In the open source world, software is provided “as is” and the suppliers are devoid of any legal commitment to the end user. I would suggest that their moral commitment is the same. If you choose to rely on a piece of software over which you exert no control, that is your choice and your problem. What do you mean, you have no plan B ?

        Nothing which has happened in the last week has compromised the integrity or usefulness of TrueCrypt version 7.1a and nothing can happen in the future which will compromise it. We may or may not revise our views about the trustworthiness of the developers, but the product itself remains and will remain unchanged. It is either (as we hope and pray) a really solid and effective piece of code or it has been compromised for some time.

        If the developers have had enough, they are not likely to spend much time crafting a beautiful farewell, are they ? Besides, “brilliant coders with very poor social skills” are not exactly uncommon creatures.

        • Carl says:

          > If the developers have had enough,
          > they are not likely to spend much time crafting a beautiful farewell, are they ?

          Yes, they are. These developers are not sloppy people. That “farewell message” was a sloppy one, at best (or, a smart one, if they were “Lavabitting”).

          Even if you are a developer who has lost interest and felt that the project has been a burden for years, the day that you finally “pull the plug” is going to matter to you. Even if you’ve been uninspired for a long time, when you kill off your baby that’s been part of your life for the last decade, it does matter to you. Perhaps you feel a sense of relief that you can, finally, put this behind you and move on. Most likely there is also a moment of reflection and a sense of accomplishment about having produced this amazing piece of software that so many people have used for the past 10 years. Either way, you feel SOMETHING and that will be reflected in the farewell message you leave.

          In this case, we saw none of those emotions (or any other emotions) and no explanation was given…

          Sure, it COULD be a real message, conveying the developers’ real sentiments about the end of TrueCrypt – but I highly doubt it!

          Until we learn otherwise, my bet will be on this being a form of “Lavabitting”, and I applaud them for it (and for their wonderful software)! Hope to “see” you again in the future, TC developers!

  10. Jason says:

    Maybe Steve can do some research on other solutions and do a podcast on them so that we know what to use as alternatives. I am using TC WDE on Win 8.1 64. My system does not use UEFI and GPT, so I am able to use WDE. When the time comes and I get a new system, I will probably be out of luck, since the new system will probably use UEFI and GPT.

    I assume that I will be able to continue to use TC to create file containers as long as the new OSes support the files system that TC support (FAT and NTFS). My only concern is system partition and whole-drive encryption.

  11. deandownsouth says:

    This whole mess illustrates the bad and good of Open Source. It’s bad in that a group of anonymous developers can just walk away leaving us hanging. It’s good that anyone, including companies, can pick up at the last good build and create an even better product. All without messy legal wrangling, having to rely on a company to invest and buy the code and so on. It isn’t perfect, but I’ll take it over closed doors and non-compete/non-disclosure agreements any day of the week. IMO, that is.

  12. Tim says:

    http://digital-forensics.sans.org/summit-archives/2010/18-lord-cryptanalysis.pdf

    Look at page 23 of that PDF file. The author was going to make a presentation about TrueCrypt, but he received a takedown request from the government.

  13. Inspector Gadget says:

    My theory, for what it’s worth is that the team behind TrueCrypt has just realized that one of its members has links to the NSA (or GCHQ etc) and believe that there’s every chance that backdoors have been buried in the code. Easier to just shut the project down, and tell everyone it’s not safe than to try to re-engineer the code.

  14. Mark says:

    Steve,

    I would love to subscribe to your RSS feed but it is not valid.

    http://feedvalidator.org/check.cgi?url=http%3A%2F%2Ffeeds.feedburner.com%2FSteveGibsonsBlog

  15. Dave says:

    The sense of entitlement by TrueCrypt users astounds me too, I have no doubt that the developers were being honest when they said they were simply tired of it.

    While recommending Microsoft’s offering seems out of character, and being closed proprietary code is less than ideal, they are right that it’s plenty good enough for a very high percentage of users, who merely need to protect personal information against theft of portable hardware.

    That said, should it prove that the licencing issues are insurmountable, I would be interested to hear Steve’s views on alternatives such as DriveCryptor, or any others he’s aware of, where do people uncomfortable with Microsoft go if it turns out there is some problem?

    Not that I expect there to be one, but it never hurts to have a plan B


  17. rafferty says:

    Why is your *leave a donation in a pink color background, when it used to be blue?

  18. Nicolae Crisan says:

    I was a little (understatement) disappointed at Leo’s reaction to the TrueCrypt news. While I had a similar question in my mind about the first line of the TrueCrypt website, I do NOT believe the code within TC has in any way compromised the security of any user. To be fair, we don’t know yet, but the evidence clearly shows no foul play. To me, this carefully orchestrated exit clearly points to a legal maneuver to rid themselves (the developers) of ANY legal liability — which is being used as a clean break. After all, if you are asked in court “did you believe at that time that your product was compromised?”, the answer can be a resounding yes and NO blame can be attributed to anyone’s claim that TrueCrypt caused them harm.

  19. deandownsouth says:

    Just listened to the SN netcast on TrueCrypt, and while yes, it isn’t GPL, it is definitely “an” Open Source license. IANAL, but the very fact that anyone can fork the project (with the proviso that you remove the TrueCrypt name, can’t have any derivatives of it (i.e. iTruecrypt), and do not change the license) means you can create a version. So it is entirely possible to create a fork, call it “Bob’s Disk Encryption Extravaganza (BDEE)” and offer up disk encryption. It’s the same thing with how the CentOS distribution is created from commercial Red Hat Enterprise Linux (RHEL). They download the source from Red Hat and they create a derivative distribution. They have to release their distribution as GPL and have to remove Red Hat trademarks etc.

    Am I reading the license wrong???

  20. Rich says:

    “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

    To me, the key word in their statement is “MAY”.

    This does not confirm any particular problem with the code now, but leaves open the possibility that a currently undiscovered bug/vulnerability may possibly be discovered in the future and not be patched now that the developers have retired work on the project.

    Given the fact that there is no evidence of TrueCrypt’s security ever being breached (correct me if I’m wrong!), I see no reason to stop using it. Until there is a documented way to hack TrueCrypt (aside from brute forcing passwords), I’ll keep using it.

  21. Josh F says:

    Part of the issue with the Devs’ warning is that “secure” is, itself, a term that is defined differently by different people. For those of us who are truly security conscious, we would define “secure” as meaning “known (or proven) to be safe.” By extension, anything that hasn’t been proven to be secure would be “not secure.” Unfortunately, there is quite a lot of runway separating these two terms. The one thing we can’t seem to know the answer to is the following: do the TC Devs have affirmative knowledge about a discrete vulnerability that we don’t know about, or are the Devs simply speaking in an abundance of caution because the Devs will no longer be giving TC the attention necessary for them to be confident in TC’s effectiveness on a forward-looking basis?

  22. Bruce Elig says:

    To the authors of TrueCrypt if you are reading this: Thank you.

  23. Josh F says:

    I also wanted to mention that, as an attorney, the language that the TC Devs used expressing that “Using TC is not secure” is exactly what I would have advised a client to say if their goal was to completely disclaim everything about the software. If the Devs’ goal is to never have to deal with any future problem that may occur with TC, the only way for them to achieve that goal is to get the user base to stop using it altogether. This isn’t like a disclaimer that would accompany a commercial software package that seeks to limit their potential liability to TC users; on the contrary, it stands for the very simple proposition that the Developers’ only express representation to the world is that they shouldn’t use it at all.

    • Nicolae Crisan says:

      I haven’t read the terms or license agreement for TC, but I would imagine that it states something like “we make no claims as to the fitness of this product to accomplish anything” (paraphrase). This, in conjunction with the CLEAR statement that the product should NOT be used, would all but eliminate the developers from any potential “loss” or liability – would it not? I would think it would be difficult to mount an effective defense against the development team with such a clear statement.

  24. Pingback: Truecrypt: Updates: Perspectives and New Website « blog.dntopping.com

  26. Wait and See says:

    One item I have not seen mentioned anywhere in this firestorm over the apparent demise of TrueCrypt is a reference to an assertion I remember being made by the TC developers (unfortunately, I no longer have a link to it) that, according to knowledge they had, TC had been subjected to over a year of intense attack by FBI experts, both employees AND outside consultants (and the government CAN hire the best if they so choose), in a Federal case, AND TC HAD NOT CRACKED! However, if memory serves, this was from 2-4 years ago.

    So, one of two possibilities suggests itself:
    1) TC was finally cracked.
    2) TC never cracked.

    In case 1, the developers’ abrupt departure is self-explanatory.

    In case 2, people in authority intensely dislike their authority being flouted, and the U.S. Government can bring intense pressure on ANYONE worldwide, not just U.S. citizens.

    Whatever the real reason behind TC’s abrupt departure, I would agree with most of the opinions being put forward: keep using TC 7.1a until either the audit later this summer 2014, or some other hard evidence, shows any vulnerabilities in TC’s security.

    BTW, I like the double key/infinity sign logo suggested for any future branches of TC (https://www.grc.com/misc/truecrypt/truecrypt.htm). I WAS going to suggest “SCrypt” (Secure Crypt) as any follow-on branch code name, but I see that has already been taken. Too bad.

    I will add my thanks to the developers of TC, whoever and wherever they may be. Well done!

    • Lex Luthermiester says:

      Quote; “I will add my thanks to the developers of TC, whoever and wherever they may be. Well done!”

      Completely agreed! To the folks at TrueCrypt, you should be proud of your work! It’s saved me from headache on a couple of occasions. Once when a notebook was outright stolen and twice when my PC was accessed without my permission. Got as far as the password prompt and no further. So thank you very much.

      That having been said, you will NOT be taking it away from us. The source is out there and you don’t have the right to take it back after so long, not morally nor legally. Though out of respect for you, I’m sure those who take over your work will keep it as lean, clean and artful as possible.

      Hopefully you will see reason and wish us all the best, as we do you!

  27. Al says:

    I concur with Steve and will continue to use Truecrypt for personal use. I would like input on whether to recommend it to businesses and workers in the legal profession. If you wouldn’t, then what else would you recommend?

    My concern is that truecrypt wouldn’t stand up in court. Don’t get me wrong, I wholeheartedly believe in Truecrypt’s ability to protect any data, if used properly. However in court, the opposing team will totally twist the facts around.

    Lawyer: you are using Truecrypt, a product that the developers have said to be insecure, correct?
    You: yes
    Lawyer: and you understand that Truecrypt is no longer being worked on, correct?
    You: yes
    Lawyer: furthermore, you are aware that iSec has found some security flaws, correct?
    You: yes
    Lawyer: as you can see, [defendant] has admitted to using an encryption product that is known to be insecure and therefore the defendant has failed to meet basic IT security practices.

  28. Ethan S. says:

    Steve, I noticed you mentioned Amazon uses TrueCrypt for data exports to customers. Kroll OnTrack data recovery also uses TrueCrypt for users’ recovered data when they ship it back on a hard disk.

    Disclaimer: I’m not affiliated with Kroll, just a pleasantly surprised and satisfied customer.

  29. olegos says:

    Please add a link to CipherShed https://ciphershed.org/ in your posting.
    (I’m not affiliated with them)

  33. Vladimir Tess says:

    All I do is keep the TrueCrypt original software and methods; just on top of it I am encrypting the software behind the image.

  36. 3dsoftology says:

    What’s the latest with TC? Do I decrypt my entire network and look for something else, or wait for the audit report? I have TC 6.2.1 running atm. It will be a pain to get Type 2 done again :/

    Any feedback will be highly appreciated.

    • Nicolae Crisan says:

      You probably already know that your version is old. My first move would be to check the changelogs from your version to 7.1a (what I consider to be a known good version). Perform the decryption on the original drive (using the function in TC). Then clone the decrypted drive to a RAW image file or something similar for backup purposes. Run D.B.A.N. on the original drive to ensure a secure erasure. Install a fresh O.S., set up BitLocker or an alternative means of encryption and slowly migrate data over. It goes WITHOUT saying you should image files in an encrypted vault of some kind.

      I realize the process is nowhere near being tailored to your situation. Just trying to get the mental ball rolling for you.

  37. Uncle X says:

    TrueCrypt never had a SourceForge site, and the signature on version 7.2 does NOT match. So I’m pretty sure the site is hijacked. I don’t even know if the developer(s) realize the site is hijacked, since for years TrueCrypt has not been updated and I did not get replies from the developer in the last 2 years.

    If the developer realized the site has been hijacked, he would contact the site ISP and quickly fix that, since he pays the hosting bill.

    My guess is the site is hijacked and the developer(s) have not (yet) noticed it.

    Someone should contact the truecrypt.org ISP and notify them this site is probably hijacked, the ISP could then inform the site owner.

    Updating to version 7.2 would not be wise. The 7.1a version has been up all these years; I would keep using that and be sure it is the real version by using the MD5 hash.
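The check the comment above recommends, verifying a downloaded 7.1a installer against a digest, as an added example that is not part of the original post and not TrueCrypt’s own tooling. The file bytes are a constructed stand-in and the digests are computed from them; no real TrueCrypt hashes are reproduced here. The script accepts a manifest of several algorithms at once so a SHA-256 value can be checked alongside the MD5 one, treats an unknown algorithm name as a failure rather than skipping it, and streams the file rather than reading it whole. One caveat a practitioner should keep in mind: a digest fetched from the same site as the download only detects corruption; to detect substitution, compare against a digest (or the original GPG signature) obtained out of band.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded installer; NOT the real TrueCrypt
# binary. The digests checked below are computed from these bytes, not
# copied from any published TrueCrypt hash list.
SAMPLE_BYTES = b"constructed stand-in for TrueCrypt Setup 7.1a.exe\n"


def make_sample_file(data=SAMPLE_BYTES):
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def digest_of_bytes(data, algorithm):
    """Hex digest of an in-memory blob (used here to build the expected manifest)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Stream the file through the hash so a large installer need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(path, expected):
    """expected maps algorithm name -> hex digest obtained out of band.

    Returns {algorithm: bool}. An unknown algorithm name counts as a
    failure instead of being skipped, so a typo in the manifest cannot
    silently weaken the check. hmac.compare_digest makes the comparison
    constant-time (minor here, but it costs nothing).
    """
    results = {}
    for algorithm, digest in expected.items():
        if algorithm not in hashlib.algorithms_available:
            results[algorithm] = False
            continue
        actual = file_digest(path, algorithm)
        results[algorithm] = hmac.compare_digest(actual.lower(), digest.strip().lower())
    return results


def all_match(results):
    """True only when the manifest was non-empty and every listed digest matched."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    path = make_sample_file()
    manifest = {
        "md5": digest_of_bytes(SAMPLE_BYTES, "md5"),
        "sha256": digest_of_bytes(SAMPLE_BYTES, "sha256"),
    }
    print("clean file:   ", verify_against_manifest(path, manifest))
    # Simulate a swapped installer: same length, one byte different.
    tampered = make_sample_file(SAMPLE_BYTES[:-2] + b"X\n")
    print("tampered file:", verify_against_manifest(tampered, manifest))
    os.remove(path)
    os.remove(tampered)
```

Run it as a script to see a clean file pass on both digests and a one-byte change fail on both; in real use, replace the manifest with values copied from a source you trust independently of the download location.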

  38. Uncle X says:

    Soon we will know more, I’m sure of it now.

  40. Uncle X says:

    I am not convinced “Dave” has anything to do with the TrueCrypt project, since false rumors are spread. And the developers of TrueCrypt are shielded by the TrueCrypt developer association. So you don’t know “Dave” has anything to do with TrueCrypt. In fact he may be the one spreading false rumors and using the Apache exploit on the truecrypt.org domain.

    I know the developer of TrueCrypt a little, since we mailed a long time ago. I know for 2 years there has been no maintenance on the website or software and no response to E-mail. (He did not have the time for it) So I guess nobody that knows anything about truecrypt, has noticed their website has been hijacked.

    With the developers unknown, the e-mail accounts (that were not read anyway) have also been erased by the Apache exploit. (It does that.) Nobody could inform the developer about the hijack.

    As a computer programmer with 32 years of experience I also know a well known exploit in the Apache server. With this exploit it is possible to erase a website, but put a link in to another website.

    That is exactly what happened. And the Apache server used, well you guess right, has this vulnerability.

    Why would the developers create a sourceforge project, just to announce the end of a project? Since TrueCrypt never had a source forge website before…. HIGHLY suspicious.

    Why would the developers of TrueCrypt, not announce the end on TrueCrypt on truecrypt.org? Why the elaborate scheme with SourceForge?

    And why is the way TrueCrypt “ended” exactly the same as the Apache exploit?

    Why would the developer of TrueCrypt recommend a Microsoft solution, built into Windows, but your computer must have the hardware TPM module in the CPU? Only the latest computer models have that; most older computers don’t. Even most quad cores still don’t have a TPM module in the CPU. So that advice is useless to most people.

    These are all questions I have, and until I see them answered in a way that logical deduction is correct, I assume their website has indeed been hijacked and TrueCrypt on SourceForge is a hoax.

    I just know they have been hijacked, I’m sure of it by logic deduction. Not a 100% sure, but 99.999999999999% sure.

    Can anybody explain why an Apache exploit has been used to modify the TrueCrypt website so it links to SourceForge? Since I know that is what happened, I found that out myself. I need a really good answer to convince me that is not a hijack.

  41. Josh Fenton says:

    Well, the dilemma about continuing to use TC may be self-resolving for OS X users. I have confirmed that TC will not launch under Yosemite. Some very brief research suggests that a possible cause is that TC is incorrectly interpreting OS X version 10.10 as version 10.1, and thus below its minimum requirement of 10.4.
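The class of bug the comment above hypothesizes, as an added example that is not TrueCrypt’s code (the page does not show TrueCrypt’s actual version check, so the “naive” function is an assumption about how such a check goes wrong): comparing dotted versions as decimal numbers makes “10.10” parse as 10.1 and fail a 10.4 minimum. The second function does the comparison component-wise, pads to equal length so “10.4” equals “10.4.0”, and rejects malformed input instead of guessing.

```python
import re

# Minimum OS X version the comment above reports TrueCrypt requiring.
MIN_OSX = "10.4"


def naive_version_ok(version_string, minimum=MIN_OSX):
    """Assumed faulty check: treat 'major.minor' as a decimal number.

    Works for 10.4 through 10.9, then '10.10' becomes 10.1, which is
    below 10.4, so Yosemite is rejected.
    """
    def as_float(v):
        parts = v.split(".")
        minor = parts[1] if len(parts) > 1 else "0"
        return float(f"{parts[0]}.{minor}")
    return as_float(version_string) >= as_float(minimum)


def parse_version(version_string):
    """Split a dotted version into a tuple of ints; reject anything else."""
    parts = version_string.strip().split(".")
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"malformed version string: {version_string!r}")
    return tuple(int(p) for p in parts)


def version_ok(version_string, minimum=MIN_OSX):
    """Component-wise comparison, zero-padded so '10.4' == '10.4.0'."""
    have = parse_version(version_string)
    need = parse_version(minimum)
    width = max(len(have), len(need))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(have) >= pad(need)


if __name__ == "__main__":
    for v in ("10.4", "10.9.5", "10.10", "10.10.1"):
        print(f"{v:>8}: naive={naive_version_ok(v)!s:<5} correct={version_ok(v)}")
```

The output shows the two checks agreeing up to 10.9.x and diverging at 10.10, which is exactly the symptom reported for Yosemite.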

  44. bassclef78 says:

    Steve, have you looked into the Ciphershed fork?

  47. lackofconfidence says:

    Three main problems I have with Truecrypt that need clarification.

    1) Licensing and ownership issues with the code.

    2) Development obscurity.

    3) The possibility of being compromised before or during development.

    It seems to function as advertised while looking at it from the outside. What is really going on the inside? We can hardly claim confidence in its security.

    An audit has begun but has yet to go further in depth. So far it found this program has the potential of being insecure, or at the very least code that is in need of attention. The auditors have stated that “it did not meet their expectations”. With no further development we can no longer be assured problems found will be addressed.

    Currently we are being led to believe the developers gave notice that TrueCrypt is no longer secure or going to be developed. It all makes for a very dramatic ending. If you weren’t suspicious before, certainly this has now ended trust.

    Was this a legal problem with licensing and code ownership or confidence with the security of the development process? What a shame such a useful program has ended. Hopefully in the future someone will do this right from the very beginning.

  48. hazzaxb says:

    @lackofconfidence
    Yes, but …

    Your points apply just as much to conventional commercial products, e.g. BitLocker, as they do to TrueCrypt.
    Below, I use the term ‘spooks’ to mean any or all government intelligence and security organisations, e.g. NSA, FBI, CIA etc.

    1) Licensing and ownership issues with the code.
    a) These have no effect on the quality and security of the existing code.
    b) You can find a full copy of the TrueCrypt licence at this web address :

    https://github.com/FreeApophis/TrueCrypt/blob/master/License.txt

    In essence it states that forks are allowed so long as the new authors keep the existing TrueCrypt licence intact, remove all references to TrueCrypt in the code, state that the new work is based on TrueCrypt, and give the new product a name which cannot be confused with TrueCrypt. IMO the terms of the licence are entirely reasonable, easy to comply with, and certainly not a cause for any concern or lack of confidence.
    c) Note that TrueCrypt is NOT an open-source product; the source code is published in order that the program may be verified as genuine and non-malign.

    2) Development obscurity.
    Was the development of TrueCrypt any more or any less obscure than the development of BitLocker ? In practice we know almost nothing about any developer of any program, either individual or corporate. There are very good and positive reasons why the developer(s) of TrueCrypt might wish to remain anonymous and hidden, for example so that the bad guys and the spooks cannot apply malign influence on them or their work.

    3) The possibility of being compromised before or during development.
    Security products may be compromised in different ways. TrueCrypt Foundation took steps to remain incognito, probably in order to reduce the possibility of being compromised. A big corporation like Microsoft cannot hide itself, and is vulnerable to the spooks. Microsoft has nothing to gain (certainly no commercial advantage) and a lot to lose by standing in the way of such organisations, who are able to make life very difficult for those who don’t comply with their wishes. It is quite possible that Microsoft has prioritised its commercial well-being, taken an amoral / morally neutral stance and given NSA a master key to BitLocker.
    Is it possible that a malign person or organisation could distribute an apparently benign cryptography product which secretly steals data and sends it to the distributors ? Of course, but there are many cautious and sceptical security experts who are on the lookout for such behaviour, so it would be a long shot at best.
    Which do you trust more a) a product developed by people who have a sober and professional approach, and who take care to avoid difficulties b) a product developed by a large corporation which acts in its own undeclared interests and is unlikely to resist the approaches of the spooks ?

    “Was this a legal problem with licensing and code ownership or confidence with the security of the development process?” Neither. There are no licensing issues (see above). Given the amount of time, care and pride invested in TrueCrypt, I would expect the developers to stay and fix any deficiencies in the development process.

    TrueCrypt may be dormant in its current form but there are a number of people who have not only expressed interest in creating and maintaining a fork, but have also already taken action, so I think there are grounds to believe that TrueCrypt can be re-vivified.

    Further thoughts:
    (When I mention TrueCrypt below, I mean version 7.1a, the most recent sensible and trustworthy release.)

    1) Quality of product – BitLocker or TrueCrypt. TrueCrypt every time. I have seen enough of Microsoft’s oeuvre to know that quality of product always comes a very poor second to commercial expediency.

    2) The actual words on the TrueCrypt website are “it may contain unfixed security issues”. We should not infer too much from that statement, it applies to every piece of code ever written at every stage of its development – it is what cautious people (such as cryptographers) say.

    3) Almost nothing can change the actual status of TrueCrypt. You either trust the developer(s) and the program enough to use it or you don’t. Words on websites might change perceptions, but they cannot change what TrueCrypt does or how well it does it.

    4) It is possible that within TrueCrypt there are security weaknesses which would render it useless, and it is possible that someone will discover and exploit those weaknesses. So be it. Until and unless that happens, it seems reasonable to believe that TrueCrypt is a useful tool. Rumour has it that the FBI tried very hard for a long time to break it and failed. I have used the program for six years and it seems to me to be well designed and well implemented – I think it is likely that it has been tested very thoroughly.

    5) Cryptography is a live art. As time goes by and available computing power increases, the time taken to break TrueCrypt by brute force will drop from unthinkable (hundreds of years) to feasible (many months), and it will become obsolete. Exactly when this happens depends on your risk aversion and the availability of something better. I have seen expert opinion that in the two and a half years since TrueCrypt was last updated, longer key lengths and better encryption algorithms have become available.

    6) TrueCrypt may contain unfixed security issues, but there exists a mechanism by which they may be fixed – make a fork, and support and maintain the new product. It seems that there exist enough people with relevant talent and goodwill for this to occur quite soon.

    7) The preliminary results of the audit suggest that some of the coding practices can and should be improved. There appears to be no evidence that these practices have caused any exploitable security weaknesses within the executable program.

    8) No program is or can be perfect, but it seems that most of the weaknesses posited for TrueCrypt are hypothetical, or at least very unlikely to occur in the wild.

    9) Think about the real world. In my case, I carry around important private data (e.g bank details) on an encrypted disk. How vulnerable am I to weaknesses in TrueCrypt ?
    I suffer only if the disk is lost or stolen, and subsequently falls into the hands of someone who has sufficient skills and computing power to decrypt it. A very remote possibility indeed, unless a fatal weakness in TrueCrypt is made public very soon after the disc is stolen.
    If anyone intends to steal money from me, there are many better ways to do so than by stealing and decrypting my disk.
    If the spooks decide to come after me, they have many ways of getting to me which are very much more effective than stealing a data disc and trying to decrypt it.

    On balance, I am happy to use TrueCrypt as it is. I look forward to a time when its forked child is a live product which is actively maintained and enhanced. Early signs are that such a time may not be too far away.

  49. TC 7.1a does still work on OSX Yosemite (10.10). You have to edit a line in distribution.dist in the installer package. Set line 17 to return true; It installs and runs without any further issue.

  50. Pingback: TrueCrypt is Still Safe | Peter Says Stuff

  51. Pingback: TrueCrypt is Still Safe | My great WordPress blog

  52. palak says:

    It’s an awesome post.
    Thanks for sharing.

  53. John Richardson says:

    My suspicion is that TC is too good and the NSA does not have back door keys for it, thus prompting a National Security Letter requiring TC developers to cease and desist unless they provided them. This opens the door for MS Bitlocker to be promoted (which NSA obviously has the back door keys to, along with all other MS software).
