Also, it appears someone finally got a hold of a Truecrypt dev. The project was just shut down from lack of interest. No drama about auditing or crazy NSA conspiracies after all:
<a href="https://twitter.com/stevebarnhart/status/472203503478509568" rel="nofollow">https://twitter.com/stevebarnhart/status/472203503478509568</a><p>Edit: That tweet was deleted for some reason, but the rest of the thread is still there:
<a href="https://twitter.com/stevebarnhart/status/472192457145597952" rel="nofollow">https://twitter.com/stevebarnhart/status/472192457145597952</a>
It would be nice if the people who pick up and run with the "reboot" of Truecrypt's project management had a background in cryptography. Do these people?
I don't believe the TrueCrypt license allows this kind of redistribution, does it?<p>Then again, with anonymous developers and unknown jurisdiction, it may be moot.
My opinion, the fact that some security researcher was going to be getting more money than the actual developer ever made off the project must have been infuriating. I think that's good enough reason to burn the project to the ground.
This looks like a bootstrap site that was thrown together in an hour by two guys with twitter accounts and $10 for a domain name. I really doubt they're going to be doing any dev work.
Still have no idea what the "unfixed security issues" are, and few people mention them.
I imagine the "security issues" would be (if they exist):
1. because keys are easy to steal by cold boot or trojan.
2. because it has a backdoor that will save the key to a hidden place.
3. because it will leave some information in another place, like 2, but it's an implementation problem.
4. because it uses a vulnerable algorithm to generate the key.
5. because pbkdf2 or aes256 is <i>broken</i> but nobody knows it.
Excluding 2 and 3, changing to other software doesn't help at all; the algorithms are almost the same.
If the developers of Truecrypt are anonymous and the license doesn't allow something like this, would this allow us to find out who the developers are if they sue?
Honestly, I was hoping this drama would result in the implementation of hidden containers for other crypto solutions (dm-crypt, etc).<p>Hopefully that may still happen.
This is a bad idea. TrueCrypt should be put to bed for good. An event of this magnitude is easy justification for dropping TrueCrypt. It serves an extremely delicate purpose and this raises far too many red flags to ignore.<p>Place your energy in the alternatives. I wish you could downvote things on HN, if only because this is downright dangerous and needs to be read by as few people as possible.
I would love to see it live on with no new unneeded features, no changes made unless they are to fix bugs. Keep a stable long-term product and get as many people as possible looking over that code for flaws.
Search off the phrase "TrueCrypt Developers Association. All rights reserved." and you will find many other projects that include embedded TrueCrypt code. Food for thought...