What really happened to TrueCrypt back in 2014? Did anyone ever find out?

It was a widely used encryption tool that was suddenly dropped with the message "not safe, use something else".

  • DarkAri@lemmy.blahaj.zone
    3 days ago

    The story I heard is that the creator got a national security letter, which forced him to add backdoors or go to prison, and so he did the minimum necessary by law, meaning the last few versions of it are probably compromised, but also took out a clause from the user agreement that stated that he had not received an NSL. That was sort of a canary to get around the gag order and stuff at the time.

    Honestly who knows though? That was over 10 years ago when I heard that.

    If I had to guess, he was using his own encryption method that wasn’t crackable. It is well known that the NSA bought up some standard-setting organizations for encryption. Normally rolling your own encryption would be risky if you don’t know how to depattern it. I suspect that many common encryption standards are picked because they have a shortcut to cracking them.

    • bamboo@lemmy.blahaj.zone
      3 days ago

      All of these claims are easily able to be checked from the archived version of the site. It was not using a homegrown encryption algorithm.

      The last version released was independently audited and “found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances”.

      I had never heard of the warrant canary for TrueCrypt, and quickly searching for news of the time, I was unable to find anything to indicate that there was ever a mention of an NSL on the website, so nothing to remove if they were served with an NSL.

      • snooggums@piefed.world
        3 days ago

        If he received a national security letter that had an indication of the government possibly taking over the project and adding in their own back door, that would be a reason to say the software wasn’t safe (from future changes). If there wasn’t follow-through then it would pass an audit.

    • _cryptagion [he/him]@anarchist.nexus
      3 days ago

      TrueCrypt used the encryption method you chose; it didn’t have a custom one. Usually that entailed triple-layer encryption such as AES-Twofish-Blowfish, but you could use weaker encryption if you desired to.