Ever since TrueCrypt disappeared a few days ago, there has been a lot of speculation as to what happened. There are plenty of theories on r/netsec, r/linx, and r/crypto. Even Bruce Schneier doesn’t know what’s going on.
There is a theory that the developer threw in the towel, however, the most popular theory going around is that the NSA/FBI/other-three-letter-organization was involved and this is TrueCrypt’s warrant canary. Because they would not legally be allowed to divulge the fact that they were being forced to backdoor their software, they decided to suggest alternatives known to be backdoored, knowing that users would understand the secret message.
Personally, I think a tinfoil-style comment on Ars Technica sums it up best:
Consider the logic of it.
The version with the warning is signed with the true private signing key. So it is authentic.
The explanation about this being related to Windows XP support is ridiculous.
The suggestion to use BitLocker is quite telling.
Now suppose that the author received a secret order from a secret court that required the author keep secret the secrecy of the secret order from the secret court. Furthermore, the author was secretly required to turn over his secret signing key to a secret third party.
If you were the author, what would you do? Consider your options.
One is that you could issue an update with a warning that the program is no longer secure. Even though the program really is, at this moment, secure. The only source code changes are to insert the warnings. But what the warnings are warning you about, but cannot just come out and say, is that the program will not be secure in the future because a third party now has the keys to sign authentic new insecure versions.
This wouldn’t be unlike Lavabit shutting down. The author is choosing to fall on his sword for the good of everyone.
Up until v7.2, TrueCrypt was the best at what it did. In theory, as long as there was no flaw in the code, you could still use older versions of TrueCrypt without issue. Good news for you, as plenty of sites are now hosting archives of those older versions:
- TrueCrypt.ch – Hosted in Switzerland
- GitHub – Team behind TrueCrypt audit
- Gibson Research Corporation