Something really strange is up with TrueCrypt

[vezzy]

Apparently, they've officially announced that development is over and that people should migrate to BitLocker (Microsoft's integrated full disk encryption).

http://truecrypt.sourceforge.net/

Of course, nothing is as it seems.

Some insight from the /r/netsec thread:

TL;DR: Assumption #1 The website is presumed hacked, the keys are presumed compromised, the binary on the website is capable only to decode encrypted data, not encode, and may contain trojan (although I didn't find any, but don't believe me). The binary is signed with the valid (usual) key. All old versions are wiped, the repository is wiped too. Please do not download or run it. And please don't switch to bitlocker.

Latest working version is 7.1a. Version 7.2 is a hoax, although it's signed by a valid key and seems like was built on the usual developer PC (there are some paths like c:\truecrypt-7.2\driver\obj_driver_release\i386\truecrypt.pdb, which were the same for 7.1a).

On the SourceForge, the keys were changed before any TrueCrypt files uploaded, but now they are deleted and the old keys got reverted back.

Why I think so: strange key change, DNS record changed, why bitlocker?

Assumption #2 Something bad happened to TrueCrypt developers (i.e. take down or death) or to TrueCrypt itself (i.e. found the worst vulnerability ever) which made them do such a thing.

Why I think so: all files are with valid signatures, all the releases are available (Windows; Linux x86, x86_64, console versions, Mac OS, sources).

SourceForge sent emails on 22 May, they said they changed password algorithms and everybody should change their passwords.

TrueCrypt developers are unknown and currently there is no way to know who is who and who should we listen to.

From wikileaks twitter https://twitter.com/wikileaks/status/471769936038461440:

    (1/4) Truecrypt has released an update saying that it is insecure and development has been terminated http://truecrypt.sf.net

    (2/4) the style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement

    (3/4) the new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict..

    (4/4) in the dev team or psychological issues, coersion of some form, or a hacker with access to site and keys.

From Matthew Green (one of TrueCrypt auditor) twitter https://twitter.com/matthew_d_green/status/471752508147519488:

    @SteveBellovin @mattblaze @0xdaeda1a I think this is legit.

TrueCrypt Setup 7.1a.exe:

    sha1: 7689d038c76bd1df695d295c026961e50e4a62ea
    md5: 7a23ac83a0856c352025a6f7c9cc1526

TrueCrypt 7.1a Mac OS X.dmg:

    sha1: 16e6d7675d63fba9bb75a9983397e3fb610459a1
    md5: 89affdc42966ae5739f673ba5fb4b7c5

truecrypt-7.1a-linux-x86.tar.gz:

    sha1: 0e77b220dbbc6f14101f3f913966f2c818b0f588
    md5: 09355fb2e43cf51697a15421816899be

truecrypt-7.1a-linux-x64.tar.gz:

    sha1: 086cf24fad36c2c99a6ac32774833c74091acc4d
    md5: bb355096348383987447151eecd6dc0e

Diff between latest version and the hoax one: https://github.com/warewolf/truecrypt/compare/master...7.2

Screenshot: http://habrastorage.org/getpro/habr/post_images/da1/1bf/6a5/da11bf6a5225fa718987ba4e54038fc1.png

See also the HN thread: https://news.ycombinator.com/item?id=7812133

Either this is a full compromise, a false flag psyop to undermine encryption, the developers found a critical security bug and decided to go out with a bang so as to avoid disclosing it and potentially threatening lives, or they got sick of developing the software and so are going out with a bang.

There's also some really interesting speculation that the TrueCrypt devs use a very old Visual C++ version and build system to compile TrueCrypt that is now fully obsoleted with the EOL of Windows XP, and after their inability to port it, decided to just end it all.

Whatever it is, this will be fascinating to watch.

[Zesh]

Very interesting. Thanks for the share +1.

[lucid]

I knew there was a reason I dropped TrueCrypt.

[Architect]

Yeah I switched to LUKS full disk encryption a long time ago.
Too many threat models using TrueCrypt.

[Oni]

Incredibly worrying, considering many people I know rely on Truecrypt. I sure as hell wouldn't trust Bitlocker or anything managed by Microsoft. Like Architect, I think LUKS is much more reliable. Unfortunately, most of the people I know that rely on Truecrypt are using Windows.

[Kulverstukas]

Damn this is really interesting. If they did decide to drop it all then it's friggin' funny.

[Architect]

Either way it looks like the devs officially don't care about maintaining TrueCrypt source. Why? We may never know.

[rasenove]

The fact that TrueCrypt is suggesting people to migrate to BitLocker and the odd nature of their announcement makes me think, NSA is behind this?

[voodoo]

Somewhat of an unexpected event that had some of my coworkers shooting different conspiracy theories back and forth today.  The format of the announcement is what makes it seem odd to me.  Gonna keep my eye on this one.  *puts tin foil hat on*

[flowjob]

Two good comments I found on the reddit thread:
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/chtuusa
http://www.reddit.com/r/netsec/comments/26pz9b/truecrypt_development_has_ended_052814/chtm4xp

Changing the "English (U.S.)" to "English (United States)" seemed pretty weird to me too when looking through the diff...
Why would someone do that, when abandoning the project anyway?

[Architect]

I guess now we wait for a some type of "This domain has been seized because we're huge cocks over here at NSA" banner.

[vezzy]

I guess now we wait for a some type of "This domain has been seized because we're huge cocks over here at NSA" banner.

Intelligence agencies aren't responsible for domain seizures.

[Architect]

Jokes aren't responsible for your interpretation of the humor inside.

[Pussy]

Nsa Holds all big companies facebook, yahoo, apple, twitter, etc. and now they wanted to get hold of Truecrypt to hook public encrypted data. The only flaw in truecrypt is NSA, so now Devs are making people aware to of this issue, and yes we should stop using it until further Upgrades.

[Stackprotector]

The message on TrueCrypt's new website got me thinking:
Using TrueCrypt is not secure as it may contain unfixed security issues
 
Let's isolate the first letter of each word:
(U)sing (T)rueCrypt (i)s (n)ot (s)ecure (a)s (i)t (m)ay (c)ontain (u)nfixed (s)ecurity (i)ssues
 
Result?
utinsaimcusi
 
Let's spread that!
uti nsa im cu si
 
That is latin for
"If I wish to use the NSA"
 
Stay away from future Truecrypt releases. This is clearly a warning from the developers.