True mystery of the disappearing TrueCrypt disk encryption software

Webdriver Torso has nothing on this week’s mysteries!

First we had Apple iDevices in Australia announcing “Device hacked by Oleg Pliss” and demanding a $50 Moneypak voucher or $100 via PayPal.

No-one seems to know how, or why, and (to make things yet weirder) the PayPal address given for payment didn’t actually exist.

Now, the website of venerable free disk encryption software TrueCrypt is telling us:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

Not only that, but the page goes on to state that the project has been closed down, following the end of support for Windows XP:

The motivation seems to be that on all supported operating systems for which TrueCrypt was available, there’s now some sort of built-in full disk encryption system.

Yet more curiously, there’s a new version numbered 7.2 that can apparently only decrypt, intended to help you migrate away from the now-defunct TrueCrypt product.

The 7.2 “decrypt only” version can be downloaded for Windows, OS X and Linux.

What gives?

Is it a hack?

If so, no-one from TrueCrypt has yet come forward to suggest so.

Is it malware?

We don’t yet know, but the unlikely, unprofessional-looking and abrupt download page suggests that you’d be unwise to trust anything about it.

Is it the result of a legal threat?

Some have suggested that there might be legal pressure on TrueCrypt, combined with some sort of gag order that prevents the full story being told, so that this was the only lawfully clean way of closing the project.

Sort of like what happened to Lavabit, but deliberately wrapped in mystery.

But wouldn’t just closing the project with no explanation at all be even cleaner?

Is it a panicked response to a failed audit?

TrueCrypt announced a big code audit recently, as a way of restoring confidence in encryption software following the many Snowden allegations about government surveillance.

The results of the first part of the two-stage audit were published last month, apparently finding nothing untoward at all.

But even if the second part of the audit had revealed something terrible, why not simply say so, given that the audit would be published anyway?

Is it a side-effect of SourceForge’s recent forced password reset?

SourceForge recently announced it was boosting the security of its password storage, and would require everyone to choose new passwords as part of the improvement.

But it’s not clear how this could lead to a TrueCrypt shutdown.

Even if crooks had acquired TrueCrypt’s SourceForge passwords in the past, and realised their window of opportunity to abuse those passwords was closing, why take this sort of action now?

Is it a publicity stunt?

Well, if it is, it’s worked, but not in any positive way.

The bottom line

It certainly looks as though TrueCrypt is finished.

If the new web page is true, the project has ended explicitly.

If it isn’t true, then it’s going to be tough to re-establish trust in the code, and the project has ended implicitly.

→ The mysterious decrypt-only version 7.2 is apparently digitally signed with TrueCrypt’s private key, making the most likely explanation either that this is intentional by the developers, or that it is an unlawful hack. TrueCrypt’s private key would not be accessible via a SourceForge compromise, implying that this goes deeper than the Sourceforge-hosted content.

Do you know anything we don’t? Please tell us if you do – we’d love to get to the bottom of this mystery.