TrueCrypt, leading encryption software touted and used by no less than Edward Snowden and Glenn Greenwald, now appears to be dead, according to its recently updated website, but no one seems to know why—or if the program’s ominous warning is legitimate.
“WARNING,” the site reads in large red letters. “Using TrueCrypt is not secure as it may contain unfixed security issues.”
A 10-year-old application, TrueCrypt has long been used for encrypting hard drives and USB sticks on Windows, Linux, and Macs.
The open source program was developed by the pseudonymous TrueCrypt team, who have made no public comment since the program’s site changed drastically, leaving many to wonder if the website was hacked or if the warning is legitimate.
However, the newest version of TrueCrypt, 7.2, now shows the same ominous warning message to users, suggesting that this isn’t simply a website-related issue.
Nobody knows what's going on. So grab some popcorn, relax and enjoy the show. #Truecrypt
— {0x41} (@Geekpirat) May 28, 2014
What’s wrong with https://t.co/jixNupQw6x? This seems very sketchy, /cc @kaepora @ioerror @matthew_d_green @csoghoian pic.twitter.com/fSQZI6ZEjl
— Justin Bull (@f3ndot) May 28, 2014
The TrueCrypt website now offers step-by-step instructions on how to transfer encrypted files to BitLocker, a competing full disk encryption program included in Microsoft Windows Vista, 7, and 8.
In a 2012 CryptoParty workshop, Snowden taught local Hawaiians how to use TrueCrypt to protect their data, saying that while no one knew who made it, it was one of the best open-source solutions available.
Bruce Schneier, a leading information security researcher, has long used TrueCrypt, including to safeguard the computer he uses to work on leaked NSA files. Although he’s said he prefers TrueCrypt to BitLocker because it’s developed independently, he has pointed out multiple flaws with the program, including with TrueCrypt’s hidden volume feature.
An independent partial audit of TrueCrypt’s code done as recently as last month found “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”
“[The results] don’t panic me,” Johns Hopkins cryptography professor Matthew Green told Ars Technica last month. “I think the code quality is not as high as it should be, but on the other hand, nothing terrible is in there, so that’s reassuring.”
The second and crucial step, to perform a “detailed crypto review and make sure that there’s no bug in the encryption,” has not yet been released.
Despite early rumors, Green denies that the audit he led has anything to do with the shutdown and is less than pleased with the new developments.
The sad thing is that after all this time I was just starting to like Truecrypt. I hope someone forks it if this is for real.
— Matthew Green (@matthew_d_green) May 28, 2014
This story is developing. We will update as new information becomes available.
Photo via r.nial.bradshaw/Flickr (CC BY 2.0)