My analysis of what really happened to TrueCrypt
One of three possibilities:
1) There is no TC backdoor, TC devs were not forced to shut down, TC devs decided for whatever reason to shut down and close shop on their own.
2) There always was a TC backdoor, and the TC devs feared the recent audits will bring that to light, therefore proactively terminated TC.
3) There is no TC backdoor, Feds/US gov came knocking on the door, wants TC devs to either backdoor TC or shut down TC.
In scenario 1:
TC devs bragged publicly on their website for years that one of the "selling points" of TC is that it has no backdoor, that they will never build a backdoor, and that it is open source and anyone can review the code, and even pointed to a case where FBI tried for years to brute force crack a TC user's laptop but could not get it decrypted.
So given the aforementioned assumptions of scenario 1 in that there isn't a backdoor, and the Feds didn't come asking TC devs to install a backdoor and TC devs were not compelled to shut down, then why the ABRUPT shutdown that was so out of character?
If they decided they just weren't interested in the project anymore, couldn't they have let the website sit as it is, as it had previously sat there dormant like the two years prior to the shutdown? Even if they wanted to shut down abruptly, why not simply put a banner or notice on the main page stating that TC will no longer be actively developed, software is "as is", use at your own risk, etc? Why did they have to gut the entire TrueCrypt website, gut the entire TrueCrypt forums, and gut public access to all the documentation, to all the source code, and to even version 7.1a itself?
The fact that they would release a neutered version 7.2 that ONLY decrypts and does not ENCRYPT means they are motivated and PREEMPTIVELY intent on no one else ever being able to ENCRYPT anything with TrueCrypt at all going forward anymore. But why go to these extremes?
Surely they know that anyone who TRULY wants to keep using TC can get access to it elsewhere on the Internet and can even compile their own TC, so shutting down TC the way they did and then releasing TC7.2 is a move that is either aimed at forcing the common people off TrueCrypt and into the arms of Microsoft (BitLocker) AND/OR they were NSL'd and this was to appease TPTB as a public gesture of compliance and goodwill towards the masters. But the latter half goes against assumptions made in scenario 1. And the former half makes zero sense either because the recommendation to use BitLocker is just out of line on so many levels.
BitLocker is closed source so it will never get audited openly. Microsoft is in bed with the NSA, no one seriously doubts that. So while we don't know if TrueCrypt has a hidden backdoor or fatal vulnerability, what we do know is that BitLocker cannot be trusted. Absent positive evidence to the contrary, any security minded person would much rather use TrueCrypt than BitLocker. For the TC devs to recommend BitLocker (TC devs don't have access to BitLocker source code and can't possibly know WHAT is in it) is just crazy and entirely out of character.
And then, to pile insult to injury, their stated justification for shutting down TC has something to do with Microsoft not supporting XP? Or that Bitlocker is "good enough"? This is a retarded excuse, so retarded in fact that it makes one suspicious that they are secretly hinting at something else.
For one, not every version of modern Windows comes with BitLocker, so it is not a replacement for TrueCrypt. Many versions of Windows 7 (which will be supported until 2020) do not have BitLocker built in, and TC was always a multi-platform OS agnostic encryption tool that allowed encrypted containers to span different operating systems, this is something BitLocker will never be able to support. Furthermore, Windows XP still to this day has a sizeable install base, and likely this will stay the course for the foreseeable future, and people choosing to use an old OS not supported by Microsoft has nothing to do with anything.
Why give lame ass excuses for shutting down? If you want to shut down just shut down, no need to give excuses, especially lame ass ones.
And the TC7.2 move is suspicious on so many levels. Users already on TC7.1a don't need to download TC7.2 to decrypt their files. Users that need to decrypt their files and suddenly find themselves in the situation of not being able to find a TC7.1a locally and then not being able to redownload TC7.1a due to the abrupt TC site shutdown are probably going to be sophisticated enough to find another source for 7.1a on the Internet and also have no need to download 7.2. The TC7.2 is nothing but an underhanded public image move... but for what reason and purpose?
So to recap, the combined factors of 1) abrupt shutdown 2) removal of all forums, docs, source code, binaries 3) the weird release of TC 7.2 4) lame ass excuses like XP not supported and BitLocker being good enough make me completely rule out Scenario 1....
No reasonable mind could come to the conclusion that this was a voluntary shutdown. Something must have happened.
In scenario 2:
Let's say that TC always had a backdoor.
If TC was an NSA project then very likely the audit wasn't going to find it anyway. It wasn't going to be an obvious backdoor anyhow, so like the bug with OpenSSL, NSA can just play dumb and it would never be attributed back to the NSA.
The odds that TC did the abrupt shutdown BECAUSE of a government backdoor (or fears it was going to get found out soon) are slim to none. Either the backdoor would never be found (most likely) or they could have simply chanced it and waited until something hit the fan to make a move, but a proactive move like this gains them nothing and is very unnecessary.
Let's say the government had no involvement. Let's say the TC devs themselves were evil and put a backdoor in TC for their own purposes. Maybe the whole thing was a prank, or maybe they were just perverted and wanted to abuse people's trust and wanted to be able to spy or have power over as many people as possible. But I just don't find it very likely to be the case at all.
I don't think there are any intentional backdoors, intentional exploits or vulnerabilities in TC.
In scenario 3:
So we are left with the only other plausible explanation:
"There is no TC backdoor, Feds/US gov came knocking on the door, wants TC devs to either backdoor TC or shut down TC."
Certainly this is consistent with the following facts:
1) TC abruptly shut down, with no prior hint or notice
2) Website seems like it was almost defaced
3) All source code and binaries removed and deleted
4) All forums and docs removed
5) A "decrypt only" version of TC released. 7.2 doesn't do anything that 7.1a can't do, so why not just leave 7.1a available for download, put up a reminder that TC is not supported anymore, instead of going out of their way to delete all traces of TC7.1a and then going out of their way again to pimp out a downgraded TC7.2?
6) Lame ass excuses for the shutdown, excuses that were completely retarded and completely unnecessary.
7) Recommendation of Bitlocker
8) Step by Step instructions on how to migrate to BitLocker.
None of the above facts support the theory that TC had a backdoor or that TC devs were simply tired. All dots connect and point back to an NSL of some sort.
Luckily the cat is out of the bag, the genie is out of the bottle and the source code is out in the wild and can't be completely shut down.
But of course the government knew this all along..... the purpose and intent of their NSL?:
- Make people never trust TC7.1a again and move to BitLocker or other backdoored versions of encryption tools, or less secure encryption tools. ("ShitLocker is Good Enough")
- Prevent TC devs from completing a GPT/UEFI version of TC and hope that as hardware support for legacy BIOS eventually becomes less common and completely phases out and legacy OS (like Windows 7) phases out (the hint with XP perhaps?) and gets replaced with Windows 8/9 that TC will become outdated and unusable for the common masses.
- In the future most people will just buy a computer that comes preinstalled with Windows 8/9, in the future most hard drives will be using GPT as opposed to MFT, and in the future it is quite possible that motherboards will not support legacy BIOS anymore... Effectively this means the death of TrueCrypt as far as the masses are concerned.
The government did not want secure encryption to "catch on" with the populace and even though it could not put the genie back into the bottle, it effectively kills TrueCrypt going forward by making sure that trust in the brand was lost and that there will not be a full disk encryption version that supports GPT/UEFI/Windows Next/etc.....