by Sir_Cmpwn 4402 days ago
This is a bad idea. TrueCrypt should be put to bed for good. An event of this magnitude is easy justification for dropping TrueCrypt. It serves an extremely delicate purpose and this raises far too many red flags to ignore.

Place your energy in the alternatives. I wish you could downvote things on HN, if only because this is downright dangerous and needs to be read by as few people as possible.

3 comments

I disagree. TrueCrypt (for better or for worse) made encryption available to the masses in an easy-to-use application. Without it, a similar level of encryption requires knowledge of the Unix command line or expensive commercial products. The events that have unfolded do certainly raise the stakes for the TrueCrypt audit, but at present, I am still better off using TrueCrypt than nothing at all.
Having taught hundreds of people how to use TrueCrypt over the years, I would certainly say that it was hardly easy for the average person to use.
It was, however, easy enough to use for anybody capable of administering their own Windows PC, a situation which most of us on this site have been in at some point in our lives.
Hmm, I think the YC News people are not the average users :)

The problem really came in Africa and the Middle East, where overall IT literacy is low. People could often use a computer but were not familiar enough with it/scared to break something that they were afraid to really problem solve - esp human rights defenders in their late 40/50s in these places.

So for example, if taught A then B = C, TC was fine. The problem often came when A then B = Z, then TC became a problem. Its UI/UX and use of language (why call something "Mount"? Just use the word "Decrypt" for God's sake! - yes, it's not perfectly accurate, but it's easier for people to understand.) was pretty intimidating for many of the people whose lives really depend on it.

I'm speaking to developers who would work on something like maintaining a TrueCrypt fork. Instead, improve the usability of the alternatives to solve the problems you've raised.
Who says they aren't going to fork and continue development?

It's just a landing page that a couple of guys put up while they try to figure out what direction to take. Since there's an audit going on right now, when it's done they'll probably start fixing the problems and releasing new versions. Have a bit of patience.

There is a $30,000 audit currently underway. There will be no security problems un-turned when they are through. That's assuming there are any to begin with (Personally, I think not).

I see no issue picking up the codebase and running with it.

> There will be no security problems un-turned when they are through.

I really really doubt this is a claim the folks doing the audit would make.

If you can make that happen with $30k, you can get very rich!
> That's assuming there are any to begin with (Personally, I think not)

They already found a few flaws. Nothing major though: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_A...

Of all the subsets of the software development world, crypto is the one to be taken most seriously. TrueCrypt was always developed in the shadows, and the recent controversy takes the nails they've set and hammers them firmly into the coffin.

Audits aren't perfect.

It's code. There are no secrets.

Problems come up when nobody reads the code. Right now, there's an awful lot of people reading this code (Given the strange warnings posted on the TC site).

That's a fine attitude for normal code, but crypto is a whole different ball game. Linux security was significantly reduced at one point because somebody changed int i to int i=0, something most developers would think is a positive. Side channel attacks are extremely easy to create and extremely hard to find. And, unfortunately, the "many eyes" thing doesn't work here because it requires experienced, knowledgeable eyes, and there aren't enough of those, and they are usually busy getting paid, researching how to break software or building their own stuff.
> Linux security was significantly reduced at one point because somebody changed int i to int i=0

Could you please elaborate on this one?

It's been a while. I should have restricted it to Debian: http://jblevins.org/log/ssh-vulnkey
Seems to me they relied on the uninitialized memory of a stack variable as a partial source of randomness for key generation.

Initializing the variable with 0 removed that part.

[fridge brilliance] Maybe, after the OpenSSL debacle, they realised that the only way to make a truly secure product was to get a lot of eyeballs on the code, hence the dramatic diva flounce to grab attention... [/fridge brilliance]
Would you mind pointing me in the direction of a good alternative? Thanks.
The Arch Linux wiki page has an excellent overview: https://wiki.archlinux.org/index.php/Encryption
Hmm, it doesn't appear that any of the options there work on Linux, OS X, and Windows?
You are correct. These options are not very portable. My point here is not that the alternatives are ready for non-technical users, but that developers should focus on realizing that future instead of maintaining and advocating a fork of dangerous software.

Edit: I was wrong, dm-crypt is supposedly accessible on Windows and maybe accessible on OS X. Non-FDE methods have decent spread. https://wiki.archlinux.org/index.php/Encryption#compatibilit...

> instead of maintaining and advocating a fork of dangerous software.

This smells of hyperbole. Why do you consider TC to be _dangerous_ software? Lack of maintenance? Speculative possibilities regarding recent events?

If the rumors are true that the TrueCrypt devs are throwing in the towel, that discounts a couple of dangerous scenarios I can think of leaving only lax maintenance.

Maybe the sudden, big, red "WARNING: Using TrueCrypt is not secure" from someone who is in the best position to know and who has been trusted for 10 years to make decisions about what is and is not secure?

Without anything else to go on, it seems the most responsible assumption (for now) is that the software is in some way dangerous.