[Sir_Cmpwn]

You are correct. These options are not very portable. My point here is not that the alternatives are ready for non-technical users, but that developers should focus on realizing that future instead of maintaining and advocating a fork of dangerous software.

Edit: I was wrong, dm-crypt is supposedly accessible on Windows and maybe accessible on OS X. Non-FDE methods have decent spread. https://wiki.archlinux.org/index.php/Encryption#compatibilit...

[Zancarius]

> instead of maintaining and advocating a fork of dangerous software.

This smells of hyperbole. Why do you consider TC to be _dangerous_ software? Lack of maintenance? Speculative possibilities regarding recent events?

If the rumors are true that the TrueCrypt devs are throwing in the towel, that discounts a couple of dangerous scenarios I can think of leaving only lax maintenance.

[neurobro]

Maybe the sudden, big, red "WARNING: Using TrueCrypt is not secure" from someone who is in the best position to know and who has been trusted for 10 years to make decisions about what is and is not secure?

Without anything else to go on, it seems the most responsible assumption (for now) is that the software is in some way dangerous.

[yebyen]

I think no. Given what we know, the most reasonable assumption is that the developers did not want to abandon the project to the wind and the future without leaving a proper landing page indicating that the project is unmaintained. Vulnerabilities could be discovered in the future.

This is true of every piece of software, always. No specific flaws have been mentioned by anyone. Here, the (supposed) developers flat-out told us they just lost interest. There hasn't been a release in years, and now -- if his identity were to become known -- a negative result on the audit (no vulnerabilities found) would not be interpreted as an endorsement from him that the software is secure.

When/if the vulnerability is found, he will not be required to say "I told you so" or "I'm sorry." The last ten years absence of evidence is not evidence of absence, that's just common sense.

And there is one vulnerability I think I've heard that's not surprising anyone -- TC keeps the keys in memory while the partition is mounted. Anyone with enough practice can supposedly freeze the chips, unplug them, put them into another machine, and boom grab your keys without disturbing the frozen bits. Presumably law enforcement and other APT entities will be getting better at this technique over time.

If you're worried about this and other threats, best to keep your partitions unmounted.