At this point, it is still unclear. Speculation runs rampant as to whether it's a defacement or official retirement.
That said, it is noteworthy that the last full release of TrueCrypt (7.1a, the version before the "7.2" build that's now posted) is over two years old. No apparent effort was made to support whole-disk encryption on Windows 8 either, and Windows 8 is actually older than TrueCrypt 7.1a if you count its publicly available pre-release versions.
Many Windows 8 users who used to rely on TrueCrypt have probably already migrated to BitLocker for whole-disk encryption, so moving the rest of their TrueCrypt-protected data (if they haven't already) is a logical next step anyway. Everyone else would probably do best to wait until this whole mess is cleared up.
The first phase of the TrueCrypt audit, covering the bootloader and Windows kernel drivers, turned up fewer than a dozen vulnerabilities, the worst of which were rated "Medium" severity. The report also said the source code "did not meet expected standards for secure code".
One of their recommendations mentioned:
Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct.
Another note stated:
The current required Windows build environment depends on outdated build tools and software packages that are hard to get from trustworthy sources
All of this, along with the two-year lapse in new releases and the lack of full support for the latest OSs, makes it easy to believe that TrueCrypt's team may indeed be throwing in the towel. If they have, then TrueCrypt becomes insecure in very much the same way Windows XP now is: any newly discovered vulnerabilities will not be patched. One key difference between TrueCrypt and Windows XP, however, is that TrueCrypt is open-source software, so compatible alternatives can still be developed and updated by others.
Still, the very sudden and unexpected announcement is definitely worth some amount of skepticism. Until there's been further validation of the news, I would suggest that you not trust anything posted on TrueCrypt's website or SourceForge page - especially not the new "7.2" download.
Update: 2014-05-29 0645Z
Brian Krebs has reported on the issue, and given some sound reasoning as to why this is not likely a hoax. Additionally, he mentions that the people behind IsTrueCryptAuditedYet.com will continue their work despite the software project's current status.
Speculation still runs rampant online, of course, and the continued anonymity of the TrueCrypt development team makes any undeniably authentic confirmation of their status nigh impossible. Matthew Green made a fair point in this tweet, though:
But more to the point, if the Truecrypt signing key was stolen & the TC devs can't let us know -- that's reason enough to be cautious.
Really, regardless of the signing key's status specifically, the fact that the TrueCrypt developers can't (or at least have so far made no apparent effort to) issue any separate, authoritative communication validating what has happened to their website should be enough to raise significant concern. If the TrueCrypt team is calling it quits, it's time to move on and find or make alternatives. If not, their lack of any out-of-band response to this incident raises serious questions (more so now than ever) about how much we can really trust them to maintain the sort of software we want to trust with our most valuable secrets.
Regardless of the status either way, it's probably best to seek alternative solutions. The recommendations on the TrueCrypt site aren't bad in general. However, they fall short of a few features TrueCrypt was known and loved for:
- Cross-platform compatibility
- Plausible deniability
- Hidden partitions
- Encrypted container files (you can do this with BitLocker and VHDs, but it's not nearly as smooth and seamless as with TrueCrypt)
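As an added illustration of that last point, here is what the BitLocker-plus-VHD "container file" workflow looks like in PowerShell. This is example code added to this post, not code from TrueCrypt, Microsoft or the original author. It assumes an elevated PowerShell session on Windows 8 Pro or later (BitLocker is not included in the core edition), the Hyper-V PowerShell module for New-VHD/Mount-VHD/Dismount-VHD, and the BitLocker module; the container path, size and volume label are arbitrary choices for the example.

```powershell
# Added example (not from the post, TrueCrypt or Microsoft): an encrypted container
# file on Windows built from a VHDX plus BitLocker. Assumes an elevated PowerShell on
# Windows 8 Pro or later with the Hyper-V module (New-VHD/Mount-VHD/Dismount-VHD/Get-VHD)
# and the BitLocker module. Path, size and label below are arbitrary example values.

function New-EncryptedContainer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [UInt64] $SizeBytes = 2GB,
        [Parameter(Mandatory)] [SecureString] $Password
    )
    # 1. Create the container file and attach it as a disk.
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    New-VHD -Path $Path -SizeBytes $SizeBytes -Dynamic | Out-Null
    $disk = Mount-VHD -Path $Path -PassThru | Get-Disk

    # 2. Partition and format it like any other fixed data drive.
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
        -NewFileSystemLabel 'Container' -Confirm:$false | Out-Null
    $drive = "$($part.DriveLetter):"

    # 3. Turn on BitLocker with a password protector only. As with a TrueCrypt volume,
    #    no recovery key is escrowed anywhere (add one with Add-BitLockerKeyProtector
    #    -RecoveryPasswordProtector if you want that safety net). Aes256 is the
    #    strongest method on Windows 8; XtsAes256 needs Windows 10 1511 or later.
    #    -UsedSpaceOnly keeps the initial encryption pass on an empty volume short.
    Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $Password `
        -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
    while ((Get-BitLockerVolume -MountPoint $drive).VolumeStatus -ne 'FullyEncrypted') {
        Start-Sleep -Seconds 2
    }
    return $drive
}

function Open-EncryptedContainer {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [SecureString] $Password
    )
    $disk = Mount-VHD -Path $Path -PassThru | Get-Disk
    # The data partition is the 'Basic' one; a GPT disk also carries a reserved partition.
    $part = Get-Partition -DiskNumber $disk.Number |
        Where-Object { $_.Type -eq 'Basic' } | Select-Object -First 1
    $drive = "$($part.DriveLetter):"
    Unlock-BitLocker -MountPoint $drive -Password $Password | Out-Null
    return $drive
}

function Close-EncryptedContainer {
    param([Parameter(Mandatory)] [string] $Path)
    $diskNumber = (Get-VHD -Path $Path).DiskNumber
    $part = Get-Partition -DiskNumber $diskNumber |
        Where-Object { $_.Type -eq 'Basic' } | Select-Object -First 1
    # Lock the volume (dropping the key from memory) before detaching the file.
    Lock-BitLocker -MountPoint "$($part.DriveLetter):" -ForceDismount | Out-Null
    Dismount-VHD -Path $Path
}

# Usage (interactive): create, write, close, and reopen the container.
$containerPath = 'C:\Secure\container.vhdx'   # assumed location
$pw = Read-Host -AsSecureString -Prompt 'Container password'
$drive = New-EncryptedContainer -Path $containerPath -Password $pw
Set-Content -Path "$drive\notes.txt" -Value 'kept inside the container'
Close-EncryptedContainer -Path $containerPath
$drive = Open-EncryptedContainer -Path $containerPath -Password $pw
Get-Content -Path "$drive\notes.txt"
```

Compared with a TrueCrypt volume this works, but it takes three modules, an elevated prompt and a dozen cmdlet calls where TrueCrypt needed one dialog, the container is a Windows-only format, and there is no equivalent of a hidden volume; that is the gap the list above describes.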
Update: 2014-05-29 1450Z
Jack Daniel has summed up my feelings on the topic quite well now, in a recent tweet:
So, yeah: hack, troll, ragequit, whatever- silence means TrueCrypt org can't be trusted, so neither can TrueCrypt. Damn.
Update: 2014-05-30 1545Z
GRC has posted claims that the TrueCrypt developers have been heard from, via Steven Barnhart.
https://www.grc.com/misc/truecrypt/truecrypt.htm
If the source can be believed (again, the public anonymity of the TrueCrypt development team makes certain authentication nearly impossible) then TrueCrypt is indeed no longer being actively worked on by the original team. Additionally, the license prevents anyone else from legitimately being allowed to write a new "TrueCrypt" (though it is possible they may be able to fork it under a different name).
One important thing to note, though GRC perhaps is a bit overly dramatic about it and may even be over-stating its value, is that the latest fully-functional version of TrueCrypt (7.1a) is - to public knowledge - still "safe" to use. Until such time as significant, and exploitable, vulnerabilities are discovered there's really no reason to consider 7.1a as inherently any more "unsafe" at the time of the truecrypt.org announcement than it was at any time before.
That said, one must also bear in mind (as noted earlier in this post) that any discovered vulnerabilities in TrueCrypt 7.1a will not be fixed in any future releases. Thus, it is still wise to begin seeking other alternatives. The same holds true here as it does for Windows XP - the only substantial difference being that XP has a much higher profile and will very likely accrue a very long list of un-patchable vulnerabilities (some likely exist already) much more quickly.
The Open Crypto Audit Project has tweeted a link to a "trusted archive" of TrueCrypt versions for those seeking older copies no longer available on truecrypt.org. Given the questions around the website and the signing key, anything you download from it is still worth checking against hashes or signatures you obtained before the announcement:
https://github.com/DrWhax/truecrypt-archive
Thanks to @Xander for pointing out the GRC article.