Well, gee, how coincidental ... Just recently Sourceforge requested a mass password reset.
Subject: SourceForge.net Password Reset Required
SourceForge.net Team <firstname.lastname@example.org>
May 21 (7 days ago)
To make sure we're following current best practices for security, we've
made some changes to how we're storing user passwords. As a result, the
next time you go to login to your SourceForge.net account, you will be
prompted to change your password. Once this is done, your password will be
stored more securely. We recommend that you do this at your earliest
convenience by visiting the SourceForge website and logging in.
And, as always, be vigilant about password security. Use a secure password,
never include your password in an email, and don't click on links for
unsolicited password resets.
If you have any concerns about this, please contact SourceForge support at
SourceForge.net has made this mailing to you as a registered user of
the SourceForge.net site to convey important information regarding
your SourceForge.net account or your use of SourceForge.net services.
We make a small number of directed mailings to registered users each
year regarding their account or data, to help preserve the security of
their account or prevent loss of data or service access.
If you have concerns about this mailing please contact our Support
team per: http://sourceforge.net/support
I checked the gpg signature of the 7.2 file using their older key from last year - the signature is correct :-/
I cannot imagine them being so naive and recommending a closed source software which, besides being a no-go because of closed source alone, obviously very probably has backdoors because it's from M$. Maybe their account has been hijacked, maybe they are trying to tell us something, we'll see. Their web-site, hosted on SourceForge, also encourages users to switch over to Microsoft's BitLocker encryption software as an alternative.
LUKS (and cryptsetup in the userspace) is a much better and safer choice (full-disk encryption is always a safer option).
Note that new versions of cryptsetup support opening truecrypt format volumes which might help you migrate.
I wasn't a big fan of TCrypt either, since I always counted PGP a better choice for the next-door Joe and Jane trying to provide a bit of security to his / her files.
Matthew Green, who according to Heise.de is one of the TrueCrypt Auditors, claims on Twitter:
"I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite"
"Der erste Teil der Quellcode-Prüfung von Truecrypt hatte keine nennenswerten Probleme aufgedeckt; der zweite hat noch nicht begonnen."
"The first part of the source code examination didn't uncover any noteworthy problems; the second part hasn't begun yet"
My reading of the message regarding unfixed security issues is that it's no longer being maintained. That said, it could also be a subtle indication that there are bugs in there they are being coerced not to fix.
It's also interesting that they're suggesting people use the integrated encryption support, which is closed source (for both Windows and OS X).
They haven't provided any links to alternative software for Linux, even though there are some fairly comprehensive summaries on both the Ubuntu and Arch websites. It's possible that they didn't want to recommend an open source program.
For now, the only conclusions that can be drawn are:
- we can't trust the latest version
- we can't trust any of the older versions, since they could be compromised
- we can't trust BitLocker, since that's what they want us to (plus it's closed source)
Therefore, anyone who's using Truecrypt for anything really important needs to change to another open source solution, like LUKS or ecryptfs. There are Windows programs compatible with both of those listed on the Arch wiki article posted earlier, though I imagine anyone doing anything really important probably isn't running Windows.
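The thread mentions that newer cryptsetup versions can open TrueCrypt-format volumes and recommends moving to LUKS. The script below is an added example, not part of any post here, showing one way to do that migration. The device paths, mapper names (`tc_old`, `luks_new`) and mount points are placeholders, and commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: copy data from a TrueCrypt volume into a new LUKS volume.
# Device paths, mapper names and mount points are placeholders (assumptions).
# Steps are only printed unless APPLY=1 is set; applying them needs root.

run() {
    printf '%s\n' "$*"                          # always show the step
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi   # execute only on request
}

migrate_tc_to_luks() {
    src=$1; dst=$2
    if [ -z "$src" ] || [ -z "$dst" ]; then
        echo "usage: migrate_tc_to_luks <truecrypt-dev> <new-luks-dev>" >&2
        return 2
    fi
    # luksFormat wipes its target, so never point it at the source volume.
    if [ "$src" = "$dst" ]; then
        echo "refusing: source and target are the same device" >&2
        return 2
    fi
    # 1. Check that the passphrase unlocks a TrueCrypt header at all.
    run cryptsetup tcryptDump "$src" || return 1
    # 2. Map the old volume read-only so the migration cannot modify it.
    run cryptsetup open --type tcrypt --readonly "$src" tc_old || return 1
    # 3. Create the LUKS container and a filesystem on the new device.
    run cryptsetup luksFormat "$dst" || return 1
    run cryptsetup open --type luks "$dst" luks_new || return 1
    run mkfs.ext4 /dev/mapper/luks_new || return 1
    # 4. Mount both sides (old one read-only) and copy with attributes kept.
    run mkdir -p /mnt/tc_old /mnt/luks_new || return 1
    run mount -o ro /dev/mapper/tc_old /mnt/tc_old || return 1
    run mount /dev/mapper/luks_new /mnt/luks_new || return 1
    run cp -a /mnt/tc_old/. /mnt/luks_new/ || return 1
    # 5. Unmount and remove both mappings.
    run umount /mnt/tc_old
    run umount /mnt/luks_new
    run cryptsetup close tc_old
    run cryptsetup close luks_new
}
```

Source the file and call `migrate_tc_to_luks /dev/sdX1 /dev/sdY1` to review the plan, then repeat with `APPLY=1` once the device names are confirmed.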