Is TrueCrypt truly safe?

Solution 1:

I'll go through the article point by point:

No one knows who wrote TrueCrypt. No one knows who maintains TC.

There is a quote right after that says the trademark is held by Tesarik, who lives in the Czech Republic. It's pretty safe to assume that whoever owns the trademark maintains the product.

Moderators on the TC forum ban users who ask questions.

Is there any proof of this, or is it just anecdotal? And by proof, I mean first-person proof, screen shots, et cetera.

TC claims to be based on Encryption for the Masses (E4M). They also claim to be open source, but do not maintain public CVS/SVN repositories

Source control is certainly an important part of a group programming project, but its absence certainly does not decrease the credibility of such a project.

and do not issue change logs.

Yes they do. http://www.truecrypt.org/docs/?s=version-history. Not all OSS publishes extremely clear change logs, because it's simply too much time sometimes.

They ban folks from the forums who ask for change logs or old source code.

Because it's a stupid question, considering that there is a change log and old versions are already available. http://www.truecrypt.org/downloads2

They also silently change binaries (md5 hashes change) with no explanation... zero.

What version is this of? Is there any other proof? Downloadable, signed old versions?

The Trademark is held by a man in the Czech Republic ((REGISTRANT) Tesarik, David INDIVIDUAL CZECH REPUBLIC Taussigova 1170/5 Praha CZECH REPUBLIC 18200.)

So what? Someone in the Czech Republic owns a trademark for a major encryption technology. Why does it matter?

Domains are registered private by proxy. Some folks claim it has a backdoor.

Who? Where? What?

Who Knows? These guys say they can find TC volumes: http://16systems.com/TCHunt/index.html

Duh, the TC volumes in the screenshot all END WITH .tc.

And anyone seen this image on the Contact page?

TrueCrypt Foundation address
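Whether a volume can be found without relying on its file name is something you can check directly. The following is an added example, not TCHunt's code and not anything from the TrueCrypt project. The heuristic it implements (no recognisable file header, length a multiple of the 512-byte sector size, first bytes statistically indistinguishable from random) and the size and chi-square thresholds are assumptions made for this example, and the files it writes are constructed sample inputs, not real volumes.

```python
"""Content-based scan for files that look like headerless encrypted containers.

Added example; the heuristic and thresholds are assumptions, not TCHunt's or
TrueCrypt's own logic.  Nothing here looks at the file extension.
"""
from __future__ import annotations

import os
import random
import tempfile

SECTOR = 512
SAMPLE = 8 * SECTOR          # bytes examined at the start of each file
MIN_SIZE = 19 * 1024         # assumed: ignore files too small to be a volume
CHI_SQUARE_MAX = 400.0       # assumed: random data scores ~255 +/- 23 for 255 d.o.f.

# Magic numbers of formats that are high-entropy but announce themselves.
KNOWN_HEADERS = (
    b"\x1f\x8b",                # gzip
    b"PK\x03\x04",              # zip, docx, jar
    b"\x89PNG\r\n\x1a\n",       # png
    b"\xff\xd8\xff",            # jpeg
    b"%PDF",                    # pdf
    b"7z\xbc\xaf\x27\x1c",      # 7-zip
    b"Rar!\x1a\x07",            # rar
    b"BZh",                     # bzip2
    b"\xfd7zXZ\x00",            # xz
)


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    Random or well-encrypted data scores near 255; text and most structured
    formats score in the thousands or higher."""
    expected = len(data) / 256.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def classify(path: str) -> tuple[bool, str]:
    """Return (is_candidate, reason) for one file, judged on size and content only."""
    size = os.path.getsize(path)
    if size < MIN_SIZE:
        return False, "too small"
    if size % SECTOR:
        return False, "length not a multiple of %d" % SECTOR
    with open(path, "rb") as f:
        head = f.read(SAMPLE)
    if any(head.startswith(m) for m in KNOWN_HEADERS):
        return False, "known file header"
    score = chi_square(head)
    if score > CHI_SQUARE_MAX:
        return False, "leading bytes not random (chi-square %.0f)" % score
    return True, "no header, sector-aligned, random leading bytes (chi-square %.0f)" % score


def scan(directory: str) -> dict[str, tuple[bool, str]]:
    """Classify every regular file directly under `directory`."""
    results = {}
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            results[name] = classify(p)
    return results


def build_sample_dir() -> str:
    """Write constructed sample files (not real volumes) to a temp directory."""
    rng = random.Random(1234)                       # fixed seed for repeatability
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    d = tempfile.mkdtemp(prefix="tcscan-")
    text = (b"The quick brown fox jumps over the lazy dog. " * 1500)[:64 * 1024]
    files = {
        "vault.tc":    rand(64 * 1024),                    # named like a volume
        "holiday.bin": rand(64 * 1024),                    # same content, bland name
        "notes.txt":   text,                               # plain text, sector-aligned
        "backup.gz":   b"\x1f\x8b" + rand(64 * 1024 - 2),  # random-looking but self-describing
        "odd.dat":     rand(64 * 1024 + 17),               # random, but not sector-aligned
        "tiny.key":    rand(4096),                         # random, but far too small
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, (hit, why) in scan(build_sample_dir()).items():
        print("%-12s %s  %s" % (name, "CANDIDATE" if hit else "-", why))
```

Run it and holiday.bin is flagged on content alone, exactly like vault.tc, while the gzip member, the misaligned file and the small file are not, and the text file fails the chi-square test by orders of magnitude. The same test flags any headerless encrypted container or a file of raw random bytes, so a hit is an indicator worth a closer look, not proof that a TrueCrypt volume is present.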

Solution 2:

Read these articles: the FBI has failed to decrypt 5 hard drives protected with TrueCrypt.

http://www.net-security.org/secworld.php?id=9506

http://techie-buzz.com/foss/fbi-fail-decrypt-hard-drive-truecrypt.html

Solution 3:

I believe that TrueCrypt might be provided by the NSA, CIA, or one of those big Federal agencies for the purpose of promoting encryption for which they have the back door, in order to decrease the use of other encryption that they can't crack. That's the reason for their secrecy around it, and that's why it also is such a well-polished product with good documentation, despite neither being a commercial product nor having the widespread participation of open source developers.

See this document, which explains that the government's goal is to encourage the widespread use of encryption for which they can recover the keys: http://www.justice.gov/criminal/cybercrime/cryptfaq.htm

Actually, the Administration encourages the design, manufacture, and use of encryption products and services that allow for recovery of the plaintext of encrypted data, including the development of plaintext recovery systems, which permit through a variety of technical approaches timely access to plaintext either by the owners of data or by law enforcement authorities acting under lawful authority. Only the widespread use of such systems will both provide greater protection for data and protect public safety.

....

The Department's goal -- and the Administration's policy -- is to promote the development and use of strong encryption that enhances the privacy of communications and stored data while also preserving law enforcement's current ability to gain access to evidence as part of a legally authorized search or surveillance.

...

In this regard, we hope that the availability of highly reliable encryption that provides recovery systems will reduce the demand for other types of encryption, and increase the likelihood that criminals will use recoverable encryption.

Solution 4:

Well, the TrueCrypt project may well be run in a fashion that is inhospitable/hostile to outsiders (anonymous devs, no Changelog), but I don't see how that relates to it being secure or not.

Look at it like this: If the devs really wanted to screw people by putting backdoors into TrueCrypt, it would make sense for them to be nice, so people are less suspicious.

In other words, whether the software is trustworthy is quite independent from whether the devs are sociable people or not. If you believe the availability of source code is not enough to ensure security, you will have to organize a code audit. There certainly are people outside the TrueCrypt project who look at the source code, so a deliberate backdoor is probably hard to hide, but there might be hidden bugs. This bug in Debian's OpenSSL package went unnoticed for quite a while.