I Feel Shafted By Truecrypt

Topics: Users Discussion
Dec 19, 2014 at 8:14 AM
Between 2008 and 2012 I donated approx. $77 USD to Truecrypt and this is what I got in return. Nothing and I am at risk now.

Well, if Idrassi is prepared to take on the project for the next 5-10 years I'll be happy to double that.

How much have you donated?
Are you expecting people like me to donate on your behalf?

Come on guys support the project. Xmas is around the corner.
Dec 19, 2014 at 2:22 PM
I am not here to defend TrueCrypt, but I would like to ask you some questions if that's ok.

You say you received nothing from TrueCrypt, didn't they provide you with an encryption program?

I have not seen any crypto evidence that TrueCrypt containers are at risk now, have you?

Are you really saying you are only prepared to donate if you are guaranteed between 5 to 10 years of dedicated support?

Is there any other open source program offering this guarantee?

VeraCrypt offers better security than TrueCrypt, but TrueCrypt is not broken. If you are referring to the cryptic message left on the TrueCrypt site, it was written in a "huff". There is no known weakness in TrueCrypt yet. Well, their password hashing was a little weak, but not broken.

I recommend that if security is your priority, you switch over to VeraCrypt. If VeraCrypt is useful to you, then donate what you believe it is worth. I do not believe it is reasonable to expect 5 to 10 years of dedicated support and make that a condition of any support you offer, however limited.
Dec 19, 2014 at 8:24 PM
Edited Dec 19, 2014 at 9:40 PM
Hello Mr Flot,

TrueCrypt (TC) is still very secure. Unless you are using weak passwords, the low iteration count TC uses for the hash is not an issue. I look forward to the results of the second phase of the TC audit, which I believe was to analyze the implementation of the encryption algorithms. I am not sure if the second phase of the audit will include the hash algorithms.

I agree with your post of getting people to donate to VC but not for the reasons you specified.

I will share my thoughts as to why I believe TrueCrypt failed to attract sustainable donations which led to the “lack of interest” from the TC developers.
  1. The lack of developer interaction with the user community. The developers did not participate in the TC forums. Requesting a feature or bug fix via the TC website resulted in no feedback from the developers. In my opinion, this turned off many people from wanting to contribute money to TC. There was no connection or exchange of ideas between the developers and the user community that could have improved the product and the security of TC.
  2. Lack of updates before the official announcement in May 2014, which had the user community commenting that TC was dead. Although the fanboys of TC felt that the developers were busy working on the next big release. :)
  3. At one point on the TC website, they posted a donation goal of $150,000 USA dollars with no explanation. The user community wanted to know what the purpose was for the money. Again, no response from the developers, which made people question donating money to TC. Within a month, the donation goal was quietly removed from the website's main page. Some TC forum members speculated that the developers wanted to pay themselves for their time and effort, which is fair. However, the developers never came out and said that was the purpose of the donation goal.
  4. Not knowing the TC developers' identities made me uneasy about donating money to a secret group of people that may have questionable links to other groups that would put you "on the radar" of government agencies.
Donate to VeraCrypt

As a point of reference, I checked on a couple of disk encryption products and their current prices to give the VC user community some idea of what might be a reasonable amount of money to donate to VC, based on what you would pay to purchase closed-source encryption software that includes one year of support.

Purchase prices generally were around $85 to $100 USA dollars for disk encryption. For file containers, products charged another $60. Support was only for one year. Many lack implementation of hidden volumes and hidden OS features.

I would suggest people consider donating once a year, like when you purchase an upgrade for commercial software, rather than making a one-time donation, which is not a sustainable business model.

Consider that as more users switch from TC to VC, along with first-time new users, the demands will increase, which requires more attention to the software and responding to users on the forums. However, just like the rest of us, the developers of VC have bills to pay and need recurring revenue from the donations if they are to provide increased development effort and support for VC. Sustainable donations to VeraCrypt may prevent what I feel was part of the demise of TrueCrypt software development.

Thank you,
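The two posts above disagree on how much the "weak" (low-iteration) header-key hashing matters. The added example below (not code from this thread or from the TrueCrypt/VeraCrypt projects) makes the cost model explicit: raising the PBKDF2 iteration count multiplies the work per password guess, which is worth only log2(ratio) bits of extra password entropy, so a strong password stays safe at a low count and a weak one falls at either count. The iteration counts, attacker hash rate and password lengths are illustrative assumptions, not values quoted on the page.

```python
import hashlib
import math

# Illustrative iteration counts (assumption): a "low" legacy count and a
# much higher modern count for the header-key PBKDF2.
LOW_ITERATIONS = 1_000
HIGH_ITERATIONS = 500_000


def derive_header_key(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 header-key derivation, as used by container formats
    of this kind (the concrete parameters are assumptions)."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)


def extra_entropy_bits(low: int, high: int) -> float:
    """Going from `low` to `high` iterations costs an attacker a factor high/low
    per guess, equivalent to adding log2(high/low) bits to the password."""
    return math.log2(high / low)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password over a charset of given size."""
    return length * math.log2(charset_size)


def worst_case_crack_seconds(bits: float, iterations: int, prf_per_second: float) -> float:
    """Time to exhaust a keyspace of `bits` bits when each guess costs
    `iterations` PRF calls and the attacker computes `prf_per_second` of them."""
    return (2 ** bits) * iterations / prf_per_second


def compare_passwords(prf_per_second: float = 1e9) -> dict:
    """Worst-case crack time (seconds) for a weak and a strong password at both
    iteration counts. 1e9 SHA-512 per second is an assumed attacker rate."""
    weak = password_bits(26, 6)     # 6 lowercase letters, ~28 bits
    strong = password_bits(62, 12)  # 12 random alphanumerics, ~71 bits
    return {
        "weak_low": worst_case_crack_seconds(weak, LOW_ITERATIONS, prf_per_second),
        "weak_high": worst_case_crack_seconds(weak, HIGH_ITERATIONS, prf_per_second),
        "strong_low": worst_case_crack_seconds(strong, LOW_ITERATIONS, prf_per_second),
        "strong_high": worst_case_crack_seconds(strong, HIGH_ITERATIONS, prf_per_second),
    }


if __name__ == "__main__":
    print(f"extra bits from higher count: {extra_entropy_bits(LOW_ITERATIONS, HIGH_ITERATIONS):.1f}")
    for name, seconds in compare_passwords().items():
        print(f"{name:12s} {seconds / 86400 / 365:.3g} years")
```

Under these assumptions the weak password falls in minutes at the low count and about a day and a half at the high count, while the strong one takes on the order of 10^5 years even at the low count, which is the point both posters make from different directions.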
Jan 9, 2015 at 6:04 PM
I, like Enigma2Illusion, believe the reason the developers ceased working on TC was that they simply didn't want to continue working on it. The reason they indicated TC was no longer secure was that they couldn't predict what problems would be found, and since they would not be in a position to address those future problems, it was a statement intended to make people actually act on their encryption needs.

As for the reason they ceased working on TC: the one feature that had to come next was UEFI and GPT support. In a very short amount of time our devices will be unlikely to support MBR/Legacy mode for various reasons, including the storage size of those devices. Windows and OS X in the near future will expect GPT partitions; once that happens it's safe to say the majority of Linux distributions will mark MBR support as a legacy feature, and any problems with MBR support that could have come up wouldn't have been easy to fix.

To put it bluntly.

TrueCrypt was using an ancient build system, had numerous problems with using the correct type of variable within its code, and was looking at trying to push GPT and EFI support on top of all the other minor problems that existed. The independent security audit that took place was both good and bad. It showed that their legacy build system and the code itself were safe, but it also pointed out that it needed a great deal of work for it to be considered truly safe.

The developers simply didn't want to adapt, so they decided to take Truecrypt behind the shed. Truecrypt might have had a few good years left in her, but considering all the minor and major development hurdles that needed to be cleared, it's understandable they decided to simply walk away.