Last fall, we noted that the popular disk encryption software TrueCrypt was undergoing a security audit, inspired by the Snowden revelations. At issue: TrueCrypt is open source and widely used and promoted (hell, Snowden himself apparently taught people how to use it), but no one really knew who was behind it -- raising all sorts of questions. A little over a month ago, we noted that the first phase of the audit didn't find any backdoors, but did note a few (mostly) minor vulnerabilities.
However, a little while ago, TrueCrypt's SourceForge page suddenly announced that "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" and furthermore: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP."
While some initially questioned if this was a hoax, others quickly noted that a new version of the program was signed with the official TrueCrypt private key -- meaning that it's either legit, or TrueCrypt's private key has been compromised (which would obviously present another serious issue). If you happen to use TrueCrypt, you should be very, very careful right now.