Bombshell TrueCrypt advisory: Backdoor? Hack? Hoax? None of the above?

Wednesday's bombshell advisory declaring TrueCrypt unsafe to use touched off a tsunami of comments on Ars, Twitter, and elsewhere. At times, the armchair pundits sounded like characters in Oliver Stone's 1991 movie JFK, as they speculated wildly—and contradictorily—about what was behind a notice that left so many more questions than answers. Here are some of the more common theories, along with facts that either support or challenge their accuracy.

Warrant or National Security Letter canary

Theory: Borrowing a page from the Lavabit crypto service that former NSA contractor Edward Snowden used, Wednesday's advisory was what legal practitioners call a "canary," intended to signal receipt of a confidential demand from a law-enforcement or national security entity. Since National Security Letters (NSLs) can impose draconian penalties on those who make the demands known, this theory goes, the TrueCrypt developers issued a thinly veiled warning to users that they should no longer count on the program to prevent snooping by the US government.

Pros: Several elements of the advisory left many readers with the vague sense that the writers' tongues were planted firmly in their cheeks. Most obviously was the advice that TrueCrypt fans—a mish-mash of privacy-loving Linux, Mac, and Windows users—should abandon the cross-platform app for BitLocker, Microsoft's proprietary encryption program that runs only on selected versions of Windows. With much less prominent mention of FileVault or LUKS—the rough Mac and Linux equivalents of BitLocker, respectively—some people regarded the advice as so absurd as to be a wink and nudge signaling something much more serious was going on.

Read 10 remaining paragraphs | Comments