
"[Matthew] Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software."

"'I think the TrueCrypt team did this,' Green said in a phone interview. 'They decided to quit and this is their signature way of doing it.'"

"I'm a little worried that the fact we were doing an audit of the crypto might have made them decide to call it quits."



That is nonsense. The TrueCrypt developers turned over code and assisted in the initial audit. iSEC found no serious issues.

Granted they only evaluated the bootloader under the first contract, but if you were going to slip in a backdoor or if a serious crypto bypass would be possible it would have likely been there.


Which TrueCrypt developers? AFAIK we don't know them yet … and why was it necessary to turn over code for an alleged open source project?

iSEC has not found serious issues but that was only phase 1 of the audit.


It wasn't "Open Source™." The source, however, was available, and you could compile it yourself if you wished.

(It was somewhat unusual to compile on Linux, since it started as a Windows GUI project and was then ported to Linux.)


The project was in contact with TrueCrypt developers (someone who could sign messages using the release keys, and provide images of the build machine that is nearly impossible to reproduce).

They reviewed the bootloader which is one of the most complex parts and touched all the crypto and found no serious issues. That suggests that the rest of the mundane code is probably in pretty good shape.

Of course it is not a guarantee that things are perfect, but it suggests that the developers a) knew what they were doing and b) had no issues with an external audit.


If the audit made them call it quits, then having them cough up the source and abandon the project for someone else to pick up is the perfect outcome.


We already have the source.


We didn't before, though, did we? Or am I mistaken about that?


The source tarball was always available for download on truecrypt.org.


I think that's why they are quitting. They didn't want the audit to find something. But it's just speculation like any other.


It's more likely that they were angry that the audit got a lot of funds and they didn't.

In OSS often the people who do the original work get nothing and all the money goes to pundits, packagers, and consultants.


If that were true, and they were so sure of the quality of their code then they'd keep going, wait for the all clear and say: "Look, we've been doing this for 10 years, our system is now independently audited, will you please support us..."

I suspect that would have brought in a few dollars in the current climate.


That might make sense in a world of perfectly rational unemotional robots.

In the real world, if you worked for years trying to make people safe, and you felt (correctly or not) that you were being disrespected while others were being respected for picking at your nits, you might say "fine, fuck you all, have fun," too.

To be clear, I don't know what's going on. A "rage quit" is the most likely scenario IMHO, but this is all very weird.

EDIT: On reflection, a rage quit fits my priors, which say "there's no such thing as free-as-in-beer[1] software." So you and I should both be a little skeptical when I find it the likely explanation.

[1] It does exist, but it's the exception, and each project where it works has its own particular quirks that make it work. The successful ones typically rely on someone having a particular and unusual mental setup that doesn't mind freeloaders. Stallman and de Raadt develop software for their own use, and the rest of us can use it, too.


Off-topic, but considering the sheer amount of stuff on GitHub, I'm not sure it's about freeloaders - whether or not it's useful, the fact that so much code is published demonstrates that many people are okay with it being used by others.


They are humans, not all of whom are objectivists. In fact Matthew Green himself has mentioned the possibility of insulting the developers:

http://blog.cryptographyengineering.com/2013/10/lets-audit-t...

  Aren't you worried you'll insult the Truecrypt developers?

  I sure hope not, since we're all after the same thing.
  Remember, our goal isn't to find some mythical back door
  in Truecrypt, but rather, to wipe away any doubt people
  have about the security of this tool.

  But perhaps this will tick people off. And if you're one
  of the developers and you find that you're ticked, I'll
  tell you exactly how to get back at us. Up your game.
  Beat us to the punch and make us all look like fools.
  We'll thank you for it.

The sad state of OSS is that it's much more profitable to find security holes, fork existing good code bases, write articles, write blogs, teach, go on stage in conferences than to do some original work.

I wonder what would happen if all original workers united and did the same as the Truecrypt people...


I object to the implicit criticism of the value of the audit here: independent audits drastically increase the value of security systems, because having someone without an existing mental model scrutinize code is a very good way to catch bugs, so users correctly consider an audited system more trustworthy. The audit is not more valuable than the original code, but it is much more valuable than the types of derivative work you mentioned.


The "current climate" is one where security defects lead to highly visible public witch hunts and shaming and then the forking of code (see: OpenSSL). OpenSSL only just today got funding and an additional two developers. Despite pretty much the entire world using and depending on it for years now. Despite the fact that it's open source and anyone anywhere could have taken the time to conduct an audit.


If the system works fine, and the auditors are paid and they have certified that the system works, where is the need for any more financial support? I agree that the work should be recognized, but there is no need to pay to support work that has already been completed, as anyone who's ever applied for a research grant already knows.


Not just OSS, though, if you read the history of new products or discoveries the same pattern regularly occurs.


Just that there are no known 'people who do the original work' in the case of TrueCrypt.


I doubt that's the reason - Green says that the audit is going ahead. The other fact that makes this unlikely is that Green's team has the source, so his team can poke around all it likes anyway. Ergo, quitting is no guarantee that something won't be found.


But quitting and hence most likely ending the project will substantially increase the chance that Green decides spending the rest of the money auditing it is a waste of cash.



