Possible hidden Latin warning about NSA in Truecrypt's suicide note

When the anonymous authors of the Truecrypt security tool mysteriously yanked their software last month, there was widespread suspicion that they had been ordered by the NSA to secretly compromise their software. A close look at the cryptic message they left behind suggests that they may have encoded a secret clue in the initials of each word of the sentence ("Using TrueCrypt is not secure as it may contain unfixed security issues"), the Latin phrase "uti nsa im cu si" which some claim can be translated as a warning that the NSA had pwned Truecrypt.

The final and best criticism of this article is the fact that the hidden message is bad Latin. It's bad enough, so say some people, that it could just be a coincidence or a random accident. Essentially, they say that there is no hidden message, because there is no Latin, but I think that's going too far, and I disagree. The critics are correct, it is bad Latin. But, the English phrase it came from was bad English too. The only important thing is that the Latin was good enough for the meaning to be apparent, and I think the odds of that happening completely coincidentally are too small to be believable. If it looks like a duck, walks like a duck, and quacks like a duck, it's a duck!

On the other hand, there are some good reasons to formulate a hidden message in bad Latin. Firstly, what I'm claiming is going on here is the TrueCrypt developers are giving us a warrant canary, which is a warning that they're being forced to do things with TrueCrypt that they don't want to do (Apple has a warrant canary too). If their warrant canary is too obvious, it could cause serious legal troubles for them, so the wisest thing to do is to make the warrant canary deniable. I believe they have done that. The bad Latin is bad enough that anyone can credibly state that it's a hugely unlikely coincidence, but still only a coincidence.

The important thing is that the hidden message - even if it doesn't exist - has succeeded in getting people to question whether the NSA might be trying to tamper with the security of TrueCrypt. That's a bona fide "mission accomplished" from the point of view of the TrueCrypt developers, and there's really nothing more to say about it.

Hidden message on the new sourceforge TrueCrypt site

Notable Replies

  1. This is getting way too much into symboligy for my taste. This is like Dan Brown discovering that the Holy Grail exists because two lines join at an angle (spoiler alert).

  2. Let's say TrueCrypt wanted to say, "Don't use TrueCrypt, because there are issues that make us think the NSA can read TrueCrypt-secured data." Why not just say that, instead of using some silly (and truly bad) Latin initialism that sort of suggests something about the NSA if you squint at its translation? ESPECIALLY since "Hey, the NSA broke TrueCrypt" is exactly the conclusion everyone who saw the TrueCrypt announcement immediately leaped to?

    Or, okay. Let's say they've been warned by the NSA not to disclose that the NSA has access. What makes them think that their hidden message will be deciphered by the heroic net denizens they intend to warn and not by, say, the most technically accomplished codebreaking organization in the world?

  3. But the Latin is so bad it doesn't appear even to be Latin. Admittedly, it's been a long time, but I majored in this stuff. "Uti" and "si" are Latin words, though you'd expect "si" at or near the beginning of the sentence, not at the end.

    "NSA" isn't Latin, obviously.

    Which leaves us with the curious "im" and "cu." Google Translate sure thinks they mean "I" and "wish," respectively, but that seems like a real stretch to me. The pronoun "I" in Latin is declined ego, mei, mihi, me, me. The closest I can get to "im" meaning "I" is that it's a first-person singular irregular suffix for "be" verbs in the present subjunctive (e.g., "sim"). Here, it's not attached to a verb--it's just hanging out in the sentence.

    "Cu" is no less opaque. I think Google Translate is tying it to cupio, which indeed means "want" or "desire," but it's not actually a form of that verb. And if I'm remembering right, cupio is generally more along the lines of greed or carnal desire rather than a preference or wish (for which, again if I'm remembering right, you'd use volo, velle).

    And add to that the fact that even the Google Translate translation doesn't really suggest what this author wants it to suggest. "If you want to use the NSA" makes no sense on its own as a warning, and it also doesn't make sense when appended to the sentence: "Using TrueCrypt is not secure as it may contain unfixed security issues if you want to use the NSA."

    There's plausible deniability and then there's obscurity beyond all reasonable bounds. If they were trying to go for the former, they've veered WAY over into the latter territory.

  4. There's always plausible deniability, but their actions caused people to leap to one of two conclusions:
    1. TrueCrypt was already compromised and they didn't want it to be discovered during the upcoming crowd funded security audit.
    2. TrueCrypt had been NSLed.

    Personally, I find it funny how no one takes the "We don't care about this software anymore," they provided as being legitimate.

    Also, what's up with all this crypto stuff being done anonymously? It's like someone wants to live in the Sprawl.

  5. rwmj says:

    I just had to log in here and say that the phrase simply is not Latin. Only 4 of the letters, taken far of context, are Latin words (UT and SI). But they are in the wrong positions in the sentence, and in any case the rest of the letters don't form Latin words.

    (And yes, I have studied serious classics)

Continue the discussion bbs.boingboing.net

53 more replies

Participants