The money was raised to audit TrueCrypt before the developers abandoned it. The money must go toward that audit. The fact that the TrueCrypt devs abandoned the project changes what we should expect from it. Specifically, we should expect that moving forward, it's going to be a bad idea to use it.
This viewpoint isn't just tptacek's. When the TrueCrypt devs shut down TrueCrypt, they posted in big red letters "TRUECRYPT SHOULD BE CONSIDERED INSECURE" or something to that effect. They did that because, like tptacek, they are responsible crypto devs and are doing their duty: when no one is actively maintaining a project, it is inherently insecure because the security landscape changes so rapidly.
If the TrueCrypt devs were to step out of the shadows with some money to audit TrueCrypt's current codebase, yet maintained their stance that not having an active dev team makes the project insecure, would you aggressively badger them for their "contradictory beliefs"?
There is value to be had in auditing an insecure project's open source codebase. If any security problems are discovered, users will be able to assess their potential impact based on how they were previously using TrueCrypt. If they have old images laying around which are discovered to be decryptable, users will be able to delete them before someone else discovers that flaw and steals their data.
Secondly, if the codebase survives the audit relatively unscathed, then it serves as an example of how to write production crypto code (at the time it was written, not presently!) similar to how tarsnap is currently such an exemplar. The TrueCrypt code can't be used directly due to licensing issues, but it nonetheless serves as a "here is how to use these arcane Windows APIs in the context of security." Such guidance will be extremely valuable for future similar projects.
Lastly, I am kind of afraid to talk to you at all in case I incur your bullying wrath somehow, because if that were to happen, you'd kill the fun of HN for me. I imagine you're killing the fun of HN for tptacek.
Actually, tptacek isn't suggesting that the murky status of TrueCrypt's source code is why you shouldn't use it, he's suggesting that the disk encryption mode itself (XTS) is why no one should use it.
This viewpoint isn't just tptacek's. When the TrueCrypt devs shut down TrueCrypt, they posted in big red letters "TRUECRYPT SHOULD BE CONSIDERED INSECURE" or something to that effect. They did that because, like tptacek, they are responsible crypto devs and are doing their duty: when no one is actively maintaining a project, it is inherently insecure because the security landscape changes so rapidly.
If the TrueCrypt devs were to step out of the shadows with some money to audit TrueCrypt's current codebase, yet maintained their stance that not having an active dev team makes the project insecure, would you aggressively badger them for their "contradictory beliefs"?
There is value to be had in auditing an insecure project's open source codebase. If any security problems are discovered, users will be able to assess their potential impact based on how they were previously using TrueCrypt. If they have old images laying around which are discovered to be decryptable, users will be able to delete them before someone else discovers that flaw and steals their data.
Secondly, if the codebase survives the audit relatively unscathed, then it serves as an example of how to write production crypto code (at the time it was written, not presently!) similar to how tarsnap is currently such an exemplar. The TrueCrypt code can't be used directly due to licensing issues, but it nonetheless serves as a "here is how to use these arcane Windows APIs in the context of security." Such guidance will be extremely valuable for future similar projects.
Lastly, I am kind of afraid to talk to you at all in case I incur your bullying wrath somehow, because if that were to happen, you'd kill the fun of HN for me. I imagine you're killing the fun of HN for tptacek.