Security

The mystery surrounding TrueCrypt's departure

In a surprise move, TrueCrypt's developers appear to have closed up shop. As to why, that may never be known.

Data_security_1600x1200_030314.jpg
 Image: iStock

Thinking about downloading the latest version of TrueCrypt? Forget about it. According to ZDNet, TrueCrypt developers shuttered their website on May 28 and redirected traffic to this webpage in the same mysterious fashion that the premier open-source encryption application came into existence. First impressions were that the TrueCrypt website was hacked.

However, Brian Krebs and Dan Goodin, independently, determined that is most likely not the case. Krebs said, "A cursory review of the site's historic hosting, WHOIS, and DNS records shows no substantive changes recently."

Krebs said, "What's more, the last version of TrueCrypt uploaded to the site on May 27 shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014. Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired."

For those not familiar with TrueCrypt, ZDNet said it was "an open-source software project for file and full-disk encryption. It was fairly well known and respected. A major volunteer project was under way, run by legitimate crypto people, to give it a formal security audit."

Some history

TrueCrypt's developers have been steeped in mystery ever since the first version came out ten years ago. Case in point, only a chosen few even know who the developers are. The only public interview (albeit unsubstantiated) I located was the September 10, 2005 dialogue between blogger WolfManz611 and TrueCrypt developer Ennead:

WolfManz611: What's your position in the TrueCrypt project?

Ennead: I'm 29 and my main project roles are the following: Project Administrator, Developer, and Designer. I am also responsible for the documentation and the website.

WolfManz611: How much time have you spent on the TrueCrypt project getting it to where it is today and how many developers are working on it?

Ennead: There are currently two main developers (who are also the project administrators) working on TrueCrypt. As for how much time we have spent on the project, I think quite a lot. We usually take a short break after a major release (unless there are major issues that need to be resolved immediately) and then begin working on a new version. A considerable portion of our time is devoted to the work on the project.

Hoax or for real?

Both Krebs and Goodin relied on the opinion of Matthew Green, a cryptographer and research professor at John Hopkins University. Green has been critical of TrueCrypt, and to that end was one of the experts who led the recent crowd-sourced audit of TrueCrypt: IsTrueCryptAuditedYet? (more on the audit later).

Krebs reported in his blog that Green said, "I think the TrueCrypt team did this. They decided to quit and this is their signature way of doing it." Green told Goodin that he had no advance notice of the announcement and that he was in private contact with the TrueCrypt developers.

The scuttlebutt

The possible explanations are rampant on the internet. I've culled a few of the more interesting ones:

TrueCrypt is compromised: Proponents of this theory feel that government pressure forced the TrueCrypt developers to either do as ordered or shutter the website similar to what happened to Lavabit. This theory is based on unsubstantiated evidence like the Twitter conversation between Matthew Green and Glenn Greenwald about the seized data from the computer of Greenwald's partner that was supposedly encrypted with TrueCrypt.

Issues surfaced causing the audit to fail: Security firm iSec completed the first portion (analysis of the bootloader) of the TrueCrypt audit. The report's summary mentioned:

"Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth."

That may sound worse than it is. The report rated the issues by severity; of the 11 found, most were medium or low. However, proponents of this explanation are wondering if the second part of the audit uncovered a major issue.

Microsoft bought TrueCrypt: Buying out the competition is not unheard of, this explanation is fueled by the detailed instructions on how to migrate to Microsoft Bitlocker.

Just wanted to quit: After the initial shock and knowing the website is still up, those close to the story are even more convinced the TrueCrypt developers just had enough. Taking care of a complicated application per gratis for as long as they did should afford them all sorts of kudos from every TrueCrypt user.

One security developer commented on the Ars Technica post, "If I developed a piece of security software, and wanted to cease development; I'd make a similar statement." The commenter also mentioned if the software is not maintained, and people using it found a vulnerability, it would be bad.

Will Bitlocker fulfill the need?

A large portion of the announcement contained instructions for migrating from TrueCrypt to Bitlocker. As to that being everyone's course of action, time will tell. TrueCrypt's multi-faceted capabilities made it unique. As the developers suggested, Bitlocker can replace TrueCrypt for hard drive and removable drive encryption.

However, replacing the portable version of TrueCrypt is going to be a different story. After some initial checking, Secret Space Encryptor by Paranoia Works, also an open-source encryption application, might work as a replacement.

Last thought

The spotlight is now on Microsoft. And remember, the software giant has been accused of aiding government agencies by placing backdoors in several of their products including Bitlocker.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

12 comments
seanferd
seanferd

@Michael Kassner 

I don't think the questions are with the code, but whether the NSA has a way into the algorithms.  The code is certainly maintainable, but the previous devs know it isn't fully current from the audit, and since they no longer dfevelop it, it cannot be secure as it will be unmaintained. I imagine those forking the project will do just fine. I'm sure if the code was all that bad, you would have heard about it long before now from OSS developers who check out code like Truecrypt's.

seanferd
seanferd

So far, I've found all the speculation reasonable, although I hadn't heard that the site was "hacked", which does seem unlikely. The warning message could be an indication of a problem with the algorithms (+ or - any direct or upstream involvement of the NSA), or it could simply be a warning that the code is unmaintained and does need some already known fixes - it's just like your standard AV warning when you haven't updated or scanned within the expected time window. (The default communication mode isn't that "we haven't checked lately", but "you could be in trouble!".)


NickNielsen
NickNielsen moderator

"WARNING: Using TrueCrypt is not secure."

Any encryption algorithms been revealed to have vulnerabilities recently?

windfix
windfix

The devs left us a message in plain sight. "Using TrueCrypt is not secure as it may contain unfixed security issues".  Replace three consecutive words with their initials and you have "Using TrueCrypt is NSA". The unfixed security issues probably refer to backdoor access or pressure to implement them, courtesy of NSA.

Craig_B
Craig_B

Bitlocker is not supported in all versions of Windows.  Windows 7 Enterprise or Ultimate and Wndows 8 Pro and Enterprise are supported, other versions are not.

Michael Kassner
Michael Kassner

@seanferd


That is the point though, Sean. I have asked and there is no real vetting of trueCrypt to anyone's knowledge. It is too complex. The audit is spnding over 70, 000 dollars from what I understand. 

Michael Kassner
Michael Kassner

@seanferd


To me this calls into question open-source. I am a firm believer in it, but what is the value in it if the code is so complex even those qualified to understand the code have questions. How that gets solved is a huge unknown to me.

Michael Kassner
Michael Kassner

@hvonfintel


That is good news. But the detractors will remain. I wionder if the current audit will have significance if the new developers successful? 

Michael Kassner
Michael Kassner

@NickNielsen


Not that I haveheard of, Nick. I will be interested to read the second half of the audit, if it gets published. 

PhilippeV
PhilippeV

@windfix There's another possibility: pressure by some mysterious patent holder to cease immediately or support the cost of a very long trial to defend their case.

Most probalby te developers of TrueCrypt don't have the necessary money to defend their work, so they choose to retire.

Note that the NSA could also have influenced the patent holders (notably RSA Labs, which already abuses of its position as the provider for all US recognized algorithms..)


RSA Labs and the NSA has also already threatened the GNU Crypto project, or the author of PGP (who accepted some changes, driving to the fork of the project with GPG)


My opinion is that the TrueCryt.CH forl is intended : the authors want to close their project in US and find a better haven to secure their work.


Or it's possible that they needed money and had to enter in contract with Microsoft or one of its subsidiaries, and due to conflict of interest, had to stop working on TrueCrypt.


Editor's Picks