Thinking about downloading the latest version of TrueCrypt? Forget about it. According to ZDNet, TrueCrypt developers shuttered their website on May 28 and redirected traffic to this webpage in the same mysterious fashion that the premier open-source encryption application came into existence. First impressions were that the TrueCrypt website was hacked.
However, Brian Krebs and Dan Goodin independently determined that this is most likely not the case. Krebs said, “A cursory review of the site’s historic hosting, WHOIS, and DNS records shows no substantive changes recently.”
Krebs said, “What’s more, the last version of TrueCrypt uploaded to the site on May 27 shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014. Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.”
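The check Krebs describes (confirming that the new installer is signed with the same key as an earlier release) can be reproduced on Windows with the built-in Authenticode cmdlets. The following is an added example written for this page, not code from Krebs or from the TrueCrypt project; the two file paths are hypothetical placeholders for an earlier and a later copy of the installer.

```powershell
# Added example (not from the original article or the TrueCrypt project):
# compare the Authenticode signing certificate of two installer builds.
# Both paths are hypothetical placeholders; point them at the files you hold.
$OldInstaller = 'C:\Downloads\TrueCrypt-old.exe'   # earlier build, hypothetical path
$NewInstaller = 'C:\Downloads\TrueCrypt-new.exe'   # later build, hypothetical path

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is not signed at all
    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$old = Get-SignerSummary -Path $OldInstaller
$new = Get-SignerSummary -Path $NewInstaller
$old, $new | Format-List

if (-not $old.Thumbprint -or -not $new.Thumbprint) {
    Write-Warning 'At least one installer carries no Authenticode signature; nothing to compare.'
} elseif ($old.Status -ne 'Valid' -or $new.Status -ne 'Valid') {
    # The chain may not validate on this machine (expired or untrusted root), but the
    # embedded certificate is still present, so the key comparison below is still meaningful.
    Write-Warning "Signature status is $($old.Status) / $($new.Status); chain did not validate here."
}

if ($old.Thumbprint -and $new.Thumbprint) {
    if ($old.Thumbprint -eq $new.Thumbprint) {
        Write-Output "Same signing certificate on both builds: $($new.Subject)"
    } else {
        Write-Warning 'Signing certificate changed between builds; treat the newer build as unverified.'
    }
}
```

A matching thumbprint shows only that the same certificate (and therefore the same private key) signed both files; it cannot tell whether that key is still solely in the developers’ hands, which is exactly why Krebs pairs it with the hosting and DNS history rather than relying on it alone. The SHA-256 column is included so the hashes can be compared against any independently published values.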
For those not familiar with TrueCrypt, ZDNet said it was “an open-source software project for file and full-disk encryption. It was fairly well known and respected. A major volunteer project was under way, run by legitimate crypto people, to give it a formal security audit.”
TrueCrypt’s developers have been steeped in mystery ever since the first version came out ten years ago. Case in point, only a chosen few even know who the developers are. The only public interview (albeit unsubstantiated) I located was the September 10, 2005 dialogue between blogger WolfManz611 and TrueCrypt developer Ennead:
WolfManz611: What’s your position in the TrueCrypt project?
Ennead: I’m 29 and my main project roles are the following: Project Administrator, Developer, and Designer. I am also responsible for the documentation and the website.
WolfManz611: How much time have you spent on the TrueCrypt project getting it to where it is today and how many developers are working on it?
Ennead: There are currently two main developers (who are also the project administrators) working on TrueCrypt. As for how much time we have spent on the project, I think quite a lot. We usually take a short break after a major release (unless there are major issues that need to be resolved immediately) and then begin working on a new version. A considerable portion of our time is devoted to the work on the project.
Hoax or for real?
Both Krebs and Goodin relied on the opinion of Matthew Green, a cryptographer and research professor at Johns Hopkins University. Green has been critical of TrueCrypt, and to that end was one of the experts who led the recent crowd-sourced audit of TrueCrypt: IsTrueCryptAuditedYet? (more on the audit later).
Krebs reported in his blog that Green said, “I think the TrueCrypt team did this. They decided to quit and this is their signature way of doing it.” Green told Goodin that he had no advance notice of the announcement and that he was in private contact with the TrueCrypt developers.
The possible explanations are rampant on the internet. I’ve culled a few of the more interesting ones:
TrueCrypt is compromised: Proponents of this theory feel that government pressure forced the TrueCrypt developers to either do as ordered or shutter the website similar to what happened to Lavabit. This theory is based on unsubstantiated evidence like the Twitter conversation between Matthew Green and Glenn Greenwald about the seized data from the computer of Greenwald’s partner that was supposedly encrypted with TrueCrypt.
Issues surfaced causing the audit to fail: Security firm iSec completed the first portion (analysis of the bootloader) of the TrueCrypt audit. The report’s summary mentioned:
“Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.”
That may sound worse than it is. The report rated the issues by severity; of the 11 found, most were medium or low. However, proponents of this explanation are wondering if the second part of the audit uncovered a major issue.
Microsoft bought TrueCrypt: Buying out the competition is not unheard of; this explanation is fueled by the detailed instructions on how to migrate to Microsoft Bitlocker.
Just wanted to quit: After the initial shock, and knowing the website is still up, those close to the story are even more convinced the TrueCrypt developers had simply had enough. Taking care of a complicated application gratis for as long as they did should afford them all sorts of kudos from every TrueCrypt user.
One security developer commented on the Ars Technica post, “If I developed a piece of security software, and wanted to cease development; I’d make a similar statement.” The commenter also mentioned that if the software is not maintained and its users later find a vulnerability, it would be bad.
Will Bitlocker fulfill the need?
A large portion of the announcement contained instructions for migrating from TrueCrypt to Bitlocker. As to that being everyone’s course of action, time will tell. TrueCrypt’s multi-faceted capabilities made it unique. As the developers suggested, Bitlocker can replace TrueCrypt for hard drive and removable drive encryption.
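For the two cases the developers say Bitlocker covers (a fixed system drive and a removable drive), the migration can be scripted with the BitLocker cmdlets that ship with Windows. This is an added example written for this page, not the TrueCrypt announcement’s own instructions; the drive letters, the recovery-key directory and the choice of encryption methods are assumptions.

```powershell
# Added example (not from the TrueCrypt announcement): enable Bitlocker on the OS drive
# and on a removable drive. Run from an elevated session on an edition that includes Bitlocker.
$OsDrive        = 'C:'                     # hypothetical mount point of the system drive
$RemovableDrive = 'E:'                     # hypothetical mount point of a USB stick
$RecoveryKeyDir = 'D:\BitLockerRecovery'   # hypothetical; must NOT live on a drive being encrypted

# Current state before changing anything
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# OS drive: unlock with the TPM, and keep a recovery password as the fallback.
# XtsAes256 is the assumed method; it needs Windows 10 1511 or later on every machine that reads the drive.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector

# Save the recovery password off the encrypted drive; without it a TPM change locks you out.
New-Item -ItemType Directory -Path $RecoveryKeyDir -Force | Out-Null
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } |
    Set-Content -Path (Join-Path $RecoveryKeyDir 'os-drive-recovery.txt')

# Removable drive (Bitlocker To Go): password protector, AES-256 in the older CBC mode
# so that the stick can still be opened on systems that predate XTS support (assumption).
$pw = Read-Host -AsSecureString 'Password for the removable drive'
Enable-BitLocker -MountPoint $RemovableDrive -EncryptionMethod Aes256 -PasswordProtector -Password $pw

# Confirm that both volumes now report protection as on
Get-BitLockerVolume -MountPoint $OsDrive, $RemovableDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Two points matter for anyone moving off TrueCrypt this way: the recovery password is the only way back in after a TPM or firmware change, so where it is stored decides who can ultimately read the drive; and the TPM protector ties the OS volume to one machine, which is a different trust model from TrueCrypt’s passphrase-only pre-boot authentication.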
However, replacing the portable version of TrueCrypt is going to be a different story. After some initial checking, Secret Space Encryptor by Paranoia Works, also an open-source encryption application, might work as a replacement.
The spotlight is now on Microsoft. And remember, the software giant has been accused of aiding government agencies by placing backdoors in several of their products including Bitlocker.