Something Rotten Has Occurred in TrueCrypt Land

An extremely significant event affecting TrueCrypt has occurred. It is not yet clear whether it is legitimate or a hoax, and if legitimate, what it means. The truecrypt.org web site has been redirected to a sourceforge landing page advising that development has ended and warning, ambiguously, that the program either is not secure or may not be secure in the future. The messaging proceeds to push users onto BitLocker or other native disk encryption programs. A newly built, apparently legitimately signed, but crippled set of installers numbered version 7.2 is offered. No one is sure exactly what has happened, whether this is a defacement or the real deal, and if it is real, how to interpret it. The matter is still unfolding and being debated.

So much speculation is taking place right now about the surprise move that I cannot possibly capture it all here. Obviously the situation – a highly regarded open source tool used by professionals worldwide being abruptly cut off in an unorthodox manner and under mysterious circumstances – stinks of malfeasance. But on the part of whom? This is all taking place in a transitional epoch for computer security and privacy in which old security models have blown up. There are stakeholders who would like to, and would have always liked to, see TrueCrypt disappear. There may be compulsion at work. Meanwhile there have been no updates from the anonymous authors in nearly two and a half years – the last update, version 7.1a, was released way back in February 2012 – building on a well established track record of opaqueness and eccentricity on their part. The community has started to get antsy, funding a formal audit that has been ongoing since last year but has turned up no defect in the TrueCrypt program so far.

Defacement by hackers would actually be the easiest explanation (and would be a major security incident even if so). But there is no evidence of account compromise as yet, and there are many signs that the new messaging and builds have come down from the real authors. And if that is true, their motives are thrown wide open to interpretation. There could have been a fundamental flaw discovered in the encryption logic. They could have been coerced to end development, or to insert backdoors, possibly electing to shut down development to avoid complying. They could be trying to convey a hidden message to those who would read between the lines. It has been suggested that there could have been a power conflict within the ranks of the authors. Or they could merely have lost interest in the project with everyone breathing down their necks to continue development, and decided to renege on their previously disseminated commitments.

It could take some days for this to all shake out. In the meantime my recommendations to TrueCrypt users are as follows:

  1. Do not under any circumstances download, install, or run the version 7.2 installers now offered on the sourceforge site. The new builds are still being analyzed and evaluated to determine their safety, and besides, they are known to be crippled, with the capability to perform new encryption disabled. Stay on version 7.1a or your earlier installed version.
  2. Continue to use your existing TrueCrypt processes and procedures normally until we all figure out what’s really going on here. There is no proof yet of any security flaw in the existing program. Do not start migrating to BitLocker or another solution just yet. That’s a whole mess of its own as I will get to in a future post.
  3. Stay advised of this developing situation by using the resources linked below.

All the previous contents of truecrypt.org have been taken down, but prior to yesterday the frequently asked questions section in the TrueCrypt documentation contained the following entry:

Q: Will TrueCrypt be open-source and free forever?

A: Yes, it will. No commercial version is planned and never will be. We believe in open-source and free security software.

While this move hasn’t violated the letter of that promise (the commercial part), it’s hard not to feel that it’s violated the spirit of it (the forever part). Those of us who believed and trusted in TrueCrypt are stunned right now.

I will follow up with a further determination when I have it.

Resources

Github Gist chronicle

The Open Crypto Audit Project / istruecryptauditedyet.com / their Twitter feed

Slashdot: TrueCrypt Website Says To Switch To BitLocker

Ars Technica: “TrueCrypt is not secure,” official SourceForge page abruptly warns

Krebs on Security: True Goodbye: ‘Using TrueCrypt Is Not Secure’

The Register: TrueCrypt considered HARMFUL – downloads, website meddled to warn: ‘It’s not secure’

3 Comments

  1. Jack

    Fork code, do fresh audit, host in other country and do development remotely. NSA served one of the no discuss notices most likely and shut it down.
