Last week we reported on how the TrueCrypt devs appeared to scotch their own product, saying that it wasn’t secure, and recommended users migrate to alternative whole drive encryption programs.
This news took the security world by storm. To quote encryption guru Bruce Schneier,
‘TrueCrypt WTF…I have no idea what’s going on with TrueCrypt. There’s a good summary of the story at ArsTechnica, and Slashdot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow.
Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we’ll have to wait and see what develops.’
It’s been almost a week now since the announcement, and no one really seems any the wiser about what happened. However, two main camps have emerged (the idea that the TrueCrypt website might have been hacked seems to have faded away)…
Chill out, it’s all ok!
This line of thinking is spearheaded by those who believe that the TrueCrypt developers voluntarily abandoned the project because they want to move on to other things. The Gibson Research Corporation (who now house a repository of TrueCrypt’s final release files) argues that,
‘The TrueCrypt development team’s deliberately alarming and unexpected “goodbye and you’d better stop using TrueCrypt” posting stating that TrueCrypt is suddenly insecure (for no stated reason) appears only to mean that if any problems were to be subsequently found, they would no longer be fixed by the original TrueCrypt developer team . . . much like Windows XP after May of 2014.’
To support this theory, GRC points to an email exchange: Steven Barnhart wrote to an email address for a TrueCrypt Foundation member that he had used in the past, and received several replies from ‘David’ (all the TrueCrypt devs are anonymous). The exchange went as follows:
- TrueCrypt Developer “David”: “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”
- Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
- Steven Barnhart: “I asked and it was clear from the reply that “he” believes forking’s harmful because only they are really familiar w/code.”
- Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
- TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
- Quoting TrueCrypt Developer David: “There is no longer interest.”
The Gibson Research Corporation argues, however, that whatever the original developers’ desires, TrueCrypt is too useful, too much in demand, and too ‘out there’ (its source code is publicly available) to be allowed to die:
‘The mistake these developers made was in believing that they still “owned” TrueCrypt, and that it was theirs to kill.
But that’s not the way the Internet works. Having created something of such enduring value, which inherently requires significant trust and buy-in, they are rightly unable to now take it back. They might be done with it, but the rest of us are not.’
Following this reasoning, a group of researchers organized by Thomas Bruderer and Joseph Doekbrijder have set up shop in Switzerland (because ‘independent hosting in Switzerland will guarantee no interruption due to legal threat’) at the domain truecrypt.ch, with the aim of creating a fork of TrueCrypt.
Run for the hills!
Those of a more paranoid disposition see aspects of the message used to close down TrueCrypt as a form of warrant canary, designed to warn users that TrueCrypt was compromised and that the developers had been served with National Security Letters (or something similar; it is not known under which country’s jurisdiction the anonymous devs operate).
The admittedly bizarre aspects they point to are:
- ‘The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP’ – the termination of Windows XP support can have absolutely no impact on the security of TrueCrypt.
- They then go on to recommend using BitLocker, a proprietary whole disk encryption program built by Microsoft and baked into Windows Vista/7/8. Microsoft products are widely believed to be backdoored by the NSA, so many refuse to believe that the TrueCrypt devs (open source devotees who had spent years of their lives creating one of the most secure encryption programs around) would ever seriously recommend such a program.
And in the meantime…
In among all the speculation, the team behind the crowdfunded Open Crypto Audit Project have announced that they will press on with Phase 2 of the project, which will perform formal cryptanalysis on TrueCrypt’s binaries.
What they find (or don’t find) should prove very interesting…