TrueCrypt’s Demise

A few days ago the open-source disk encryption tool TrueCrypt suddenly closed its doors. Though it’s clear the developers had been planning to close up shop for some time, this nevertheless came as a huge shock to the tech community.

Particularly opaque are their reasons for doing this. The “Snowden-endorsed” tool (whose security I’ve called into question in the past, after GCHQ seemed to decrypt Miranda’s hard drive remarkably fast) gave no credible reason for the shutdown.

Instead, they suggested people use the almost-certainly-backdoored Microsoft BitLocker disk encryption software. [1]

In further comments to Steven Barnhart [3] the pseudonymous developer(s) suggested they’d simply gotten tired of it. Is this true? Possibly.

On the other hand, this comes at a midpoint in the open source community’s effort to formally audit TrueCrypt’s security. The first part of the audit (reviewing the code) was already complete… but still to come was a look at the underlying crypto.

In other words, the part where a deliberate backdoor or flaw in the crypto design would be found.

“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” said Green, the lead man on the audit project. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.” [2]

Certainly, if the developers know there’s a flaw in the crypto, that would explain why they headlined their shutdown message with “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”

