TrueCrypt quits? Inexplicable

Summary: Nobody has a good explanation yet for what happened to the generally respected TrueCrypt project, which yesterday announced itself insecure and sent its users to Microsoft.

TOPICS: Security, Microsoft

It may rank up there with the greatest mysteries of history: What is Stonehenge? Who was Jack the Ripper? What happened to TrueCrypt?

TrueCrypt (is? was?) an open-source software project for file and full-disk encryption. It was fairly well known and respected. A major volunteer project was under way, run by legitimate crypto people, to give it a formal security audit.

And yet, some time Wednesday, the TrueCrypt project site began displaying a message of abject surrender.

All day Twitter was full of speculation about what happened. The message on the TrueCrypt page is hard to take at face value. What "unfixed security issues"? They ended the project for that? The project was always somewhat mysterious, as the developers were anonymous, so there's nobody to go to for an explanation.

Early on, it was possible to dismiss it as a defacement of the web site, but it's lasted a good solid day now and, more significantly, a new version of the TrueCrypt executable was digitally signed with the same key as the earlier versions.

Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute, led the TrueCrypt audit project, but he has no special insight into what happened. In an interview with Brian Krebs he said, as he had tweeted earlier in the day, that he believed the TrueCrypt team did it. His guess is that they just wanted to quit and this was their way of doing so with a bang.

He's probably right that, of all the bad explanations, the best is that the TrueCrypt team did it.

There had been real accusations that TrueCrypt could be compromised. As this conversation between Green and reporter Glenn Greenwald shows, they think Greenwald's partner's hard disk, protected with TrueCrypt, was somehow penetrated by the authorities. Green tells Greenwald "...trusting an uncertified Windows binary from a mysterious anonymous organization isn't good practice."

I don't know that there are any security problems with TrueCrypt in the sense that the TrueCrypt site implies, and I suspect that the claim is phony. The idea that they would pack it in and tell everyone to use BitLocker just doesn't pass the laugh test.

This would all be a lot clearer if only it were April 1.

Talkback

38 comments
  • Too creepy for me

    I've been using TC containers for some years, on Win and Linux. Regardless what's going on here, it's time to move on.
    I2k4
  • Very odd, very sudden, and very suspicious . . .

    This is very odd, very sudden, and very suspicious . . .

    The explanation (that OSes contain their own encryption) doesn't seem right - they always had some features beyond what most OSes offered, and they did support more recent versions of Windows.

    This is a real head scratcher - I don't remember any news about a major security flaw in it, and I don't remember any news about them thinking about closing shop. There was a security audit, but so far it seemed okay.

    Surely it can't be just because of the end of support for Windows XP, can it?

    I'm holding out for more information on this - it really doesn't seem right . . .
    CobraA1
    • Perhaps, Windows XP was the last trustworthy client OS from Microsoft?

      But, were this the case, wouldn't the project continue on with alternative OSs like OS X and GNU/Linux? Perhaps, perhaps not.
      Rabid Howler Monkey
  • Cryptic Disk?

    What about Cryptic Disk, guys (works on Windows)?
    http://www.exlade.com/cryptic-disk
    vm2mv
  • Anybody for conspiracy theories?

    This isn't based on any known facts. It's not even a rumor.
    - Perhaps USA intelligence demanded access. (not the first time)
    - Principled developers quit rather than concede. (not the first time)
    - Perhaps TrueCrypt isn't legally allowed to explain their actions. (not the first time)

    At best, this would mean that the current release is still secure for some time.
    SlimSam
    • These seem just as plausible as any explanation given so far.

      nt
      ye
    • "this would mean that the current release is still secure for some time"

      Or not. Under this cloud, would you use the software on a PC connected to the Internet?
      Rabid Howler Monkey
    • That only applies *IF* they are in the U.S.

      But since nobody knows who and where the developers are - most likely, they're a multinational team - that isn't certain. And the U.S. is not the only possibility. The UK, Russia, China, India, all could crack hard on the developers if they were under their jurisdiction. The problem is, a coordinated action involving several different countries at once would be unlikely. The default interface and the user manual are definitely in American English, so it's fair to assume that at least part of the developers are U.S.-based. So, those issues may certainly be part of the reasons, but probably not all of them.
      goyta
      • Slight problem....

        Out of the countries you mentioned, the United Kingdom, India and the United States are not totalitarian regimes but democracies where such events could only occur in the fever dreams of the paranoid. Speaking of the paranoid, maybe it was Greenwald's factless speculating that finally pushed TC developers too far.
        jgm@...
    • Anybody for reality theories?

      As a reformed ex-conspiracy monger, let me chime in:

      US intelligence agencies are not law enforcement agencies and cannot demand or compel access to anything. Without force of law there is no power to "demand" anything. They could request something, but then, so could I.

      What's most likely is the most probable, based on what we've actually seen: developers with large egos who "pick up their bat and ball and go home" when the quality of their work is challenged. All the unfounded insinuations of nefarious doings with TrueCrypt ticked them off and they said, "Screw it, we're out of here". Now THAT would not be the first time... I could exceed my post size limit listing all of the open source developers who have walked away from projects or created forks of projects they were developing once someone challenged them.
      jgm@...
      • No Details

        There are no details so any semi-plausible story is just as likely as any other. If I had to guess, the NSA threatened a resident alien (green card) in the US with deportation if he refused to cooperate.
        Linux_Lurker
      • The NSA of course

        'US intelligence agencies are not law enforcement agencies and cannot demand or compel access to anything.'

        Wrong! These kind of threats are always made outside of the law. Considering what NSA has done so far I would not be surprised at all if threats have been made to the programmers of TrueCrypt. I suspect that the current version is quite possibly written so well that even the NSA can't break it. And since the program is already out, the only way NSA can get access to encrypted data is if people abandon TrueCrypt and switch to another, less secure encryption program, such as MS et al.
        As far as I can understand, an encryption algorithm has no relevance at all to the OS it works on. I'm going to keep the current TrueCrypt version and not upgrade even if a new version is released, because the new version very probably has an NSA backdoor.
        Dukhalion
  • It's obvious

    They didn't want the Snowden endorsement after that interview last night. And he says no one's been hurt by his revelations. Spies should be made of sterner stuff.
    khess
    • You can keep your tinfoil hat . . .

      You can keep your tinfoil hat . . .

      Even if they don't like Snowden all that much, that's not really a reason to shut down their product.
      CobraA1
  • They done been Lavabit'ed!

    Weird. Tempting to say "script kiddies", but they didn't hax0r the language, used decent grammar, and even provided reasonably valid instructions for BitLocker. Plus, when did a script kiddie make code changes to put in "don't trust this code" statements. And the subtle irony of recommending BitLocker, and blaming the ending of XP as the reason. And the timing with the audit team about to come out with "some 'normal' vulnerabilities only" type statement, apparently.

    Lavabit.
    daboochmeister
    • Your conclusion doesn't follow....

      ...you presented absolutely nothing that resembled Lavabit.
      jgm@...
      • Try this analysis at Threatpost

        http://threatpost.com/of-truecrypt-and-warrant-canaries/106355

        Perhaps. Perhaps, not. It's interesting, though, that the last version of the TrueCrypt software supports decryption only.
        Rabid Howler Monkey
  • Who benefits most from discrediting TrueCrypt????

    Just think about it! If you've used TrueCrypt, you know that it works, and works well! It does exactly what it's supposed to do: makes it more difficult for the creeps to get at your stuff.

    By raising doubts about its use, it benefits!

    Me, I'm gonna keep using it!!!
    leehb9
    • Except their website says not to

      and they haven't bothered changing it. I'm not encouraged about using TrueCrypt.
      grayknight
  • Most likely it's legal requirements.

    More and more regulations, industry-association requirements and non-governmental "best practices" standards are requiring encryption. Many regulations specify that the encryption must meet specific FIPS standards. It's hard to believe a program from an anonymous source has passed any particular certification tests.

    Although I don't know much about TrueCrypt, as an attorney in the healthcare field I couldn't see telling a client, "yes, you can meet expected security practice standards by using encryption software from an anonymous source."

    Also, with the discontinuation of XP, upgrade consultants have been getting massive amounts of work advising healthcare providers. Providers are always looking for "cheapest available solution" and their staffs are pretty much always massively overloaded (not just IT, but all departments). "Free built-in" is almost always considered best.
    Rick_R