The popular drive encryption software TrueCrypt issued a mysterious warning on the open-source project’s website yesterday, indicating that the product is not safe for use. The news has shaken up groups of privacy and security-minded users as the nature of the statement has not been made clear. What is known is that the warning is prominently placed on the home page and it is found in the code. Internet researchers have discovered that the latest download version released simultaneously with the announcement can only decrypt files, and cannot encrypt files, volumes or drives. The announcement further pointed users to look to operating system embedded options such as Windows BitLocker.
Comments and stories related to the TrueCrypt situation are emerging throughout the web. On Twitter, infosec guru and Security Conference ‘BSides’ Co-founder ‘Jack_Daniel’ stated:
So, yeah: hack, troll, ragequit, whatever- silence means TrueCrypt org can’t be trusted, so neither can TrueCrypt. Damn.
— Jack Daniel (@jack_daniel) May 29, 2014
Security writer Brian Krebs also covered the issue in a story that included an interview with cryptographer and research professor Matthew Green.
“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”
TrueCrypt was driven by a secretive team of anonymous developers, and was a completely open-sourced project. It was notoriously updated rarely, so this announcement and release have surprised many. Various theories on what events led up to these developments have emerged, none of them confirmed as the authors are difficult to identify and approach. The easily implemented software was favored by people and companies that were interested in privacy. Among the crowd that utilized this tool to keep prying eyes out were NSA whistleblower Edward Snowden and journalist Glenn Greenwald. That notoriety has given rise to a number of notions that entail government pressure playing a role in this development.
Among the possibilities is that the developers may have lost control of the digital signing keys. This would mean that the digital master key is out there, under the control of unknown parties. Many recall how the anonymous email service Lavabit was shut down about a year ago, apparently under government duress. We may be seeing that whole chain of circumstances play out in a similar fashion once again. It is also possible that the statement of insecurity is due to the discovery of outside access that is not government related. As an open-source product, it has been inspected and audited for flaws for years, and it most recently got passing marks. For some, that only leaves the only option that control has been seized from the developers. In the case of Lavabit, secret court orders at the time demanded the allowance of government visibility into customer email, and rather than complying, the company simply shut its service down.
Privacy, open-source takeaways
Questions about the security of open source software have been dragged into the spotlight recently. HeartBleed, the OpenSSL vulnerability is one such example. If the security industry relies on free, but underfunded open source products, it could be setting itself up for failure, as we saw with the HeartBleed flaw affected so many. However, the open source model is valid, as long as the projects are well funded and undergo comprehensive and regularly scheduled security audits. Well-funded projects are pretty rare. OpenSSL, OpenSSH and Network Time Protocol all got just such a funding boost from the Linux Foundation in an announcement today laying out a $5.4 million plan to get a security audit and two full-time developers. Funding like this helps boost the position of the products in security circles as underfunding has been a point of weakness and criticism. For TrueCrypt, this project appears to be over, unless another group can somehow up the banners of security and privacy, and run with this code.