Spoiler: This blog post doesn’t have the answer. If you’re already up on the case or just don’t have time for the waffle, this is the point.
2nd Update: Below is the legacy blog post for your reading (dis?)pleasure. It’s been confirmed in various places (this one is fairly comprehensive) that the TrueCrypt developers themselves killed the project by releasing a handicapped version with 7.2.
The real final version, 7.1a, which is subject to the current open security audit is still usable and according to Phase 1 of the audit, while there are some issues with the code in terms of cleanliness, the “iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”
Attacking the encryption of files secured with TrueCrypt looks like it remains a difficult task. More importantly, there are movements afoot to rescue it. The experts currently auditing TrueCrypt may also decide to adopt developing it.
“TrueCrypt’s formal code audit will continue as planned. Then the code will be forked, the product’s license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won’t allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.” — Steve Gibson, software engineer and security researcher
Tl;dr: There is no known reason
to stop using TrueCrypt Version 7.1a
TrueCrypt is dead, or unsupported, which is kind of the same thing in technology. It’s a complicated status of being in software, because it’s an area where zombies can lumber on for years. And when it comes to software aimed at protecting your privacy, the undead can do massive damage. And sometimes the dead return to life.
It’s creators and development team have announced they’ll no longer be working on it. Anyone following the right people over on The Twitter will have seen it kick off on #truecrypt yesterday evening. More discussion of the latest continues on Reddit.
The Register has the basic story, so no need to repeat it here. Currently, beyond the opening line (“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues“) I wouldn’t trust anything on TrueCrypt’s download repository page. Why it says what it does is a matter of rife speculation. We’ll hit the leading theories in just a bit. Before that, a quick eulogy, and before that, an obligatory PSA:
Do not download or upgrade
to TrueCrypt 7.2
“We used to think these were toys, and along the way we turned them into things people really rely on.” — Matthew Green, an associate professor of computer science at Johns Hopkins University
It’s difficult to overstate the situation. The software itself was an extra-ordinary piece of kit. It was cross-platform, on-the-fly data encryption, with the ability to create hidden file structures.
This was encryption for the masses, or pretty close, anyway. And it included some decent extras, like being able to add key files, a sort of 2-step authentication method. The impact on whistle blowers, journalists, human rights activists and others is huge.
It was created through thankless, volunteer toil of unknown developers, and sort of fit in with the internet activist culture of doing instead of talking. It was used by Edward Snowden and Glenn Greenwald to store NSA files on USB sticks for travel. It played a huge role in one of the greatest stories of the decade.
Best articles thus far
- Encryption Tool Endorsed By Snowden Abruptly Shuts Down by Runa Sandvik
- True Goodbye: ‘Using TrueCrypt Is Not Secure’ by Brian Krebs
- Mysterious announcement from Truecrypt declares the project insecure and dead by Cory Doctorow
- Alternative TrueCrypt Implementations by Hacker Tradecraft
- 7 TrueCrypt Alternatives by Krati Dubey
Now that we’ve dispatched with fact, let’s unleash the wild speculation, of which there is scads. I’m not a huge fan of the “cui bono” method of inquiry. A person can find £20 on the street and benefit from it without having caused it to be there. But there are plenty of suspects with motive, and then there’s the not entirely impossible chance of suicide.
The spooks did it: As soon as truecrupt.org changed its home page and its DNS redirected to the strange warning text, the notion that it was an NSA casualty was a popular one. TrueCrypt was the encryption software (among others) promoted by Edward Snowden, and the email service he used, Lavabit, was also a casualty of the government’s investigation into him. This also comes on the heels of the Heartbleed “bug” effecting thousands of SSL connections on the web, which the NSA knew about for nearly two years and likely exploited. There’s also the strange message on the web page itself, urging users to switch to a Microsoft product that many users believe to have a back door accessible by the NSA.
Internal spat: There’s a certain trollish language to the sourceforge page‘s updated text. This could have been the result of a disagreement between the developers about the security of the program. Or they could have been fed up with users who for some reason insist on using XP for whatever reason. You would think they’d do a better leave then that, though.
Hacking: Not impossible, but a lot of speculation seems to suggest it’s not likely unless someone was able to get hold of numerous passwords a signing key and, of course, find one of the anonymous developers. Still…
Audit Failure: TrueCrypt has been around for a decade and during most of that time, no one has really inspected how it works. An extensive audit was recently started, and TrueCrypt performed well in the first phase. Maybe they got bad news about the second phase and committed a premature act of seppuku.
I should reiterate once more, that the above is all guessing. Let’s add alien abductions. Or maybe they just got tired of not getting paid. Or maybe they really were just pissed that Windows XP wasn’t being supported any more, but I think the aliens theory might be more likely then that.
A flawed existence
The “TrueCrypt Team” itself has always been anonymous, which is hard to sync with the needs of transparency and accountability, and has fuelled a few conspiracy theories about who has actually been behind it.
And even though it was by far one of the more accessible file encryption tools out there, it was buggy, not that intuitive for today’s less-than-patient computer user expecting Flappy Bird ease. And it was very easy to misuse and wipe the wrong file. All this is saying something about many other options that aren’t as polished.
What the world needs now
Here’s the point. The details will emerge, but until that happens, no one knows what really transpired. TrueCrypt was an invaluable resource for easy data security. It worked on Mac, Windows and Linux. It created hidden partitions. It didn’t require someone to launch into their computer’s terminal to use it. It was many steps in the right direction.
What’s needed now is a solid, cross-platform GUI that’s actually open source and has an available, known team developing code that’s open to peer review as it’s being made. It also needs the User Experience love that’s missing in so many of these projects and actually leverages developers’ expertise for the average user, with in-application support and explanations. What’s needed is TrueCrypt, only, I don’t know, Truer or True-Point-Two or something else more witty. Maybe the start of developing something like that could begin on the 5th of June.