The developers of TrueCrypt, a once highly respected, open-source encryption application, have apparently folded their tents and disappeared.
Left behind are questions and paranoia — and a message that users should migrate to other encryption platforms.
Leading the way to public data encryption
TrueCrypt was first released back in 2004 — well before most other mass-market encryption platforms became mainstream, and certainly long before we became aware that the U.S. National Security Agency (NSA) was trying to tinker with these security apps for its own ends. It was built and has been maintained by an anonymous group of developers known simply as the TrueCrypt team. According to Wikipedia, the TrueCrypt moniker is “registered in the Czech Republic under the name ‘David Tesařík.’”
TrueCrypt’s developers based their new encryption software on E4M (Encryption for the Masses) — code that was, according to a February 2004 Usenet thread, stolen from security company SecurStar by ex-employee and E4M author Paul Le Roux. That dispute effectively shut down TrueCrypt distribution for several months.
TrueCrypt 2.0 was released in June 2004 and updated off and on until 2012. But then there were no new releases the following two years — a fact noted by several Windows Secrets readers who expressed concern that their favorite encryption software did not officially support Windows 8 or 8.1; nor did it support computers equipped with a Unified Extensible Firmware Interface BIOS. These enhancements were reportedly promised but never delivered.
One of the fundamental concepts of open-source software is that it can be audited for security flaws by any competent developer — not just by its authors. With millions of active TrueCrypt users, there was, not surprisingly, growing concern over the software’s lack of updates and the resulting possibility of new vulnerabilities.
That led to the creation of the not-for-profit Open Crypto Audit Project (OCAP; site), tasked primarily to conduct an external security audit of TrueCrypt’s code. The project would be funded via crowdsourcing, and various programming and security experts would volunteer their time.
Last April 14, OCAP completed its Phase I Audit Report (PDF download). The report found relatively minor problems with TrueCrypt’s code but no evidence of back doors or malicious code. OCAP reportedly will begin a Phase II audit this month.
TrueCrypt’s run comes to an unexpected end
May 28 brought shocking news for all current and would-be TrueCrypt users. A “new” Version 7.2 was released, along with an announcement that the project had been discontinued. Those going to the truecrypt.org site are now redirected to a SourceForge download page, where they’ll find a blazing announcement that TrueCrypt might contain unfixed security issues and is thus not secure (see Figure 1).
The site recommends that Windows and Apple users migrate their encrypted data to native-OS applications (Microsoft’s BitLocker in the case of Windows users). It advises Linux users to “Use any integrated support for encryption. Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.”
Rumors were soon flying that the site was a hoax or had been hacked. There was also speculation that it was an elaborate form of warrant canary (more info), a security device used to inform your clients that you’ve been served with a law-enforcement warrant. These warrants may specify that those served can’t notify anyone else. The warrant canary is a sort of inverse notification: you regularly inform your customers, typically via a posting on your website, that you’ve not been served. Removing the notification tells all interested parties that you have been served.
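The warrant-canary mechanism described above has a reader side as well as a publisher side: someone has to notice when the regular “we have not been served” notice stops being refreshed or changes its wording. The following Python checker is an added example, not code from the article or from the TrueCrypt project; the canary texts, the `As of YYYY-MM-DD, …` statement format, the expected phrase and the 30-day refresh window are all constructed assumptions for illustration.

```python
"""Warrant-canary freshness check (added example; not from the article).

Assumed canary format (constructed for this example):
    "As of 2014-06-01, we have not been served with any warrant."
The checker confirms the statement is present, that its wording still
carries the expected assertion, and that it is not older than the
publishing interval allows. Any of those failing is the signal a
canary is designed to give.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CanaryStatus:
    ok: bool            # True only when the canary is present, unchanged and fresh
    reason: str         # human-readable explanation for logging or alerting
    as_of: Optional[date]  # date claimed by the canary, if one was parsed


# Matches one "As of <ISO date>, <statement>." line anywhere in the text.
CANARY_LINE = re.compile(r"^As of (\d{4}-\d{2}-\d{2}),\s*(.+?)\.?$", re.MULTILINE)


def check_canary(text: str, today: date, max_age_days: int = 30,
                 expected_phrase: str = "we have not been served") -> CanaryStatus:
    """Evaluate a canary page fetched by the reader.

    - Missing statement      -> not ok (the notice was removed)
    - Wording changed        -> not ok (the operator may be signalling)
    - Date older than window -> not ok (the notice stopped being refreshed)
    - Date in the future     -> not ok (clock skew or a forged notice)
    """
    match = CANARY_LINE.search(text)
    if match is None:
        return CanaryStatus(False, "no canary statement found", None)

    as_of = date.fromisoformat(match.group(1))
    statement = match.group(2).strip().lower()
    if expected_phrase not in statement:
        return CanaryStatus(False, "canary wording changed", as_of)

    age_days = (today - as_of).days
    if age_days < 0:
        return CanaryStatus(False, "canary dated in the future", as_of)
    if age_days > max_age_days:
        return CanaryStatus(False, f"canary stale: {age_days} days old", as_of)
    return CanaryStatus(True, f"canary fresh: {age_days} days old", as_of)


# Constructed sample canaries, as a reader might fetch them on 2014-06-10.
FRESH_CANARY = (
    "Transparency notice\n"
    "As of 2014-06-01, we have not been served with any warrant.\n"
)
STALE_CANARY = (
    "Transparency notice\n"
    "As of 2014-03-01, we have not been served with any warrant.\n"
)
REWORDED_CANARY = (
    "Transparency notice\n"
    "As of 2014-06-01, we are unable to comment on legal requests.\n"
)
REMOVED_CANARY = "Transparency notice\n"


if __name__ == "__main__":
    today = date(2014, 6, 10)
    for label, text in [("fresh", FRESH_CANARY), ("stale", STALE_CANARY),
                        ("reworded", REWORDED_CANARY), ("removed", REMOVED_CANARY)]:
        status = check_canary(text, today)
        print(f"{label:9s} ok={status.ok!s:5s} {status.reason}")
```

In practice a reader would also verify a signature over the notice (real canaries are usually PGP-signed) so that a forged “fresh” page cannot mask a removed one; that step is omitted here to keep the example self-contained.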
However, in the case of TrueCrypt, none of these theories made sense — or was in any way supported by the facts. SourceForge, a highly respected software download site, found no signs of tampering. And no one has taken credit for creating a hoax page. The SourceForge notification also didn’t act like a warrant canary.
In fact, the only real consequence of the notification was to destroy trust in an application millions have relied on for years to secure their data. In the days following the announcement, numerous sources contacted the elusive TrueCrypt Team members for clarification. The response simply confirmed what had been posted on SourceForge: there would be no further development of TrueCrypt — the project had effectively been shut down and abandoned.
Is ‘In open-source we trust’ a myth?
I was among the many TrueCrypt users who became concerned about the lack of updates. Malware evolves rapidly, and security software must always stay a step ahead of it. That TrueCrypt’s developers were unknown made me only more uncomfortable.
Also, TrueCrypt was completely free; it had no obvious revenue stream to buttress its long-term development and support — a fact especially worrisome for business applications. Software is rarely free; it might be “free for personal use” and supported by paid business versions, or it could be a sideline hobby for its author. But with a sophisticated product such as TrueCrypt, those tasked with maintaining it ultimately have to keep food on the table.
If you think about it, it’s a mystery that we gave TrueCrypt such an extraordinary level of trust. Again, it had dubious legal foundations, its developers were unknown, and its support was primarily relegated to forums that are now missing. Those forums included person-to-person, cryptologic information that might be lost forever.
Moreover, we’ve often been told that we can trust open-source software. “Many eyes make all bugs shallow” is a saying that, in theory, embodies the advantages of open-source development. But TrueCrypt’s demise, along with the other recent open-source security implosion — OpenSSL — suggests that our trust in the open-source process can be misplaced; there might not be those “many eyes” at work.
For example, in the case of OpenSSL, it was basically one person authoring and another reviewing the code. As Brad Kovach points out in his blog, we build much of the Web on open-source software, often relying on volunteers to build and secure the code. As Blanche DuBois declares in A Streetcar Named Desire, “I have always depended on the kindness of strangers.” I’m doubtful that’s the best policy for software such as TrueCrypt — or for Internet security.
There’s even debate whether TrueCrypt qualifies as open-source. There are basically two ways to develop, release, and support software. The source code for the commercial software you purchase is typically closed; its structure is never publicly released. The obvious example is Windows and most other software Microsoft sells. We use the software, but we don’t know exactly how it’s built. (What we know is usually revealed by coders who have reverse-engineered the code.)
Open-source software should be completely transparent. For a specific open-source project — variations of Linux, for example — each developer posts his code to the project servers so that another developer can modify it to make it better. That developer then posts his changes back to the project servers, where other developers can build on that foundation. According to the Open Source Initiative (site), a specific license must be attached to any open-source software release — typically under the GPL v2 or GPL v3 licenses.
Reportedly, TrueCrypt never included a standard open-source license. Its code was never thoroughly audited until now. And yet we trusted it to encrypt and secure our systems. Why? In large part because it was free and it worked. (Despite repeated attempts, TrueCrypt was never publicly cracked.) Effectively, its huge number of users became both the product testers and marketers. Windows Secrets contributors have, on occasion, discussed and recommended TrueCrypt.
I think we’ve all received a wakeup call. We might need to step back and question the source of our open-source software — and in the future, review its pedigree before installing it.
Protecting our sensitive data in the future
As a first step toward protecting sensitive data, you should follow the posted advice to “Search available installation packages for [the] words encryption and crypt, install any of the packages found, and follow its documentation.” Fellow Windows Secrets contributor Lincoln Spector is working on a follow-up article about replacement encryption software. And Fred Langa wrote about using 7-Zip to protect critical files in his May 15 Top Story, “Better data and boot security for Windows PCs.”
But the product at the top of my short list is BitLocker. It’s included with Windows 8 and 8.1 plus the Business and Ultimate versions of Windows 7. I’ve also used Symantec Encryption Desktop Professional (site), a product that doesn’t require all systems to have TPM chips (more info). Unfortunately, Symantec’s product starts at U.S. $215, and neither solution is cross-platform (Mac and Linux).
As reported on the Gibson Research site, TrueCrypt isn’t destined for the grave. There are just too many TrueCrypt supporters. The Linux Foundation and the Open Crypto Audit Project announced that they’ll bring back TrueCrypt in a process called “forking the code.” The new authors will restructure the software, provide a new license, and eventually release the product under a new name.
My recommendation to current TrueCrypt users? Don’t panic! But also don’t deploy any new versions of TrueCrypt; simply maintain what you have. Based on the OCAP audit, TrueCrypt does not have any back doors and still provides secure encryption that can’t be easily cracked.
By “easily,” I mean that the password can’t be stolen from your machine’s memory when the system is turned off. With most encryption software (including BitLocker), a user’s private encryption key can be extracted from RAM memory if the machine is running or in sleep mode, as noted in a Feb. 7, 2013, Top Story, “Legitimate app breaks popular encryption systems.” But in order to do this, the attacker must be physically present and chances are your system is owned already.
That said, I’ll return to my main point. Should we trust any free software from unknown sources? Free is rarely “free.” As noted above, it might be supported by paid business editions, advertising, unwanted software downloads, or limited support. In the case of TrueCrypt, it appears the price was paid with a lack of long-term support and planning.
Vendor-proofing your personal-computing system
The virtual death of TrueCrypt is echoed by the recent closing of cloud-storage service Norton Zone. As reported in a Techday story, Symantec is giving Norton Zone customers 60 days to move files out of the service. The report states, “After August 6, 2014, all files and related data, like file names, will be permanently deleted from the service, and neither the users nor Symantec will be able to access them.” The files you trusted to that service could be in limbo while you scramble to move data to other local or cloud locations.
As discussed in a recent article in a Network World story, you need to plan for the possibility that your cloud-storage vendor will shut down.
The TrueCrypt saga highlights the importance of having a Plan B for all our important computing services. For example, if your business has its website with a hosting service, what will you do if that service fails? You need to keep a list of alternative vendors and a plan to migrate your data quickly, if needed.
Also, review the health of any company you depend on. Is it sufficiently funded for longevity? The lack of TrueCrypt releases over two years should have been a warning that something was amiss. It’s a lesson for us all, and one we should apply to all software and services we rely on.
The life and untimely demise of TrueCrypt