TrueCrypt's Mysterious Vanishing Act
Jun 2, 2014 2:00 PM PT
Anyone would be distressed to discover the disappearance of a favorite piece of software, but when the software in question was open source and endorsed by Edward Snowden -- and when the developer's site begins offering instructions for migrating to a Microsoft product instead -- alarm bells are sure to begin ringing throughout the FOSS world.
That, sure enough, is just what's been going on following the apparent discontinuation last week of free and open source TrueCrypt encryption software.
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," the newly revised TrueCrypt site read. "This page exists only to help migrate existing data encrypted by TrueCrypt.
"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the page went on. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
Next on the site were instructions for migrating to Microsoft's BitLocker.
The sirens began screaming in the Linux blogosphere last Wednesday, and there hasn't been a moment of peace ever since.
'What the Heck?!?'
"The first thing that came to mind when this appeared was, 'What the heck?!?'" Linux Rants blogger Mike Stone told Linux Girl. "To me -- and apparently others -- this seemed to come completely out of left field."
Stone has been using TrueCrypt for years, and "it's always been a great solution," he said. "I keep hoping that it's a hoax or a hack of some kind, but the longer it goes unchallenged by the original authors, the more 'real' it seems."
The warning page, meanwhile, "feels like a page that you'd see 10 years after a product has been discontinued," Stone added. "It feels like it's being abandoned. I keep hoping that the page will go back to what it was before, but it's starting to feel like I should be looking for other solutions."
"The main question is, Why?" Google+ blogger Rodolfo Saenz told Linux Girl.
"I hope this is not an attempt to have more control over our private data, encouraging us to use BitLocker so they can decrypt our stuff," he said. "The other reason I can think of is a hostile takeover from Microsoft..."
'The Feds Found Out'
Similarly, "they got NSLed," opined SoylentNews blogger hairyfeet. "I think it's pretty obvious -- bringing up the completely pointless XP EOL reference and then pointing users to BitLocker, which isn't designed for the task at hand -- and can probably be bypassed by the feds since it's NOT made for anything but corporate, and corps like having a way for management to get past disgruntled ex-employees."
Most likely, "the feds found out who one or more of them are, waved an NSL in their face and said, 'you WILL put in a backdoor and hand us the keys or shut down,' and just like Lavabit they torched the place rather than become a puppet of the feds," hairyfeet added.
"Welcome to the USSA, folks, where freedom is just a slogan on a sweatshop flag," he concluded.
'What Do We Use?'
Blogger Robert Pogson had a different take.
"Clearly the authors of TrueCrypt saw their product as no longer necessary and have provided advice for using M$'s solution or other solutions on MacOS and GNU/Linux," Pogson told Linux Girl. "That's OK by me. A software product has a life cycle and the authors seem to see M$'s world as their raison d'être."
Using the death of XP as justification for ending the project, however, doesn't make sense, Pogson added.
"XP is still on more than 100 million PCs -- a huge 'market' for FLOSS," he explained. "Rather than steering users to M$'s solution on other versions of M$'s OS, I would have advised users who wish to continue encrypting data to switch to GNU/Linux and to get off the Wintel treadmill."
Indeed, "I think someone just threw up their hands when they saw that encryption is now included in the OS," consultant and Slashdot blogger Gerhard Mack suggested. "But there is still the question: What do we use when we need something both easy to use and cross-platform?"
'If in Doubt, Fork It!'
There is still hope for the software "thanks to the power of open source," Google+ blogger Brett Legree pointed out. "If in doubt, fork it! Or, make plans to do so."
Forking the project could be difficult, however, because "the developers used a nonstandard license," noted Google+ blogger Kevin O'Brien, citing cryptographer and Johns Hopkins professor Matthew Green.
"Never do this," O'Brien said. "There are sufficient OSI-approved licenses to fit any real need, and if you don't choose one of them you are an idiot."
Also underscored by the case, meanwhile, is the importance of having open code that is audited in this space, O'Brien suggested.
"It is entirely possible that the TrueCrypt developers had hidden some backdoors and were about to be discovered," he explained. "We rely on secure crypto for so much these days that we need to have a verified, secure, open source system."
A Double Benefit
Last but not least, "it is really easy to be pessimistic, but open source, community-developed implementations are clearly needed because they lack the singular control of the current proprietary implementations," agreed Chris Travers, a blogger who works on the LedgerSMB project.
"It is far easier for the NSA to pressure Microsoft into adding back doors than it is for them to pressure everyone in the OpenSSL project to do the same," he explained.
Moreover, "open source implementations protect not only the users of open source software but the users of proprietary software as well," Travers added. "Knowing that requirements for backdoors cannot apply to open source implementations strengthens the hand of Microsoft and other entities when it comes to pushing back."
Looking ahead, "a healthy variety of these in crypto space is important and protects everybody," Travers concluded. "Hopefully we will see more scrutiny applied to open source projects in this area so the open source implementations will improve significantly."