Plenty of unanswered questions remain following the unexpected closure of TrueCrypt, leaving the security community...
to wonder why the venerable open source full-disk encryption software project shut down with little warning or explanation.
A message appeared on the front page of TrueCrypt's website Wednesday providing a terse explanation of the shutdown, though the message itself offered contradictory reasons, referencing both inherent security problems as well as issues related to the recent Windows XP end-of-life:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms.
The message goes on to explain how TrueCrypt users can transition away from the open source utility to Microsoft's proprietary encryption offering BitLocker, an encryption tool built into recent Windows releases.
Rumors immediately circulated on Twitter and other online forums that the TrueCrypt site had been hacked and the message was a hoax. However, none of the developers behind the TrueCrypt project have yet to disavow the message nearly two days after it first appeared, leaving little question as to whether the shutdown is legitimate.
No details were provided as to why TrueCrypt's encryption software is no longer secure, leaving some to speculate that the open source project suffered a similar fate as email encryption service Lavabit. That service closed down last year reportedly to avoid providing the U.S. government access to its clients' data, the most prominent of which was former NSA contractor turned whistle-blower Edward Snowden.
The TrueCrypt shutdown comes as Matthew Green, a noted cryptography researcher and professor at John Hopkins University, had successfully crowdfunded a professional security audit of TrueCrypt's code. The first leg of the audit -- a code review of TrueCrypt's bootloader -- was completed earlier this year by iSEC Partners.
In an October 2013 blog post, Green said the audit was necessary as it's impossible for encryption software users to know whether they can trust code after Snowden's leaks showed the NSA was actively tampering with encryption standards.
Green's suspicions of TrueCrypt's code were also heightened by the fact that TrueCrypt's developers have remained anonymous, and that the code does what he termed "damned funny things that should make any [correctly] paranoid person think twice.
"The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, 'Authorship is a better predictor of quality than openness.' I would feel better if I knew who the TrueCrypt authors were," Green said. "Now please don't take this the wrong way: Anonymity is not a crime. It's possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren't as revered as they are in the U.S. (I kid.)"
Speaking with veteran security journalist Brian Krebs this week, Green said he believes the TrueCrypt shutdown is real, and he hopes volunteer programmers will continue the encryption project's development.
Regardless of whether that happens, Green indicated he plans to complete the TrueCrypt audit as promised, though he said the decision by the developers to shutter the project with no advanced warning will again raise concerns about whether the code can be trusted.
There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation. But maybe what they did today makes that impossible," said Green in an interview with Krebs. "They set the whole thing on fire, and now maybe nobody is going to trust it because they'll think there's some big evil vulnerability in the code.
"Today's events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn't want their names out there," Green continued. "But now this decision makes me feel like they're kind of unreliable. Also, I'm a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."
While enterprises requiring encryption software typically implement products other than TrueCrypt that offer a broader set of features and management capabilities, TrueCrypt is a popular tool in pockets of the information security, business and intelligence communities. Initially released in 2004, the tool gained notoriety recently when it was reported that reporter Glenn Greenwald had used TrueCrypt to safeguard data reportedly provided to him by Snowden.
Brendan Rizzo, technical director for Cupertino, California-based security vendor Voltage Security, said TrueCrypt has long been seen as a good open source option for encrypting data, but its abrupt shutdown highlights how using an open source tool on an enterprise-wide basis comes with some risk.
"While some startup companies may choose a more risky approach in order to try and save money, larger companies know that attempting this approach at scale is a fool's errand," Rizzo said, "especially when it comes to something as critical to a business' success as encrypting its most sensitive information."