The Mysterious Death of One of the Internet's Most Popular Encryption Tools
Thursday, May 29, 2014 - 10:40 AM
TrueCrypt is a program that allows users to do "on-the-fly encryption," meaning it essentially creates a little partition between your encrypted and unencrypted files. It's really easy to use relative to most encryption software, and a lot of security experts like Bruce Schneier publicly recommend it. Or at least they used to. Yesterday, the official download site for TrueCrypt warned users that the program was no longer secure, and advised them to stop using it.
The problem is that the anonymous developers who made TrueCrypt gave no indication of exactly why it was no longer safe, which has whipped the internet's privacy nuts and hackers into a speculation frenzy. The most obvious theories are that they received a government subpoena, or were hacked by either the government or someone else. Still others speculate that it was infighting amongst the developers.
In the wake of all the Snowden revelations, an independent audit of TrueCrypt was funded on Indiegogo last fall. The idea was for security experts to pore over the program and make sure it does what it says it does with no weaknesses, and the first phase of that audit was completed just last month.
As a security layperson, my totally uneducated speculation isn't worth much, but it could be that the developers of TrueCrypt knew that further auditing would reveal security issues, Haystack-style, and decided to shut it down before that could happen. But who can say? It's hard enough to know the efficacy of a privacy program like TrueCrypt as a security researcher, so for those of us without computer science degrees, it's totally opaque. PJ compared it to buying narcotics - unless you have a trusted relationship with the dealer, the purity of your security program remains an open question. Is there any way to apply the 10 Crack Commandments to internet encryption software?