The death of TrueCrypt: a symptom of a greater problem

Open Source Software (OSS) is in danger.  We rely on OSS every day to encrypt online banking and shopping, serve our web pages, move and deliver our email, render our web pages, manage our websites, power the world’s encyclopedia, and so much more.

These projects are essential to the backbone of the internet.  Typically, they rely on volunteers for development, testing, reporting bugs, and evangelism.  They also, typically, rely on donated financing as well…

So, these projects, free as in speech and as in beer, are powering significant portions of the web.  In the case of Apache Web Server, “Apache is used by 60.5% of all the websites whose web server we know” (W3Techs, May 2014). OpenSSL is used to encrypt 16% of websites among Alexa’s top million websites (Datanyze, May 2014).

But these projects are struggling.  Recently the TrueCrypt Foundation announced the end of the TrueCrypt project.  Some suspect foul play from three-letter government agencies.  Others suspect hackers.  But the undeniable reality remains: TrueCrypt is an open source project written and maintained by anonymous volunteers.

TrueCrypt has fallen under intense scrutiny lately.

  • a third-party audit (an important but still gut-wrenching process for the developers)
  • increasing reliance on TrueCrypt as Snowden’s NSA revelations come to light
  • angry reactions to open source failures, namely the OpenSSL Heartbleed Vulnerability.

While the tinfoil hat conspiracies are fun to entertain, it is likely not the reality here.  TrueCrypt’s developers have shown us the reality of the world without free, open-source security.  We are left to trust our OS vendors and their closed-source unverifiable encryption.  The “ominous” message posted to the TrueCrypt SourceForge page, in my opinion, is designed to be hyperbolic and terrifying!  Without the support of the open source community, TrueCrypt cannot survive.  Without a compassionate community that understands that TrueCrypt is a hobby for the developers, it is unsafe for TrueCrypt to continue the project.  Potential for legal liability is high (even though the developers are completely anonymous).

In other words, if your hobby ever becomes the golden standard for file encryption, and it is being used to rifle state secrets about the globe, or to foil a child pornography investigation, you might want to take a step back.  And it’s possible that that’s exactly what TrueCrypt’s developers have done.

After the world’s kneejerk reaction to the OpenSSL Heartbleed vulnerability, people got mad at the small development team for pushing such shoddy, insecure software.  But the reality is this: the OpenSSL library, for its one failure, has had billions of successes.  But nobody cared.  Heartbleed scared people, and that, in the court of public opinion, overshadowed those billions of successes.

Suspicious Shutdown…

People are citing an out-of-character shutdown for the TrueCrypt project.  Some consider it to be a warrant canary (since their behavior is so different from TrueCrypt’s MO).  Many of the recommendations made by the TrueCrypt team are ironically terrible advice considering how cautious we’ve become with TrueCrypt at the helm.

If you have files encrypted by TrueCrypt on Linux:

Use any integrated support for encryption. Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation

In other words they’re saying “just search for something and use it.”

On the Windows end of things, they’re simply stating that we should embrace a closed-source solution that they’ve been subverting for the past 10 years.

This is satire.  In satire, irony is militant.  And the point of this satire is: “good luck without us.”

If you were a TrueCrypt developer…

So taking the totality of the current state of TrueCrypt into account, it’s a massive burden for the development team to bear.  On one hand, it has been a monumental success for privacy advocates and data security, but on the other hand one small vulnerability could destroy its credibility and its meteoric rise to fame might collapse in days.

So the developers did what anybody in this position might do.  The called the game.  They left us with an ominous picture of the world without TrueCrypt: trusting our data to closed-source solutions, with little to no recourse against three-letter agency interests in backdoors.  Developing TrueCrypt was a thankless job, and they don’t want to be responsible for its collapse.

If the world doesn’t want to invest in open source software, it’s the world’s loss.

I hope the developers of TrueCrypt are safe, and that the conspiracies are not true.  This might be the wake-up call open source needs.

Let’s discuss this on Twitter. Follow @bradkovach to chat with me.

Further Reading

The Great Walmart-Facebook Conspiracy

Walmart has started grooming a massive Facebook presence lately.  In stores, they’ve been urging customers to “Like your local Walmart on Facebook.”  Interesting.  It seems that, among big-box mega-mart retailers, Walmart is late to the game!

But this looks like a game that Walmart is prepared to win.  Here’s the key difference between Walmart’s Facebook strategy and, say, Target’s Facebook strategy.

Walmart is (professionally) maintaining a presence for every individual store.

All of the other big-boxes are not reaching down into individual communities to aggressively engage their markets.

This is impressive.  Here’s how I think they’re doing it.

Here’s the conspiracy: Walmart “community pages” are pushing out updates from an app called “My Local Walmart.”  “My Local Walmart” is an in-house app Walmart is using to auto-push updates to thousands of Facebook pages a day.  The content is run-of-the-mill tame promotional garbage, but that ROTMTPG is genuinely more effective when they have connected users on the local level, rather than the national level.

And it appears to be working.  The engaged users on my Walmart’s community page are talking to Walmart, airing their grievances, and getting responses.  They already have over 2000 Likes.

For Walmart, this seems like a huge achievement.  They’ve launched social media in a big, more-personal way than other brands, but they’ve still been able to maintain control of the situation.

… more as this develops.