The death of TrueCrypt: a symptom of a greater problem

UPDATE: 29 May 2014 at 9:30 MDT

The TrueCrypt development team has broke their silence to the audit team.  My suspicions articulated in this post were correct.  You can learn more at GRC.  TrueCrypt will be adopted by the Linux Foundation, ensuring its continued vitality and success as an open source project in the free world.  Join the Linux Foundation if you can.

Open Source Software (OSS) is in danger.  We rely on OSS every day to encrypt online banking and shopping, serve our web pages, move and deliver our email, render our web pages, manage our websites, power the world’s encyclopedia, and so much more.

These projects are essential to the backbone of the internet.  Typically, they rely on volunteers for development, testing, reporting bugs, and evangelism.  They also, typically, rely on donated financing as well…

So, these projects, free as in speech and as in beer, are powering significant portions of the web.  In the case of Apache Web Server, “Apache is used by 60.5% of all the websites whose web server we know” (W3Techs, May 2014). OpenSSL is used to encrypt 16% of websites among Alexa’s top million websites (Datanyze, May 2014).

But these projects are struggling.  Recently the TrueCrypt Foundation announced the end of the TrueCrypt project.  Some suspect foul play from three-letter government agencies.  Others suspect hackers.  But the undeniable reality remains: TrueCrypt is an open source project written and maintained by anonymous volunteers.

TrueCrypt has fallen under intense scrutiny lately.

  • a third-party audit (an important but still gut-wrenching process for the developers)
  • increasing reliance on TrueCrypt as Snowden’s NSA revelations come to light
  • angry reactions to open source failures, namely the OpenSSL Heartbleed Vulnerability.

While the tinfoil hat conspiracies are fun to entertain, it is likely not the reality here.  TrueCrypt’s developers have shown us the reality of the world without free, open-source security.  We are left to trust our OS vendors and their closed-source unverifiable encryption.  The “ominous” message posted to the TrueCrypt SourceForge page, in my opinion, is designed to be hyperbolic and terrifying!  Without the support of the open source community, TrueCrypt cannot survive.  Without a compassionate community that understands that TrueCrypt is a hobby for the developers, it is unsafe for TrueCrypt to continue the project.  Potential for legal liability is high (even though the developers are completely anonymous).

In other words, if your hobby ever becomes the golden standard for file encryption, and it is being used to rifle state secrets about the globe, or to foil a child pornography investigation, you might want to take a step back.  And it’s possible that that’s exactly what TrueCrypt’s developers have done.

After the world’s kneejerk reaction to the OpenSSL Heartbleed vulnerability, people got mad at the small development team for pushing such shoddy, insecure software.  But the reality is this: the OpenSSL library, for its one failure, has had billions of successes.  But nobody cared.  Heartbleed scared people, and that, in the court of public opinion, overshadowed those billions of successes.

Suspicious Shutdown…

People are citing an out-of-character shutdown for the TrueCrypt project.  Some consider it to be a warrant canary (since their behavior is so different from TrueCrypt’s MO).  Many of the recommendations made by the TrueCrypt team are ironically terrible advice considering how cautious we’ve become with TrueCrypt at the helm.

If you have files encrypted by TrueCrypt on Linux:

Use any integrated support for encryption. Search available installation packages for words encryption and crypt, install any of the packages found and follow its documentation

In other words they’re saying “just search for something and use it.”

On the Windows end of things, they’re simply stating that we should embrace a closed-source solution that they’ve been subverting for the past 10 years.

This is satire.  In satire, irony is militant.  And the point of this satire is: “good luck without us.”

If you were a TrueCrypt developer…

So taking the totality of the current state of TrueCrypt into account, it’s a massive burden for the development team to bear.  On one hand, it has been a monumental success for privacy advocates and data security, but on the other hand one small vulnerability could destroy its credibility and its meteoric rise to fame might collapse in days.

So the developers did what anybody in this position might do.  They called the game.  They left us with an ominous picture of the world without TrueCrypt: trusting our data to closed-source solutions, with little to no recourse against three-letter agency interests in backdoors.  Developing TrueCrypt was a thankless job, and they don’t want to be responsible for its collapse.

If the world doesn’t want to invest in open source software, it’s the world’s loss.

I hope the developers of TrueCrypt are safe, and that the conspiracies are not true.  This might be the wake-up call open source needs.

Let’s discuss this on Twitter. Follow @bradkovach to chat with me.

Further Reading

44 responses to “The death of TrueCrypt: a symptom of a greater problem”

  1. @bradkovach Avatar

    Folks, I have no idea where the comments are. I’ll fix it later after this little burst of traffic dies out.

  2. weathertop Avatar

    Excellent article, and it hits the nail right on the head. The likelihood this was some black SUV operation is small, instead it is likely a “I’m taking my ball and going home” situation.

    1. @bradkovach Avatar

      Thank you for visiting and taking time to leave a comment. “I’m taking my ball and going home” is a fantastic way to summarize what I described in 800 or so words.

    2. noBCA Avatar

      If there’s anything we’ve learned post-Snowden it’s that where you suspect there might be a black suv there are probably at least two, plus a helicopter. Just because we don’t have evidence that some sort of government interference is at work doesn’t mean we should declare it’s unlikely.

      I’m not aware of the developers requesting nor being open to outside offers of help short of the donation button on the site, in fact quite the opposite.
      Further, the audit of the project represents outside help (you can’t get much more help than a focused team looking for bugs and vulnerabilities, can you?), so this idea of “we aren’t getting any help so we’re shutting down” doesn’t make sense.

      This abrupt ending of the project doesn’t match protocol. The manual for 7.1a is 150 pages of very carefully detailed instructions. I think it very unlikely that people who put such time and effort into this work would abandon it so recklessly, unless they were under extreme duress or suffered a mental breakdown. And why bother going to the trouble of pushing a new release for decryption when the current one does that just fine? A simple disclaimer “WARNING: Truecrypt encryption isn’t secure. Truecrypt should only be used to decrypt files that have been encrypted by Truecrypt.” would be sufficient if the security has in fact been compromised, and much easier to do than edit the existing code to strip out the encryption. And, if they REALLY wanted to terrify the security community they’d just pull the plug and take the site offline without warning.

      The mention of XP is puzzling since BitLocker isn’t available for it, nor is it available for consumer versions of Windows Vista and up. Leaving that aside, if we take the explanation at its word and it truly is from the Truecrypt team, it seems something compromised the product and they’re unable to fix it. There could be any number of reasons for this from nation-state interference to a team member being incapacitated. I don’t buy this idea of they had enough and quit, I view that as the LEAST likely cause. Worst case scenario, they determined all encryption is broken and so one product is just as good (meaning useless) as another. That would explain the recommendation to start using built-in OS encryption like BitLocker and the somewhat baffling “use whatever you can find” (paraphrasing) for Linux.

      I’ll be interested to see the results of the audit which is going to continue.
      Whatever the reason I’m saddened by this event. Products like this will be more and more necessary as governments around the world grow more intrusive and adversarial towards their citizens.

      1. @bradkovach Avatar

        Thank you for reading and taking the time to comment! At the moment, we have nothing to worry about, as the developers have spoken, and the conspiracies are not true–they are tired, and they are abandoning the project.

        More information can be found here:

        1. noBCA Avatar

          I’m not convinced it’s that simple, in part because of the untidy shutdown, and I think Steve G. is premature in saying it’s still ok to use Truecrypt (unless your main concern is your laptop getting stolen at the bus station then I’d guess it’s probably ok). I hope it’s the case that things are exactly as you and Steve describe. Unfortunately the nature of the situation (anonymous developers etc.) means we’ll probably never have a completely satisfactory explanation.

          Thanks for the blog.

  3. Markus Lochmann Avatar
    Markus Lochmann

    why not start a kickstarter to fund a fork if money was the issue?

    1. @bradkovach Avatar

      Thank you for visiting my blog and taking time to comment!

      Something a little more substantial than a Kickstarter is going to be required to sustain OSS financially. There is exciting news today about some initiatives put in place to provide this support to FOSS projects. You can read more about this announcement here:

  4. Mark V Avatar
    Mark V

    Thanks for the Article. I have used TrueCrypt in a variety of ways and am sad to see it end this way. I’m not much of a conspiracy buff. And yet, if some 3 letter institution showed up and hassled you, would you really be up for implicating them? Probably not. More likely, you’d say general, ambiguous things like being “tired” or “it’s time to move on”. lol. Now that TC is going open source, how hard might it be to hassle the next gen of developers and the the source auditors? I’m thinking of Linus’s confession about Linux. Ah Hell… I’m rambl’n again.

  5. […] also see Brad Kovach’s blog posting about this topic. Very […]

Leave a Reply

Your email address will not be published. Required fields are marked *