 03 June 2014
 Editorials
 Dr. Adrian Wong
 2.0
ED#174 : The Mystery Of TrueCrypt's Disappearance Rev. 2.0

Sometime on the 28th of May, 2014, the anonymous developers of TrueCrypt mysteriously pulled the plug on their popular encryption software. They shut down the TrueCrypt.org website and redirected visitors to a simple page hosted by SourceForge, with a disturbing warning :

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

That warning is then followed by instructions on how users may migrate from TrueCrypt to BitLocker. Right at the end is a link to TrueCrypt 7.2, the first update since TrueCrypt 7.1a was released in 2012. However, this version of TrueCrypt will only decrypt TrueCrypt containers - its encryption ability has been disabled / removed.

This sudden development is extremely troubling because TrueCrypt has been the bulwark of the security-conscious for many years. It is not only free to use across multiple platforms, it is also open-source, whereas most encryption software is proprietary. Its open-source nature is important because the biggest potential vulnerability in any encryption software is the inclusion of a backdoor, which cannot be revealed without inspecting the code. This is why many users still prefer to use TrueCrypt, even when major operating systems like Microsoft Windows and Mac OS X offer their own disk encryption software. Even Edward Snowden endorsed it.

Of course, just because its source code is available for inspection does not mean someone has actually gone through it. That's where Matthew Green (a Cryptography Research Professor at the Johns Hopkins University) and Kenneth White (a Principal Scientist at BAO Systems) come in. They launched the TrueCrypt Audit, which recently cleared TrueCrypt in its Phase 1 tests on the 14th of April (the report found no evidence of backdoors or otherwise intentionally malicious code) and was scheduled to begin Phase 2 (formal cryptanalysis).

Update : TrueCrypt developer drops new bombshell - open source fork "impossible"!


 

What's Going On?

The whole security community has exploded with all sorts of theories about this mysterious move, but no one knows for sure what's going on, much less why. Even Matthew Green and Kenneth White, possibly the only two persons who have ever communicated at length with the anonymous developers of TrueCrypt, are perplexed.

Matthew Green on TrueCrypt's disappearance

Kenneth White on TrueCrypt's disappearance

Matthew Green thinks that the developers are just calling it quits, perhaps because their identities were about to be revealed. Maybe Snowden's endorsement put the spotlight on their efforts and they were feeling the heat. If so, they didn't give any sign of it before they pulled the plug, as Matthew noted :

TrueCrypt developers on Phase 1 of the TrueCrypt Audit

While this sudden development is mysterious indeed, and puts the future of TrueCrypt in jeopardy, we feel we must address a very important point :

TrueCrypt is NOT dead!

Some mainstream media have painted the picture that TrueCrypt is not safe to use, or no longer usable. That's not true. If you are using TrueCrypt, it remains fully functional.


 

What Should You Do?

TrueCrypt will continue to work, as long as you do not upgrade to TrueCrypt 7.2. So our advice is to continue as you did. Nothing has changed, even though they have taken the website down.

Despite the ominous warning, there's no apparent sign of any deep-seated security issues in TrueCrypt. As Phase 1 of the TrueCrypt Audit shows, there is "no evidence of backdoors or otherwise intentionally malicious code" in TrueCrypt 7.1a, which has been in use since the 7th of February, 2012. So we highly recommend that you do not panic and decrypt your TrueCrypt volumes or containers.

If we have to summarize this in a picture, it would be like this :

Keep calm and carry on!

TrueCrypt was deemed safe, safer than BitLocker and FileVault, by many people. That was true before its developers suddenly said otherwise on the 28th of May, and that remains true even so. Nothing has changed. TrueCrypt remains as safe today as it was before.

Note that even their warning alluded to the end of Microsoft's support for Windows XP, not to any particular deficiency or backdoor per se. If you ask me, it was their way of saying that they are stopping the development of TrueCrypt and it could potentially be "exploited" in the future since they won't be around to patch bugs.

So let's hope the security community comes together to take over the support and development of TrueCrypt. In the meantime, keep calm and carry on!


 

Where Can I Still Download TrueCrypt?

If you lost your copy of TrueCrypt 7.1a, or accidentally installed TrueCrypt 7.2, we are providing the following downloads for your convenience.

  • TrueCrypt 7.1a for Windows: RAR, ZIP
  • TrueCrypt 7.1a for MacOS: RAR, ZIP
  • TrueCrypt 7.1a for Linux: RAR, ZIP
  • TrueCrypt 7.1a (complete, including source code): RAR, ZIP


 

Has TrueCrypt Been Revived?

The Internet is abuzz with news that TrueCrypt has been revived at TrueCrypt.ch, which is based out of Switzerland. There's even talk that the TrueCrypt developers are ceasing to be anonymous. Well, that isn't true at all.

TrueCrypt.ch was set up by Thomas Bruderer and Joseph Doekbrijder to "organize" an effort to provide support and possibly continue development of TrueCrypt. Even their slogan says it rather clearly - "TrueCrypt must not die", instead of "TrueCrypt is not dead".

The actual TrueCrypt developers continue to remain anonymous. It is merely TrueCrypt.ch's proposal that the future developers of TrueCrypt should not remain anonymous. However, I don't think this will be a major sticking point. If several eminent cryptographers sign up to join the effort but insist on their anonymity, you can bet they wouldn't protest too much.

At this time, there's nothing on the TrueCrypt.ch website, other than downloads of TrueCrypt 7.1a (which we are already providing above). There is no community to speak of, nor any avenue for a community to form. The only interesting thing really is their proposed name change (TrueCryptNext) and objectives :

Our Objective:

→ 1. Either save Truecrypt or use its code and innerworkings as a base for a new product
→ 2. Bind the community to support objective nr 1.
→ 3. Provide "people out there" with a top quality product which helps them protect their privacy.

For Objective Nr. 1:

  • Get team of community developers to look at code
  • Get bug reports registered
  • Get team to work on bugfixing
  • Get other team on reviewing bugreports
  • Get QA team committing code from dev to master
  • Get audited

For Objective Nr. 2:

  • Ask users to pay one "Lunch" per year for the use of the application
  • Pledges publicly announced (hopefully)
  • Cash-in matched to pledges publicly (Pledge matched Y/N)
  • Continuously publicize cash-in (transparency requirement)
  • Use cash-in for infrastructural cost (hardware/software/hosting/connectivity)
  • payback to core team (based on time spend)
  • payback to developers (based on #commits)
  • create financial reserve to pay for audits and other QA expenditures

For Objective Nr. 3:

  • Development of Roadmap
  • Continuous development of new features
  • Development of lock-in mechanism (ex. auto update)

Will TrueCryptNext (or TCNext) be able to encourage developers to join them and take over the job of forking the development of TrueCrypt? That's hard to say. We certainly hope either they, or some other FOSS (free open-source software) group will take over the task.


Revision History

Date | Revision | Revision History
30-05-2014 | 1.0 | Initial Release.
03-06-2014 | 2.0 | Added a new section - "Has TrueCrypt Been Revived?"; corrected the download links.





 
   

 


Copyright © Tech ARP.com. All rights reserved.