What happened to Truecrypt - May 2014

From ETCwiki
Jump to navigationJump to search

Truecrypt, the popular disk encryption software has recently changed its website to a security warning that states Truecrypt is not secure anymore, and to switch to BitLocker for Windows, or No encryption for Mac. It does not even mention Linux. This article was written May 29, 2014 at 12:30PM

This article was updated May 29, 2014 at 2:30PM, 5:36PM, 7:05PM, 8:43PM

This article was updated May 30, 2014 at 12:00AM, 2:00PM, 4:30PM - Final Answer now first section -- please read

TrueCrypt 7.2 Warning

Download TrueCrypt All Versions: All TrueCrypt files, binaries, keys, source, all versions

ValdikSS Analysis on Github Gist | Russian Version

Final Answer - Solved?

The Premise

As per recent posts from Matthew Green and Steven Barnhart, it appears as though we have an answer. The dev claims to have just gotten tired of maintaining the program Truecrypt. He claims that he does not want anyone using the source code for the bootloader and the GUI because "that's harmful because only they are really familiar w/code".

Is this really what happened though? I mean what about the panic stricken Bitlocker page and the mysterious method used to leave the software world? What about the refusal to let others build on the code that was nearly open-source? It still seems fishy, but we do have an answer from the dev at least...



@matthew_d_green 1 more "I were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever."


The facts

These are facts of what I have seen that may offer some insight into the cause of TrueCrypt's recent decision.

  • Sourceforge Account
  • The Webhost for Truecrypt.org
    • Still has the same IP address of many years back DNS History for Truecrypt
    • DNS was not modified
    • The entire site redirects to the SourceForge project page
TrueCrypt's Website on SF
  • The Website code for Truecrypt.org
    • Now redirects to the SourceForge page for Truecrypt using a 301 permanent redirect
  • The Content on Truecrypt.org
    • The main page has been replaced with instructions to switch to Bitlocker for Windows
    • There is a mention of the end of Windows XP support, and an incorrect date for its end of life, 5/2014 instead of 4/2014
    • The directions for Bitlocker are only possible for the few people who use Ultimate and Enterprise versions of Windows, less then 20% of users
    • The directions for Bitlocker migration are simply wrong (you should unencrypt before you go to bitlocker, but they say the reverse)
    • The directions for Mac encryption say to use "none"
  • The Mail Addresses of Truecrypt.org
  • The new TrueCrypt version 7.2
    • Has a lot of changes that appear to have been in development for a while, like an incomplete new version
    • Removed the ability to create encrypted volumes and drives
    • Added a bunch of messages saying the exact same thing on the website-- TrueCrypt is insecure
  • The Truecrypt terms of use
    • Removed the clause requiring a link to truecrypt.org or to say your code uses TrueCrypt
    • Changes every "U.S." to "United States" (possibly irrelevant)
Truecrypt.org Manually removed from Webcitation
  • TrueCrypt on the Internet
    • TrueCrypt is now being removed from all "wayback machine" like sites where you can view websites as they used to look source
  • The Truecrypt dev team
    • They are anonymous, nobody knows who made TrueCrypt
    • Nobody can reach them now
  • The audit and the audit team
    • They have not heard from Truecrypt Devs yet, last word was they were looking forward to phase 2 of the audit
    • Matthew Green is keeping people up to date on his blog blog

Speculation of what happened

Again, this is only speculation, I have read a lot and spoken with a lot of people about the possibilities and I have come up with a few theories that could match the facts.

#1 - Coercion

The premise

Lavabit Letter to Public

The TrueCrypt dev team was told by a government agency to add a backdoor to TrueCrypt.

See: Wikipedia Warrant Canary

See: Wikipedia Rubber Hose Cryptanalysis

My Reasoning

The whole situation with TrueCrypt is just a bit off, none of it makes sense from our viewpoint. It is possible that there was a subpoena was issued to reveal information that would compromise the security of TrueCrypt, whether this is knowledge of any possible security flaws, private keys, or the request to add a backdoor to TrueCrypt. This is exactly what happened to Lavabit email service a while back, and resulted in a similar outcome to what we see today in TrueCrypt. The combination of the factors below indicate to me that the developer was trying to say his software is no longer safe BUT he cannot say why due to a warrant canary.

  • Strange wording on the TrueCrypt site (Windows XP end date incorrect among others)
  • Recommendation of BitLocker - this is the complete opposite of TrueCrypt and is a horrible piece of advice
  • Recommendation for Mac to use no encryption - Are they trying to tell us something?

#2 - Unappreciated

The Premise

The TrueCrypt audit project raised over $62,000 US dollars source to investigate whether the TC dev team was hiding things in the code that could bypass encryption, literally tearing their project up with a huge budget. Meanwhile, the TrueCrypt foundation gets so little donations, that it was too disheartening to continue because everyone was against them.

My Reasoning

  • There were very few donations to TC Foundation. I do not know the exact number of course, but it is safe to say the audit raised way more money than Truecrypt itself
  • As an anonymous developer, you get no credit for your contributions, and nobody to say thank you every day
  • All of these changes appear suspicious but still likely made by the dev himself or the foundation

#3 - Defacement or Hacked Account

The Premise

Someone gained access to all of Truecrypts keys and logins for both the program, the webserver, and SourceForge

My Reasoning

This is the least likely scenario in my mind at this point. It would be too elaborate for vandalism. Still here are the supporting reasons:

  • Idiotic recommendation to use Bitlocker instead of an open source solution
  • No warning to being shut down

#4 - Real Life

The Premise

The dev got bored of supporting the project, or had issues in real life that took precedence over TrueCrypt.

My Reasoning

It happens to everyone

  • claiming TrueCrypt is not safe is a good idea in this scenario, as it will no longer have official updates
  • All of the suspicious changes appear to have been made by the developer

#5 - Government Trying to Smoke out Developers

The Premise

Someone gained access to all of Truecrypt's keys and logins for both the program, the webserver, and SourceForge, but could not find the developers.

My Reasoning

A government might have enough resources to break the developers' public-private key pairs and hack into the site.

  • Making an absurd recommendation that everyone switch to Bitlocker might goad the real developers into responding.
  • The government might have enough power to break the public-key encryption used to authenticate the developers.

#6 - Major Flaw

The Premise

The developer was working on new features for 7.2 based on the diff of the source. It is possible there was a major flaw that was found by the dev and nobody else yet. Instead of releasing the vulnerability and making it public which would allow everyone to open anyone's Truecrypt containers, the dev decided to close the project and convince people that the program is no longer secure by destroying its credibility.

My Reasoning

Yes, I know that there were no flaws found in the audit YET, but still here are my reasons:

  • TrueCrypt cannot regain the trust of the world again after this nefarious activity, effectively killing it
  • The methods used to "shed" users were very mysterious on purpose-- to make it very public that nobody is safe

#7 - Irate Developer

The Premise

We know nothing about the dev team for TrueCrypt so this is pure speculation but sometimes dev teams disagree, and it can turn into something like this. If one irate developer had access to the private keys for the program, access to the webserver, and access to the SourceForge account, this is a possibility.

My Reasoning

  • This happens sometimes (yes a weak argument but statistically it should be on this list)

External Links

Related Posts