TrueCrypt, the venerable open source encryption software that turned 10-years-old earlier this year has shut down, and it looks like it may be for good. What’s known so far is this:
- On May 28, 2014, TrueCrypt’s (TC) website said it was shutting down operations.
- TC also noted that their software “may contain unfixed security issues”.
- TC encouraged people to switch to Microsoft’s BitLocker.
- People went crazy with speculation, including:
- The site was hacked.
- The NSA was behind the creation and dissemination of TC all along.
- The NSA is applying pressure on the TC engineers. The shutdown is a “canary.”
- The TC engineers shut down operations knowing they wouldn’t pass a security audit.
- Internal power struggle among TC engineers.
- A weakness that was impossible to fix.
- Someone at Gibson Research Corporation managed to get in touch with one of the TC engineers (“David”) who plainly stated that TC was just calling it quits.
Over the past couple of days, a number of these theories were debunked, such as the TC site being hacked.
The team running an audit on the encryption software (Dr. Matthew Green at Johns Hopkins University and others) haven’t come out with any definite conclusions, but a preliminary report earlier this year reported no major weaknesses. Dr. Green, who once felt that TrueCrypt was dangerous because of its lack of provenance, admitted that he “was starting to have warm and fuzzy feelings about the code, thinking [the TrueCrypt developers] were just nice guys who didn’t want their names out there.” (krebsonsecurity.com)
Could it be the NSA applying pressure? The theory goes, if the TC engineers are barred from mentioning NSA involvement, the open-source team’s only move could be to shut down operations, like Lavabit did. This is known as a “canary” because it alerts people of the possibility of something noxious permeating the environment without directly saying so (the canary in the coal mine). Tinfoil hat proof: why would they suggest BitLocker in place of TrueCrypt? Obviously they were pressured.
The problem with this particular theory is that…well, that undermines the point of using a canary, no? Isn’t the point of using a canary the ability to play legal jujitsu with your oppressor? How does that work if your opponent is calling the shots?
Let’s Not Get Crazy
My take on all of this is: the TC guys grew tired. When TrueCrypt debuted 10 years ago, the encryption landscape sucked. TrueCrypt was a breath of fresh air. Not only was it free, it was easy to use. Backing up encryption keys was easy as well. You knew that encryption keys were being generated randomly because you had control over it. TrueCrypt didn’t bog down your computer to the point of not working. It gave you “plausible deniability.” It wasn’t perfect, but it was up there with the other stuff.
Fast forward to 2014. The encryption landscape doesn’t really suck anymore. You have many different options. Most work exceedingly well. The top three operating systems come with built-in support for encryption (well, for Microsoft you have to shell out a little more moolah for the ones that do).
Plus, it’s been 10 years. That’s a long time for a handful of engineers to support a free project. Think about it. They probably have families, or maybe are planning to have one soon. Seeing how TrueCrypt does its thing very well, the TC engineers are a talented bunch. Chances are that they’ve taken on more responsibilities at work (you know, that thing that pays them money, unlike TC) or are involved in other projects. In other words, the time these guys (and gals. Who knows?) have for keeping TC up and running is probably dwindling down or non-existent. Their options are to have someone else take hold of the reins or shut it down.
The former, if the articles I’ve read can be trusted, is not really an option because TC is so complex that its creators are loth to put someone else in charge. What if weaknesses are inadvertently introduced due to the new engineers’ unfamiliarity with the code?
The logical action, then, is to kiss TrueCrypt bye-bye.
Viral Marketing Genius
But, if shutting down operations, how to do it so that everyone gets the message? Not only that TC will be no more but also that TC users should transition to some other encryption software? After all, you’re a good guy, you created and released this privacy-enhancing software for free… you feel a certain responsibility that people’s data should be secure… and using expired encryption software isn’t really going to cut it.
Forcing people to stop using software is nearly impossible, as many companies have found out (including Microsoft. Wasn’t XP supposed to be retired years ago?), so how to do it? The method for doing so is inspired: plant the seeds of uncertainty in a product people trust. After all, the one thing you won’t use, if you can’t trust it, is encryption software.
Plus, look at all the publicity it got. Would an announcement that lacked controversy gotten as much attention? (More publicity = more people who hear the news about TC and the transition to other encryption software.)
Which brings up the question, why BitLocker? Here’s my answer, which is obviously speculative: Microsoft’s entrenched worldwide. Collaborating with the NSA or other agencies to weaken BitLocker will blow up spectacularly in Redmond’s face, sooner or later. Microsoft can’t afford that because close to half of their revenues come from outside the US. As the PRISM scandal last year showed, the slightest controversy becomes a reason to use an alternative.
Also, Microsoft has got deep pockets. Microsoft’s cash flow and lawyers will allow them to mount an offense against any pressure, which they’ll have to do if they want to protect that cash flow. Only companies the size of Microsoft can realistically counter it.
Is this the correct explanation? I don’t know, but it’s pretty low on the tinfoil factor. That’s gotta count for something.
Related Articles and Sites: