Usually, the end of life for a software solution tends to be its death knell. It may resurface years later in the popular media, usually on a specific anniversary: its 20th year since making its initial splash, its 30th year since it stopped selling, etc. TrueCrypt, the celebrated full disk encryption solution, appears to be an exception to the rule. It’s been officially discontinued last year and yet it’s been showing up in the news more than ever before.
Earlier this month, it was revealed that TrueCrypt has a vulnerability that “allows [a] full system compromise” on Windows machines. In a sense, it’s not a vulnerability with TrueCrypt itself. A top-to-bottom analysis of the encryption solution’s code that finished earlier this year showed it to be remarkably robust. “Remarkably,” because TrueCrypt’s provenance was and remains unknown. During the time it was being supported, plenty of people wouldn’t use the disk encryption solution for this reason alone: who knew what devious schemes or unintended vulnerabilities lay hidden within its code?
The 2015 review of the code assuaged those fears. And yet, here we are, six months later.
More specifically, the problem that was unearthed relates to the Windows drivers used by TrueCrypt. Whether this is truly a problem with TrueCrypt or not appears to be of some debate. But there’s no question that it introduces vulnerabilities to TrueCrypt’s effectiveness in keeping data secure. Or that any fixes would have to come from TrueCrypt (a fork of the disk encryption solution, called VeraCrypt, has already provided patches to fix the problem).
Whether similar problems exist with the Mac version of TrueCrypt is unknown.
It Takes More than a Village
Of course, the latest findings opens up a can of worms. Knowing that TrueCrypt had already passed a quite comprehensive review, and that the vulnerabilities were found less than a year later, what other problems reside within the solution’s code? Possibly none, although that’s quite unlikely.
As the discoverer of the flaw noted, Windows drivers are complex. Missing the flaw during the original review is understandable. Plus, let us not forget that complexity imbues any code that is worth its salt; there’s no escaping it, really, whether it’s TrueCrypt or some other program.
There is, then, an argument to be made for disk encryption solutions that are sold (yes, for money), where a company with financial means can bring together people whose skills cover a wide array of expertise. TrueCrypt was, supposedly, created and maintained by a handful of developers in their spare time. TrueCrypt’s power, and that it is surprisingly free of problems, does credit to these developers’ skills and expertise. But they, too, must have limits to what they can tackle. The counterargument, of course, is that the code was open for inspection by anyone, so the potential number of eyeballs looking over it was many factors higher than the resources a company can allocate to the same task.
And yet, there’s no escaping that a comprehensive review was only carried out ten years after the solution saw daylight, or that the latest flaw was discovered after the product was off the market. Or that a fix won’t be forthcoming, at least not for the original TrueCrypt.
For all the grumblings one hears, there is something to be said about a full disk encryption solution that undergoes FIPS 140-2 validation, is proactively supported, and is constantly tested.
Related Articles and Sites: