Indications suggest that the silent and anonymous creators of TrueCrypt, the widely popular open source freeware application, often used to secure bitcoin wallets, may be responsible for a sudden halt in services. The service, which was primarily used for protecting personal and sensitive details and data, was suddenly updated with a rather unusual message.
The TrueCrypt site surprised its users with the following message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” In additional guidance, the site’s developers added:
“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The page, which according to the message “exists only to help migrate existing data encrypted by TrueCrypt,” further suggests that users migrate their existing data from TrueCrypt to Microsoft’s BitLocker encrypted drives. BitLocker, according to PCWorld, is only available on Windows 7 Pro and Ultimate Editions, and Windows 8.1 Pro and Windows 8.1 Enterprise, which makes the solution abysmal at best due to its limited accessibility.
The move is a surprising one because the service recently received approval from iSec, a highly regarded full-service security firm that asserted that, with respect to TrueCrypt, they “found no evidence of backdoors or intentional flaws”.
Meanwhile, The Register reports that the service “appears to have been compromised.” The service was a favorite often used by NSA whistleblower Edward Snowden, and indications are that either the service has long been compromised or, as some worry, it may have been hijacked. The Register further reports that as recently as Wednesday, a Wikipedia user under the handle “Truecrypt-end” persistently attempted to make changes to the TrueCrypt page but was blocked from doing so by moderators.
A recent crowd-funded audit found that, while there were minor security flaws within TrueCrypt, there were no serious concerns. Kenn White, who headed up the TrueCrypt code-auditing project, took to Twitter to insist that he has no explanation for the latest developments.
No one on the TC audit project has anything to do w/ its development or the TC site. We will share any credible updates w/ the community.
— Kenn White (@kennwhite) May 28, 2014
Despite the skeptics, Matthew Green, research professor at the Johns Hopkins University Information Security Institute, who also headed up the crowdfunding efforts, believes that TrueCrypt’s developers are behind the move. In an interview with Krebs On Security, the cryptographer explained:
“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”
Green says he is disappointed that efforts have ended this way. He explains that there were plenty of alternatives for continuing TrueCrypt’s usability, and many ways in which the developers could have passed the code along without shutting down the service altogether.
Last I heard from Truecrypt: “We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!”
— Matthew Green (@matthew_d_green) May 29, 2014
“Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer,” Green told Krebs. “Hopefully, we’ll be able to keep TrueCrypt.”
Nonetheless, as Green states, there is unlikely to be a way to restore trust in the terminated service now that its legitimacy has been compromised. While it remains unclear whether user information has also been compromised, the site, along with security proponents, is warning users to stay away while seeking an alternative.
Image Credit: Wired