May 29, 2014

The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.

Sometime in the last 24 hours, truecrypt.org began forwarding visitors to the program’s home page on sourceforge.net, a Web-based source code repository. That page includes instructions for helping Windows users transition drives protected by TrueCrypt over to BitLocker, the proprietary disk encryption program that ships with every Windows version (Ultimate/Enterprise or Pro) since Vista. The page also includes this ominous warning:

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”

“This page exists only to help migrate existing data encrypted by TrueCrypt.”

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.

What’s more, the last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.
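The check behind the reasoning above is key continuity: a release is treated as genuine only if the key that signed it is the same one that signed an earlier, already trusted release. The following Python is an added example that is not part of the article and not TrueCrypt's own tooling; it assumes the release ships a detached OpenPGP (RFC 4880) signature, parses the v4 signature packet, pulls out the 64-bit issuer key ID, and compares it with a pinned key ID from the earlier release. The signature bytes and key IDs are constructed in the block for illustration.

```python
"""Key-continuity check on OpenPGP detached signatures (RFC 4880).

Added example, not code from the article or the TrueCrypt project.
All signature bytes and key IDs below are constructed for illustration.
"""
import struct

SIGNATURE_PACKET_TAG = 2   # RFC 4880 section 4.3
ISSUER_SUBPACKET = 16      # RFC 4880 section 5.2.3.5: 8-byte key ID


def _read_packet(data):
    """Return (tag, body) of the first packet; handles old and new headers
    for bodies shorter than 8384 bytes, which covers any real signature."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                        # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("unsupported packet length encoding")
    else:                                 # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        else:
            raise ValueError("unsupported packet length encoding")
    return tag, data[off:off + length]


def _iter_subpackets(buf):
    """Yield (type, payload) for each signature subpacket in buf.
    The encoded length counts the type octet but not the length octets."""
    pos = 0
    while pos < len(buf):
        first = buf[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
        yield buf[pos], buf[pos + 1:pos + length]
        pos += length


def issuer_key_id(sig_bytes):
    """Return the issuer key ID (upper-case hex) of a v4 signature packet."""
    tag, body = _read_packet(sig_bytes)
    if tag != SIGNATURE_PACKET_TAG:
        raise ValueError("not a signature packet")
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    # body[1..3] = signature type, public-key algorithm, hash algorithm
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    for area in (hashed, unhashed):          # issuer is usually unhashed
        for sub_type, payload in _iter_subpackets(area):
            if sub_type == ISSUER_SUBPACKET and len(payload) == 8:
                return payload.hex().upper()
    raise ValueError("signature carries no issuer subpacket")


def same_signer(sig_bytes, pinned_key_id):
    """True when the signature's issuer matches the pinned (trusted) key ID."""
    return issuer_key_id(sig_bytes) == pinned_key_id.upper()


def _make_v4_sig(issuer, new_format=True):
    """Construct a minimal v4 RSA/SHA-256 signature packet for the demo.
    The MPI is a dummy; only the packet framing is meaningful here."""
    hashed = bytes([5, 2, 0x53, 0x87, 0x2C, 0x40])        # creation time
    unhashed = bytes([9, ISSUER_SUBPACKET]) + issuer       # issuer key ID
    body = (b"\x04\x00\x01\x08" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xAB\xCD" + b"\x00\x08\x42")
    header = bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])
    return header + body


# Constructed samples: the "January" and "May" releases share an issuer,
# the third is signed by some other key.
PINNED_KEY_ID = "0123456789ABCDEF"
JANUARY_SIG = _make_v4_sig(bytes.fromhex(PINNED_KEY_ID), new_format=True)
MAY_SIG = _make_v4_sig(bytes.fromhex(PINNED_KEY_ID), new_format=False)
OTHER_SIG = _make_v4_sig(bytes.fromhex("FEDCBA9876543210"))

if __name__ == "__main__":
    print("May release signed by pinned key:", same_signer(MAY_SIG, PINNED_KEY_ID))
    print("Other release signed by pinned key:", same_signer(OTHER_SIG, PINNED_KEY_ID))
```

A matching key ID is necessary but not sufficient: a 64-bit key ID can be forged by generating a key that collides on those bits, so the check only narrows the question of who signed the release and must be followed by full cryptographic verification against the pinned public key (for example `gpg --verify` with a keyring that holds only that key). Note also that the Windows installer discussed in the article carries an Authenticode signature, a different format from the detached OpenPGP signature this example parses.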

That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden.

“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).

Green said he’s disappointed that the TrueCrypt team ended things as abruptly as they did, and that he hopes that a volunteer group of programmers can be brought together to continue development of the TrueCrypt code. That could be a dicey endeavor given the license that ships with TrueCrypt, which Green says leaves murky and unanswered the question of whether users have the right to modify and use the code in other projects.

“There are a lot of things they could have done to make it easier for people to take over this code, including fixing the licensing situation,” Green said. “But maybe what they did today makes that impossible. They set the whole thing on fire, and now maybe nobody is going to trust it because they’ll think there’s some big evil vulnerability in the code.”

Green acknowledged feeling conflicted about today’s turn of events, and that he initially began the project thinking TrueCrypt was “really dangerous.”

“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green said. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”

Whether or not volunteer developers pick up and run with the TrueCrypt code to keep it going, Green said he’s committed to finishing what he started with the code audit, if for no other reason than he’s sitting on $30,000 raised for just that purpose.

“Before this happened, we were in process of working with people to look at the crypto side of the code, and that was the project we were going to get done over this summer,” Green said. “Hopefully, we’ll be able to keep TrueCrypt.”


363 thoughts on “True Goodbye: ‘Using TrueCrypt Is Not Secure’”

  1. JC

    Ha! Been recommending that one for years, and then poof! Gone. So much for open source eh?

    Then they recommend BitLocker. HAHA!

    Good thing I already made that transition.

  2. RockDoctor

    Seems like a fine time to drop it and be your kids’ soccer coach.

    Hmmm, so you get 6 months as your kid’s soccer coach and then the black-windowed SUV is waiting to collect the two of you after soccer.
    And then TrueCrypt reappears. So your kid can continue breathing through its remaining nostril instead of through a straw.
    Nope – retiring from this game of tiger-tail-pulling by letting-go is only going to get you mauled.

  3. DJ

    I think this is another Lavabit incident…
    Better to close the project than to betray the users.

    “I fight for the users”
    Tron

    1. reine

      Thought the same, I think this happens, NSA came…

  4. root

    Using TrueCrypt is not secure as it may contain unfixed security issues

    Not Secure As (NSA)

  5. buzz

    A couple years ago there was a powerpoint file released that Microsoft created for law enforcement that showed them how to easily bypass Bitlocker encryption. I still have that actually.

    TrueCrypt to the best of my knowledge had no backdoors. And now they push us to Bitlocker? Something doesn’t add up. If you use Bitlocker, you are not using secure encryption. Anyone can access via the backdoor once they know how.

  6. MASTAB

    A possibility that no-one else has suggested before, at least to my knowledge: NSA guys knocked at the door of the C devs, and showed that they can break any crypto with their brand new D-Wave quantum computer. Disheartened, the developers decided to give up crypto completely and suggest that people use the tools provided by the OS makers, since they’re as good as any against kids and hackers, and as useless as any against the mighty Illuminati controllers.

  8. Alex

    And here I was wanting to download the latest version of TrueCrypt.

    yay.

  9. Joe Kurtis Jr

    After watching the tutorial on the tutsteach youtube I gave it a try. It has been one week since I started using diskcryptor and I am so impressed that yesterday I moved all of my files around and now all I use is diskcryptor. It gets my thumbs up as my alternative to TC.