Encryption software TrueCrypt closes doors in odd circumstances

Encryption tool TrueCrypt has closed its doors, removed its downloads and advised users to switch to a rival, citing only the end of life of Windows XP as a reason. To fans of the app, which lets users (including the Guardian) encrypt entire hard drives to ensure security and privacy, that rationale makes no sense, and many of them are casting around for other plausible reasons why the app and its development would cease so abruptly. “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP,” is the explanation given on the software’s web page. “Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

But many users of TrueCrypt are, and always would be, reluctant to hand control of their security over to Microsoft. That’s partly because of the belief in the cryptography community that open-source software, where the code that handles the encryption can be read and checked by anyone, is inherently more secure. And it’s partly because of a general distrust of Microsoft. Furthermore, the date of Microsoft’s end of support for Windows XP has been known for two years; it makes little sense to shut down TrueCrypt abruptly and without warning because of an event which has been in diaries since April 2012.

Has TrueCrypt shut because of a government warrant?

The TrueCrypt development team has always remained anonymous, and isn’t speaking about the software’s death beyond the sparse advice left on its download page, leaving users who don’t believe the rationale ample room to speculate about other possibilities. One of the more popular suggestions is that the act is a variation of what’s known as a “warrant canary”.

Warrant canaries are legal tricks employed by conscientious organisations to get around the fact that certain demands from the US government cannot be disclosed publicly. For instance, a company which has received a national security letter, commanding it to turn over user data, may not tell its users that fact. To manage that problem, firms such as Tumblr employ “canaries”. Tumblr’s transparency report, issued in February 2014, says that the firm has “never received a National Security Letter”. If later versions of the report do not contain that phrase, users can assume that Tumblr has received such a demand between the two reports: disclosure without disclosing.

Some TrueCrypt users wonder if the firm is taking a similar tack. “With these events, TrueCrypt jumped very high on the suspicious software list,” says klti on the Reddit thread about the shutdown. “Maybe that’s the whole point?” If TrueCrypt had received a demand from the security services that it didn’t want to comply with, closing development and warning users away from the software entirely is surely one way to fight back.

Better to close down before a flaw is identified?

Others question whether the development team isn’t fighting back so much as giving up. Despite the software’s open codebase, the secrecy of its team means that it has never been given a full third-party review. As the example of OpenSSL’s massive Heartbleed flaw demonstrated last month, merely being open doesn’t help security if no one is actually checking for bugs. The security researcher Matthew Green raised $70,000 in December 2013 to do just such a check. While the first part of the code review, an analysis of the software’s bootloader, came back largely clean in February, Green tells Krebs on Security that he’s “a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.” In other words, perhaps there’s a bug in the software so great that it’s easier to walk away than to fix it. Why do so in such an obfuscatory fashion? Because it’s better to make sure that all your users have switched to a secure alternative before you reveal a flaw that renders their security moot.

Or it may be that the developers simply wanted to quit. Leaving an unmaintained piece of security software live is a dangerous thing: flaws may be found, and never fixed. Better to warn users that the software is dead before it becomes insecure, rather than after. The one user who managed to get a reply from the coders reports that that’s their stated reason:

@matthew_d_green 1 more “I were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”

— Steven Barnhart (@stevebarnhart) May 30, 2014

As for the oddity of the advice, from the developers of a multiplatform security app, to switch to a proprietary Windows-only substitute, they have this to say:

@matthew_d_green Doubt it. He said Bitlocker is “good enough” and Windows was original “goal of the project”. No mention of audit in reply.

— Steven Barnhart (@stevebarnhart) May 30, 2014

That might satisfy some, but others will always be left wondering. They can choose to ignore the explicitly stated reasons, but if they do, they should also accept the fact that we may never know the true reason for the death of the software.
