TrueCrypt: Its last bow

June 2016 update: Link repairs.

TrueCrypt is a discontinued free disk encryption utility for Windows, Mac, and Linux. It is a free and shared-source alternative to BitLocker, but is not restricted to the high-end editions of Windows and does not need Trusted Platform Module (TPM).

TrueCrypt v7.1a running on Windows 8.1

TrueCrypt v7.1a running on Windows 8.1

TrueCrypt’s sudden end of life on 28 May 2014 become controversial, since unlike most computer programs, TrueCrypt’s authors beheaded it with the release of version 7.2.

Overview

TrueCrypt can encrypt actual hard disk partitions or create encrypted virtual partitions. Its encryption strength is top-notch and its features far outmatches BitLocker, despite the fact that it does not support GPT partitions and does not use TPMs. The authors describe the product as “free and open-source” but this description does not accurately tallies that of OSF definition. According to OSF, an open-source product involves the public in development, which TrueCrypt does not; TrueCrypt is free and shared-source. Nevertheless, because it is free, its source code can be studied, audited and even be used to make a derivative work. It seems the authors of this program, who call themselves “TrueCrypt Foundation”, have kept their identity a secret.

Open Crypto Audit Project is currently performing a “comprehensive” cryptanalysis of TrueCrypt (analyzing its strengths and weaknesses and making sure there is no backdoor or security problem with it) and the first phase of their analysis is complete.

TrueCrypt foundation rarely released more than one new version each year. But on 28 May 2014, something unprecedented happened: Their website showed the following message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

Accompanying the message were instructions on how to create virtual hard disks (VHDs) and encrypt them with BitLocker, as well as a newly-released TrueCrypt 7.2 which could only decrypt but not encrypt.

That the message is badly written and mostly nonsense was easy to see: BitLocker and VHD support are only available on the most exotic editions of Windows and are far underfeatured in comparison to TrueCrypt, which is still needed on other editions. Also, the message contradicts itself by stating two equally unlikely reasons for discontinuation: Adherence to the support policy of Microsoft (presumed a non-involved company) and probability of existence of security vulnerabilities in this masterpiece of art and technology. Finally, it is as if this message is written by a child whose knowledge of both computer and English was limited. Pay attention to “Using TrueCrypt is not secure” instead of “TrueCrypt is not safe”, “may contain” and the redundant “unfixed”. “Windows 8/7/Vista and later” is used instead of “Windows Vista and later”. (But reserve your comments for now; I have more to say on this.)

Naturally, many thought TrueCrypt website is hacked and the release is malicious. The “many” part is obvious from the edit history of TrueCrypt article on Wikipedia and its metadata page, as well as the news reports by Ars Technica and Daily Dot.

Gibson Research Corporation’s interpretation

Steven Barnhart of Gibson Research says that contrary to the badly written message’s claim, TrueCrypt is still very secure and very safe. But he also says the that the release of TrueCrypt 7.2 is authentic, using the digital signature and PGP signature as his evidence. He claims that TrueCrypt foundation was tired of developing this tool but also didn’t want others to adopt their precious brainchild. So, they killed it. They don’t want derivative works.

Alternative explanation

On 17 June 2014, several news outlets, including The Guardian, reported that the badly written warning actually contains a coded message.

In this message:

Using TrueCrypt is not secure as it may contain unfixed security issues

… collecting the first letter of each word results in:

u t i n s a i m c u s i

It is claimed that the letter can form the following allegedly Latin sentence:

uti NSA im cu si

It is also claimed that the Latin sentence is translated into:

if you wish to use NSA

And it is also claimed that a more accurate meaning-based translation would be:

it is under the control of NSA

These allegations are entirely nonsense. “Uti NSA im cu si” is not Latin. It does not translate into “if you wish to use NSA” and it certainly does not translate into “it is under the control of NSA”. Google Translate shows this exact translation only because it is user-contributed.

The allegations of NSA interference is not new. As the linked sources hint, some people believe that NSA personnel are not all saints (or are outright immoral torturers), that they are more harmful to average God-fearing citizens than to drug lords, that they have taken down Lavabit.com  out of spite just because it was connected to Edward Snowden, and that they have put TrueCrypt developers under duress, forcing them to kill TrueCrypt, again, because it was connected to Edward Snowden. I am neither in a hurry to dispute them nor join their ranks. But this? This is going too far. I’d have probably accepted the NSA’s duress theory without this wordplay.

Advertisements

Posted on 19 June 2014, in Computers and Internet and tagged , , , , , , , , , , . Bookmark the permalink. Leave a comment.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: