
TrueCrypt is Still Safe

Sunday, July 13, 2014


I want to preface this with a note from me: "Hey all, I apologize for not publishing anything recently; I've had writer's block and now I'm doing research for my next big post (get ready for it!) amidst dealing with crashed hard drives and OS transfers. 

But, inspired by the comment "dude, truecrypt is dead" that I saw on IRC, I want to write a short statement about TrueCrypt. Now it's no secret I'm a TrueCrypt fanboy so this will be a tad biased, but please hang with me."

Since 2004, TrueCrypt has been the go-to on-the-fly (OTF) disk encryption tool and has served probably millions of users (myself included). TrueCrypt had been in active development, reaching version 7.1a, when, on May 28, 2014, its website displayed a very odd message warning that the software was insecure.

Although no one knows for sure why the developers suddenly stopped (there are a few conspiracy theories), we do know that TrueCrypt is still safe.

Don't believe me? Fine. But there are a few resources I would like to point you towards.

First, there has been an effort to audit TrueCrypt and see if there actually are any security flaws and, thus far, the first report looks pretty good (you can read it here - it's pretty dense but a very interesting read) with no major holes.

Second, PCAdvisor indicates that the sudden shutdown was an attempt to kill TrueCrypt as opposed to being a true warning.

And third, the famous Gibson Research Center, industry leaders in privacy and security related software, say that yes, TrueCrypt is still safe. To quote in full, this is what they have to say on the issue:

Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt's swan song v7.2 release, and to the code's updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.

For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt's developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt's longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.

Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt's current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?

The mistake these developers made was in believing that they still “owned” TrueCrypt, and that it was theirs to kill.

But that's not the way the Internet works. Having created something of such enduring value, which inherently requires significant trust and buy-in, they are rightly unable to now take it back. They might be done with it, but the rest of us are not.

The developers' jealousy is perhaps made more understandable by examining the code they have created. It is truly lovely. It is beautifully constructed. It is amazing work to be deeply proud of. Creating something of TrueCrypt's size and complexity, and holding it together as they did across the span of a decade, is a monumental and truly impressive feat of discipline. So it is entirely understandable when they imply, as quoted below, that they don't trust anyone else to completely understand and maintain their creation as they have. Indeed, it will not be easy. They might look at the coding nightmare atrocity that OpenSSL became over the same span of time and think: “Better to kill off our perfect creation than turn it over to others and have it become that.”

Those who believe that there is something suddenly “wrong” with TrueCrypt because its creators have decided they no longer have so much to give are misguided.

TrueCrypt's creators may well be correct. TrueCrypt may never be as pure and perfect as it is at this moment, today—in the form they created and perfected. Their true final version, 7.1a, may be the pinnacle of this story. So anyone would and should be proud to use and to continue to use this beautiful tool as it is today.

TrueCrypt's formal code audit will continue as planned. Then the code will be forked, the product's license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won't allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.

There will be continuity . . . as an interesting new chapter of Internet lore is born. (x)

And the founder of GRC has written three articles on the subject, located here, here, and here, which I suggest you read.

And to quote some words from TrueCrypt's developers that may give one some idea of why they stopped:

Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):
  • TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
  • Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
  • Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
  • Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
  • TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
  • Quoting TrueCrypt Developer David: “There is no longer interest.”

So, if you're like me and still want to use TrueCrypt, the folks at GRC have archived the setup files, which will be posted below. Additionally, if one is worried about the setups being compromised, one can verify the TrueCrypt 7.1a hashes here.
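Checking an archived installer against a published hash list is the one step here that is easy to get subtly wrong (comparing the wrong digest, trusting a partially downloaded file, or eyeballing a 64-character string). The script below is an added example, not code from this post or from GRC: it parses a sha256sum-style manifest, streams each file through SHA-256 so large packages do not have to fit in memory, and reports every entry as intact, mismatched, or missing. The file names and digests in `demo()` are constructed stand-ins; the real TrueCrypt 7.1a values have to come from the hash list linked above.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read installers in 1 MiB chunks so large files never sit in RAM


def sha256_file(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>' or '<hex> *<filename>')
    into {filename: hex}. Blank lines and '#' comments are skipped; a line whose
    digest is not 64 hex characters is rejected rather than silently ignored."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        manifest[name.lstrip("*").strip()] = digest.lower()
    return manifest


def verify_downloads(manifest: dict, directory: Path) -> dict:
    """Check every manifest entry against the files in `directory`.
    Returns {filename: 'ok' | 'mismatch' | 'missing'}; a missing file is reported,
    not skipped, so an incomplete download set cannot pass unnoticed."""
    results = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest is the right habit for any digest comparison, even though
        # timing is not a concern for a local file check
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario (not real TrueCrypt files or hashes): one intact
    download, one copy with a byte appended in transit, one file never fetched."""
    good = b"constructed stand-in for an installer package"
    tampered = good + b"\x00"
    good_digest = hashlib.sha256(good).hexdigest()
    manifest_text = "\n".join([
        "# constructed manifest; real digests come from the published hash list",
        f"{good_digest}  truecrypt-7.1a-setup.exe",
        f"{good_digest} *truecrypt-7.1a-mac.dmg",
        f"{good_digest}  truecrypt-7.1a-linux-x64.tar.gz",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "truecrypt-7.1a-setup.exe").write_bytes(good)
        (d / "truecrypt-7.1a-mac.dmg").write_bytes(tampered)
        # the linux tarball is deliberately not written, so it shows up as missing
        return verify_downloads(parse_manifest(manifest_text), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

In real use, replace `demo()` with `verify_downloads(parse_manifest(open("hashes.txt").read()), Path("downloads"))`, and treat anything other than `ok` on every line as a reason not to run the installer; a single appended byte is enough to flip the result to `mismatch`, which is exactly the point of checking.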

But if you're extremely worried and want to jump ship, PC World has compiled a list of alternatives for you.

TrueCrypt v7.1a installation packages (these will be mirrored on my site later too):
