One of my favorite security tools must now be added to my blacklist. Yesterday all hell broke loose as the TrueCrypt website had a rather dramatic update. It now redirects visitors to a SourceForge site that warns users to not use TrueCrypt anymore and to instead rely on the encryption features built into most operating systems. Needless to say this has caused quite a stir.
There are a lot of theories surrounding what really happened. Many people are claiming that the TrueCrypt website was hacked. If that is the case then the hack was really good. In addition to redirecting users to the SourceForge site, the hackers would have also obtained the private key used by the TrueCrypt team to sign their releases, as a new version of TrueCrypt, which was signed by the team’s key, was made available on the website. The hackers would have also had to write the newly released version of TrueCrypt, which removed all of the encryption capabilities (it’s basically a TrueCrypt partition decrypter now). While all of this isn’t outside the realm of possibility, it would require either a great deal of sophistication or an insider.
Others have theorized that this reaction was due to the TrueCrypt team receiving either a National Security Letter (NSL) or being otherwise coerced by the state. This, in my opinion, is more likely than a hack. Lavabit shut down rather than comply with the state’s demand to provide a means to decrypt user e-mail. It’s possible the TrueCrypt team decided to abandon its product rather than compromise it.
I also have a theory that, like all of the other theories circulating, has no evidence to back it up. For a while the primary focus of TrueCrypt has been booting Windows from an encrypted partition. This feature is not really possible on systems that utilize Secure Boot. Perhaps in a fit of frustration the TrueCrypt team decided to give up on future development because their pet feature was no longer viable. Or they may have decided the work to support other operating systems was no longer worth the effort since Windows, Linux, and OS X all have the ability to boot from an encrypted drive.
Regardless of the reason, it’s fairly safe to recommend that people stop using TrueCrypt. This could very well be a very good hack, but we don’t know, and since we don’t know, we have to assume that what the site says is legitimate and that TrueCrypt may have some major security flaws in it.