The understatement of the month would be calling this a peculiar moment. This is far from peculiar–this is straightup WTF?!
My favorite encryption software, TrueCrypt, has been abruptly and mysteriously shut-down(que dramatic music!!!). The official TrueCrypt website now only has some information on ‘alternatives’ and offers the following advice.
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
TrueCrypt was really awesome, it had features like full-disk encryption and even encrypted volumes within encrypted volumes for ‘plausible deniability’. The anonymous authors of the software have apparently thrown in the towel on what was the best free encryption software on the web.Yes, TrueCrypt was free just like Apache and OpenSSL, and just like them was pervasively used by tech-savvy web users. So any vulnerability on TrueCrypt would have severe ramifications–just like Heartbleed had for OpenSSL.
To avoid any ‘heartbleed-like’ issues with TrueCrypt–an initiative from within the security community was kicked off to perform a full security audit on TrueCrypt. Support for the initiative wasn’t hard to come by in the wake of recent developments like PRISM, specifically the revelations that the US government was intentionally making encryption software weaker to allow exploitation further down the road.
But just when the audit was making good progress the TrueCrypt team dropped their bombshell. Brian Krebs suggest that the shut-down is legit, and this isn’t some web-site hack or hoax. The speculation churning machine (a.k.a the entire internet) has been rife with guesses as to what really occurred, but honestly no one has the answer, except the authors of TrueCrypt–who are anonymous.
The problem for people who are using TrueCrypt–is what to do? TrueCrypt recommends bitlocker, but BitLocker isn’t available for basic version of Windows–the version most people use? Also, Bitlocker hasn’t been audited either and forgive me if I’m still a bit edgy about using Microsoft products. What with them spying on my Skype conversations and all.
I’m sticking to TrueCrypt for now, and wait till the dust settles before I decide to re-encrypt my drives with a new piece of software.After all the audit hasn’t found any serious flaws, and even if it did I’m betting someone will fork the code as soon as it happens