Something odd is happening with the popular open source encryption program TrueCrypt. The download page for the program was changed Wednesday to display an ominous warning about the software: "Using TrueCrypt is not secure as it may contain unfixed security issues," it reads. "This page exists only to help migrate existing data encrypted by TrueCrypt."
The site provides further instructions for how to shift data to Bitlocker, a Microsoft encryption program. The notice on the site also references the company, saying the "development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP" and that later Windows operating systems offered integrated support for encrypted and virtual disks.
An updated version of the program was also released, but privacy and security researcher Runa Sandvik says it contains the same sort of warning as the site. And features are disabled: Namely, the encryption ability -- although decryption is still functional. The file size of this release, labeled number 7.2, is smaller than the last release. But Sandvik says it was signed with the same encryption key as previous releases -- as does Matthew Green, an associate professor of computer science at Johns Hopkins University.
It was not immediately clear if this represented some sort of hostile take over of TrueCrypt assets, or merely was the exit strategy of TrueCrypt's mysterious, anonymous development team -- although both scenarios are potentially troubling. The project is open source, and done by an entirely volunteer workforce says Green. While the group accepted donations, he doesn't know how many they received -- and wouldn't be surprised if this was the development's send off to the software, although he has not been able to confirm the situation.
"The worst case scenario would this to be the end of TrueCrypt with developers deciding to just end it in this very weird way," Sandvik says, adding that TrueCrypt was widely used and trusted -- as well as available on a range of platforms. "I can remember using it probably 10 years ago," she says. Sandvik says former National Security Agency contractor Edward Snowden even taught others how to use the program during a Hawaii "Cryptoparty" with Sandvik in December 2012 -- during the same time period he was reaching out to journalist Glenn Greenwald.
Sandvik is also a technical adviser to the Freedom of the Press Foundation, of which Snowden is a board member -- as well as a technical adviser to the TrueCrypt Audit Project, which was started by Green and other privacy researchers wanting to take a hard look at the security of the tool in light of its wide use.
The first phase of the audit, which was released in April, was promising with a few minor issues, but Green says the whole process was still underway.
For Green, the latest turn of events with TrueCrypt raises issues about the dependency of the crypt community on volunteer projects when it comes to encryption. "We used to think these were toys, and along the way we turned them into things people really rely on," he says.
If posting and update represent some sort of hack on the development team, they weren't as secure as everyone thought, Green says -- since the key used to sign the update was most likely kept offline and may have required the physical tacking of the group. And if it is actually the developers closing shop, it's a sign they weren't as put together as you might want them to be to rely on them in that way.
Just last month, a significant vulnerability was found in another open source project -- the Heartbleed bug in OpenSSL, which was used by sites across the Web to secure sensitive browsing data. It left some major tech companies scrambling to update when it was discovered that a bug could leak random bits of data from the servers memory due to a change made some two years earlier. At the time the Heartbleed bug was disclosed, the group that supported the project consisted of fewer than a dozen people across the globe, with one single employee of the associated foundation working out of his home near Frederick, Md.