TrueCrypt takedown

Peter Fairbrother zenadsl6186 at zen.co.uk
Fri May 30 02:20:39 BST 2014


I guess you have all seen the news about the TrueCrypt takedown, eg 
http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ and 
http://www.theregister.co.uk/2014/05/29/truecrypt_analysis/ .

Basically the TrueCrypt website has mostly closed its doors in a 
surprise move. There is a new version which only decrypts existing 
volumes, the earlier versions have gone.

There are lots of theories about why, from a hack through a "Warrant 
Canary" to an existing backdoor or hole.


Some thoughts.

I discard outright any possibility of it being an outside website hack - 
too hard, an attacker would need access to the TC website, the 
Sourceforge TC site, and to the code signing key.

The "Warrant Canary" theory doesn't seem to make a whole lot of sense 
either. It's possible, but why recommend BitLocker? When did someone 
have time to write all those code changes between being served the 
warrant and having to execute it?

An existing hole or backdoor, which may have been about to be revealed 
by the audit? But the audit people say there is no sign of that, at 
least so far.



The theory which makes most sense to me is that it was an at least 
partly commercially-motivated self-takedown by the devs.

The recent change in name on the otherwise "same old code and binary 
signing key" is possibly significant here - the developers, or perhaps 
just some of them, may want to start up a commercial product in the new 
name.

Their commercial aspirations are well-known, witness the previous 
license issues, the failed crowdfunding and donations campaigns, the 
"TrueCrypt Developers LLC" registered in Nevada (thanks to Piergiorgio 
Sartor for that info). And they already own a good chunk of the IP 
rights in the TrueCrypt source.

The ending of the project was graceful, to some extent at least - people 
were not left with unrecoverable archives, and temporarily acceptable 
but not-as-good alternatives were suggested. A whole lot of work went 
into that.

It is obvious that this wasn't done in the heat of the moment - it must 
have taken at least several weeks to do the code revisions for the 7.2 
release. There have also been hints (eg the robots.txt file) for about 
six months that something might be happening.

The only reason I can think of for doing all that work is maintaining 
reputation (or technical reputation at least - TrueCrypt devs are not 
exactly known for being people people, or for being particularly into 
"free open source" either).

No reasons why the code is/may be broken are given. Actually the 
"WARNING: Using TrueCrypt is not secure as it may contain unfixed 
security issues" does not even actually say TrueCrypt is broken, just 
that it may be.

And the unfixed issues might be fixed later, in the commercial version.

Which would have been independently audited... at no cost to TrueCrypt...


-- Peter Fairbrother


