Is TrueCrypt pining for the fjords?

Filed Under: Cryptography, Featured, Podcast, Privacy

As Monty Python famously opined in the Parrot Sketch from Monty Python's Flying Circus, no amount of jostling, explanations or hopeful wishes will bring back something that is well and truly dead.

The mystery surrounding the demise of TrueCrypt continues, but not without additional drama from those who refuse to let go.

Last week John Leyden, writing for The Register, posted about an attempt at keeping TrueCrypt alive on a site hosted in Switzerland by Thomas Bruderer and Joseph Doekbrijder.

The site is in clear violation of the TrueCrypt license 3.1 as revised with the final 7.2 release of TrueCrypt on the 28th of May. The license states:


"c. Your Product (and any associated materials, e.g., the documentation, the content of the official web site of Your Product, etc.) must not present any Internet address containing the domain name truecrypt (or any domain name that forwards to the domain name truecrypt) in a manner that might suggest that it is where information about Your Product may be obtained or where bugs found in Your Product may be reported or where support for Your Product may be available or otherwise attempt to indicate that the domain name truecrypt is associated with Your Product."

While Thomas and Joseph likely have the best intentions, simply hiding a website in Switzerland doesn't really change the fact that they are acting against the wishes of the authors and may struggle with legal issues using any code they release.

The letter of the law and the intent of the owner(s) may be two different things, but should you ever intentionally violate their wishes?

Whatever your beliefs on this point, there are bigger questions to be pondered than small print and license concerns.

Earlier this week we surveyed just over 100 IT professionals over on Spiceworks, a community for the people who have to actually get the work we talk about done.

In fact, one of the more interesting results in our survey was that 64% of TrueCrypt business users are thinking more critically about choosing TrueCrypt after learning about the questions that have been raised by its sudden disappearance.

We can only speculate as to why people are less sure than before. Perhaps the message from the developer(s) saying the code is insecure and not to use it is having its intended impact.

The percentage of TrueCrypt users was no small number; it tied for first place in the survey.

Exactly 1/3 of all respondents who use encryption are using TrueCrypt at home, at work or both.

I am sure that popularity is due to the small and mid-sized companies represented in the survey: 87% of respondents worked for organizations of 1,000 or fewer users.

Another interesting finding was that only 52% of the IT people who participated say that their organization uses encryption to protect their data.

30% said they don't use encryption at home or at work, 28% said they use encryption at home and at work and 24% only use encryption products at work.

This entire drama has been very interesting and educational. It has allowed me to start a conversation about data protection and hear from a lot of people about their opinions on the topic.

I get the impression that a lot of people were unaware of TrueCrypt's origins and will likely rethink whether they want to continue to use it, given the cloud now hanging over its status, both today and in the future.

John Shier had some time last week to interview me for a short podcast on the topic. If you have a few minutes, why not give it a listen?


For those interested in moving away from TrueCrypt or simply interested in data protection, we have put together a page with some help information at http://sophos.com/truecrypt.



28 Responses to Is TrueCrypt pining for the fjords?

  1. How do you deduct "Users think more critically about Truecrypt" from the question "Do you think more critically about encryption products after the Truecrypt uncertainty"?

    I'd actually interpret this as "We really have to stop taking solutions for granted" - but it's NOT a vote of non-confidence against Truecrypt 7.1a

    • Paul Ducklin · 80 days ago

      Don't want to put words in Chester's mouth, but I'd guess the deduction went a bit like this:

      "Users are now thinking more critically about encryption. TrueCrypt is encryption. Therefore users are thinking more critically about TrueCrypt."

      On top of that, the reason that people are thinking more critically about encryption in the first place is because of TrueCrypt's sudden demise.

      You can spin it however you like, but the message - loud, clear and uncontested - on the TrueCrypt website says that the product is insecure, and tells you not to use it. The current version (ignoring the death-rattle 7.2 release, which is only a decryption product) is 7.1a.

      That's not a *vote* of no-confidence in 7.1a. It's a *statement* of no-confidence.

      What I don't understand is why many people who seem to love TrueCrypt very much are expressing their love and respect by saying and doing exactly the opposite of what the developers have said and clearly seem to want.

      • Esher · 80 days ago

        I am personally sad to see it go but the story is fascinating. It seems like there is more to it than the developers just going full Dave Chappelle and walking away. As far as what they "clearly seem to want," I don't think there is anything clear about their statement on the website. Saying they are stopping because of XP EoL is like me saying I am selling my Apple stock because of cats. It sets a tone of "Uhh... what?!" for the rest of the page. I know conspiracy theories abound though. It will be interesting to see how this one pans out. We already leverage Bitlocker for FDE for business. I don't trust it but we have to have something and we are a Microsoft shop. Bitlocker would be the least of our worries regarding backdoors.

        • Paul Ducklin · 80 days ago

          I don't find the "XP end of life" story bizarre. I have no way of saying if it's true, of course, and it may be wrong, but it's by no means impossible to believe. After all, XP was the only platform left for which TrueCrypt had what you might call a Unique Selling Point.

          IIRC (correct me if I am wrong), TrueCrypt didn't yet officially support Windows 8, and had no FDE support for OS X or Linux. So there would have been a lot of work to catch up to dm-crypt, FileVault and BitLocker...add to that there hadn't been an update for a long time, so for all we know the developer (was there more than one?) hadn't even looked at the code for a couple of years. And there were bugs found in the audit that would need at least some attention.

          With more and more Linux distros making FDE easy to turn on; with OS X doing exactly the same; with Windows 8 users out in the cold; and with XP dead...

          ...and a whole bunch of work looming if he wanted to bring out another release...

          ...maybe the developer really did just decide to focus on the day job, given an already dwindling "market" for his product?

          Given the whole anonymity thing, why is it so weird if he chose to go out with a simple statement of fact (there are bugs, he's not going to fix them, ergo it is insecure), albeit with a touch of mystery?

          He doesn't owe anyone anything, after all :-)

          Note I am not trying to claim this as fact, just to suggest that it doesn't seem any more far fetched than some of the conspiracy theories I've heard, so to dismiss it as "obviously bizarre" seems a step too far.

  2. Techno · 80 days ago

    I think the Truecrypt website message is written for a future audience. The development has stopped, and the author is anticipating a message that is safest for future audiences.

    So if somebody reads it in ten years' time, the author is saying they can make no guarantee it is safe because they haven't worked on it for ten years, which is the safest message to give under the circumstances.

    • Paul Ducklin · 80 days ago

      It sounds as though you very badly want it to be untrue that TrueCrypt is broken...but the message doesn't say what you're suggesting.

      It says, "WARNING: Using TrueCrypt is not secure." In BIG RED LETTERS.

      I'd say the most sensible conclusion to reach from this is that it is unwise to keep using TrueCrypt. I mean...that's what it says, in red-and-white!

      • Anon · 80 days ago

        There is no evidence that TrueCrypt IS broken yet. The audit is still ongoing and so far it has found nothing wrong with it at all.

        Edward Snowden himself recommended TrueCrypt as a secure tool for privacy.

        For a statement to suddenly appear saying "it's insecure, abandon ship" smacks of the NSA closing down the project and trying their best to encourage people off of it.

        We already know from Snowden that Microsoft co-operates with the NSA and has backdoors into its products. For BitLocker to be endorsed so heavily on TrueCrypt's new site is very suspect.

        • Agreed, unless/until there is hard evidence that proves insecurity, I am still considering it a viable product.

          • Nigel · 78 days ago

            Wow.

            If I were a TrueCrypt user, I would err on the side of caution, given the unequivocal (albeit mysterious) declaration by the developer that the product is not secure. But I guess some folks are determined to believe what they want to believe.

            • Deonast · 77 days ago

              I've literally got no choice in the matter. Until it is shown to be insecure I'll keep using it. There really isn't a good alternative that is cross-platform. I use a large encrypted container hosted on a server and accessed from Mac, Linux and PC operating systems. Name another encryption platform that can do that and I'll consider it.

              The declaration from the developer is dubious. I've heard from other channels that they don't want to develop anymore and this is their attempt to migrate people quickly and ditch support. The tie-in to XP end of life is erroneous, and has no impact on running it on other platforms.

              • GPG. I use it on all my devices for managing protected files.

                • Albin · 64 days ago

                  I've used TC for a dog's age across Windows, Ubuntu/Mint and recently Android. That is now thrown in the air, though I notice Steve Gibson is supporting use of 7.1 and providing links and the Sundin ppa for Ubuntu is active for that version.

                  After some digging I've come up with a pretty good free and cross-platform replacement for my one large encrypted container kept in an online storage service: BoxCryptor for Windows, Gnome ENCFS Manager for Ubuntu, and Encdroid for Android. These are all user-friendly GUIs and work nicely on the same machines TC does. I'd be interested in this writer's thoughts about ENCFS encryption as a replacement for TC.

                  • Hi Albin,

                    I think your solution should work great and isn't dissimilar from my own. I use gnupg for most things I need to personally encrypt.

                    Obviously that isn't a terribly scalable choice for an enterprise or organization with less technically minded staff, but as individuals it works quite well. The challenge is full disk encryption if you choose not to use BitLocker on Windows systems.

                    Full disk encryption is essential as lots of bits and bobs with sensitive stuff get written all over the place when you are accessing the files in your EncFS volumes. Especially page files or swap partitions.

                    • Albin · 60 days ago

                      Thanks for the response - it certainly is news to me that data in my encrypted container would be recoverable in page or swap files after mounting and accessing it. I've generally considered full disk encryption overkill, but this puts another light on it. Best regards

                    • Paul Ducklin · 60 days ago

                      There are other risks, too, such as temporary files, documents you saved outside the directory tree covered by the encrypted container, configuration or other software-related data that is stored outside the container...even something as apparently innocent as what software you have on your computer.

                      Why risk revealing any of that when you can make "the encrypted container" into "the whole disk"? (Strictly speaking it isn't the *whole* disk as you need some unencrypted part if only to load the drivers needed to decrypt the rest, but it can be pretty close to everything.)

                      The nice thing about full disk encryption is that you can stop worrying about whether this file or that file is encrypted...they all are :-)

        • Paul Ducklin · 78 days ago

          If you must have the NSA involved in the story, surely it's at least as reasonable to assume that the developer is sending a thinly-veiled warning that the NSA has already broken TrueCrypt and that the mainstream alternatives are no less risky?

          Thing is, there is nothing inaccurate about saying there are unfixed bugs in TrueCrypt. And they aren't going to be fixed now, because the project has ended.

          Are you suggesting the developer said what he did in order to convince you to keep on using the product? I'd have gone out differently if that were what I'd wanted to lead people to believe.

  3. jimcsecurity · 80 days ago

    At work we use a managed BitLocker encryption solution. At home I continue to use TrueCrypt file containers (rather than full disk encryption).

    Since Sophos SafeGuard Encryption is for commercial use, have you any suggestions for personal encryption alternatives other than Symantec Drive Encryption and DiskCryptor? Thanks.

  4. Joe · 80 days ago

    Switzerland doesn't have fjords. "Taler" maybe, lakes even, but no Norwegian fjords.

    • Jake · 80 days ago

      Well, you wouldn't have to pine for fjords in a fjord-rich country like Norway, would you?

      Less literally, it's a euphemism for 'dead', or more faithfully to the original, 'looking very dead but actually ok'

  5. Sad about the demise of TC · 80 days ago

    The issue I am facing as a personal user of TrueCrypt is that I am not aware of any other free alternative product that does as much as TrueCrypt did / does for personal use:

    Encrypted virtual drive: I have a couple of laptops that I take with me on my travels and both have TrueCrypt virtual drives where I keep sensitive personal information (securely !!!) including scans of my passport, travel insurance etc...I also have an encrypted drive on my home desktop.

    Portability: I use the portable version of TrueCrypt, thus I encrypt everything that I copy onto a USB pen drive because they are soooo easy to lose. I encrypt everything irrespective of whether it is personal information or not.

    If I were to buy software, I would need to purchase 3 licences, which I cannot afford. Please do not misunderstand me, I am happy to buy professional software but not 3 licences. For example, my paid-for AV software gives me a 3 device licence.

    I am therefore sticking with TrueCrypt for now until such a time as a free certified alternative becomes available or I come across a commercial product which provides the functionality I need and licences me to use it on more than 1 device.

    • Paul Ducklin · 80 days ago

      Not sure what OS you have but everything you want to do is available for free in Linux, and is included in OS X, which is included if you buy a Mac.

      I'm surprised you're insisting on a certified product to replace TrueCrypt, which wasn't certified. You might find some alternatives if you relax that requirement.

      • Sad about the demise of TC · 80 days ago

        Unfortunately, I am strictly MS Windows 7 Pro and 8 Pro. Even if I relax that requirement, I am still struggling to find any. Can you list some examples I could play with!!!!

        • Windows 8.1 Pro and Enterprise both include BitLocker which can be used for system and removable drives. Unfortunately in Windows 7 you need either Ultimate or Enterprise. There is a TrueCrypt derivative called DiskCrypt, but I cannot vouch for it.

    • jimcsecurity · 80 days ago

      I totally agree. I am also sad to see the demise of TrueCrypt. For me it does everything that I want it to, yet it is a simple-to-use and simple-to-manage program. TrueCrypt is no less secure than it was when the 7.1a version was made available.

      Like you I will continue to use it until another alternative is found. I believe that I am at limited risk since I am using its file containers functionality on Windows 8.1 64 bit. In addition I have EMET 4.1 Update 1 injected into the TrueCrypt.exe process (since it never supported DEP or ASLR) and I use a standard user Windows account (i.e. not an admin account).

      Please do not misunderstand me, I am not saying TrueCrypt is not without fault (or that we can be totally sure that it is secure), but we should await the final results of the audits before we declare with certainty that it is insecure. I am also aware that TrueCrypt had a dubious background since it was developed by anonymous authors.

      The first stage of the audit found no critical flaws (only medium and low importance flaws). I would be more than happy to switch to a supported new alternative that offers the simple functionality that I seek.

      • jimcsecurity · 80 days ago

        Apologies for the poor spellings of TrueCrypt in the above post.

  6. VL-S · 80 days ago

    What comment can you make about SOPHOS Free Encryption?

    • Paul Ducklin · 79 days ago

      Errrrrrr....I'm sorry to have to say that we discontinued it a year or so ago. Not quite as abruptly and mysteriously as TrueCrypt was discontinued, I hasten to add :-)

      So you won't find it on our Free Tools page any more, but the download is still available if you are keen. (It is easy enough to find, but watch out for all the unofficial sites out there that have copies they claim to be "mirroring" - only get it from a sophos.com server.)

      PS. It doesn't do full disk encryption. It was only ever intended as a simple and easy-to-use tool to create securely encrypted archives, e.g. of directory trees. It uses DEFLATE to compress the files, ZIP-style, into an archive, and AES to encrypt them with a symmetric key. That's it.

  7. I would not be surprised if TrueCrypt has effectively been shut down by the NSA types precisely because it *is too hard to crack*. I think it is the only encryption system with built-in plausible deniability - you can, if forced, hand over the password for the outer container and the govt will never know that there is another container inside it.

    Perhaps the NSA would prefer everyone migrate to other (compromised) privacy solutions, and have applied pressure of the kind we don't want to know about to the developers of TrueCrypt to make them put out that warning.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.