Paranoia is a funny thing, especially when it comes to the sudden shutdown—maybe—of a popular encryption service. TrueCrypt's great unraveling—detailed in a SourceForge post—has produced a wealth of theories, given that its anonymous creators shuttered the service, then directed users to BitLocker, which is a Microsoft product. The question is: Are any true?
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," reads the SourceForge post. "This page exists only to help migrate existing data encrypted by TrueCrypt." The post continues:
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
It's worth noting that Edward Snowden publicly endorsed TrueCrypt's full-disk and virtual image encryption service, so it's reasonable to assume that this put the spotlight on TrueCrypt. The most likely scenario then, but one that cannot yet be corroborated with any certainty, is that the federal government came a-knocking—as it did for Lavabit, which was touted as Snowden's email service—on TrueCrypt's door. And TrueCrypt's creators, again, like Lavabit's Ladar Levison, simply shuttered the service instead of giving the NSA a backdoor.
This, of course, assumes that at least one of the creators resides in the United States. If one or more are US-based, they could be subject to a National Security Letter (NSL), the powerful and coercive legal instrument the US government used on Lavabit after Snowden publicly praised the service.
Snowden's endorsement of Truecrypt almost certainly put a target on those anonymous developers, 100x so if moonlighting Feds.
— Dan Kaminsky (@dakami) May 29, 2014
Other speculation centered on the possibility that TrueCrypt auditors spotted a vulnerability in an audit, preventing TrueCrypt from further development. But Matthew Green, a cryptography instructor at Johns Hopkins University, who successfully launched a crowdfunding campaign to audit TrueCrypt's code, tweeted that nothing odd showed up in the course of the ongoing audit.
I have no idea what's up with the Truecrypt site, or what 'security issues' they're talking about. @kennwhite
— Matthew Green (@matthew_d_green) May 28, 2014
“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green told Brian Krebs. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”
The point here is that Green, auditor of the TrueCrypt code, doesn't even know what's going on. Though Green remains hopeful that TrueCrypt can be resurrected, his theories on why it ended are speculative—that is, TrueCrypt's creators were frightened into submission by the audit. Green believes that the TrueCrypt team shut down the service, and did so in "their signature way," whatever that means.
On Hacker News, user UVB-76 theorized that TrueCrypt's recommendation to migrate over to Microsoft's BitLocker was so "patently absurd as to be a signal that the developers are under duress" from the US government. The user dsuth mused, "That's my take on it as well, even though it fails the Occam's razor test. This all sounds like a very understated way of saying 'we can no longer develop truecrypt with impunity, and the only other options are closed source, and highly likely to be compromised out of the gate.'"
Another theory is that TrueCrypt was the victim of a hacker hoax. Both Green and SourceForge found this explanation less than satisfactory. Green tweeted, "I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site."
SourceForge, posting on Hacker News, stated, "We see no indicator of account compromise; current usage is consistent with past usage," and "[o]ur recent SourceForge forced password change was triggered by infrastructure improvements not a compromise."
In the end, a note posted to the new TrueCrypt splash page suggests the project was ended because it wasn't needed anymore. "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," it states. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images." But if that's the case, why the dramatic shutdown notice in the first place?
In a world where we can never truly be certain if the government has accessed our various accounts, encrypted or otherwise, or if service providers like TrueCrypt are truly secure, then a paranoia is created where we doubt everything and suspect anything. This effect doesn't have to be the handiwork of government crypto-spooks, but it sure is a useful byproduct.
Most importantly, will TrueCrypt be back? Green and company plan to audit TrueCrypt, although they don't plan to fork it, which TrueCrypt's licensing terms don't allow for. The TrueCrypt team also reportedly considers the project to have run its course. But with all of the attention it's gotten, should the source code be released for outside development, there are surely developers willing to get it back up and running.