Thursday, May 29, 2014

TrueCrypt's demise

As of the time of writing TrueCrypt is pretty much gone. The two most likely scenarios explaining what happened are that the developers just gave up and decided not only to abandon their project, but that they adopted a full scorched earth strategy, and give the world a big finger. The alternative explanation is that the TrueCrypt Foundation suffered a full and complete systems compromise.

But it really doesn't matter. It is really irrelevant whatever the root cause may turn out to be.

Because of their lack of communication, and their apparent disregard for the sense of dismay voiced by the infosec community, the TrueCrypt Foundation is no longer trustworthy (assuming it ever was). Consequently, it means that their product also cannot be trusted.

Is it really that black and white? Yes: when it comes to crypto, it is. Cryptography is based on absolute trust. Even the smallest crack in that trust foundation is enough to discard a product.

Assuming that the open source audit comes back clear, it will just provide us with an audit of a snapshot in time; any development taking place after that point (if any) would only be able to slowly regain and rebuild some level of trust if it was done fully in the open, by people who are recognizable and who have a good reputation.

This episode is a great reminder of the fact that monocultures are ridiculously dangerous for availability assurance. To the best of my knowledge, there is NO robust alternative for TrueCrypt's ability to function across platforms. Sure; all major OS'es have their own crypto product. But, as good as they are, they are specific for the platform on which they were built.

My use case is that I want to be able to mount a volume (read-only and/or read-write) across platforms. My typical use of TrueCrypt was having the encrypted volume sit on Dropbox and accessing it from all of my devices. Semi-sensitive documents were kept there. Now I have to find another way of doing it.

For enterprise planning, it really shows the need for reliable backups. Make sure you keep original installation media for software, in a particular version, and do not assume that you can just download it again when you need it. Yesterday's events show, once more, that to not be the case.

Update: It looks like the TrueCrypt developers threw the towel into the ring themselves. More info at https://www.grc.com/misc/truecrypt/truecrypt.htm

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.