Friday, May 30, 2014

What the termination of TrueCrypt Development means

So, a lot of hype has been going on the past few days about the "mysterious" circumstances which led to the termination of TrueCrypt development.

Since I truly believe that most of it is just hype (and a lot of it), I decided to put in my two cents towards explaining what all of this means (and why it possibly happened).

TrueCrypt is Open Source

TrueCrypt is (or was) one of the most used Open Source projects out there. Throughout the years it has been one of the go-to tools for any security-conscious person wanting to encrypt either parts of or their whole file system.

Let's not forget though what Open Source entails; you have several developers working on their own time, without compensation (and in the case of the TrueCrypt anonymous developers, without even recognition) to deliver a working, reliable tool. In cases where the usage of the tool is as widespread as TrueCrypt's, the weight on the developers' shoulders is, to say the least, very very heavy. Additionally, testing is again done on a personal-time basis, by members of the community. Some are more savvy than others, which can always lead to bug reports that are difficult to even understand, let alone lead a developer to produce a fix (anyone that has worked professionally on a development project knows how difficult the whole DLC process is).

Let's also not forget that the project started 10 years ago. The person(s) that started and followed through on this effort are more or less in a very different position in life than when this all started. Family, work and a plethora of other reasons make it increasingly difficult for anyone to dedicate their precious time towards such an endeavor (especially when the only thing they get back is moral compensation).

So, what could the termination mean really?

I think that more or less the developers have lost interest. In this page, TC developer "David" clearly states this. The intended target for TC was Windows. Now that Microsoft has terminated support for Windows XP, the project would need to move on to (better) handle the newer OS versions. GPT is a very different beast than FAT or NTFS. It would be necessary, though, to build this into TC (if it was going to grow the way the OS industry is growing and follow the technological trends).

Also, as the communication states, it was not a matter of the findings of the initial TC audit. Sure, no developer likes being told that their code is not of the highest quality, but considering that this is not a commercial product and the span of the development time, I can clearly see how quality might get hurt. Of course, developers with the skills to produce such a product would more likely welcome constructive criticism rather than frown upon it. They remained (for various reasons) anonymous throughout the years, so they were not doing it for the glory or the recognition (so I can't see their egos getting hurt by such statements). Statements like these hurt less experienced devs rather than seasoned ones.

Is TrueCrypt Insecure?

Now, on their SourceForge page, they state:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

I've been reading a lot that this "could mean that the NSA has a back door" and other idiotic statements like this. What I have to say about the state of security of the product is:
  1. People have been using it without issues for years.
  2. No one has been successful in compromising its security (and they have tried). This is mostly because the crypto used behind the project is sound and well implemented.
  3. An audit is ongoing, so we will have definite results in the next months.

The statement clearly says that it is not secure as it "may contain unfixed security issues"; translation? IF A SECURITY ISSUE IS FOUND, IT WILL NOT BE PATCHED.

Until this happens, there is no reason whatsoever not to continue using it.

Concluding, this is a wake-up call about the state of Open Source. We need (as a community) to figure out a way to help these developers make it worthwhile. A good step is the Linux Foundation's Open Source Initiative, which will allow for monetary support of these projects. This needs, however, to be sustained (and not a one-time thing based on what happened with OpenSSL and now TrueCrypt).

Personally, I use and will continue to use TC. It is a solid product, and I have found no compelling reason to try to find an alternative. Until one is created (and its value and security proven), this is what I will be using.
