Open-source encryption program TrueCrypt appears to have been compromised, with a strange website update warning users that the product is no longer secure and distributing a new version of the software that some analysts called suspicious.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” an update posted on the encryption suite’s site said, followed by instructions to help users migrate data encrypted by TrueCrypt to BitLocker, the full-disk encryption feature bundled with the business editions of current Windows releases (Pro, Enterprise and, on Windows 7, Ultimate), though not with the Home editions.
The statement tied the shutdown to Microsoft’s end of support for Windows XP in April 2014, although it did not explain how that event created security problems in the TrueCrypt program itself.
“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP,” the message on the program’s homepage at sourceforge.net read. “You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The TrueCrypt site is now offering downloads of a new version of the software, 7.2, but journalists have noted irregularities in its source code.
British IT news site The Register reported:
“A binary TrueCrypt 7.2 installer for Windows, downloaded from the TrueCrypt SourceForge site, contained the same text found on the rewritten homepage – confirming the download has also been fiddled with amid today’s website switcheroo.”
The story also linked to “an eyebrow-raising list of changes” between the source code of version 7.2 and the previous release, 7.1a.
The new software did not appear to contain malware, however. Users who experimented with it reported that the program only displayed a warning not to use TrueCrypt and refused to encrypt data; it would decrypt existing volumes and nothing more.
Still, security researcher Jonathan Zdziarski warned against using the new version, or the old ones, for that matter.
Zdziarski wrote on Twitter:
“If TrueCrypt.org is compromised, it’s likely been compromised a good while. I wouldn’t trust any recent downloads of the software.”
TrueCrypt statement and software still unconfirmed
The authenticity of the statement on the TrueCrypt site, as well as of the new software, has not yet been confirmed, and the developers of the encryption suite have yet to come forward with more detail about the change.
Kenn White, of the crowdfunded project that has been auditing TrueCrypt’s code, said that the audit project had no new information on the shutdown.
“No one on the TC audit project has anything to do with its development or the TC site,” he tweeted. “We will share any credible updates with the community.”
White added that the audit project had contacted the TrueCrypt development team and was waiting for a response. The audit team, tweeting under the handle @OpenCryptoAudit, also said it would make an announcement Thursday on its work and the future of the audit.
Public reaction largely of disbelief
The Internet community, meanwhile, quickly expressed incredulity at the announcement, with Reddit users saying it “just reeks of fishiness” and that the “wording and vagueness” of the statement raised red flags.
Speculation in the Reddit thread on the reasons for the shutdown ranged from a simple hack to conspiracy theories that the developers had been served with a subpoena by the US government to enable a back door in the program.
Lavabit, a security-minded email provider that was a favorite of former intelligence contractor Edward Snowden, shut down abruptly in a similar manner last August, citing US government demands for information about its clients.
Until more detail emerges about the nature of and reasons for the shutdown, however, the rumors and speculation will remain just that.