What’s with the TrueCrypt warning?

TrueCrypt, the free open source full disk encryption program favoured by many security-savvy people, including apparently Edward Snowden, is no more. Its website now redirects to its SourceForge page which starts with this message:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

This statement is so full of problems it is difficult to know where to start.

Is it a canary?
Canaries are warnings by a different method (if a canary died in a mine, the likelihood was that poison gas, otherwise yet undetected, was present). So one suggestion is that this message indicates government interference, and like Levison and Lavabit, it has been shut down to protect the users. (Levison said, “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”) Some have gone so far as to suggest a more explicit warning in TrueCrypt’s first paragraph: “not secure as”.

Microsoft’s BitLocker disk encryption

But for me the strongest suggestion that this might be a canary warning is the recommendation for Microsoft’s BitLocker. The message says “You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.” It then proceeds to give a step-by-step how-to for migrating to BitLocker.

My problem is two-fold. Firstly, I find it difficult to believe that the developers of open-source cryptography would voluntarily recommend placing faith in a closed-source solution — and one from Microsoft to boot. Secondly, BitLocker gives up the ground won with such difficulty during the First Crypto Wars against Clinton’s Clipper chip and key escrow demands — BitLocker escrows the keys either with the IT department or with Microsoft’s cloud services. From both locations, using the PATRIOT Act, government agencies can retrieve those keys effectively on demand. This recommendation doesn’t make sense from a purely ‘security’ viewpoint.

Against this, however, we should note that ‘David’ (apparently a or the TrueCrypt developer) has told @stevebarnhart that there has been no government contact except one time inquiring about a ‘support contract’; that “BitLocker is ‘good enough’ and Windows was original ‘goal of the project’;” and that “There is no longer interest.” But whether ‘David’ is who he says he is, or whether what he says is true is anyone’s guess.

I find myself conflicted. This time my heart says, don’t think conspiracy; but my head says, this isn’t right.

What next?
For whatever reason, TrueCrypt can no longer be trusted. If we take David at face value, he has simply lost interest in the project and bowed out in a most unsatisfactory manner. That would imply that you can carry on using TrueCrypt; but that like XP, any future issues will not be resolved. So it’s probably best not to wait for them.

But if you were savvy enough to install TrueCrypt you will be savvy enough to migrate to an alternative without being persuaded into using BitLocker. BitLocker works with the Trusted Platform Module (TPM), a motherboard chip that to my mind turns Windows 8 into an NSA trojan. (See Is Windows 8 an NSA trojan?) This latest development merely reinforces my opinion.

It would be tempting to say it is time to migrate away from Windows altogether — perhaps to Linux. The reality, however, is that nothing is secure. What can be made by software can be unmade by software; that which can be built by computer power can be demolished by computer power. The unmakers have a thousand times the resources of the makers.

The solution is political, not technological. We the people have to reassert our role over the politicians. They are our servants. We pay them to do our bidding. And we have to make it absolutely clear that government interference and surveillance is unacceptable and must stop.