The abrupt discontinuation of the disk and file encryption freeware TrueCrypt by its secretive software developers has left many security experts stunned, some of whom say there now are no viable alternatives left in non-commercial encryption software.
Their identities never revealed since they released the first version of TrueCrypt in 2004, the mysterious software developers behind TrueCrypt this week suddenly pulled the plug on it by posting their terse message in the form of a warning that said "Using TrueCrypt is not secure as it may contain unfixed security issues." TrueCrypt's unexpected end-of-life announcement even urged users to migrate to Windows BitLocker. It all left security experts stunned.
"Just yesterday, we have one of the most bizarre announcements in the history of Open Source," blogged Steve Pate, chief architect at HyTrust about the strange end-of-life announcement of TrueCrypt, which runs on Windows, Mac OS/X and Linux. Pate noted TrueCrypt was developed by an unknown group of software engineers and "attempts to contact them typically results in no response." He mulled whether TrueCrypt's strange farewell simply means "perhaps a group of part-timers just decided to call it a day and end with a cruel twist? Hopefully time will tell what really happened."
+ More on Network World: Encryption canary or insecure app? TrueCry6pt warning says use Microsoft's BitLocker +
Millions have downloaded TrueCrypt over the years, and to date no substantial security issues were publicly identified with it.
Tom Ritter, principal security engineer at iSec Partners, says his firm looked at components of TrueCrypt and found "no evidence of backdoors." There were a few flaws, "not major ones," he says, just the kind of "accidental" errors you find in software projects. While TrueCrypt isn't used widely in the enterprise, it is in the "non-enterprise community," he points out.
Ritter says he's not aware of any viable free or opens-source alternative to TrueCrypt. "Most of the full-disk encryption packages out there you have to pay for," he says.
Bruce Schneier, a crypto expert who this week told The Register he used TrueCrypt but is switching to Symantec OpenPGP, suggested that the puzzling tale of TrueCrypt may not yet be over.
There's widespread curiosity about what happened with TrueCrypt, Schneier noted in his blog, and "speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait and see what develops."
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: [email protected]
Read more about wide area network in Network World's Wide Area Network section.