Not long after news spread that TrueCrypt was shutting down, enough theories were circulating about what happened to fill an episode of the TV show 24.
To recap: The developers of the TrueCrypt open-source, on-the-fly encryption software announced Wednesday that they were ending development of the software. In a post online, the developers state the software "is not secure as it may contain unfixed security issues." In addition, they note that the development was ended after Microsoft ended its support of Windows XP, and that later versions of the operating system "offer integrated support for encrypted disks and virtual disk images."
The post urges users to migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on their respective platforms.
"The whole situation is very odd, but there are clues to what might be happening," says Mark Bower, vice president at Voltage Security. "The TrueCrypt development team is largely anonymous, and has unclear origins. On the one hand, TrueCrypt is a product that is supposed to be transparent about its security design, yet there have always been unclear aspects to its origins. On the other hand, it was about to be put through a thorough crowd-funded technical audit. Was there something to hide? Maybe so."
Last month, iSEC Partners released a code audit of TrueCrypt and found no backdoors or serious vulnerabilities in the portion of code it reviewed, which included the Windows kernel driver and bootloader.
Tom Ritter, principal security consultant at iSEC Partners, considers the end of TrueCrypt to be a loss to the open-source community.
"They've been working on it for I think over a decade," says Ritter. "That's a very long time to work on a project, so it might be they had other commitments come up in their lives and didn't want to let the project peter out, so to speak."
The first version of TrueCrypt was released in February 2004. Since its release, it has been downloaded approximately 30 million times. Even allowing for people who downloaded it multiple times over the years, that still leaves millions of users who are "now stuck with a new version of the software that will only decrypt and a recommendation to move to other encryption software," blogs Steve Pate, chief architect at HyTrust:
Well, we know for sure that AES is still a rock solid encryption algorithm and is widely used across the commercial space and nation states to protect their data. As for TrueCrypt, perhaps a group of part timers just decided to call it a day and end with a cruel twist? Hopefully time will tell what really happened.
What we do know is that TrueCrypt had been put through its paces. In 2013, the Open Crypto Audit Project was funded to ensure that TrueCrypt could be analyzed from a security perspective. The first set of results was released last month and showed that there was no evidence of any backdoors. A second review is still pending and we eagerly await the results of that, but now it may be moot. Whatever the real story is, TrueCrypt's reputation has likely been fatally injured. IT managers that have been relying on TrueCrypt will rightly be concerned about their organizations' data security and their own reputation, and will be seeking professional alternatives. Strange days.