Last Wednesday the SourceForge page for popular open-source disk encryption software TrueCrypt started recommending the use of BitLocker on Windows instead. Visitors were told that the application was "not secure" anymore. Of course, social networks exploded with speculation, with people claiming the page was hacked or that the government, using a National Security Letter, might be requesting "changes" on the software. The truth is much more mundane: a developer of TrueCrypt confirmed to Reuters that it had been shut down out of boredom. Security researcher Steve Gibson said that after 10 years of work, the developers simply got tired of the project.
People who have used TrueCrypt over the years are baffled by the sudden stop in development and claims of insecurity. No known security holes exist, but the folks behind the initiative feel since the project won't be updated anymore, it's better find an alternative. At this point, if a bug is found, it's safe to assume it will not be patched -- no matter how serious it is.
All of this went down in the midst of an independent audit to ferret out potential vulnerabilities in TrueCrypt. The good news is that the audit will continue unabated. And, if legal issues with the license can be sorted, a new team will take over development instead of creating a "fork," or a separate project based on the same core code. Unfortunately, the current license that TrueCrypt is distributed under forbids the creation of a commercially available fork. Matthew Green, a cryptography professor from Johns Hopkins University, is leading the effort to restart development on TrueCrypt. He doesn't want to commit to the creation of a new version just yet, though work should continue once (and if) the licensing issues are resolved.
If you're currently using TrueCrypt, you probably shouldn't panic. We're not exactly security experts, but its' probably safe to continue using it until some security issues are found. Though, you should probably start looking for a backup plan.
Filed under: Software
Source: Reuters
0 comments:
Post a Comment