In a surprising and unexpected move, the Open Source encryption software, TrueCrypt, has been retired. Citing unfixed security issues on the TrueCrypt SourceForge web site, a new, standing page has replaced the old one only to help migrate existing data encrypted by TrueCrypt.
The main page now provides steps on how to enable and use BitLocker for a Windows-based system on encrypted and virtual disk images, but also provides a link to further instructions for "other platforms" which includes Mac OS X and Linux.
The TrueCrypt download is still available, but has modified in such a way as to only allow data to be migrated off of TrueCrypt and no longer offers the ability to encrypt data.
The SourceForge site seems to state that development has ended due to the retirement of Windows XP and that encryption built into newer versions of Windows are more secure. And, that really will continue to be the case since development has ended suddenly.
The web page ends with this warning: Using TrueCrypt is not secure
James Lyne, at Forbes, suggests that this might be a hoax and that possibly the web site was taken over by hackers. He also takes it a step further by recommending that the available bits should not be downloaded until clarity of motives, changes, and back out strategy is better communicated. Citing Jake Williams, SANS Instructor and Principle at Rendition InfoSec, Lyne seems to believe that TrueCrypt was the product of a government.
Lyne works for Sophos and spent some time digging into the source code from the new download and a cursory review showed that the bits seem legit with no obvious backdoors or attached malware. He also makes a good observation that BitLocker is only available only for Ultimate or Enterprise in Windows 7 and Pro or Enterprise in Windows 8. So, those without these Windows versions would need to look for alternatives.
This is not the first trouble with Open Source software. Most recently, a massive bug in OpenSSL called Heartbleed exploded across the netwaves, affecting almost two-thirds of all web sites. The flaw, induced by accident by an Open Source developer with fat fingers, is still causing issues for unpatched servers and products today. Heartbleed, along with today's TrueCrypt strange occurrence, highlights potential dangers of using Open Source software. Many believe that only software with corporate backing and financial responsibility can endure because Open Source software doesn't have actual customers in the true sense and no exact avenue for customer feedback and complaint. Open Source software, in many respects, is like a Mom and Pop Shop that can just close the doors if things get too tough or there's no interest in keeping the doors open any longer. In most cases the software is free to use which is probably its biggest appeal, but also emboldens the old phrase: "you get what you pay for."
Still, it is probably prudent to wait for a bigger communication. If the site was simply hacked there's no telling what dangers lie in the downloadable.
