Of TrueCrypt and Warrant Canaries

No concrete reason for the TrueCrypt shutdown has emerged, giving way instead to speculation that perhaps the developers’ abrupt decision is a warrant canary.

Apple’s first transparency report, released last November, was one of many published by technology companies after the Snowden leaks began, as they tried to distance themselves from the tentacles of NSA surveillance.

Apple’s report, however, contained two sentences that made it stand out from the rest: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

Many interpreted that declaration as a warrant canary, a tactic by which one party can unobtrusively signal that it has not yet received, in this case, a secret court order or National Security Letter requesting access to user data belonging to a suspected terrorist. The subtle power of the warrant canary is that if no such declaration appears in Apple’s next transparency report, one can assume it did receive an NSL request, even though Apple is not permitted to publicly say so.

Fast forward to yesterday, when TrueCrypt’s anonymous developers apparently shut their doors, declaring that the open source encryption software was “not secure as it may contain unfixed security issues.” TrueCrypt.org was redirecting visitors to the TrueCrypt page on SourceForge, where the notice was posted alongside the news that development on the project had stopped, together with directions for users to migrate to Microsoft’s BitLocker drive encryption product.

Was all of this a form of a warrant canary?

Not a peep has been heard from the mysterious TrueCrypt developers, despite the efforts of the organizers of the Open Crypto Audit Project (OCAP), who spearheaded a grass-roots effort to have the code audited. TrueCrypt has been downloaded upwards of 30 million times, and experts said it would be a prime target for an intelligence agency to backdoor. OCAP this morning announced that a similar audit of OpenSSL would follow.

OCAP raised $70,000 and had completed the first phase of the TrueCrypt audit, which turned up nothing untoward in the TrueCrypt bootloader and Windows kernel driver. Phase two had not begun, but was to examine the implementation of encryption suites, random number generators and critical algorithms.

The abrupt shutdown yesterday initiated endless speculation about its reasons. Was TrueCrypt dangerously and irreversibly compromised? Had the website been hacked? Was the small development team discouraged and angered about the findings of the audit, which questioned the quality of the code, and just decided to call it quits rather than invest time in cleaning it up?

Or had they received a subpoena from a secret court demanding access to keys or the installation of surveillance software into its product, a request they could not acquiesce to, and decided to shut down development?

This scenario is what spelled the end for Lavabit, the encrypted email provider used by former NSA contractor Edward Snowden. Last week, Lavabit founder Ladar Levison wrote a first-person account in the Guardian of the company’s shutdown. Levison said the FBI came to his door with an order that he install snooping software on the Lavabit network.

“I had no choice but to consent to the installation of their device, which would hand the US government access to all of the messages – to and from all of my customers – as they travelled between their email accounts and other providers on the Internet,” Levison wrote. But that wasn’t the final straw. The FBI also said the court order required Lavabit’s private encryption keys be turned over. Levison said he stalled for 38 days and was served seven times with legal papers by the FBI for the keys. After a number of court appearances, it was clear, Levison said, that he had a decision to make.

“I had not devoted 10 years of my life to building Lavabit, only to become complicit in a plan which I felt would have involved the wholesale violation of my customers’ right to privacy,” he wrote. “Thus with no alternative, the decision was obvious: I had to shut my company down.”

Is that what happened to TrueCrypt? Maybe.

Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost on Wednesday that TrueCrypt 7.2 hosted on SourceForge was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years. The software was also modified, she said, displaying the same warning that was posted on SourceForge.

Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it, meaning that it likely was not spiked with a keylogger or other monitoring software connecting back to a third-party server.

In the meantime, experts remain befuddled as to the reason for the shutdown and the out-of-character recommendation to move to Microsoft’s proprietary BitLocker software. Did the anonymous developers just throw their hands up and abandon TrueCrypt once and for all? Did the impending crypto audit spook them? Are we all being had by an elaborate hoax? Or was there a secret court order delivered to TrueCrypt demanding access to the software?

For now, the only answer to any of those questions is: Maybe.