There is really no getting around the fact that staying secure on the Internet is hard, if not impossible, to achieve. Yes, users can do more to keep themselves safe by adopting good security practices. They can choose strong passwords that they don’t reuse for different sites. They can avoid disclosing personal details online and, if they are particularly security conscious, can encrypt the contents of their hard disks. Ultimately, however, users have to rely on the software they are using to be secure, especially security software. If this isn’t the case, then no end of good habits will prevent others from secretly siphoning information they can later exploit.
The problem here is that the past year has shown that it is simply not possible to explicitly trust the major software companies who have been forced into providing US security services with access to their customers’ information. After the revelations about the NSA, people started looking for what they believed to be reliable approaches to keeping their data secure. This has never been a particularly easy task because security is actually hard to do properly and especially hard to do in a way that is actually easy to use.
One such product that seemed to fit the bill however, was open source software called TrueCrypt.
TrueCrypt allows a user to create encrypted disks that can hold files that you want to protect. It was especially good for protecting information stored on cloud storage services like Dropbox or Google Drive. It even had high profile advocates like Edward Snowden who had recommended its use. Security analyst Bruce Schneier also recommended its use even though he had some concerns about particular aspects of the product. To him, any lingering doubts about TrueCrypt paled into insignificance compared to the risk of trusting “large US corporations”.
To further bolster people’s faith in TrueCrypt, two researchers, Matthew Green and Kenneth White, raised money through an IndieGoGo campaign to conduct a security audit on TrueCrypt to try and resolve whether there were any hidden issues. That audit had recently completed a first phase and hadn’t uncovered any problems in the software code.
But it seems that faith in even this product was misplaced. In an announcement that has greatly surprised the security world, the developers behind TrueCrypt declared that the product could no longer be trusted.
The unknown developers of TrueCrypt have recommended that people not continue to use the product and to rely on the encryption functionality built into Windows and Mac OS instead.
Nobody is quite sure why the developers have decided to shut the project down. It is possible that they knew it was compromised and understood that this would be revealed eventually through the audit. Or it could have been that they were simply not interested in maintaining the product any further and called it a day. There are large numbers of open source projects that are essentially abandoned and so this latter explanation wouldn’t be unreasonable. The problem, however, is that the way that the project was shut down suggests a very hasty decision rather than something that was planned.
For those who were using TrueCrypt, the only real alternative is to now switch to using the encryption abilities of their computer operating system software as detailed on the TrueCrypt site. This incident serves as a further reminder that there is no perfect solution to computer security and what approach you take to security involves deciding who you are trying to protect your information from.
If it is the most common case that the concern is with cyber-criminals, then using Microsoft or Apple’s provided security is probably a good idea. If you are trying to protect yourself from spying by your own or other government agencies, then the truth is that using these products may not help very much in the end.
David Glance is Director of Innovation, Faculty of Arts, Director of Centre for Software Practice at University of Western Australia. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.