Anyway, TrueCrypt vanished in a puff of mystery just over two years ago when the developers abruptly pulled the plug on the project. It was the opening words that caused the excitement:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

For all we ever knew, the developers simply decided they’d had enough, or fell out with each other, or realised that if they had to do a full rewrite for the forthcoming Windows 10 they might never escape from the cryptocoding treadmill. Or perhaps they were forced to shut down by one or another intelligence agency who felt that the product was too strong? Or perhaps they were told they had to put in a deliberate vulnerability, called a backdoor, but refused. (For the record, Sophos is strongly and publicly against backdoors, too.)

Fast forward two years and a new project called VeraCrypt, another open source FDE toolkit, has arisen from the ashes of TrueCrypt. Indeed, at the start of August 2016, the VeraCrypt team announced that they were going to get their source code audited.

Open source encryption products pride themselves on being “inspectable by anyone,” precisely because they’re open source, but the problem is that very few people are properly qualified to do cryptographic audits. There used to be an adage in open source that “with many eyes, all bugs are shallow”, meaning that someone, somewhere, is bound to spot any problems sooner or later, because they’re in there somewhere… …but recent history tells us that’s a myth: some bugs are subtle, or complex, or specialised enough that they stay hidden for years. Worse still, security holes like backdoors aren’t bugs – they’re programmed in on purpose, so the coders often go to great lengths to hide them.

So, the audit was supposed to increase public trust in VeraCrypt. Just this week, however, the Open Source Technology Improvement Fund (OSTIF), which gives financial support to VeraCrypt, has released an announcement cloaked in almost as much mystery as the posting that terminated TrueCrypt in 2013:

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared. This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.