What Happened to TrueCrypt, and Why You Should Care

What is TrueCrypt and what happened to it? TrueCrypt is, or was, a data encryption program. You could use it to create an encrypted file container (a "volume") for a group of files, or to encrypt a partition of a hard drive or an entire hard drive. It also worked on flash drives, so anyone carrying around sensitive data found TrueCrypt extremely useful.

It had a solid gold reputation: nobody had publicly demonstrated a way to break its encryption, it could encrypt volumes of any size, and a recent independent audit of the code found no evidence of "back doors" that hackers (or the NSA) could use to break it. There was even a way to make an encrypted volume invisible, what the TrueCrypt manual calls "Plausible Deniability": a hidden volume stored in the free space of an outer volume, so that you could plausibly deny having encrypted data even if someone had access to your hard drive (clearly they were envisioning darker scenarios than most of us ever encounter...).

So what's the issue and what happened to it? Well, first of all, it was built and maintained by an anonymous group known only as the TrueCrypt Team. Second, it was free and the project had no obvious source of revenue. The TrueCrypt Team did not use it as a sales tool to attract paying customers for security consulting, which would have been the most obvious way to monetize it.

But there are a lot of unusual people in software, and every published examination of the software found it to be exactly what it claimed to be. So many well-known industry gurus used it and swore by it (including Edward Snowden, apparently). What's more, there was nothing else that did encryption quite as well for free.

There are currently two encryption applications that come close. One (DiskCryptor) is free but only encrypts whole partitions or drives, so you have to know how to create a partition to use it. The other (Cypherix) is free in a version that encrypts only a very limited amount of data; the paid versions encrypt more.

Then on May 28 of this year (2014), an announcement appeared on the TrueCrypt site saying that development of TrueCrypt had ended and warning users that TrueCrypt may not be secure "as it may contain unfixed security issues." They released a final version of the program (7.2) that can only decrypt previously-encrypted volumes; it cannot be used to create or encrypt any new volumes.

To date, no explanation for TrueCrypt’s sudden demise has been put forth by anyone, although there is no shortage of theories. Many (myself included) continue to use the application, using previously-downloaded copies, which still work as they always did and still have not been cracked. There are some rumors that a software group will pick up the pieces and continue development, possibly under a new name.

Well, OK, this is interesting and intriguing, but what does it have to do with the majority of computer users who never use an encryption application? Quite a bit, as it turns out. While the loss of this application will not affect many, the implications of the sudden disappearance of a widely-used and trusted utility should give many of us pause. For example:

  1. Your website resides on a hosting service. Do you have a plan of action if that hosting service goes belly-up tomorrow? Do you have a backup copy of your website that you could upload to a new hosting service? Do you know what hosting service you would choose?
  2. You may have industry-specific software that maintains records vital to your business (medical or accounting records, for example). If the company behind that software disappears tomorrow, what are your options?
  3. Do you keep data in the cloud? How valuable is that data? What would happen to that data if the vendor you are using went bust or had a system failure? The vendor probably maintains backups, but how much can you trust their backups and how long would it take to get your hands on your backed-up data?
  4. In this world of cloud computing, we can find ourselves dependent upon a wide variety of companies that we have little or no information about. If these companies are providing services that are critical to the operation of our business, shouldn’t we know something about their financial status and their stability?

TrueCrypt may rise again. But whether it does or not, its misadventures have raised some important issues that many of us need to think about. Even if everyone (including industry gurus) takes some application or service for granted, you should at least think about your use of it and, quietly repeating the words "Remember TrueCrypt," consider what you would do if it suddenly disappeared.

New website!

If you are reading this I don't really have to tell you this is a new website, since you are reading it on the new website. But just in case you are super-focused on the text and missed the website around it, or you perhaps never saw the old website, I am hereby announcing that this is my new website.

It took much longer than anticipated, but that was partly because my clients’ websites always came first. It was also because I built one new site about a year ago and didn’t like it, so it never went live. After I gave up on that one, I started searching for a new design. And while I was at it, I also searched for a new structure. Yes, I’d better explain that, hadn’t I?

The original website, as well as the first replacement candidate, was built using classic HTML (isn’t it amazing that something related to the World Wide Web – which is only about 24 years old – can be considered “classic?”). But classic HTML has a problem: To build or edit an HTML site, you either have to have an expensive authoring tool like Adobe Dreamweaver, or you have to be proficient in HTML and CSS. Most of my clients would like to be able to edit their sites without investing a lot of money into an authoring tool, or a lot of time learning HTML/CSS.

Thinking I could solve two problems at once, I decided to build my new website in a Content Management System (CMS), so that I could learn to build sites in a system that my clients could use to edit their sites. The challenge was to find a CMS that would be good enough to warrant investing a fair amount of my time into learning it.

I spent a lot of time exploring various CMSs. I bought at least two of them and tried several more. To meet my criteria, the CMS had to:

  1. Be easy to use for a non-technical person.
  2. Be reasonably easy to modify by a technical person (me).
  3. Have a broad following, so I wouldn’t end up hitching my future to a dying program.
  4. Be inexpensive.

The only one of the CMSs I tried that met my criteria was WordPress. Joomla! (yes, the exclamation point is part of the name) came close but just doesn’t have the following that WordPress does, and I found I liked the WordPress interface better. Let’s check WordPress against the criteria above:

  1. The user interface in WordPress resembles the UI in Microsoft Word. ‘Nuff said.
  2. Word on the “street” was that WordPress was reasonably easy to work on, but at the time I was making this decision I didn’t know enough to judge this personally, so I took the word of experts.
  3. WordPress has a very broad following and it’s getting broader.
  4. WordPress is open source, so it’s free.

Once I decided on WordPress and really started to dig into the nitty-gritty, I found some big sand-traps. WordPress relies on themes (known as templates outside the WordPress world) to define the look and feel of a website. But these themes are built by developers with a wide range of skills. Some are expertly crafted; others are junk and may break your website without warning. The challenge: how to tell the good from the lousy.

Let me try to define the size of this problem: Templatemonster.com lists 1,820 WordPress themes, and that’s just the tip of the iceberg. Every WordPress developer with a pulse has produced a theme, which he/she offers (often free) to the world.

When faced with a challenge like this, the place to go is to the people who’ve been there and gotten burned. So I started asking questions in some of the WordPress groups on LinkedIn. I got a variety of answers, but the one that kept coming up repeatedly was the Genesis Framework. At this point in my WordPress education, I didn’t even know what a framework was, much less the Genesis Framework. It sounded like the name of a 1980s biblical blockbuster (starring Richard Burton, presumably).

Let's see if I can explain succinctly what a framework is: A framework is a parent theme that serves as the base for a collection of related child themes. A child theme inherits all of the parent's templates and code and overrides only what it changes, so it piggy-backs onto the parent rather than copying it. By bringing together all the common code for a wide variety of child themes, StudioPress (the authors of Genesis) was able to refine the framework far beyond the state of refinement of most stand-alone themes. The result is a collection of excellent, robust themes, with good designs and excellent support.
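To make the parent/child relationship concrete, here is the generic WordPress child-theme mechanism, as an added example that is not from the original post and is not Genesis's own code (Genesis child themes wire themselves up slightly differently). The theme names "my-child" and "twentyfourteen" and the function name are assumptions for illustration. The practical payoff is that the parent theme can be updated (including for security fixes) without overwriting your customizations, which live only in the child.

```php
<?php
// functions.php of a hypothetical child theme in wp-content/themes/my-child/
//
// The companion style.css in the same directory must carry a header that
// names the parent theme's directory, for example:
//
//   Theme Name: My Child
//   Template:   twentyfourteen   (assumed parent theme directory name)
//
// With that header in place, WordPress loads the parent's template files
// and then applies this file and any templates the child overrides.

add_action( 'wp_enqueue_scripts', 'my_child_enqueue_styles' );

/**
 * Load the parent stylesheet first, then the child's own style.css.
 * Declaring 'parent-style' as a dependency of 'child-style' guarantees the
 * order, so rules in the child stylesheet win over the parent's.
 */
function my_child_enqueue_styles() {
    // get_template_directory_uri() always points at the PARENT theme.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css'
    );

    // get_stylesheet_uri() points at the CHILD theme's style.css.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_uri(),
        array( 'parent-style' )
    );
}
```

Anything you want to change in the parent's templates goes into a file of the same name inside the child directory; WordPress picks the child's copy first and falls back to the parent's for everything else, so a parent update never touches your edits.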

This sounded ideal, but since the Genesis Framework isn't free, I had to buy the framework and a child theme to actually try it out. I decided on the Streamline theme, partly because I liked it, but also because it was responsive (web-design speak for a layout that automatically adjusts to the smaller screens of mobile devices). The ability to adapt to mobile screens has become extremely important and will be even more important in the near future.

I started to build the site, but then, in one of those lucky accidents, a project came in that looked ideal for the Streamline theme. Since client projects supersede my website, I built that one first. It’s here: http://www.irwinengineers.com/.

Using the experience I gained with the Irwin Engineers website, I then completed the site you are now looking at. I like it, but of course I built it. If you have some criticisms, or even better, some suggestions, I’d be glad to read them.

The NSA and web privacy

Is privacy dead? It's sure felt that way recently, hasn't it? According to news reports based on leaked NSA documents, the agency can defeat much of the encryption that we all use daily without a thought. Every time you use a secure server, to log into your bank account, to pay a bill, to buy something online, you are using web encryption. And allegedly, the NSA can read much of it.

There are two questions here: (1) Do we care on a societal basis? And (2) Do we care on a personal basis?

In some ways the first question is easier. The answer is clearly Yes, because if the privacy we assume exists doesn’t exist, all sorts of societal rules go out the window. Any society depends on a certain amount of trust. Without privacy, much of that trust evaporates. So on that basis alone, it needs to be fixed.

The second question is a little harder. While the same trust issues exist, there is also the needle-in-the-haystack effect. That is, with millions of transactions occurring each hour on the Internet, why would the NSA dig out your transaction for attention? The short answer is, they probably won’t. The longer, more paranoid answer is, they might just stumble across your records and decide to investigate you on a strictly random basis. So I guess the answer to the second question is Yes also.

One of the newsletters I get is a very technical one for IT people. It doesn't really apply to web developers, but I enjoy reading it, partly because I like the guy who writes it and partly because it's interesting in a detached sort of way. But in the last issue, he asked the following rhetorical question: Why is the public media spending so much time and so many words on Syria and so little on the NSA? His theory, which I think may be correct, is that in 20 years Syria will be a few paragraphs in history books, but we may still be dealing with the web privacy issues.

The good news is that the NSA story has not gone unnoticed in the Internet encryption community. In fact, there are already several discussions going on about firming up the existing encryption techniques, and several encryption conferences in the near future will be looking at this. It will be interesting to see if they can work out methods to lock out the NSA.