What Happened to TrueCrypt, and Why You Should Care

What is TrueCrypt and what happened to it? TrueCrypt is, or was, a data encryption program. You could use it to encrypt a group of files, a partition of a hard drive, or an entire hard drive. It also worked on flash drives, so anyone carrying around sensitive data found TrueCrypt extremely useful.

It had a solid gold reputation — nobody has succeeded in cracking it, it could encrypt unlimited amounts of data, and a recent analysis of the code showed that there were no “back doors” that hackers (or the NSA) could use to break it. There was even a way to make the encrypted volume invisible for what the TrueCrypt manual calls “Plausible Deniability” — that is, the ability to plausibly deny that you even have encrypted data, even if someone has access to your hard drive (clearly they were envisioning darker scenarios than most of us ever encounter…).

So what’s the issue and what happened to it? Well, first of all it was built and maintained by an anonymous group known only as the TrueCrypt Team. Second, it was free and the company had no obvious source of revenue. The TrueCrypt Team did not use it as a sales tool to attract paying customers for security consulting, which would have been the most obvious way to monetize it.

But there are a lot of weird people in software, and every test of the software said it was exactly what it claimed to be. So many well-known industry gurus used it and swore by it (including Edward Snowden, apparently). What’s more, there was nothing else that did encryption quite as well for free.

There are currently two encryption applications that come close. One (DiskCryptor) is free but only encrypts an entire drive partition, so you have to know how to create a partition to use it. The other (Cypherix) is free for a version that encrypts very limited amounts of data; paid versions encrypt more.

Then on May 28 of this year, an announcement appeared on the TrueCrypt site saying that development of TrueCrypt had ended and that users should be aware that TrueCrypt may not be secure “as it may contain unfixed security issues.” They released a final version of the program that only decrypted previously-encrypted volumes but could not be used to encrypt any new volumes.

To date, no explanation for TrueCrypt’s sudden demise has been put forth by anyone, although there is no shortage of theories. Many (myself included) continue to use the application, using previously-downloaded copies, which still work as they always did and still have not been cracked. There are some rumors that a software group will pick up the pieces and continue development, possibly under a new name.

Well, OK, this is interesting and intriguing, but what does it have to do with the majority of computer users who never use an encryption application? Quite a bit, as it turns out. While the loss of this application will not affect many, the implications of the sudden disappearance of a widely-used and trusted utility should give many of us pause. For example:

  1. Your website resides on a hosting service. Do you have a plan of action if that hosting service goes belly-up tomorrow? Do you have a backup copy of your website that you could upload to a new hosting service? Do you know what hosting service you would choose?
  2. You may have industry-specific software that maintains records vital to your business (medical or accounting records, for example). If the company behind that software disappears tomorrow, what are your options?
  3. Do you keep data in the cloud? How valuable is that data? What would happen to that data if the vendor you are using went bust or had a system failure? The vendor probably maintains backups, but how much can you trust their backups and how long would it take to get your hands on your backed-up data?
  4. In this world of cloud computing, we can find ourselves dependent upon a wide variety of companies that we have little or no information about. If these companies are providing services that are critical to the operation of our business, shouldn’t we know something about their financial status and their stability?

TrueCrypt may rise again. But whether it does or not, its misadventures have raised some important issues that many of us need to think about. Even if everyone (including industry gurus) takes some application or service for granted, you should at least think about your use of it and, quietly repeating the words “Remember TrueCrypt,” consider what you would do if it suddenly disappeared.

Which social media services should you consider for your business?

Businesses are under a lot of pressure now to move into social media. There’s so much talk about it that it’s very easy to feel like you are being left behind unless you jump in quickly.

But before you do, stop and think about which social media services would work best for your company. They aren’t all the same (even though they all get lumped into that “social media” category), and the nature of your business, not to mention your own skills and preferences, dictate which would work best for you and which you should steer clear of.

So let’s first characterize your business: B-to-B or B-to-C? Visual (for example interior design, painting, car detailing) or not visual (for example car repair, financial services, CPA)? Retail products or services?

Next, let’s go through the various social media and see which work best with which types of business:

First let’s consider blogs. There’s some question whether a blog is really social media, but most are interactive (that is, users can add comments) and they are very effective for virtually all kinds of businesses. They have multiple advantages:

1. They change, so your readers always have something new to review
2. Done correctly, they point back to your website, so they add links to your search engine listings
3. They keep you thinking about your business, which means you serve your clients better

I encourage all my clients to commit to a blog. But that, of course, is the hangup: commitment. My advice is not to start a blog if you aren’t willing to commit to continuing it. The rest of my advice, however, is to commit to it and do it. You will find you get into the rhythm of it fairly quickly, and after a while you will be turning them out like pancakes.

Now on to the more traditional social media. I will go into more detail about each of these in future blogs, but here is the abbreviated rundown:

Facebook

Pros: Best for B-to-C businesses, supports business pages, huge audience
Cons: Has a lot of security gotchas, needs a lot of TLC to be effective and safe

LinkedIn

Pros: Best for B-to-B businesses, large audience, very professional, few security issues, excellent discussion groups
Cons: Requires a fair amount of participation to be useful

Google+

Pros: Best for B-to-C businesses, growing fairly rapidly, similar to Facebook in function
Cons: Audience is growing but is nowhere near Facebook’s yet; requires TLC just like Facebook

Pinterest

Pros: Best for B-to-C, very visual focus so best for visual businesses
Cons: Uncertain future; still in its infancy but growing rapidly; requires TLC

The rest

Beyond these, there are a variety of special-interest sites that are worth watching and considering. For example, if you are in an industry that has anything to do with housing, Houzz is well worth exploring. It’s similar to Pinterest but restricted to housing issues, very visual, and like most social media, requires a lot of TLC.

Using an external DNS

Yeah, I know. This sounds techie right from the title. But it won’t be, I promise.

Very simply, DNS (Domain Name Service) is a translator. Let’s look at an example to illustrate what is being translated.

If you wanted to go to the New York Times website, you would normally type http://www.nytimes.com. This works fine for you because, as a human you prefer alphanumeric characters. They are easier to remember and easier to associate with the site you want to visit.

The Internet, however, prefers numbers. To the Internet, the New York Times website looks like this: http://170.149.168.130. The number 170.149.168.130 is called the IP address of the Times website (in case you collect useless trivia to have available when conversation at your next party lags, IP stands for Internet Protocol).

The DNS server simply translates the www.nytimes.com that you typed into your browser to 170.149.168.130 so the Internet can use it to find the Times website for you.

This is all well and good, but so what? Here is so what:

It turns out the server that handles the DNS translation has a big effect on your Internet experience. For example, a slow DNS server can slow the time it takes for each website to appear in your browser. This is because the website you are trying to see won’t send you a copy until it gets your request, and every request must go through the DNS. If the DNS is overloaded, your website will take longer to load.

And the DNS is often overloaded. That’s because your ISP, where your DNS usually resides, has little incentive to speed it up. It’s an invisible part of the web-surfing process and users have no way to tell if the delay they are experiencing occurs at the DNS, at the website itself, or anyplace in between.

The easy solution to this is to use an external DNS. While it’s not widely publicized outside of corporate IT circles, there are several external DNS services that do a much better job at delivering your website quickly.

The external DNS services provide another benefit: They use a blacklist that flags sites known to contain malware (viruses, etc.) and prevents those sites from loading if you request one. While some ISP DNSs do this also, the external DNS services do a considerably better job.

Best of all, at least for individual users, these services are free.

There are a number of these services available, including one from Google. But the one that is most attuned to individual users with limited technical experience is OpenDNS (http://www.opendns.com). They lead you through the process of using OpenDNS instead of your ISP’s DNS.

Give it a try. Odds are websites will pop up faster using an external DNS. And yes, you can go back to your ISP’s DNS if for any reason you don’t like or don’t feel comfortable with the external DNS.
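As an added illustration of the translation step described above (example code written for this post, not from the original and not OpenDNS’s own software): it builds the DNS question for www.nytimes.com in the wire format a resolver expects, parses the reply back into the IP address quoted above, and includes a helper that sends the same question to any resolver address you pass in and reports how long the answer took, so you can compare your ISP’s resolver against an external one. The sample reply is constructed by hand rather than captured from a real server, and the resolver address given to resolve_timed is something you supply.

```python
import socket
import struct
import time

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record (RFC 1035 header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past a domain name; a 2-byte pointer (0xC0..) ends it."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes, txid: int = 0x1234) -> list:
    """Extract dotted-quad A answers; reject replies whose ID does not match."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x8000 == 0:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                      # step over the question section
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record: four-byte IPv4 address
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

# Constructed sample reply (not captured from a real server): it answers
# www.nytimes.com -> 170.149.168.130, the address quoted in the post.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("www.nytimes.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([170, 149, 168, 130]))

def resolve_timed(name: str, resolver_ip: str, timeout: float = 2.0):
    """Send the query over UDP/53 to resolver_ip; return (answers, milliseconds)."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, txid), (time.perf_counter() - start) * 1000
```

Run resolve_timed twice with the same name, once against your ISP’s resolver address and once against an external one, and the second number in each result is the translation delay the post is talking about.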