Over recent days there has been a lot of discussion about TrueCrypt, and whether it is a viable security technology. Amid the frenzy among security experts to figure out what is going on, the user community is left confused. It’s time to revisit some security basics…
What’s going on with TrueCrypt?
First there were announcements that TrueCrypt is insecure and all development has stopped.
“TrueCrypt is not secure” official SourceForge page abruptly warns http://t.co/fqxn32VxuE by @dangoodin001
— Ars Technica (@arstechnica) May 28, 2014
Then came the frenzy, with all sorts of theories as to what could be broken. What is more, there were suggestions that you should abandon it and use BitLocker (why BitLocker, and not any of the other good disk encryption products?).
STOP, go back to basics.
Revisit your threat analysis. Why are you using TrueCrypt?
I use it on my home computers because they have personal data on them, sensitive to me, but not uber-secret. I choose to encrypt the disk so that if my laptop is lost or stolen, the thief is not able to access my personal data. The thief is most likely to be someone trying to make a quick bit of cash by reselling the computer. The new owner will most likely install a new operating system for their own use, and not care about my data. They are highly unlikely to exploit any security hole to try and gain access to my personal data – the effort versus reward balance does not make sense.
So, to protect against this threat – TrueCrypt is still perfectly viable.
If on the other hand a state authority wished to get my data for some reason, they probably could. But they would be able to do that anyway; there are so many techniques available to them that switching from TrueCrypt to any other disk encryption product is not going to change that equation.
If I had uber-secret stuff to protect, the threat analysis might be different, but I don’t.
Wait, there is more news…
TrueCrypt developer replies, confirms dissolution of the project, suggests alternatives: https://t.co/LGA3D7OEbC — HD Moore (@hdmoore) May 30, 2014
So, the core developers have stopped work on it. If or how it will be developed and supported going forward is unclear – but as the article suggests, one way or another it will go forward.
As an industry, and profession, we have to stop doing this.
Every time a glitch occurs in some security system, it gets over-hyped, with theories about how bad the world could be. People who understand the complexities can work their way through it. But 99% of the world can’t – and they are getting hugely confused about what is and is not safe to use. If we are to make progress against security issues, we need to take the 99% with us, and get them to understand the basics: that disk encryption is a really, really good idea and you should use it on all your home computers. Against the biggest threat most people have at home, theft, TrueCrypt is just fine.
If you are reading this on a PC that does not have an encrypted disk, go and install TrueCrypt Setup 7.1a.exe (Windows version, other flavours are available), or a similar paid-for product now!