Sophos News

VeraCrypt disk encryption team claims “emails intercepted”

Remember TrueCrypt?

It was a popular and widely-used encryption toolkit similar to Microsoft’s BitLocker and Apple’s FileVault.

The idea is that by encrypting and decrypting data at the operating system level, just before every chunk is written to disk and immediately after it’s read back in, you can’t accidentally miss anything.

Your operating system and temporary files are scrambled; leftover fragments of deleted files are scrambled too; even sectors on the disk that are blank are encrypted so you can’t tell they’re empty.

That’s known as FDE, short for full-disk encryption, and it’s a very handy way of reducing the risk of data leakage if a crook runs off with your laptop, or you leave it in a taxi.

With FDE, it’s no longer possible just to put your hard disk into another computer, or boot up from a recovery CD, and look through the files.

A puff of mystery

Anyway, TrueCrypt vanished in a puff of mystery just over two years ago when the developers abruptly pulled the plug on the project.

It was the opening words that caused the excitement:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

For all we ever knew, the developers simply decided they’d had enough, or fell out with each other, or realised that if they had to do a full rewrite for the forthcoming Windows 10 they might never escape from the cryptocoding treadmill.

Or perhaps they were forced to shut down by one or another intelligence agency who felt that the product was too strong?

Or perhaps they were told they had to put in a deliberate vulnerability, called a backdoor, but refused. (For the record, Sophos is strongly and publicly against backdoors, too.)

Fast forward two years and a new project called VeraCrypt, another open source FDE toolkit, has arisen from the ashes of TrueCrypt.

Indeed, at the start of August 2016, the VeraCrypt team announced that they were going to get their source code audited.

Inspectable by anyone

Open source encryption products pride themselves on being “inspectable by anyone,” precisely because they’re open source, but the problem is that very few people are properly qualified to do cryptographic audits.

There used to be an adage in open source that “with many eyes, all bugs are shallow”, meaning that someone, somewhere, is bound to spot any problems sooner or later, because they’re in there somewhere…

…but recent history tells us that’s a myth: some bugs are subtle, or complex, or specialised enough that they stay hidden for years.

Worse still, security holes like backdoors aren’t bugs – they’re programmed in on purpose, so the coders often go to great lengths to hide them.

So, the audit was supposed to increase public trust in VeraCrypt.

Just this week, however, the Open Source Technology Improvement Fund (OSTIF), which gives financial support to VeraCrypt, has released an announcement cloaked in almost as much mystery as the posting that terminated TrueCrypt in 2013:

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.

This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.

We are setting up alternate means of encrypted communications in order to move forward with the audit project.

Interestingly, the article announcing the “breach” is explicitly titled OSTIF, QuarksLab, and VeraCrypt E-mails are Being Intercepted, although in this case, it looks as though the emails are being destroyed.

You’d think that an outside actor who wanted to snoop on what you are up to would intercept non-destructively, by looking at the messages but letting them go anyway.

After all, deleting the messages doesn’t serve much purpose: firstly, it draws attention to the problem; and secondly, it doesn’t really prevent the messages from getting through, because the senders can just transmit them again.

What’s the conspiracy?

As you can imagine, conspiracy theorists are all over this.

Just like last time, however, when TrueCrypt imploded, the explanation might be entirely innocent. (Hands up anyone who has never lost emails, apparently without trace, at a vital instant).

So far, however, both VeraCrypt and its auditors seem to be as good as admitting (insisting, even) that someone has unauthorised insider access to their email.

The announcement concludes:

If nation-states are interested in what we are doing we must be doing something right. Right?

That seems a strange leap of logic.

Firstly, we don’t actually yet know whether a nation-state (let alone two or more of them) was involved in the first place.

Secondly, ending up with hackers inside your email accounts is not, in fact, a terribly good sign that you’re doing something right.

I’d prefer to see a conclusion more along the lines of, “We’re going to find out how the breach happened, and tell you how we plan to stop it happening again.”

So, we’ll be watching this one with great interest…

…in the meantime, what’s your theory? (You may comment anonymously.)