IS geeks still hide files in TrueCrypt

Published Apr 10, 2016

Few outside the community of internet security geeks would have heard of TrueCrypt until some time last month.

Then, in a series of reports on the inner workings of the Islamic State, the New Times’ Rukmini Callimachi revealed that when dispatched on missions from which they might not return, Islamic State jihadists were routinely issued with a USB-powered electronic device loaded with two cyber-security programmes.

One of these was a disc-wiper called CCleaner; the other an open source encryption programme known as TrueCrypt.

Nor does the faith of the Islamic State geeks appear to be misplaced. Included in the trove of secret documents leaked in 2013 by cyber-whistleblower Edward Snowden was one confirming that the US’s National Security Agency had experienced “major problems” cracking TrueCrypt.

What makes the encryption especially alarming for US authorities is the fact that unlike the giant Apple corporation, which was recently compelled to give the NSA access via a “back door” to an iPhone encryption, TrueCrypt was from the start an outlaw operation, and beyond the control of would-be Big Brothers of the worldwide web.

Articles in the online The Atavist magazine claim TrueCrypt was based on a programme called E4M (Encryption for the Masses) which was written by Paul Calder le Roux in the last years of the 20th century.

Then, in 2004 - after E4M had been copyrighted to a commercial company - an anonymous collective released a powerful new encryption programme called TrueCrypt, which its creator/s said was “based on (and might be considered a sequel to)” the by then copyrighted E4M.

Though many of his former associates as well as cyber-security experts appear to believe Le Roux was personally involved in developing TrueCrypt from the E4M platform, no proof has yet come to light to this effect.

Even so, in 2014, after it became known that Le Roux was co-operating with US law enforcement authorities, an announcement appeared on the TrueCrypt website to the effect that it was no longer safe, that there were unresolved security issues, that Microsoft had withdrawn support, and that encrypted data should be migrated forthwith.

Hyperlinks to other websites show that Islamic State’s faith in TrueCrypt appears unshaken, however, and there are no indications to date that the NSA has been able to access jihadist operatives’ encrypted communications.

Moreover, according to Ratliff, a security audit conducted by top academic cyber-security experts in the US in late 2015 declared the programme still secure.

But maybe, for those who once worked with Le Roux, it just doesn’t seem worth it to gamble that he didn’t have some back door Plan B all along.

Weekend Argus
