August 16, 2016
After TrueCrypt was mysteriously discontinued, VeraCrypt became the most popular open source disk encryption software among activists, journalists, and privacy-conscious users.
Because of VeraCrypt's popularity, the Open Source Technology Improvement Fund (OSTIF) announced at the beginning of this month that it had arranged an independent security audit of VeraCrypt.
Using funds donated by DuckDuckGo and VikingVPN, the OSTIF hired vulnerability researchers from QuarksLab to lead the audit, which is to look for zero-day vulnerabilities and other security holes in VeraCrypt's code.
Now for the troubling part:
The OSTIF announced on Saturday that its confidential, PGP-encrypted communications with QuarksLab about the VeraCrypt audit appear to have been intercepted: several messages simply vanished in transit. (PGP protects the contents of a message, not its delivery, so a missing message is only noticed when the expected recipient says it never arrived.)
“We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders,” the OSTIF said. “Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.”
The information produced by the VeraCrypt audit is sensitive enough that the OSTIF instructed the QuarksLab research team to deliver “any results of this audit directly to the lead developer of VeraCrypt using heavily encrypted communications.”
This instruction was set at the start of the project to keep any zero-day vulnerabilities the auditors find out of the hands of snoopers and other unauthorized parties until a fix is available.