How I Compiled TrueCrypt For Windows and Matched the Official Binaries
First time accepted submitter xavier2dc writes "TrueCrypt is popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA, as the authors remain anonymous and no thorough security audit has yet been conducted to prove it is not backdoored in any way. This has led to several concerns being raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different from the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."
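The check the submitter describes boils down to building from source and comparing the result byte for byte with the download. The script below is an added example, not the submitter's procedure or anything from the TrueCrypt project: it hashes both images, lists every byte range where they differ, and treats only the COFF link timestamp as an expected difference, so anything else is flagged for investigation. The only PE facts it relies on are that e_lfanew lives at offset 0x3C of the DOS header and that TimeDateStamp sits 8 bytes past e_lfanew. The sample "binaries" are constructed inline (fake PE headers, not real TrueCrypt bytes) so it runs offline; the function and constant names are this example's own.

```python
"""Added example: compare a locally built PE image against an official
release and classify where they differ (not the article's own method)."""
import hashlib
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) byte range


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> List[Range]:
    """Return every byte range where a and b differ.  A length mismatch is
    reported as one final range covering the longer file's tail."""
    ranges: List[Range] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if len(a) != len(b):
        ranges.append((n if start is None else start, max(len(a), len(b))))
    elif start is not None:
        ranges.append((start, n))
    return ranges


def coff_timestamp_range(pe: bytes) -> Range:
    """Byte range of the 4-byte TimeDateStamp in the COFF file header:
    e_lfanew (at 0x3C) + 4-byte "PE\\0\\0" + Machine(2) + NumberOfSections(2)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing DOS header")
    e_lfanew = int.from_bytes(pe[0x3C:0x40], "little")
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    ts = e_lfanew + 8
    return (ts, ts + 4)


def compare_builds(official: bytes, rebuilt: bytes) -> Dict[str, object]:
    """Hash both images and classify the differences.  Only bytes inside the
    COFF timestamp count as expected; everything else is 'unexplained'."""
    ranges = diff_ranges(official, rebuilt)
    ts_lo, ts_hi = coff_timestamp_range(official)
    unexplained = [r for r in ranges if not (ts_lo <= r[0] and r[1] <= ts_hi)]
    return {
        "official_sha256": sha256_hex(official),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "identical": not ranges,
        "timestamp_only": bool(ranges) and not unexplained,
        "unexplained": unexplained,
    }


def make_fake_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed stand-in for a PE image (assumption, not a real file):
    DOS header with e_lfanew=0x40, PE signature, first three COFF fields."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    coff = (b"PE\0\0"
            + (0x014C).to_bytes(2, "little")     # Machine: i386
            + (1).to_bytes(2, "little")          # NumberOfSections
            + timestamp.to_bytes(4, "little"))   # TimeDateStamp
    return bytes(dos) + coff + body


# Constructed sample inputs: same "code", different link timestamps.
BODY = b"\x90" * 64 + b"TrueCryptSample" + b"\x00" * 16
OFFICIAL = make_fake_pe(0x52A0C001, BODY)
REBUILT_SAME_CODE = make_fake_pe(0x52A0F00D, BODY)
_patched = bytearray(REBUILT_SAME_CODE)
_patched[0x50] ^= 0xFF  # one byte changed inside the code region
REBUILT_PATCHED = bytes(_patched)

if __name__ == "__main__":
    for name, candidate in (("same code", REBUILT_SAME_CODE),
                            ("patched", REBUILT_PATCHED)):
        print(name, compare_builds(OFFICIAL, candidate))
```

Run against real files, read both images with `open(path, "rb").read()` and feed them to `compare_builds`; a clean rebuild should report either `identical` or `timestamp_only`. Any range in `unexplained` needs an explanation from the toolchain (an embedded path, a resource version string, an Authenticode signature appended to a signed release) before the comparison can be called a match; this example deliberately does not guess at those.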
He provides pretty clear instructions on how to duplicate the process he used. He's not just saying "I did it and it's safe, trust me."
You don't have to trust this person, they've given you the exact steps to do it yourself.
TFA painstakingly explained how you can check it yourself. I'm sure several people will, including enough people that I trust enough. Especially given that there is zero evidence of a backdoor. Nobody is claiming there is a backdoor, so it's a question if you trust the testers more than you trust - nobody.
If you're that worried about a Ken Thompson attack (which this topic always devolves into) then why even use a computer at all?
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
Then follow the same steps and compile it yourself. You should come to the same results.
I think you're kind of missing his two points. One, he's joking. But two, he's also serious...yes, that is what someone can do. But will they? Probably not. I'm willing to bet that 80% minimum of those who read TFA will simply accept it as canon and move on with it as a fact in their minds that the two do match. And beyond that, they will keep it as a fact in their minds even for future releases, which haven't been validated in this way. So that's really the challenge here.
And even worse, think about all the TrueCrypt users who don't have the technical ability to compile binaries, much less do it in a very specific way? Ultimately, someone has to be trusted, and trust is a web rather than something that flows from a single fountain when it comes to society.
For your security, this post has been encrypted with ROT-13, twice.
I don't think you can have a "piece" of software. You don't have half of TrueCrypt or a 3rd of it. Should be "TrueCrypt is popular software enabling data protection"
He did as much as was necessary to establish trust and no more.
Or so he has led you to believe...
systemd is Roko's Basilisk.
Everything in that link only applies to secondary volumes, it doesn't appear to apply if you've encrypted your system volume.
Also, everything being talked about has little to do with windows, and more to do with the pointers/shortcuts external applications make to the "hidden" encrypted filesystem.
Linux would likely have the same number of "Hey! Look! An encrypted filesystem over there!" red flags.
But did this guy check why the Windows version writes mysterious random bytes in the header but not in the Linux version?