Slashdot Mirror

← Back to Stories (view on slashdot.org)

How I Compiled TrueCrypt For Windows and Matched the Official Binaries

Posted by timothy on from the all-the-lurid-details dept.

First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way. This has led several concerns raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different than the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."

15 of 250 comments (clear)

  1. But can you trust xavier2dc? by Anonymous Coward · · Score: 5, Funny

    But can you trust xavier2dc? It's turtles all the way down.

    1. Re:But can you trust xavier2dc? by javajawa · · Score: 5, Interesting

      Then follow the same steps and compile it yourself. You should come to the same results.

      --

      Meh

    2. Re:But can you trust xavier2dc? by Impy+the+Impiuos+Imp · · Score: 5, Funny

      Yah, really.

      Wait! But what if I, myself, am an NSA stooge and don't realize it?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:But can you trust xavier2dc? by paiute · · Score: 5, Funny

      OK, but how do I compile xavier2dc? Is the source even available?

      Step 1: Find his mother

      --
      If Slashdot were chemistry it would look like this:Cadaverine
    4. Re:But can you trust xavier2dc? by tippe · · Score: 5, Funny

      Lets give him the Voight-Kampff test and find out...

    5. Re:But can you trust xavier2dc? by Grog6 · · Score: 5, Funny

      If there's DNA on your Backdoor, you've just been rooted!

      (sorry; but this IS /.) :)

      --
      Truth isn't Truth - Guliani
    6. Re:But can you trust xavier2dc? by IndustrialComplex · · Score: 5, Funny

      You'll need to provide us with your source code.

      I'll provide you my source code, but just remember, you asked for it. So no complaining to the police when it is delivered.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
  2. Little Let Down by Anrego · · Score: 5, Interesting

    I was kinda hoping he'd built some elaborate timing setup to somehow match the exact timestamps and compile speed as the official binaries were built with.

    This is still a great analysis though, and the detail provided is a fun read and useful insight into the general mindset and method of how this kind of analysis is done.

    1. Re:Little Let Down by IamTheRealMike · · Score: 5, Informative

      He did as much as was necessary to establish trust and no more.

      I just want to say to Xavier - thanks. Great work.

  3. Re:And why should we trust you? by asmkm22 · · Score: 5, Insightful

    He provides pretty clear instructions on how to duplicate the process he used. He's not just saying "I did it and it's safe, trust me."

  4. Re:But can you trust Microsoft Visual C++ by Dishevel · · Score: 5, Funny

    I don't. I build all of code in hardware. That is rendered in MineCraft.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  5. Did same, found same by Anonymous Coward · · Score: 5, Interesting

    I did the exact same thing as in TFA a few days earlier and ended up finding the exact same variations and causes for those variations.
    My conclusion was also identical, binaries are indeed coming from the provided sources and can be trusted if no further backdoor is found in the sources themselves.

    A cryptographic and coding oriented audit is still much required.

  6. Re:submitter told you how to check it yourself by mlts · · Score: 5, Informative

    I would say that TC is above almost all security software in that the source is available at all. There are a lot of utilities out there that there is no source available for unless one is a large government.

    TC at least has a level playing field. China might have the source code, but at least you do too.

  7. Diverse double compiling by tepples · · Score: 5, Informative

    And how can I trust the cpu to actually execute the code as compiled and not insert it's own microcode into the process?

    By using free compilers and ensuring clean binaries using diverse double compiling. (Thud457 mentioned it, and we discussed it a week ago.) Essentially what you do is bootstrap the compiler (compile the compiler's source code with your existing compiler binary, then recompile it with itself) on several different brands of compiler. If the binaries resulting from all bootstraps match, then either none of them have a backdoor or they all have the same backdoor. The more compilation processes you use, the less likely it will be that they all have the same backdoor. To exclude CPU microcode bugs that target a particular compiler, you could try running some of the bootstraps in an emulator such as DOSBox or bootstrap them as cross-compilers on another CPU architecture.

  8. Compiler can not be trusted by kbg · · Score: 5, Interesting

    There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.