Slashdot Mirror


TrueCrypt To Go Through a Crowdfunded, Public Security Audit

An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that if you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that is exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)

2 of 104 comments

  1. Re:Won't work for the Windows version by sconeu · Score: 4, Informative

    * We know that the distributed source generates the distributed binaries. There was an article on this (I'm too lazy to search for it).

    * This audit will vet the source so that there are no *CODED* back doors.

    * The code is still vulnerable to a Ken Thompson style attack.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  2. Re:Won't work for the Windows version by steelfood · Score: 4, Informative

    No, but certain differences between the TrueCrypt volumes generated by Windows and the TrueCrypt volumes generated by Linux point to there being a strong possibility of a backdoor in the Windows-only version.

    I'd be interested to see if there's actually code that writes out those random bytes in the header for Windows only, or if something else (API, MSVC, etc.) is causing the randomness. Because if it's the latter, then the chance of it being a backdoor goes way, way up.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
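One way to check the kind of platform-specific header difference the comment above describes is to collect several volume headers from each platform and report which byte offsets vary on one platform only. This is an added example, not code from the thread or from the TrueCrypt project; the header layout and all sample bytes are constructed for illustration.

```python
# Added example (not from the Slashdot thread or TrueCrypt): given volume
# header samples grouped by platform, find byte offsets that vary on one
# platform while staying constant on every other. All data is constructed.
from typing import Dict, List, Sequence, Set


def varying_offsets(samples: Sequence[bytes]) -> Set[int]:
    """Offsets at which the byte value is not identical across all samples."""
    if not samples:
        return set()
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("all header samples must have the same length")
    return {i for i in range(length) if len({s[i] for s in samples}) > 1}


def platform_only_variance(by_platform: Dict[str, List[bytes]]) -> Dict[str, Set[int]]:
    """For each platform, offsets that vary there but are constant elsewhere."""
    varying = {name: varying_offsets(samples) for name, samples in by_platform.items()}
    result: Dict[str, Set[int]] = {}
    for name, offs in varying.items():
        others = set().union(*(v for n, v in varying.items() if n != name))
        result[name] = offs - others
    return result


# Constructed 16-byte header: a fixed 4-byte prefix, a 4-byte field whose
# third byte only the "windows" samples fill with differing values, then an
# 8-byte per-volume value that legitimately differs on every platform.
def _sample(platform_byte: int, salt: int) -> bytes:
    return b"HDR1" + bytes([1, 0, platform_byte, 0]) + salt.to_bytes(8, "big")


SAMPLES = {
    "windows": [_sample(0x3A, 1), _sample(0x7F, 2), _sample(0xC4, 3)],
    "linux": [_sample(0x00, 4), _sample(0x00, 5), _sample(0x00, 6)],
}

if __name__ == "__main__":
    # Expected: offset 6 is flagged for windows only; linux flags nothing,
    # because offset 15 varies on both platforms and is therefore excluded.
    for platform, offs in platform_only_variance(SAMPLES).items():
        print(platform, sorted(offs))
```

An offset flagged for a single platform is only a lead for reading the code path that writes it, not proof of intent; the next step is to locate that write in the source and see what feeds it.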