Slashdot Mirror


TrueCrypt To Go Through a Crowdfunded, Public Security Audit

An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that if you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that is exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)


  1. Hmmm... by Anonymous Coward · · Score: 5, Interesting

    But who will audit the auditors?

    1. Re:Hmmm... by lgw · · Score: 5, Insightful

      But who will audit the auditors?

      Gorillas!

      Seriously, a fully public audit is the best possible approach. You can never be 100% sure, but you can get close enough if the audit attracts enough talent. This is the true promise of open source: moving from "in theory, you could look at the source", yahright, to "here's the crowdfunding for experts to openly audit the open source". That's something.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Hmmm... by adolf · · Score: 4, Interesting

      Phone call to encryption expert: "Yes, thank you Truecrypt. I will gleefully accept your money and publish an audit."

      Next phone call to encryption expert: "Yes, thank you NSA. I will gleefully accept your money and write whatever you tell me to write in my published audit."

      (Oh, encryption experts are immune to subterfuge, greed, bottomless debt, double-dipping, and generally being nefarious? I thought that they were just human like the rest of us!)

      (And for the record, once one "independent" party accepts money from another party with a dog in the race, they cease being "independent" about the matter at-hand.)

      (See also: Whitewash.)

    3. Re:Hmmm... by lgw · · Score: 2

      But then we'll know. If Bruce Schneier is an NSA plant, and he and at least one smart non-NSA plant routinely audit software, the pattern will emerge.

      Like I said, nothing is perfect, but this is pretty good.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:Hmmm... by lgw · · Score: 2

      In this case you won't need much money, as TrueCrypt is so high profile and lots of security experts use it personally. If this approach catches on, and the novelty wears off, then you'd need more money to be sure.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:Hmmm... by adolf · · Score: 2

      But I don't know Bruce Schneier from a hole in the ground, and the only thing I know about Truecrypt is that the folks who make it say it is secure (or, perhaps in the future, pay for audits, wherein it is proclaimed secure).

      The circle of trust is very, very short here.

      Studies have shown that studies are easily skewed by money.

  2. Free testing by retech · · Score: 2

    So they're getting crowd-funded money to do all their testing to ensure no one can see the NSA's back doors they have in place.

    1. Re:Free testing by rudy_wayne · · Score: 5, Insightful

      If you think better, stronger encryption is the answer, then you don't understand the problem.

      In 2011 the Foreign Intelligence Surveillance Court issued a ruling that many of the NSA's activities were illegal and unconstitutional. You'll notice that this had no effect on the NSA's spying because (a) It was a secret order issued by a secret court and nobody knew about it until just recently and (b) There is essentially no oversight of the NSA which means they are free to do whatever they want.

      So, even if you have some super-duper unbreakable encryption, which has been audited and you can guarantee that it contains no NSA backdoors, so what? If the NSA can't break your encryption they'll simply yell "National Security" and get a secret order from a secret court compelling you to decrypt your stuff or face prosecution -- prosecution which will be carried out in secret, making it impossible to defend yourself.

      If you've been paying attention, you see what the real problem is.

    2. Re:Free testing by Penguinisto · · Score: 2

      There is one small silver lining to this otherwise ugly cloud... if of course there's a way to hide any trace of TrueCrypt on a machine that's using it?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Free testing by Anonymous+Psychopath · · Score: 2

      So they're getting crowd-funded money to do all their testing to ensure no one can see the NSA's back doors they have in place.

      So what's your answer? Everyone just does their own code review?

      --
      Eagles may soar, but weasels don't get sucked into jet engines.

    4. Re:Free testing by letherial · · Score: 2

      Well, put it in a hidden container and put stupid shit inside your normal container and give them that password. Throw a bunch of tax returns and shit in there and say you were only following your IT friend's advice on protecting your finance documents, or if you're IT, say you practice what you preach.

      Also, assume they will find this post and use it to prove you have a secret container, so you'll want to change your name, SSN, DOB and possibly a face change (at least your hair), in fact, why were you stupid enough to talk smack on NSA in a public forum? Clearly if you don't like the NSA watching over you then you're a hardcore criminal/terrorist and we can just skip the whole show me what you got trial bullshit and lock you up...or maybe just bomb you. Hidden containers won't matter to the drone and the secret judge who already ordered your death.

      Point is...you're fucked.

    5. Re:Free testing by letherial · · Score: 2

      I think the bigger question here is, why do you need to wipe your free space? Are you hiding something from the NSA?

  3. They need an independent expert to validate it? by Anonymous Coward · · Score: 3, Funny

    Alright, I'll volunteer. Once the money has cleared my account, consider it "validated."

  4. Re:Please, Google by epyT-R · · Score: 3, Insightful

    Are you nuts?

  5. Won't work for the Windows version by kbg · · Score: 4, Insightful

    The Windows version is compiled with MSVC, which almost certainly has an NSA backdoor that gets compiled into the TrueCrypt binary.

    1. Re:Won't work for the Windows version by Mr0bvious · · Score: 2

      Please vote this up..

      Indeed, the vectors for adding back doors are not as simple as looking at source code.

      --
      Never happened. True story.
    2. Re:Won't work for the Windows version by vux984 · · Score: 5, Insightful

      Sure, vote it up as a point that the toolchain is always suspect, but saying MSVC is injecting backdoors into everything it compiles is just plain idiotic.

    3. Re:Won't work for the Windows version by sconeu · · Score: 4, Informative

      * We know that the distributed source generates the distributed binaries. There was an article on this (I'm too lazy to search for it).

      * This audit will vet the source so that there are no *CODED* back doors.

      * The code is still vulnerable to a Ken Thompson style attack.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    4. Re:Won't work for the Windows version by Anti-Social+Network · · Score: 2

      Which is why, if you read the info on the IndieGoGo blurb, they talk about a validated Windows build that is signed.

      Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered.

      --
      Goddammit just when I get my first +5 the Beta rolls out and kills everything
    5. Re:Won't work for the Windows version by steelfood · · Score: 4, Informative

      No, but certain differences between the TrueCrypt volumes generated by Windows and the TrueCrypt volumes generated by Linux point to there being a strong possibility of a backdoor in the Windows-only version.

      I'd be interested to see if there's actually code that writes out those random bytes in the header for Windows only, or if something else (API, MSVC, etc.) is causing the randomness. Because if it's the latter, then the chance of it being a backdoor goes way, way up.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    6. Re:Won't work for the Windows version by letherial · · Score: 2

      If you have followed any basic critical thinking class then you should observe one simple fact about this statement. It is an opinion, there are not facts supporting this that I am aware of (and many other claims about this article), nor is there any provided evidence.

      If you use Windows there are facts you should know. 1. It's the most used OS and is the biggest target for anyone wanting information. It's far better to build a generic malicious code that will attack a known vulnerability of Windows, even if it's not zero day, than it is to bother with the small percentage of people who use Linux/Mac, that is where the main problem with using Windows. 2. There is really truly no way to know what is programmed in Windows, if you think Microsoft would put at risk the world market for the NSA without one big fight, then you probably don't want to use Windows. Consider this though, most breaches happen not because there is some easy way to break into Windows, but because the admin didn't do something properly.

      Now it's not up to me to decide what level of paranoid security you run, or why you choose one OS over another, it is up to me however to call out bullshit, or at the very least, demand evidence on outrageous claims.

    7. Re:Won't work for the Windows version by gl4ss · · Score: 2

      some guy replicated building the released tc binaries already though.

      so unless the compiler is attaching a tc specific backdoor to everything..

      --
      world was created 5 seconds before this post as it is.
  6. Does anyone really care? by badasawsomeness · · Score: 5, Insightful

    I feel like this has been reported on 5 times by now. Yes we know they are raising money, please no more updates until the findings from the audit are in.

    In the meantime is there any actual point to this? While TrueCrypt can be one of the best methods for a typical home user or even tech-savvy business person to encrypt that naughty folder. But it honestly isn't as widely used as they make it out to be. Most software or businesses use their own encryption. Not to mention the nature of TrueCrypt means it's most often used to secure local files or drives, meaning unless the NSA has direct control over your computer they really can't get at your stuff.

    Also would this resolve anything? As soon as the audit is done people will either question the findings for one reason or another. When in the end all the audit can say is if there is an intentional backdoor or if there is an obvious flaw in the code that would leave it vulnerable. Even if neither of these turn up there is still a very real chance the NSA found their own unintentional flaw in the code that allows them to greatly reduce the time required to decrypt the drive.

    1. Re:Does anyone really care? by AHuxley · · Score: 3, Interesting

      It's more for people moving around the world. But the main risk is having your media looked at and someone seeing your need for the use of encryption.
      You could have all other data quickly captured and end up on a few gov lists with your computer returned.
      The NSA mostly seems to like to track all net use globally and then zoom in on users, their OS, files reviewing their digital lives.
      Tame OS, telcos and software seem to help the NSA with the final steps i.e. the end user's encryption and saving the keystrokes for very easy decryption.
      But just the act of requesting an audit does make 'easy' past with some software more difficult.

      --
      Domestic spying is now "Benign Information Gathering"
  7. we know current version gcc is safe by raymorris · · Score: 2

    We know that the current version of GCC doesn't have the "Ken Thompson" trojan. The original version could have, theoretically, but it couldn't survive so many versions. Also, gdb would have revealed it long ago.
    Maybe gcc also trojans gdb? And ptrace, and ...
    You have to imagine that the author wrote specialized trojans for a bunch of programs that hadn't been created yet, and hid them all in a few kilobytes. That's beyond impossible, even for the best programmer in the world.

  8. audit will reveal the likely flaws, non-encryption by raymorris · · Score: 2

    The best way to deal with strong encryption is to go around it, to use the back door. Those are the flaws an audit would reveal, issues not with the actual encryption, which is a fairly small part of the software, but with the other 90% of the code.

    The encryption itself has been analyzed, and will continue to be analyzed, outside of Truecrypt, which is just one of many packages that use the same encryption.