Slashdot Mirror

← Back to Stories (view on slashdot.org)

TrueCrypt To Go Through a Crowdfunded, Public Security Audit

Posted by timothy on from the line-by-line dept.

An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that it you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that it exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)

12 of 104 comments (clear)

  1. Hmmm... by Anonymous Coward · · Score: 5, Interesting

    But who will audit the auditors?

    1. Re:Hmmm... by lgw · · Score: 5, Insightful

      But who will audit the auditors?

      Gorillas!

      Seriously, a fully public audit is the best possible approach. You can never be 100% sure, but you can get close enough if the audit attracts enough talent. This is the true promise of open source: moving from "in theory, you could look at the source", yahright, to "here's the crowdfunding for experts to openly audit the open source". That's something.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Hmmm... by adolf · · Score: 4, Interesting

      Phone call to encryption expert: "Yes, thank you Truecrypt. I will gleefully accept your money and publish an audit."

      Next phone call to encryption expert: "Yes, thank you NSA. I will gleefully accept your money and write whatever you tell me to write in my published audit."

      (Oh, encryption experts are immune to subterfuge, greed, bottomless debt, double-dipping, and generally being nafarious? I thought that they were just human like the rest of us!)

      (And for the record, once one "independent" party accepts money from another party with a dog in the race, they cease being "independent" about the matter at-hand.)

      (See also: Whitewash.)

      --
      Kid-proof tablet..
  2. They need an independent expert to validate it? by Anonymous Coward · · Score: 3, Funny

    Alright, I'll volunteer. Once the money has cleared my account, consider it "validated."

  3. Re:Please, Google by epyT-R · · Score: 3, Insightful

    Are you nuts?

  4. Re:Free testing by rudy_wayne · · Score: 5, Insightful

    If you think better, stronger encryption is the answer, then you don't understand the problem.

    In 2011 the Foreign Intelligence Surveillance Court issued a ruling that many of the NSA's activities were illegal and unconstitutional. You'll notice that this had no effect on the NSA's spying because (a) It was a secret order issued by a secret court and nobody knew about it until just recently and (b) There is essentially no oversight of the NSA which means they are free to do whatever they want.

    So, even if you have some super-duper unbreakable encryption, which has been audited and you can guarantee that it contains no NSA backdoors, so what? If the NSA can't break your encryption they'll simply yell "National Security" and get a secret order from a secret court compelling to do decrypt your stuff or face prosecution -- prosecution which will be carried out in secret, making it impossible to defend yourself.

    If you've been paying attention, you see what the real problem is.

  5. Won't work for the Windows version by kbg · · Score: 4, Insightful

    The Windows version is compiled with MSVC, which almost certainly has a NSA backdoor that gets compiled into the TrueCrypt binary.

    1. Re:Won't work for the Windows version by vux984 · · Score: 5, Insightful

      Sure, vote it up as a point that the the toolchain is always suspect, but saying MSVC is injecting backdoors into everything it compiles is just plain idiotic.

    2. Re:Won't work for the Windows version by sconeu · · Score: 4, Informative

      * We know that the distributed source generates the distributed binaries. There was an article on this (I'm too lazy to search for it).

      * This audit will vet the source so that there are no *CODED* back doors.

      * The code is still vulnerable to a Ken Thompson style attack.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Won't work for the Windows version by steelfood · · Score: 4, Informative

      No, but certain differences between the TrueCrypt volumes generated by Windows and the TrueCrypt volumes generated by Linux point to there being a strong possibility of a backdoor in the Windows-only version.

      I'd be interested to see if there's actually code that writes out those random bytes in the header for Windows only, or if something else (API, MSVC, etc.) is causing the randomness. Because if it's the latter, then the chance of it being a backdoor goes way, way up.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  6. Does anyone really care? by badasawsomeness · · Score: 5, Insightful

    I feel like this has been reported on 5 times by now. Yes we know they are raising money, please no more updates until the findings from the audit are in.

    In the mean time is there any actual point to this? While TrueCrypt can be one of the best methods for a typical home user or even tech savy business person to encrypt that naughty folder. But it honestly isn't as widely used as they make it out to be. Most softwares or businesses use their own encryption. Not to mention the nature of TrueCrypt means its most often used to secure locals files or drives, meaning unless the NSA has direct control over your computer they really cant get at your stuff.

    Also would this resolve anything? As soon as the audit is done people will either, question the findings for one reason or another. When in the end all the audit can say is if there is an intentional backdoor or if there is an obvious flaw in the code that would leave it vulnerable. Even if neither of these turn up there is still a very real chance the NSA found their own unintentional flaw in the code that allows them to greatly reduce the time required to decrypt the drive.

    1. Re:Does anyone really care? by AHuxley · · Score: 3, Interesting

      Its more for people moving around the world. But the main risk is having your media looked at and someone seeing your need for the use of encryption.
      You could have all other data quickly captured and end up on a few gov lists with your computer returned.
      The NSA mostly seems to like to track all net use globally and then zoom in on users, their OS, files reviewing their digital lives.
      Tame OS, telcos and software seem to help the NSA with the final steps i.e. the end users encryption and saving the keystrokes for easy very decryption.
      But just the act of requesting an audit does make 'easy' past with some software more difficult.

      --
      Domestic spying is now "Benign Information Gathering"