Slashdot Mirror


TrueCrypt Audit Back On Track After Silence and Uncertainty

itwbennett writes: In October 2013, cryptography professor Matthew Green and security researcher Kenneth White launched a project to perform a professional security audit of TrueCrypt, partly prompted by the leaks from Edward Snowden that suggested the NSA was engaged in efforts to undermine encryption. Their report, published in April 2014, covered the first phase of the audit. Phase two was supposed to involve a formal review of the program's encryption functions, with the goal of uncovering any potential errors in the cryptographic implementations—but then the unexpected happened. In May 2014, the developers of TrueCrypt, who had remained anonymous over the years for privacy reasons, abruptly announced that they were discontinuing the project and advised users to switch to alternatives. Now, almost a year later, the project is back on track.

4 of 112 comments

  1. Uh, ALL those companies are NCC by Anonymous Coward · Score: 3, Informative

    "Instead, phase two of the audit will be handled by Cryptography Services, a team of consultants from iSEC Partners, Matasano, Intrepidus Group, and NCC Group."

    Uh, all those companies *are* NCC Group. They've got some fantastic talent, but it's a bit of an odd way of putting it. NCC owns iSEC Partners, Matasano and Intrepidus.

  2. Re:Hmm? by Anonymous Coward · Score: 0, Informative

    Why stop at drive firmware? What about CPUs? Those are made overseas - maybe China has implanted secret code into CPUs? And what about EEPROMs? What if those are infected? What if there is a way to use satellites to push code through powerlines that tells PSUs to transmit a Bluetooth signal that infiltrates via an exploit into GPU RAM? I suppose the audit should cover that, too? I mean, is there anything that shouldn't be covered by this audit before it could be considered complete?

  3. Re:Really Glad to see this by Anonymous Coward · Score: 2, Informative

    I assume you've seen VeraCrypt and CipherShed? I know VeraCrypt fixed some of the issues highlighted by the first part of the TrueCrypt Audit.

  4. Re:Um, by gurps_npc · Score: 4, Informative

    Yes. Because some people think that TrueCrypt was killed BECAUSE it was actually secure and the NSA wanted them to de-secure it.

    As such, a warrant would let people continue to use it, secure in the fact that it actually works as required.

    It also lets people fork it.

    Frankly, I have been severely disappointed with BestCrypt, which I had hoped would end up as the replacement for TrueCrypt. (multiple problems with getting the regular operating system to recognize the 'mounted' drives)

    --
    excitingthingstodo.blogspot.com