Slashdot Mirror


TrueCrypt Audit Back On Track After Silence and Uncertainty

itwbennett writes: In October 2013 Cryptography professor Matthew Green and security researcher Kenneth White launched a project to perform a professional security audit of TrueCrypt, partly prompted by the leaks from Edward Snowden that suggested the NSA was engaged in efforts to undermine encryption. Their report, published in April 2014, covered the first phase of the audit. Phase two was supposed to involve a formal review of the program's encryption functions, with the goal of uncovering any potential errors in the cryptographic implementations—but then the unexpected happened. In May 2014, the developers of TrueCrypt, who had remained anonymous over the years for privacy reasons, abruptly announced that they were discontinuing the project and advised users to switch to alternatives. Now, almost a year later, the project is back on track.

5 of 112 comments

  1. Hmm? by bhcompy · Score: 2, Insightful

    Now, almost a year later, the project is back on track. Ptacek, a cryptography expert and founder of Matasano Security, will no longer lead the cryptanalysis and the effort will no longer be crowdsourced. Instead, phase two of the audit will be handled by Cryptography Services, a team of consultants from iSEC Partners, Matasano, Intrepidus Group, and NCC Group.

    Are these auditors trustworthy? At least if it's crowdsourced it's an open process.

  2. Re:Um, by Anonymous Coward · Score: 5, Insightful

    You sound like someone new to the concept of 'independent audit'.

  3. Riiiiight. by geminidomino · Score: 4, Insightful

    So an audit performed by a closed group of corporates who have, no doubt, been thoroughly vetted and has never, ever, ever gotten a phone call from anyone in a suit offering them the choice of a bag of cash to play ball, or an increased probability of "accidents" and "unfortunate data leaks."

    Given the farewell address we got from the TC devs, which I'm sure most of us remember, and the laughable suggestions of "alternatives," there are two strong possibilities for why the project was shuttered:

    1. The developers all suffered a massive psychotic break at the same time.
    2. A canary so big and obvious that it's more of a "warrant roc."

    They may have ended the "silence", but the "uncertainty" is still alive and well, AFAIC.

  4. Re:What it really reveals by rvw · Score: 3, Insightful

    This is good, or bad, depending on the tightness of your tin foil, but I think it reveals something far more important about encryption: we, the average users, are powerless to verify or truly trust any encryption solution offered. To realize that an audit of the code for a single-purpose program can only be done by a very small set of people shows that even with open source we're still just trusting others to safeguard our data. The need for encryption and the mathematical and coding complexity required to understand what we are using to safeguard our data is simply beyond our ability to check that it even makes sense at a basic level.

    We - even IT power users and programmers - are mostly powerless to verify not only encryption programs, but the underlying OS as well. As Shuttleworth said, if you use our OS, you have to trust us, because we have root.

  5. Re:vera crypt by Anonymous Coward · Score: 2, Insightful

    Maybe NSA can decrypt it - I don't care - I'm not their target.

    Don't be silly. You are their target. Everyone that fits into one of these groups is a target:

    1) Not an American citizen
    2) Is an American citizen