TrueCrypt Audit: No NSA Backdoors

Mark Wilson writes: A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group (PDF) for the Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised. However, the software was found to contain a few other security vulnerabilities, including one relating to the use of the Windows API to generate random numbers for master encryption key material. Despite this, TrueCrypt was given a relatively clean bill of health with none of the detected vulnerabilities considered severe enough to lead "to a complete bypass of confidentiality in common usage scenarios."

That's what they WANT you to believe!

[CajunArson]

Where's the fun in there not being any nefarious evil backdoors??!?!?

How am I supposed to feed my narcissistic persecution complex that the NSA is focusing billions and billions of dollars of resources just to spy on me and me alone when they can't even put a backdoor in TrueCrypt??!?!?

Re: That's what they WANT you to believe!

Look everyone, a NSA shill.

Re:That's what they WANT you to believe!

I was looking through the source code --

What does -DSSSH_NSA_BACKDOOR_FLAG do when it's added to the CFLAGS Makefile variable?

Re:That's what they WANT you to believe!

[MrL0G1C]

Of course there are back doors, the NSA got to them. 'There are no back doors' - that is what they want you to believe ;-)

Re:That's what they WANT you to believe!

You're trying to belittle the legitimate concerns people have had towards the security of their software. It's not working.

We already know of routers compromised en massé, mass collection of *everyone's* even seemingly irrelevant data (yours included), false flag hacking and whatnot. So yes, go ahead and crack a joke about the cornerstone of democracy and freedom of speech being slowly corroded away. Don't expect anyone to laugh, though.

Re:That's what they WANT you to believe!

It enlarges your penis, citizen.

You should compile with that flag every time for best results. Tell your friends.

Re:That's what they WANT you to believe!

It'll add -DSSSH_NSA_BACKDOOR_FLAG to $CC's command line when compiling things.

Re:That's what they WANT you to believe!

[KGIII]

You do realize that TrueCrypt is out of development and the shop's been shuttered, yes?

Re:That's what they WANT you to believe!

You do realize that TrueCrypt is out of development and the shop's been shuttered, yes?

Wrong. It's been forked:
https://truecrypt.ch/
https://ciphershed.org/

And well before that it was reverse engineered:
https://github.com/bwalex/tc-play

Re:That's what they WANT you to believe!

And well before that it was reverse engineered:
https://github.com/bwalex/tc-play

Perhaps correction: re-implemented.

Re:That's what they WANT you to believe!

Ciphershed.org is based on a rebranding of the original TC 7.1a which was the 2nd to last version. I have a copy of the installer of the 7.1a of TC.

I wonder what the actual difference would be in terms of security between the two?

Re:That's what they WANT you to believe!

[KGIII]

Sweet! Much appreciated, I didn't dig any deeper than the TrueCrypt site (I guess I should have). The question is, then, do THEY have any NSA backdoors? There was a time when I'd have simple trusted open source but these days there is so much and so few eyeballs. Either way, I appreciate your reply a great deal. I will play with both later this afternoon when I have a bit more free time.

Re:That's what they WANT you to believe!

[OutOnARock]

....these are not the back doors you are looking for......

Re: That's what they WANT you to believe!

That is the most stupid thing you can say when this is supposed to be good news Celebrate it rather than say stupid things. Idiot.

Re:That's what they WANT you to believe!

Seriously, "en massé"?

Quis custodiet ipsos custodes?

Now we just need an audit of the auditors to make sure they weren't compromised and we can safely use TrueCrypt again.

Re:Quis custodiet ipsos custodes?

[msobkow]

I disagree completely. We need to audit the auditors of the auditors as well. Eventually we'll need to close the loop by having the original auditors audit a set of auditors so it's a self-perpetuating circle of audits. :P

Re:Quis custodiet ipsos custodes?

[OzPeter]

We need to audit the auditors of the auditors as well.

So it's auditors all the way down?

Re:Quis custodiet ipsos custodes?

[BreakBad]

That auditor loop would need to be audited. I see the strategy now, its job creation.

Re:Quis custodiet ipsos custodes?

[fustakrakich]

You bet your sweet ass it is...

Re: Quis custodiet ipsos custodes?

There ain't enough scientology whackos to possibly audit all these shit people.

Re:Quis custodiet ipsos custodes?

[bytethese]

Well, who's gonna audit the auditors of the auditors?

I wouldn't mind doing a little AUDITING myself.

Re:Quis custodiet ipsos custodes?

[jellomizer]

The interesting part of a conspiracy logic, we can have more and more people as part of it... It is just you who is some how left out.

However if the NSA couldn't keep snowden from releasing his information, who is rather low level. What makes you to think, that such a large conspiracy has such power behind it.

Re:Quis custodiet ipsos custodes?

Fuck off, Scientology trash

Re:Quis custodiet ipsos custodes?

> I disagree completely. We need to audit the auditors of the auditors as well. Eventually we'll need to close the loop by having the original auditors audit a set of auditors so it's a self-perpetuating circle of audits.

Furthermore, we need to hand over all the auditors to Ezio Auditore, to make sure none of them tell NSA about the exploitable bugs found during the audit.

Re:Quis custodiet ipsos custodes?

> NSA couldn't keep snowden from releasing his information, who is rather low level

If you think Edward Snowden was rather low level, I have a bridge to sell you (complete with turret, rangefinder, boilers, steam turbines, bilge pump, cat of 9 tails and a pair of 7-ton anchors.)

You see, Snowden's father was rear admiral of the US Coast Guard, just like McCain's father was rear admiral in the US Navy.

Re:Quis custodiet ipsos custodes?

[lgw]

Auditor auditor auditors audit auditor auditors, obviously.

Re:Quis custodiet ipsos custodes?

[Phreakiture]

Or perhaps, "Quis audiet ipsos auditores"?

It sounds like it is the Ken Thompson problem of trusting trust once again rearing its head.

Re:Quis custodiet ipsos custodes?

[bytethese]

Someone doesn't watch movies I gather...

Re: Quis custodiet ipsos custodes?

You have just described what doing IT for large American banks has become. The number of times I hear "we can't create that new thing until we finish with the regulatory changes" is just depressing.

Re:Quis custodiet ipsos custodes?

[Mister+Transistor]

Nice. +1 for the obscure Turtle Club reference!! :D

Re:Quis custodiet ipsos custodes?

[Culture20]

You use a side loop to audit the first loop, etc. until you have a tube, then loop the tube. It'll be a torus like a donut or a bagel. To audit the audit-bagel, you'll need concentric layers of more audit-bagels like an onion. Mmmmm... Onion Bagel.

Re:Quis custodiet ipsos custodes?

[sconeu]

Are you a Turtle?

Been once since 1975!

Re:Quis custodiet ipsos custodes?

[Mister+Transistor]

YBYSAIA! (1972)

Re:Quis custodiet ipsos custodes?

[Opportunist]

Took you quite a while.

That's what consulting and auditing is about. Hell, if it wasn't for that I'd have to get a real job and actually do some work!

Re:Quis custodiet ipsos custodes?

[Opportunist]

Yet look how different they turned out to be. One became and upstanding, honest person who has never ever done anything but serving his country, and the other one went into politics.

Re:Quis custodiet ipsos custodes?

This is why the universe is like fractal.

Re: Quis custodiet ipsos custodes?

[loftarasa]

*slow clap* you win the Internet today, sir

Re:Quis custodiet ipsos custodes?

[Bob+the+Super+Hamste]

I still like "A ship shipping ship shipping shipping ships".

Re:Quis custodiet ipsos custodes?

[Culture20]

To loop the onion bagel, you'll need four dimensions. So, want time travel? Throw more auditors at the problem.

Re:Quis custodiet ipsos custodes?

[sjames]

Inmtroducing the Open Open Crypto Audit Project Audit Project.

Re:Quis custodiet ipsos custodes?

[lq_x_pl]

You must work for the government. You have described a perfect bureaucracy.

Tin foil hat time

[OzPeter]

Wasn't the NSA accused of suggesting/modifying various encryption standards in order to weaken them? In which case they don't need back doors into the software as they can already unlock the data.

Re:Tin foil hat time

Why don't you go inform yourself as to which encryption standards those were and then come back and actually contribute to the discussion, instead of mindlessly speculate?

Re:Tin foil hat time

The Slashdot armchair business moguls and arm chair software managers are bad enough, but don't be an armchair cryptographer.

Re:Tin foil hat time

Why don't you go inform yourself as to which encryption standards those were and then come back and actually contribute to the discussion, instead of mindlessly speculate?

You don't want mindless speculation, yet you're reading Slashdot comments?

Re:Tin foil hat time

[buchner.johannes]

Wasn't the NSA accused of suggesting/modifying various encryption standards in order to weaken them? In which case they don't need back doors into the software as they can already unlock the data.

Yes, and the authors of said algorithms (CS researchers) agree that that was ok (a security - speed/implementation tradeoff).

Re:Tin foil hat time

[mrchaotica]

Truecrypt lets you pick which encryption algorithm (and key generation mechanism, IIRC) that you want to use. So just pick one that the NSA didn't compromise!

Re:Tin foil hat time

Except that the encryption standards used by TrueCrypt have also been audited. They are open to criticism.

Re:Tin foil hat time

[jones_supa]

Which algorithms are we talking about?

Re:Tin foil hat time

[plover]

Yes, the NSA has been accused of colluding with RSA to promote the Dual_EC_DRBG random number generator as a standard, despite claims that it contained a backdoor. https://en.wikipedia.org/wiki/... . The NSA has also been accused of interfering with standards that would enable ubiquitous effective encryption for popular communications tools, such as phones and email, resulting in the current hodgepodge of patchwork. Sure, you may use TLS to send and retrieve your email to and from your ISP, but the data is unencrypted in their servers, and is vulnerable to interception there. Your cell calls may be encrypted, but Chris Paget demonstrated at DEFCON how easy that is to defeat, using his almost legal homemade version of a Harris Stingray. And the encryption algorithms used by cell phones only protect the data flying over the airwaves, not on the cellular wired infrastructure which is already required to be vulnerable by CALEA.

However, the existence of one backdoor in one algorithm does not prove or disprove the existence of backdoors in other algorithms. Most exploitable weaknesses we do know about come from either protocol flaws or implementation errors, and these auditors found evidence of neither.

Re:Tin foil hat time

[maestroX]

DES http://en.wikipedia.org/wiki/D....

Re:Tin foil hat time

[Totenglocke]

You can also use keyfiles too.

Re:Tin foil hat time

[Andy+Dodd]

The only case I know of where an algorithm was actually backdoored was one of the random number generation schemes... The algorithm in question happens to be (IIRC) quite fast.

In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

Keep in mind there are two parts of the NSA, ones which have in many ways highly conflicting goals:
1) One part is tasked with compromising the information infrastructure of our enemies - these are the ones who keep on making the news these days
2) Another part is tasked with protecting our critical information infrastructure, especially with protecting data sensitive to national security. These are the people who do Type I crypto certification, worked on creating SELinux, etc. These rarely make the news but in general, from our perspective these are the good guys. You can tell that AES-256 is NOT backdoored by the NSA since they allow it to be used to protect classified information (NSA Suite B - you can assume anything in Suite B is solid since the NSA is using it themselves.)

Re:Tin foil hat time

[Lord+Crc]

There's talk that they influenced the decision of some recommended constants for Elliptic Curve Cryptography.

You'll want to use constants that ensures the cryptographic strength of the algorithm, so picking them are non-trivial and hence a recommended set was published. This is the same for most algorithms. AES has constants and they are part of what makes the algorithm AES and not some other variant.

Anyway, here's what Bruce Schneier said about ECC:

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

And here's a nice background on ECC:
https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

Re:Tin foil hat time

[AmiMoJo]

Snowden uses Truecrypt so if they have cracked it they are keeping it very quiet... Look at it this way, of you are less if a target than Snowden you are probably safe using it even if they do have a way in.

Re:Tin foil hat time

[meta-monkey]

don't be an armchair cryptographer.

Why not? I'm really good at it. You will NEVER decrypt my armchair.

Re:Tin foil hat time

You can tell that AES-256 is NOT backdoored by the NSA since they allow it to be used to protect classified information (NSA Suite B - you can assume anything in Suite B is solid since the NSA is using it themselves.)

AES is an algorithm, and one that was created in Europe to boot, so I don't think there's any chance the NSA could have 'backdoored" it.
The situation is quite different for any software that implements AES.

[Hey, meknows me's an AC here, but the slashdot login page for Google accounts keeps giving me 404's. Whatsup?]

Re:Tin foil hat time

Interesting read, thanks for the links. It's always nice to have Schneier's insight.

Re:Tin foil hat time

AES is an algorithm, and one that was created in Europe to boot, so I don't think there's any chance the NSA could have 'backdoored" it.

To be pedantic, AES is an algorithm created in the US.

It's (very heavily) based on Rijndael, which was created by two Belgian cryptographers. But there are some differences between the two.

Re:Tin foil hat time

[chihowa]

The only case I know of where an algorithm was actually backdoored was one of the random number generation schemes... The algorithm in question happens to be (IIRC) quite fast.

The random number generator, Dual_EC_DRBG is actually very very slow. If it wasn't pushed so hard, nobody would willingly use it.

In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

In addition to fixing the S-boxes as you described, they also recommended reducing the key size, which made the algorithm weaker and shorter lived.

Dual_EC_DRBG was required for FIPS 140-2 certification, which is required for software that is used to protect sensitive-but-unclassfied information by the US government. So there is some conflict between the two goals above.

Re:Tin foil hat time

So how is SELinux "our" critical information infrastructure? Can't nearly anyone, anywhere, use it?

Re:Tin foil hat time

[swillden]

In other cases (DES I think??? I could be wrong.) the NSA recommended some oddball changes. No one could find a negative consequence of them so they went in - a decade or so later, it turns out that the original implementation of DES DID have a cryptographic flaw and the NSA recommendations fixed that.

Specifically, the S boxes (essentially some translation tables used in the algorithm) in the original design were vulnerable to linear cryptanalysis, which is a cryptanalytic technique that involves constructing systems of linear equations representing the transformations in key portions of the algorithm, then applying mathematical analysis to deduce key and/or plaintext bits. Linear cryptanalysis was unknown in the academic world at the time, but it was apparently known to the NSA. The NSA's changes made DES resistant to linear cryptanalysis.

However, the NSA also reduced the key size and block size from 128 bits to 56 and 64 bits, respectively. This likely made DES vulnerable to brute force attacks by particularly well-funded attackers (e.g., the NSA). Use of multiple DES operations in sequence overcomes this issue and Triple DES today is still considered to be quite strong. So, all in all, the NSA improved DES security. This isn't surprising because it was a core part of their mission; a mission that appears to have been deprecated in the post 9/11 world, but was still very important to the NSA in the 70s.

Re:Tin foil hat time

[Opportunist]

'scuse me, but this here is mindless speculation. If you want serious discussion, take your time machine and set it for 1999.

Re:Tin foil hat time

[Opportunist]

In theory, yes. I just think selling SELinux could be a bit hard. You see what's going on here with things where the NSA might have, allegedly, maybe, could have, possibly, considered influencing the potential eventual implementation of what could have become part of something they could use.

In SELinux there is no doubt about the NSA's involvement. It was one of the effin' selling points of the system.

Now, the whole deal looks good on paper (provided you find a Linux Guru willing and able to administer that monstrosity). But that nagging feeling remains: Do you want to trust a foreign intelligence service that has not allegedly, maybe, possibly spied with impunity on everyone and anyone domestic and abroad just as they feel like, but who has done that with proven certainty?

Re: Tin foil hat time

Keep in mind that it's in the best interest of the nas to strengthen des. They need everyone to use an encryption no one but they can break.

Re:Tin foil hat time

[david_thornley]

IIRC, recently, there were some constants the NSA suggested for elliptical-curve cryptography, and some informed speculation that the NSA might have a method of cracking that specific case. They fixed some problems with DES, but I think they were the ones who suggested the key length, which eventually turned out to be much too short. (Key lengths nowadays are typically 128 bits or more, and cannot be brute-forced with only the resources available in our Solar System.) Overall, I'd tend to trust NSA recommendations when they look reasonable, but I'm suspicious.

Re:Tin foil hat time

Maybe you are thinking of this:

http://linux.slashdot.org/story/13/09/07/195241/john-gilmore-analyzes-nsa-obstruction-of-crypto-in-ipsec

Re:Tin foil hat time

You can tell that AES-256 is NOT backdoored by the NSA since they allow it to be used to protect classified information (NSA Suite B - you can assume anything in Suite B is solid since the NSA is using it themselves.)

Uhhh.... your logic is scary/suspicious here in assuming that because they are using something, it isn't backdoored? As that could simply mean they believe/know that the backdoor isn't something they believe others would be able to take advantage of, or at least not without such sufficient warning that they could switch things out or...

Re: Tin foil hat time

No, AES is one of the versions of the Rijndael algorithm invented by the Belgians in Belgium. It is the one with a 128-bit block and 128, 192, or 256 bit keys. No changes were made by NIST.

Re: Tin foil hat time

It was differential cryptanalysis, not linear.

Re: Tin foil hat time

Of course, if you think they are so advanced, maybe they can crack things they didn't have a hand in too. Maybe, nothing is safe. I'd use a courier if I were you.

No NSA Backdoor

... that we know off...
It's not because we don't see that it is not there !

Re: No NSA Backdoor

See the classic Ken Thompson paper: http://cm.bell-labs.com/who/ken/trust.html

Quote at bottom of my browser window

[OzPeter]

Is this a deliberate choice of quote,or just randomly apropos?

You can fool all the people all of the time if the advertising is right and the budget is big enough. -- Joseph E. Levine

Re:Quote at bottom of my browser window

[jones_supa]

I get the same quote.

A qualified statement

They didn't say "no backdoors", but no NSA backdoors. So what they are saying is there are backdoors, just not NSA.

Re:A qualified statement

[plover]

They didn't qualify it at all. That was the editor who wrote the story, and the Slashdot editor who quoted the story. Neither quoted it from the report. https://opencryptoaudit.org/re...

Very gratifying to see

[sasparillascott]

This was very reassuring to see and I'm very glad the audit was finished finally. The 2nd to the last version (v7.1a) is the gold standard for multi-platform encryption where you can be reasonably sure the NSA/FBI doesn't have a back door (or access to the keys) like they would with Bitlocker etc..

Re:NSA hat time

[sasparillascott]

It's good to remember that the ones the NSA purposely weakened were flag by private experts as being suspect before they were even in place (so people avoided them) and then confirmed as being purposely weakened by the Snowden docs - so the bad ones were flagged - DuckDuckGo is your friend on that. You definitely wouldn't want to be doing the NSA's work though in spreading generalized FUD (fear, uncertainty, doubt) about this encryption application (so people don't use it) that was also pointed out as "secure" by Snowden.

WARNING: TrueCrypt propganda.

"time-boxed nature of the engagement prevented auditors from reviewing the source code in
its entirety"

"...as it is difficult to fully test code on multiple operating systems and configurations."

So in other words, they can't properly test the software and won't be able to.

So in other words, this story is misleading and seems more like propaganda to help bolster TrueCrypt's reputation.

Re:WARNING: TrueCrypt propganda.

You are a cow.

Re:WARNING: TrueCrypt propganda.

[lgw]

"time-boxed nature of the engagement prevented auditors from reviewing the source code in
its entirety, the most relevant areas were investigated thoroughly."

Was the actual quote. Those spring FUD are NSA shills. There were two specific areas they highlighted for more auditing: checking that memory was always securely wiped, and checking oddball disk sector sizes. I'd be surprised if the former were an issue, but they have a point. The latter is exactly the sort of place where bugs lurk, in my experience.

The most important thing they didn't audit, IMO, is the "hidden volumes" feature of TrueCrypt. I'm a bit skeptical of that myself, as steganography is in general a harder problem that cryptography. Hopefully another trusted group will continue the auditing effort via crowd funding.

Re:WARNING: TrueCrypt propganda.

Nice response, please mod up.

A trillion thanks to the TrueCrypt Developers

Whoever you are, you are fantastic people. You've helped millions of people worldwide protect their privacy. And you even had to bear some mentally diseased cretins accusing you of being NSA guys.

Thank you for the fantastic piece of software you have designed.

Please note...

[dark.nebulae]

The NSA is monitoring this thread to identify all of you naysayers...

Re:Please note...

I, for one, am glad for our benevolent NSA overlords. They've been very good to me, mirroring terabyte after terabyte of my downloaded pr0n.

Re:Please note...

Yeah. We noticed you. We don't mind it, storage-wise, but looking through the material really is a hated task here -- if you could reduce the amount of midget gay BSDM you're consuming by just a little bit, we'd be grateful in perpetuity .

Regards,
-NSA

Re:Please note...

[bill_mcgonigle]

Hey, some of us fully support their warrantless search capacity. The TrueCrypt developers' farewell message suggesting that Mac users create a disk image with a null cipher was especially good advice and not at all a warrant canary that they'd been pressured! There is no man behind the curtain, people!

Re: Please note...

Google knows way more about you.

Re: NSA hat time

Unless /u/OzPeter is already working for the NSA

What if the backdoor is well hidden?

[buck-yar]

The shellshock bug went on for a long time with many eyes on the code. How do we know the auditors weren't outmatched and just missed the backdoor?

Re:What if the backdoor is well hidden?

That is what I have been saying too. NSA might have already planted a bunch of backdoors in all sorts of open source software. The agency can easily hire a guy to join an OSS project and contribute useful patches, but also hide a couple of clever backdoors there.

Re:What if the backdoor is well hidden?

[TFlan91]

^ This.

Re:What if the backdoor is well hidden?

[squiggleslash]

Who knows? On the other hand, the many eyes argument with ShellShock is dubious: most people who would have recognized it didn't realize the implications as they weren't looking at it from a security standpoint, and few people actually likely touched or had reason to view that part of the code.

This story, on the other hand, is about an actual security audit. In theory, it is more comprehensive, the researchers were looking for bugs, had a security background and agenda, and so would likely have picked up on ShellShock had it been Bash they were auditing rather than TrueCrypt.

I'm not suggesting there's no chance they've missed anything, but I am saying the process is considerably more thorough and less likely to make a mistake. Bear in mind TrueCrypt has had "many eyes" for a decade or so too. And "many eyes" did, eventually, pick up on ShellShock, it just took longer than anyone would hope.

Re:What if the backdoor is well hidden?

You are never going to "know". Ever. So you have to decide for yourself what is "good enough".

Re:What if the backdoor is well hidden?

[Zappy]

you don't

Re:What if the backdoor is well hidden?

[buck-yar]

So to you this couldn't have been anything but a perfect audit and if there was something, there was a 100% chance it would have been caught.

Naive, or NSA op

Re:What if the backdoor is well hidden?

[swillden]

So to you this couldn't have been anything but a perfect audit and if there was something, there was a 100% chance it would have been caught.

Naive, or NSA op

Reading comprehension fail. Please re-read this sentence from the GP:

I'm not suggesting there's no chance they've missed anything, but I am saying the process is considerably more thorough and less likely to make a mistake.

Absolute certainty is impossible, but audits like this do provide a basis for a reasonable belief that the security of TrueCrypt is good.

Re:What if the backdoor is well hidden?

[Vitriol+Angst]

I suppose then you look at the compiler and the chips on the computer itself.

There are a number of cases where the Government has forced component manufacturers to embed designs on their silicone. Laser printers for instance; for "some reason" all PostScript rasterizing chips at one time could be turned into passive antennas to indicate their location -- and in the Desert Storm war, this allowed the US to find locations that MIGHT be military command centers (assuming a computer next to a printer). Maybe the antennas are still in laser printers. Or maybe the wires in $100 bills allow them to be tracked by remote scanners and be used as listening devices -- yeah, well, who would have thought 40 years ago that metallic ink could be used to create a simple game on a piece of cardboard? There's no reason we couldn't have a pack-man game that was powered by sugary cereal in milk, is there? And, by pointing two lasers at a solid object in a room through a window, it's possible to record whatever sounds occur in that room. So it's only a matter of whether there is an intention and the creativity employed in embedding every day objects to be used to gather information on us.

For instance, let's look at something that IS PROVABLE; if you have a color printer, print out a period in color at the top of the paper. It will go "zip" and then again "zip" near the bottom. In yellow ink, in very small type, you will see a code indicating your printer's registration number. Was that a feature for you, or to track the unwary? Maybe it's just because they were worried about counterfeiters printing out money -- but the point is, your camera, your printer, your MAC address on your computer are ways to identify whatever you make on them. If the device is recorded as being yours -- whatever you do on it is not anonymous to an outfit like the NSA.

The point is; we sit on top of an infrastructure that we ignore as long as it works. Any one of the components of the Internet Routers at CISCO, or the transceiver in your phone, or in your power supply are BELOW the encryption level we assume is the important message.

So as long as you are OK with your location and identity being known, and who you sent the message to -- then encryption may be working OR, all messages have a tag tacked on with the HTTP packet from some underlying bit of hardware that relays information to a router on the internet backbone and is always being sniffed. Maybe those "lost" packets or in the noise.

The point is; it's great that they searched TrueCrypt -- but not at the expense of giving up on being paranoid. If I can think of a dozen vectors to exploit - think of the people who are PAID to come up with new vectors.

Re:What if the backdoor is well hidden?

[Vitriol+Angst]

At the next Black Hat competition, they should really mix it up and have teams trying to embed spy-ware and decryption in lengthy and complex encryption code. Some code would be tainted, other code would be not, and some would just be shoddy so as to obscure the obscure.

It would be interesting to see how easy or hard it is to really catch nefarious code.

Because, unless you or someone working with you can understand EVERY line of code in a program -- and its dependancies, you can't really be sure.

The other thing is, you can have exploitable algorithms that can be manipulated. The "buffer overflow" -- where you stuff malicious code at the end of a command that has more data than the query was designed to handle is not based on malicious code in a program -- just an unforeseen and EXPLOITABLE feature.

To guarantee that a program is not exploitable is more difficult than to guarantee that there are no exploits. And an expert hacker, contributing code, might have done so with the expectation that the backdoor would one day be found. It's now more inconvenient, but perhaps one prime number salts all the random number generation, for instance, and knowing that would reduce the complexity of the pass code by orders of magnitude. Or, a specific string is always at a certain location in all messages after encryption, and the cracking can start by having to find a known 128 bit value in the halfway point of any array of encrypted data -- making the process a bit easier. None of those would yield consistent patterns that might be discovered, without knowing WHY each and every routine does what it does.

OR, you might have infected the compiler, and someone naming a variable; "ReallyGoodPasswordSalt" causes it to compile these little "cracking helpers" into any application that is built on them.

Then you might look a components of the computer executing the instructions. It's possible, for instance, that all INTEL chips or emulators, or maybe a chip from some tiny fab in Asia has a component on your computer that looks for some kind of code, or compiler directive, and embeds a hidden "cracker's helper" in whatever string passes through it. So a contributor, puts in some "good clean code" but they use specific variable names, or common routine calls in a certain order -- all it requires is a "pattern". The Developers don't look for these exploits, because it's not a normal business activity to have men in dark suits show up at an office and tell someone to "build this logic area into your silicon design." They never hear of such things. It's crazy to think of it.

People working at AT&T would have laughed at you if you told them that all the data over their backbone was just copied out -- they still might depending on their level of awareness. Why? Businesses that play ball get special treatment -- like a subcommittee in Congress drops a probe, or there's no lawsuits to break up a monopoly for a while. Whether you think that is nonsense or not, depending on electronics that no one person can know all the functions of means that exploits by an organized and well funded government organization, or maybe an NGO, have more places to hide.

How could we test for a hidden "poisoning" of code on devices we cannot fully guarantee? Perhaps when compiling, have an application take all the variables and libraries and give them new, random names, then compile. See if the same salt, same password, and same text after encryption ends up exactly the same way with both applications.

Try sending out various lengths of encrypted messages from various devices (that are the same), and compare them coming from different equipment, times and locations -- they SHOULD BE the same. If they are not, or the HTTP packets have some unexplained padding and/or different byte lengths, perhaps there is unexplained messaging going on from the devices and not the software.

I'm not in software security, but I do have a devious mind, and if I can think of a way to make encryption more crackable, then others can.

Re:What if the backdoor is well hidden?

So to you this couldn't have been anything but a perfect audit and if there was something, there was a 100% chance it would have been caught.

They never claimed there ARE no backdoors, they claimed they couldn't FIND any backdoors.

The burden is on you and you alone to prove the auditing company actually found a backdoor and claimed otherwise.

The fact there is or is not a backdoor is irrelevant to their claim, and irrelevant to your argument or this discussion.

So go ahead, prove the auditing team lied. Lacking any proof from you, we can only take what they said at face value along with their own evidence proving otherwise.

Once more (as you can't read too well), even if there IS a backdoor, that means nothing. You must prove it was found and lied about, not that it exists.

Re:What if the backdoor is well hidden?

The tin foil hat is strong on this one. And goddamnit, I agree.

Re:What if the backdoor is well hidden?

^ post should be +5 Informative

Their audit doesn't matter...

[frank_adrian314159]

If this hadn't been done ten years before he talked about, it's been done by now. They have everything they want. Live accordingly.

Re:Their audit doesn't matter...

STFU about some old geezers flawed views on trust. If you really knew anything about programing or did a little bit of research on assembly and C you would find it's not a very big concern anymore.

Re:Their audit doesn't matter...

That's detectable. See here. If it had been done with any major compiler, I'm fairly confident it would have been detected by now.

Re:Their audit doesn't matter...

[swillden]

If this hadn't been done ten years before he talked about, it's been done by now. They have everything they want. Live accordingly.

Fortunately, we know how to counter that threat.

It also seems pretty unlikely that the NSA had enough foresight to get VC++ instrumented to subvert TrueCrypt. It's not impossible, but there have been a lot of similar tools over the years, and I don't think the compilers could have been modified to subvert all of them.

Re:Their audit doesn't matter...

It also doesn't matter because TrueCrypt is dead and no one since has truly picked up the code and ran with it because the license sucks.

Re:Their audit doesn't matter...

[david_thornley]

That trick only works if you've got only one compiler. You can detect it and nullify it if you have two independent compilers for the same language. Neither of the two have to be fully trusted, but you do have to assume they're not in cahoots with each other.

Re:Their audit doesn't matter...

...but has anyone actually done it?

It's a nice theory and all, but until someone actually uses GCC to compile Clang, and Clang to compile GCC, and gets the results to output code that is identical to code output by their versions compiled by themselves, then we don't actually know anything.

Having a theory as to how we might find such things is only half of the solution at best.

obvious logic

[slashmydots]

Everyone kept saying they would find a backdoor. Don't you think that logically the NSA shut down the project because they couldn't find a backdoor in it? They would have left it alone if it had an NSA backdoor in it.

Re:obvious logic

Everyone kept saying they would find a backdoor. Don't you think that logically the NSA shut down the project because they couldn't find a backdoor in it? They would have left it alone if it had an NSA backdoor in it.

I am not surprised that they found no backdoors in the source code. I would be very surprised though if the NSA/FBI/whoever didn't distribute or pressure the authors of TrueCrypt to distribute backdoored executables. How many people running TrueCrypt compiled it from source? I'm guessing very few. How many people know how to verify a download's authenticity and integrity? Not many. How many of those even bother? Fewer still.

A backdoor doesn't need to be in the source code to affect the overwhelming majority of TrueCrypt users. In fact, a trustworthy source code would be quite valuable if you were backdooring the precompiled executables because you could get people to trust the program with their data. Placing your backdoor in the source would be idiotic.

(I have no evidence of this happening; I'm just saying it's not only about the source code)

 

Of course, if there -was- an NSA backdoor

they'd be barred from telling us so under pain of GITMO.

Re:Of course, if there -was- an NSA backdoor

[beernutmark]

In that case they would simply say "We have finished our audit." and leave it at that. The implications would be clear.

Re: NSA hat time

/u/OzPeter

Found the redditor!

Thanks for the audit...

...NSA

Haha look up who NCC are

Ex-government organisation

Why the mysterious end of TrueCrypt development?

[derideri]

Last year when TrueCrypt developers suddenly threw in the towel, everyone assumed it was because TrueCrypt had been forced been subverted by the NSA, similar to Lavabit. If that's not the case though, as the audit suggests, then why did the developers suddenly quit?

Rephrase that

"1) One part is tasked with compromising the information infrastructure of our enemies"

And yet they compromise the infrastructure of your allies too. Or maybe I missed the memo and you have pretty much only enemies ?

It's About Trust, not Technology

A non-technical consumer won't know about NCC Group, or Open Crypto Audit Project and will have no reason to trust them.

They need a government/private source that they choose to trust (for any reason good or bad) to endorse their use of encryption.

If trust is lacking, then encryption is not useful to the mass market.

Re:Why the mysterious end of TrueCrypt development

It's a reasonable assumption that the TrueCrypt developers were pressured to subvert the project, but shut it down instead. As you said, similar to Lavabit; recall that Ladar didn't give the Feds what they wanted, he shut down the service rather than compromise his users. I think the same thing happened with Truecrypt.

The audit suggests that no NSA backdoor actually made it into the product. It's still very likely that the gov't tried to force a backdoor, and the developers' response was to abandon ship.

Re:Why the mysterious end of TrueCrypt development

Last year when TrueCrypt developers suddenly threw in the towel, everyone assumed it was because TrueCrypt had been forced been subverted by the NSA, similar to Lavabit. If that's not the case though, as the audit suggests, then why did the developers suddenly quit?

Because they quit instead of implementing the backdoor/vulnerability? Like Lavabit, they had two choices: comply with the demands or abandon the project.

Re:Why the mysterious end of TrueCrypt development

I don't think you quite understood what happened at Lavabit. Lavabit didn't shut down because the NSA got in, they shut down because the NSA wanted to get in and was throwing around their (il-)legal weight. Lavabit have no choice but to close up shop, or go along with the NSA's wishes.

Same thing here. The NSA was likely making legal threats to those working on the project, and they wanted nothing to do with it.

So.. un-random number generation backdoor?

Come on - if the random number generation isn't random... should be pretty obvious..

https://www.schneier.com/essays/archives/2007/11/did_nsa_put_a_secret.html

Audits

It only takes one unlocked door to allow somebody into a bank.

A security flaw on an API is a immediate security threat, and they shouldn't be making such a call anyways.

And the only way to be sure of the security is to audit it yourself and compile it yourself. I'm making my own, then I'm going to encrypt a few hundred petabytes of randome data and send it to the NSA so their machines can gum it to death.

Milhouse is not a meme.

ahhhh.... "the dreaded Rear Admiral "

RNG

The RNG issue on Windows is not trivial.

Re:Why the mysterious end of TrueCrypt development

It would be easier and cheaper for an NSA pencil pusher to write million dollar checks to all the truecrypt developers to have them walk away and claim it is insecure, than to have a team of NSA security experts spend years unsuccessfully trying to crack truecrypt.

Mr Tinfoil and proud of it.

[AftanGustur]

Don't forget that about 20 years ago NSA was introducing flaws by exploiting bugs in the compilers.

I doubt a code-review would find any of these.

NIST Curves are not safe

[psyclone]

Focusing on NIST and the NSA

Choose a safer curve

TrueCrypt Audit: No NSA Backdoors

FOUND YET !

Existence of [Unicorns \ zombie jesus \ Invisible sky friends \ intelligent merkin ] still not disproved yet !

Re:Why the mysterious end of TrueCrypt development

Because all of the asshole users, who couldn't be bothered to donate money to the people writing their encryption software, we ready and willing to donate money to other people who promised to have a look at it.

If you want people to audit TrueCrypt, the obvious choice there is the people who wrote the damn software themselves. In particular, as they already wrote the software for free, there's a fair chance that they'll use your funds to actually review the code, vs. just waiting a year or two and then saying "yeah, we looked at it, it's fine." ...but no, let's not give money to the TrueCrypt project, let's all get excited about giving money to an auditing project and give them as much cash in a few months as the TrueCrypt project would be lucky to see in ten years.

I can't blame them. If users of my software had done the same thing, I'd shut the project down with a big "fuck you" too.

Re:Why the mysterious end of TrueCrypt development

From what I understand, making TrueCrypt work with UEFI systems would have required a major rewrite. It's quite possible that they were already thinking of giving up, and any government pressure just finished it off.

DDC works for free compilers

[tepples]

That's detectable.

Only if the compiler is free software. David A. Wheeler's diverse double-compiling construction requires the compiler's source code. It can provide strong evidence of freedom from "trusting trust"-type attacks for something like Clang, GCC, or Tiny C Compiler, but not for something proprietary such as Visual C++.

Conflict of interest

[tepples]

Fortunately, we know how to counter that threat.

Only Microsoft has the ability to counter that threat because only Microsoft owns a lawfully made copy of the source code to Visual C++. Microsoft also has an interest to promote BitLocker over TrueCrypt.

Re:Conflict of interest

[swillden]

Another option is to build TrueCrypt with a different compiler. There is ongoing work to do that.

"secure"

I love the bit where nerds in their dressing gowns reading slashdot pretend that they have secrets that are so vital that not only do they require completely unbreakable encryption but they pretend they are tougher than Bruce Willis and would of course be able to resist a neverending experience at the hands of some hooded torturer waterboarding you while sawing off your balls with a hacksaw.
Yeah, at least your critical data is totally "secure".