Author Topic: TrueCrypt Audit  (Read 7366 times)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
TrueCrypt Audit
« on: October 10, 2013, 06:22 AM »
(In case you aren't familiar with security audits, they are to determine the security of a piece of software and are quite intense.)

A fund has been set up to pay for a security audit of TrueCrypt:

http://www.fundfill....JdDQk211KJDAUfcOw==#

A site is also set up:

http://istruecryptauditedyet.com/

Anyways... Interesting. Publicly and openly audited.

Stay tuned. This could be important...
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

CWuestefeld

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,009
Re: TrueCrypt Audit
« Reply #1 on: October 10, 2013, 12:31 PM »
From the discussion of this that I've seen, there isn't really any reason to suspect that there's a problem. It's just that people want to *prove* that TC is secure, and hasn't been compromised.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,858
Re: TrueCrypt Audit
« Reply #2 on: October 10, 2013, 01:01 PM »
+1 w/CUW


I think it's more that it's just now become important enough that people want to know for sure about TrueCrypt. Especially since misplaced trust in some faulty encryption mechanism is far more dangerous than not having encryption at all.

FWIW I've never heard any credible concerns about TrueCrypt prove out so far.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
Re: TrueCrypt Audit
« Reply #3 on: October 10, 2013, 06:20 PM »
> From the discussion of this that I've seen, there isn't really any reason to suspect that there's a problem. It's just that people want to *prove* that TC is secure, and hasn't been compromised.

On the other hand, it could be the old IBM trick of deliberate spreading of FUD - fear, uncertainty, doubt - on a safe and uncrackable decryption system, by...hmm (I have no idea)...which might cause people to consider it "unsafe".

I'm not sure why anyone would want to do that, of course... :-\

Yes, an audit could help to "prove" things, but then you'd need to audit the other crypto-g schemes (MS, Norton/Symantec, etc.), as a basis of comparison, to establish a level playing field.
Of course, you'd be able to trust the results as no-one would rig the results of such an audit. That would be like suggesting that some government agency spies on our every communication on the Internet and wants to continue doing so, unhindered. A laughable idea.
« Last Edit: October 10, 2013, 06:30 PM by IainB »

Mark0

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 652
Re: TrueCrypt Audit
« Reply #4 on: October 24, 2013, 05:08 PM »
How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries
We show in this article how to reproduce a deterministic compilation process specific to TrueCrypt 7.1a for Windows that matches the official binaries, and relieve the world from at least some concerns.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
Re: TrueCrypt Audit
« Reply #5 on: October 24, 2013, 06:40 PM »
I just skimmed the article, but it looks like a very nice analysis.

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
Re: TrueCrypt Audit
« Reply #6 on: October 25, 2013, 05:42 AM »
> Yes, an audit could help to "prove" things, but then you'd need to audit the other crypto-g schemes (MS, Norton/Symantec, etc.), as a basis of comparison, to establish a level playing field.

Why? The purpose of such an audit is to identify potential weaknesses, intentional or inadvertent, in TrueCrypt. If you want to find out how secure your defenses are against potential attacks the only comparison that matters is against known attack vectors.

Comparisons against other security projects don't really tell you anything useful unless your goal is choosing between multiple programs, all of which are assumed to be vulnerable to some subset of known attack vectors. You could then select the one with either the most desirable or least undesirable traits. However Brand X could be better in every conceivable area than Brand Y and still not be effective enough to do the job.

In fact even the most thorough security audit can't actually prove there aren't vulnerabilities. At best it could show whether it is or isn't vulnerable to the types of attacks generally known among security researchers. However that doesn't tell you whether there are vulnerabilities known only to TrueCrypt developers which the community doesn't know to test for. It's possible a review of the source code might reveal new types of backdoors but probably much more likely they would go undetected.

There is a reasonable comparison to be made in looking at who is behind the development of each program. There's a strong argument to be made that whether a program is free/open or closed is not as good an indicator of how trustworthy it is as the history of the developers. As we already know from the Snowden revelations, the NSA can and does secretly manipulate the development process for open standards and software, building in vulnerabilities which have remained undetected for many years.

For example, what I know about Symantec's close ties to the government and have reason to suspect about their secret dealings with the intelligence community based on apparent spending in support of CISPA makes me distrust any product or service that comes from them.

Of course TrueCrypt's developers have gone to great pains to hide their own identities and also to not only avoid discussing their software's internals but also to punish other people for discussing them in any real detail on their official forum. If they were to take that a step or 2 further it would be perilously close to the companies who have tried to muzzle security researchers who dare to point out weaknesses in their products and those companies I distrust completely.

However the overall pattern of actions by TrueCrypt's developers suggests instead (to me at least) that they're probably just too thin skinned and/or perhaps simply control freaks. Either or both of those qualities makes me uneasy about TrueCrypt but not to a degree even approaching my distrust of Symantec.

In fact they also meet what has become an important criterion for me over the last few months. They don't live in the US. That automatically puts them outside the primary sphere of NSA influence. Since, as an American, my encrypted data is more likely to be the target of US intelligence and law enforcement agencies than those of foreign powers, that weighs heavily in their favor even if there are secret backdoors.
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
Re: TrueCrypt Audit
« Reply #7 on: October 28, 2013, 11:16 PM »
^^ +1 for what @Vurbal said: Spot-on. Some food for thought.    :Thmbsup:

> Yes, an audit could help to "prove" things, but then you'd need to audit the other crypto-g schemes (MS, Norton/Symantec, etc.), as a basis of comparison, to establish a level playing field.

> Why? ...

My comment was kinda tongue-in-cheek, as I couldn't see a particularly compelling and valid reason for selecting TrueCrypt out of the stack, almost at random, and it could arguably be a complete waste of time, mostly for the reasons you pointed out.
I only said it could help, I didn't say it would necessarily prove anything. Audits of anything always have potential value.

However, recommending audits can be a damaging thing. Suggesting out of the blue that something "needs to be independently audited" carries with it an unfounded and implicit suggestion that scrutiny is required as there is or may be or could be something dubious about it - it's a bit like casting aspersions. Anyway, that's when my BS alert went off and I suspected FUD. I guess I've seen it too often before not to be wary of it.

Some people (not me, you understand), not knowing much about TrueCrypt and after reading the audit suggestion, might prefer caution and could well decide to hold off using TrueCrypt for the first time until much later, after it has been thoroughly audited, if ever. Especially after the SnowdenGate NSA revelations. They might say "How could we know but that the NSA haven't already compromised the code for their own illegal/nefarious purposes, or that some other criminal organisation hasn't already done so for that matter?" (And here they would presumably define "criminal" as "deliberately acting outside of and against international laws and/or the laws of a nation state".) However, I couldn't possibly comment.

On the other hand, some people (not me, you understand) might say that, for all we know, the NSA or other criminal organisation has already found TrueCrypt to be one amongst several of the most frustratingly impenetrable encryption methods out there in the public domain, and would like to dissuade people from using it for that very reason, but again, I couldn't possibly comment.
« Last Edit: October 28, 2013, 11:21 PM by IainB, Reason: Minor correction. »

Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
Re: TrueCrypt Audit
« Reply #8 on: October 29, 2013, 07:07 AM »
> ^^ +1 for what @Vurbal said: Spot-on. Some food for thought.    :Thmbsup:
>
> > Yes, an audit could help to "prove" things, but then you'd need to audit the other crypto-g schemes (MS, Norton/Symantec, etc.), as a basis of comparison, to establish a level playing field.
>
> > Why? ...
>
> My comment was kinda tongue-in-cheek, as I couldn't see a particularly compelling and valid reason for selecting TrueCrypt out of the stack, almost at random, and it could arguably be a complete waste of time, mostly for the reasons you pointed out.
> I only said it could help, I didn't say it would necessarily prove anything. Audits of anything always have potential value.

Fair enough. I couldn't really tell how much, if any, of your post was entirely serious.  :)

> However, recommending audits can be a damaging thing. Suggesting out of the blue that something "needs to be independently audited" carries with it an unfounded and implicit suggestion that scrutiny is required as there is or may be or could be something dubious about it - it's a bit like casting aspersions. Anyway, that's when my BS alert went off and I suspected FUD. I guess I've seen it too often before not to be wary of it.

I would agree that it's important to be careful about how you suggest it needs an audit. However, the default assumption about any security product should be that it isn't effective until some level of auditing has been completed. Likewise, the public should be educated on that point, although once again in a responsible manner rather than one that spreads FUD.