Should Truecrypt be audited?
Posted on 10/18/2013 9:25:12 AM PDT by ShadowAce
Truecrypt is cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered good disk encryption software, and not too long ago I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).
Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.
In a recently published article on his blog (see Let's audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:
The problem with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don't know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.
But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, authorship is a better predictor of quality than openness. I would feel better if I knew who the TrueCrypt authors were.
So that's why Professor Green has launched a project to audit the Truecrypt code. It's a challenging project with very specific objectives, and it will require many hands on deck. Details are available here.
That statement threw me for a loop.
Yes. “Trust - but verify” is a good adage.
Even the Wiki article on TrueCrypt touches on the anonymity of the authors.
Which actually is an argument in favor of the NSA not being behind it.
Standard tradecraft would have been to create a legend with fictional authors. The fact that this was not done implies that it was produced by a person or persons who understood cryptography but were not spies.
Nut-job Conspiracy Theory Ping!
To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...
prism-break.org says the following:
“While TrueCrypt is open source, it is developed in a closed fashion and may receive less review than a comparably openly developed project. That said, it is still probably the best option for file encryption on Windows and OS X.
“If you're running GNU/Linux, dm-crypt with LUKS is the recommended encryption option.”
Bruce Schneier has about the same comments. I’ve used TrueCrypt and LUKS and probably the best thing to do is run Linux as opposed to Windows.
I should have added, yes, it should be audited as should all security software.
About 8 years ago, I had to send encrypted docs to the DOJ for work. They asked that I use Truecrypt as it was what they used (at the time). I don’t know much about encryption but the recent revelation regarding the NSA “asking” for SSL certs from websites leads me to believe they have had to come up with other means of circumventing encryption other than cracking it by brute force.
Since truecrypt is open source, it doesn’t matter who wrote it. What does matter is EVERY LINE of code. We need at least 2 independent geniuses to audit it.
The problem with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don't know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone... But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, authorship is a better predictor of quality than openness. I would feel better if I knew who the TrueCrypt authors were.
Ironically, this article has an anonymous author.
Hmmmmm.... maybe the government should put these coders in charge of the Ocare exchange.
At this point, I figure they watch me all the time.
Your point’s a little off-topic, but yeah!
Why would anyone need to go enter all their data on the ObamaCare sites: haven’t they already got all this data on us all?
Heck, they know what toppings I put on my Papa John’s this afternoon - don’t they know all the rest, too?
I was just being snarky, but I am with you. They have it all in the NSA snooping files; I shouldn't need to input anything.