Should Truecrypt be audited?

LinuxBSDos.com ^ | 15 October 2013 | Unknown

[ShadowAce]

Truecrypt is a cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered a good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.

[ShadowAce]

[ShadowAce]

The biggest one is that nobody knows who wrote it.

That statement threw me for a loop.

[Paine in the Neck]

Yes. “Trust - but verify” is a good adage.

[JRandomFreeper]

It takes a LOT of effort to not leave footprints of some kind.

/johnny

[Cboldt]

I don't use TrueCrypt, know little about it, but based on the post, looked around a bit. Seems that the issue of "we don't know who wrote this" goes back a few years, at least.

Even the Wiki article on TrueCrypt touches on the anonymity of the authors.

[JRandomFreeper]

At least with Security-Enhanced Linux, you knew the NSA was working on it and contributing code.

/johnny

[JoeProBono]

[FredZarguna]

It takes a LOT of effort to not leave footprints of some kind.

Which actually is an argument in favor of the NSA not being behind it.

Standard tradecraft would have been to create a legend with fictional authors. The fact that this was not done implies that it was produced by a person or persons who understood cryptography but were not spies.

[null and void]

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...

[NewHampshireDuo]

prism-break.org says the following:

“While TrueCrypt is open source, it is developed in a closed fashion and may receive less review than a comparably openly developed project. That said, it is still probably the best option for file encryption on Windows and OS X.

“If you’re running GNU/Linux, dm-crypt with LUKS is the recommended encryption option.”

Bruce Schneier has about the same comments. I’ve used TrueCrypt and LUKS and probably the best thing to do is run Linux as opposed to Windows.

[NewHampshireDuo]

I should have added, yes, it should be audited as should all security software.

[lwd]

About 8 years ago, I had to send encrypted docs to the DOJ for work. They asked that I use Truecrypt as it was what they used (at the time). I don’t know much about encryption but the recent revelation regarding the NSA “asking” for SSL certs from websites leads me to believe they have had to come up with other means of circumventing encryption other than cracking it by brute force.

[867V309]

Since truecrypt is open source, it doesn’t matter who wrote it. What does matter is EVERY LINE of code. We need at least 2 independent geniuses to audit it.

[SunkenCiv]

Thanks ShadowAce. Matthew Green:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone... But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

Ironically, this article has an anonymous author.

The security of any encryption standard declines with time; the proliferation of VMs in the OSes, the increased power and speed of processors (including GPUs in particular), and the trivial expense of hardware (including the superseded hardware no one seems to need; Linux got a big foothold in universities as a way of using out-of-work old CPUs tied together to multitask as a simulated supercomputer), means that the security of new encryption standards probably won't last much longer than the time it takes to announce them.

[SunkenCiv]

LOL!

[Nifster]

Hmmmmm.... maybe the government should put these coders in charge of the Ocare exchange.

At this point, I figure they watch me all the time

[dagogo redux]

Your point’s a little off-topic, but yeah!

Why would anyone need to go enter all their data on the ObamaCare sites: haven’t they already got all this data on us all?

Heck, they know what toppings I put on my Papa John’s this afternoon - don’t they know all the rest, too?

[Nifster]

I was just being snarky but I am with you. They have it all in the NSA snooping files I shouldn’t need to input anything