Free Republic


Should Truecrypt be audited?
LinuxBSDos.com ^ | 15 October 2013 | Unknown

Posted on 10/18/2013 9:25:12 AM PDT by ShadowAce

Truecrypt is cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.


TOPICS: Computers/Internet
KEYWORDS: encryption; security; truecrypt

1 posted on 10/18/2013 9:25:12 AM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

2 posted on 10/18/2013 9:25:42 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
The biggest one is that nobody knows who wrote it.

That statement threw me for a loop.

3 posted on 10/18/2013 9:26:32 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Yes. “Trust - but verify” is a good adage.


4 posted on 10/18/2013 9:26:54 AM PDT by Paine in the Neck (Is John's moustache long enough YET?)

To: ShadowAce
It takes a LOT of effort to not leave footprints of some kind.

/johnny

5 posted on 10/18/2013 9:30:59 AM PDT by JRandomFreeper (Gone Galt)

To: ShadowAce
I don't use TrueCrypt, know little about it, but based on the post, looked around a bit. Seems that the issue of "we don't know who wrote this" goes back a few years, at least.

Even the Wiki article on TrueCrypt touches on the anonymity of the authors.

6 posted on 10/18/2013 9:36:23 AM PDT by Cboldt

To: Cboldt
At least with Security-Enhanced Linux, you knew the NSA was working on it and contributing code.

/johnny

7 posted on 10/18/2013 9:44:46 AM PDT by JRandomFreeper (Gone Galt)

To: ShadowAce

8 posted on 10/18/2013 9:45:50 AM PDT by JoeProBono (SOME IMAGES MAY BE DISTURBING VIEWER DISCRETION IS ADVISED;-{)

To: JRandomFreeper
It takes a LOT of effort to not leave footprints of some kind.

Which actually is an argument in favor of the NSA not being behind it.

Standard tradecraft would have been to create a legend with fictional authors. The fact that this was not done implies that it was produced by a person or persons who understood cryptography but were not spies.

9 posted on 10/18/2013 9:55:39 AM PDT by FredZarguna (The sequel, thoroughly pointless, derivative, and boring was like all James Cameron "films.")

To: ShadowAce; COUNTrecount; Nowhere Man; FightThePower!; C. Edmund Wright; jacob allen; ...

Nut-job Conspiracy Theory Ping!

To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...

10 posted on 10/18/2013 9:57:32 AM PDT by null and void (I'm betting on an Obama Trifecta: A Nobel Peace Prize, an Impeachment, AND a War Crimes Trial...)

To: ShadowAce

prism-break.org says the following:

“While TrueCrypt is open source, it is developed in a closed fashion and may receive less review than a comparably openly developed project. That said, it is still probably the best option for file encryption on Windows and OS X.

“If you’re running GNU/Linux, dm-crypt with LUKS is the recommended encryption option.”

Bruce Schneier has about the same comments. I’ve used TrueCrypt and LUKS and probably the best thing to do is run Linux as opposed to Windows.


11 posted on 10/18/2013 10:08:43 AM PDT by NewHampshireDuo
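The dm-crypt/LUKS setup that the prism-break quote above recommends, as an added example that is not from this thread, prism-break.org, TrueCrypt or the cryptsetup project: it creates a file-backed LUKS2 container and then checks the header that cryptsetup luksDump reports, so the cipher and passphrase KDF you asked for are what the volume actually carries (the "trust, but verify" step). The image name vault.img, the mapper name vault and the two luksDump excerpts are constructed for the example; the creation step assumes root and cryptsetup 2.x, while the check itself is plain POSIX shell and awk and runs anywhere.

```shell
#!/bin/sh
# Added example for this thread; not code from prism-break.org, TrueCrypt or
# cryptsetup. Creates a file-backed dm-crypt/LUKS2 container, then verifies
# the header parameters instead of trusting that the format call did what
# was asked. Names below are made up for the example. make_luks_container
# needs root and cryptsetup 2.x; check_luks_dump needs only sh + awk.

IMG=./vault.img   # hypothetical container image
MAP=vault         # hypothetical /dev/mapper name

make_luks_container() {
    # 64 MiB sparse image; AES-256 in XTS mode, argon2id for the passphrase KDF.
    truncate -s 64M "$IMG"
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --pbkdf argon2id --batch-mode "$IMG"
    cryptsetup open "$IMG" "$MAP"
    mkfs.ext4 -q "/dev/mapper/$MAP"
    cryptsetup close "$MAP"
}

# Read `cryptsetup luksDump` output on stdin. Exit 0 only if the header is
# LUKS2, every cipher line is aes-xts-plain64 and every keyslot uses an
# Argon2 PBKDF; exit 1 otherwise (LUKS1, a CBC mode, or PBKDF2 all fail).
# "Cipher key:" lines do not match /[Cc]ipher:/ and are ignored on purpose.
check_luks_dump() {
    awk '
        /^Version:/            { if ($2 != "2") bad = 1 }
        /^[ \t]*[Cc]ipher:/    { if ($2 != "aes-xts-plain64") bad = 1 }
        /^[ \t]*PBKDF:/        { if ($2 !~ /^argon2(i|id)$/) bad = 1 }
        END                    { exit (bad ? 1 : 0) }
    '
}

# Constructed luksDump excerpts (not captured from a real device), trimmed to
# the lines the check looks at and laid out like LUKS2 luksDump output.
GOOD_DUMP='LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4'

# Same layout, but the weak combination an old or hand-tuned format can leave:
# CBC mode for data and PBKDF2 with a low iteration count for the passphrase.
WEAK_DUMP='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-cbc-essiv:sha256

Keyslots:
  0: luks2
        Cipher:     aes-cbc-essiv:sha256
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000'

# On a real container (as root): cryptsetup luksDump "$IMG" | check_luks_dump
# Self-check on the constructed samples, no root needed:
printf '%s\n' "$GOOD_DUMP" | check_luks_dump && echo "good dump: parameters as expected"
printf '%s\n' "$WEAK_DUMP" | check_luks_dump || echo "weak dump: rejected"
```

The check deliberately fails closed: anything it does not recognise as LUKS2 with XTS and Argon2 is reported as bad, which is the behaviour you want from a post-format verification step rather than a permissive allow-list.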

To: NewHampshireDuo

I should have added, yes, it should be audited as should all security software.


12 posted on 10/18/2013 10:11:58 AM PDT by NewHampshireDuo

To: ShadowAce

About 8 years ago, I had to send encrypted docs to the DOJ for work. They asked that I use Truecrypt as it was what they used (at the time). I don’t know much about encryption but the recent revelation regarding the NSA “asking” for SSL certs from websites leads me to believe they have had to come up with other means of circumventing encryption other than cracking it by brute force.


13 posted on 10/18/2013 10:42:09 AM PDT by lwd

To: NewHampshireDuo

Since truecrypt is open source, it doesn’t matter who wrote it. What does matter is EVERY LINE of code. We need at least 2 independent geniuses to audit it.


14 posted on 10/18/2013 11:18:24 AM PDT by 867V309

To: ShadowAce; Ernest_at_the_Beach; martin_fierro; Swordmaker; neverdem

Thanks ShadowAce. Matthew Green:
The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone... But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.
Ironically, this article has an anonymous author.

The security of any encryption standard declines with time; the proliferation of VMs in the OSes, the increased power and speed of processors (including GPUs in particular), and the trivial expense of hardware (including the superseded hardware no one seems to need; Linux got a big foothold in universities as a way of using out-of-work old CPUs tied together to multitask as a simulated supercomputer) mean that the security of new encryption standards probably won't last much longer than the time it takes to announce them.


15 posted on 10/18/2013 11:30:00 AM PDT by SunkenCiv (It's no coincidence that some "conservatives" echo the hard left.)

To: null and void

LOL!


16 posted on 10/18/2013 11:35:11 AM PDT by SunkenCiv (Archer Daniels Midland, Monsanto, and the Bilderbergers are False Flag Ops!!! ;'))

To: null and void

Hmmmmm.... maybe the government should put these coders in charge of the Ocare exchange.

At this point, I figure they watch me all the time.


17 posted on 10/18/2013 2:19:01 PM PDT by Nifster

To: Nifster

Your point’s a little off-topic, but yeah!

Why would anyone need to go enter all their data on the ObamaCare sites: haven’t they already got all this data on us all?

Heck, they know what toppings I put on my Papa John’s this afternoon - don’t they know all the rest, too?


18 posted on 10/18/2013 5:32:40 PM PDT by dagogo redux (A whiff of primitive spirits in the air, harbingers of an impending descent into the feral.)

To: dagogo redux

I was just being snarky, but I am with you. They have it all in the NSA snooping files; I shouldn’t need to input anything.


19 posted on 10/18/2013 6:27:08 PM PDT by Nifster

