
TrueCrypt To Go Through a Crowdfunded, Public Security Audit

An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that if you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that is exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)

  • Re:Please, Google (Score:4, Insightful)

    by epyT-R ( 613989 ) on Thursday November 07, 2013 @07:08PM (#45362115)

    Are you nuts?

  • Re:Hmmm... (Score:5, Insightful)

    by lgw ( 121541 ) on Thursday November 07, 2013 @07:12PM (#45362157) Journal

    But who will audit the auditors?

    Gorillas!

    Seriously, a fully public audit is the best possible approach. You can never be 100% sure, but you can get close enough if the audit attracts enough talent. This is the true promise of open source: moving from "in theory, you could look at the source", yahright, to "here's the crowdfunding for experts to openly audit the open source". That's something.

  • Re:Free testing (Score:5, Insightful)

    by rudy_wayne ( 414635 ) on Thursday November 07, 2013 @07:19PM (#45362223)

    If you think better, stronger encryption is the answer, then you don't understand the problem.

    In 2011 the Foreign Intelligence Surveillance Court issued a ruling that many of the NSA's activities were illegal and unconstitutional. You'll notice that this had no effect on the NSA's spying because (a) It was a secret order issued by a secret court and nobody knew about it until just recently and (b) There is essentially no oversight of the NSA which means they are free to do whatever they want.

    So, even if you have some super-duper unbreakable encryption, which has been audited and you can guarantee that it contains no NSA backdoors, so what? If the NSA can't break your encryption they'll simply yell "National Security" and get a secret order from a secret court compelling you to decrypt your stuff or face prosecution -- prosecution which will be carried out in secret, making it impossible to defend yourself.

    If you've been paying attention, you see what the real problem is.

  • by kbg ( 241421 ) on Thursday November 07, 2013 @07:24PM (#45362285)

    The Windows version is compiled with MSVC, which almost certainly has an NSA backdoor that gets compiled into the TrueCrypt binary.

  • by vux984 ( 928602 ) on Thursday November 07, 2013 @07:54PM (#45362589)

    Sure, vote it up as a point that the toolchain is always suspect, but saying MSVC is injecting backdoors into everything it compiles is just plain idiotic.

  • by badasawsomeness ( 3025411 ) on Thursday November 07, 2013 @07:55PM (#45362599)

    I feel like this has been reported on 5 times by now. Yes we know they are raising money, please no more updates until the findings from the audit are in.

    In the meantime is there any actual point to this? While TrueCrypt can be one of the best methods for a typical home user or even tech-savvy business person to encrypt that naughty folder. But it honestly isn't as widely used as they make it out to be. Most software or businesses use their own encryption. Not to mention the nature of TrueCrypt means it's most often used to secure local files or drives, meaning unless the NSA has direct control over your computer they really can't get at your stuff.

    Also would this resolve anything? As soon as the audit is done people will either question the findings for one reason or another. When in the end all the audit can say is if there is an intentional backdoor or if there is an obvious flaw in the code that would leave it vulnerable. Even if neither of these turns up there is still a very real chance the NSA found their own unintentional flaw in the code that allows them to greatly reduce the time required to decrypt the drive.

  • Re:Please, Google (Score:2, Insightful)

    by joelleo ( 900926 ) on Thursday November 07, 2013 @08:19PM (#45362799)

    They also apparently:

    hacked my Power Supply by implanting a trasp device in My Bose Speakers and possibly my high end water machine that sent malware farts through my electrical grid and tunneled into my system that way.

    sounds TOTALLY not paranoid schizophrenic.

    On topic, Truecrypt is just a tool. It can't be "subverted" to do evil - it just exists and people can use it for 'good' or 'evil.' My hammer is really good at pounding nails ('good',) but would work equally well in password extraction ('evil') =)
