
New effort to fully audit TrueCrypt raises $16,000+ in a few short weeks - laurent123456
http://arstechnica.com/security/2013/10/new-effort-to-fully-audit-truecrypt-raises-over-16000-in-a-few-short-weeks/
======
thex86
Cool! Maybe, finally, as a result of public scrutiny, TrueCrypt will have a
public repository. You know, it's 2013. I cannot think of any reason why the
software you will possibly trust with your life does not have code in a public
repository.

Till that time, we will and we should doubt it.

~~~
cantrevealname
> the software ... does not have code in a public repository

Yes, TrueCrypt should use a revision control system like Git or SVN. However,
your comment can be misinterpreted as saying that TrueCrypt doesn't release
source code at all.

It's worth mentioning that the full source code is available (here:
[http://www.truecrypt.org/downloads2](http://www.truecrypt.org/downloads2)).

------
kevinpet
Apparently TrueCrypt still has the crazy license which no one can quite figure
out if it's an amateur attempt to write an open source license, or an
extremely subtle trap to lure people into thinking it's an open source license
so that they can later sue.

~~~
nodata
It's not open source:
[http://opensource.org/licenses](http://opensource.org/licenses)

~~~
richardfontana
The absence of the TrueCrypt license on the OSI-certified list itself does not
signify much, since the license was AFAIK never submitted for OSI approval,
but Linux distros among others have raised concerns about several versions of
the license in the past, and the current one continues to be problematic IMO.
Some recent discussion has been going on on the OSI license-discuss mailing
list for those interested: see
[http://projects.opensource.org/pipermail/license-discuss/201...](http://projects.opensource.org/pipermail/license-discuss/2013-October/001293.html)
and followup messages.

(Disclaimer: am an OSI director and also am Red Hat lawyer who was involved in
reviewing and rejecting the TrueCrypt license for Fedora.)

~~~
nodata
Thanks for the info, there's a lot of old information around.

The Wikipedia page seems to indicate you (as Red Hat) have no further
objections:
[https://en.wikipedia.org/wiki/TrueCrypt#Licensing_and_Open_S...](https://en.wikipedia.org/wiki/TrueCrypt#Licensing_and_Open_Source_status)
- I guess this is wrong.

And the OSI minutes page seems to indicate the TrueCrypt license was going to
be rejected (maybe I'm misreading this):
[http://opensource.org/minutes20061213](http://opensource.org/minutes20061213)
- but this is from 2006.

~~~
richardfontana
The assertion that TrueCrypt "has now managed to fix all the problems cited by
Red Hat Legal (relayed by Tom Callaway)" is false (I'm not Tom Callaway but I
am confident he would agree with me on this). The points I mention in the
license-discuss posting yesterday
[http://projects.opensource.org/pipermail/license-discuss/201...](http://projects.opensource.org/pipermail/license-discuss/2013-October/001313.html)
were applicable (as far as I can remember) to earlier versions we looked at
and as to which we raised concerns to TrueCrypt.

As I noted in that posting, TrueCrypt did change _some_ things in response to
the barrage of criticism, but not enough.

------
laurent123456
> There’s just one problem: no one knows who created the software.

What do they mean by this? Do we literally not know who created Truecrypt?

~~~
cantrevealname
> Do we literally not know who created Truecrypt?

Yes, that's right. (The very earliest version was based on work 13 years ago
by Paul Le Roux, but it's undergone enormous work since then by some person or
group.)

TrueCrypt is a popular, carefully designed, well written, well maintained,
highly stable and non-trivial application, but its authors are completely
unknown. The open source world does have some quiet humble people, but it
seems surprising that the authors want to remain totally anonymous for
developing a legitimate and well-respected product.

~~~
hrktb
Interesting. About anonymity, there is always the case where you don't want
people knocking at your door to ask for backdoors, hidden vulnerabilities or
any other requests about the software that you don't want to deal with.

------
dmix
I've abandoned truecrypt for Tomb in the meantime
[http://www.dyne.org/software/tomb/](http://www.dyne.org/software/tomb/)

~~~
cantrevealname
Let's not forget that an enormous number of people in the world still use
Windows. We need a secure, reliable, and free solution for them. The only app
that currently fills these requirements for Windows is TrueCrypt.

That's why I think it's a great idea to do a security audit of TrueCrypt since
that's the best available solution for a big segment of the world's
population.

~~~
shawnz
> We need a secure, reliable, and free solution for them. The only app that
> currently fills these requirements for Windows is TrueCrypt.

What's wrong with BitLocker?

EDIT: Keep in mind we are just talking about Windows solutions here. And if
Windows is backdoored, it is not going to make much difference if BitLocker is
also backdoored by the same agency.

~~~
chiph
Rampant speculation that it has been back-doored by the NSA.

Also, not cross-platform.

------
devx
I hope they've taken a snapshot of the software _before_ announcing the
crowdfunding campaign. If there has been any update since then, and it had any
backdoor, it may have already been removed.

------
rdl
The best thing someone could do for TrueCrypt security is to very publicly
release a version with a backdoor, easily exploited, and difficult to detect,
for anyone else to distribute. By making that a real threat, users will end up
checking their source/compilation/results, protecting them against the same
threat from real attackers.

~~~
cantrevealname
That might be a cute object lesson in good security practice for the security
cognoscenti, but the overwhelming majority of potential users in the world
will just throw up their hands in despair and say that we can't trust anything
and privacy is impossible.

If we want ordinary people to benefit from TrueCrypt, a better idea would be
to find secure ways of distributing signed and verified copies of the binary.
I'm saying binary because most users in the world will be ordinary Windows and
Mac users, not software developers. Most people in the world cannot compile
from source.

Also, as a first step, we need to do this security audit of TrueCrypt.

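The "signed and verified copies of the binary" idea above is the one technical suggestion in this thread, so here is an added example of what that verification looks like end to end. This is illustrative code written for this page, not TrueCrypt's release process or any tool it ships; the Ed25519 key pair it generates stands in for a publisher's real release key, whose public half a user would have to obtain out of band (not from the same download page), and the "binary" is a constructed byte string.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is a hypothetical download bundle: the binary, the SHA-256 digest
// the publisher lists next to it, and the publisher's Ed25519 signature over
// that digest. A digest alone from the same web page proves nothing, because
// whoever swaps the binary can swap the digest too; the signature ties the
// digest to a key the user pinned independently.
type Release struct {
	Binary    []byte
	Digest    [32]byte
	Signature []byte
}

// SignRelease is the publisher side: hash the binary and sign the digest.
// In practice this runs once, offline, with the private key.
func SignRelease(priv ed25519.PrivateKey, binary []byte) Release {
	d := sha256.Sum256(binary)
	return Release{Binary: binary, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyRelease is the downloader side, given only the pinned public key:
// recompute the digest, compare it to the published one, then check that the
// signature over the digest is valid under the pinned key.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	d := sha256.Sum256(r.Binary)
	if !bytes.Equal(d[:], r.Digest[:]) {
		return fmt.Errorf("digest mismatch: binary differs from what was published")
	}
	if !ed25519.Verify(pub, d[:], r.Signature) {
		return fmt.Errorf("signature invalid: not signed by the pinned publisher key")
	}
	return nil
}

// Demo exercises three cases against a constructed stand-in binary:
// the genuine release, a copy with one byte flipped after signing, and a
// copy re-signed by a different (attacker) key. It returns whether each one
// verified, so the outcome can be checked rather than just printed.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the publisher's release key
	if err != nil {
		return
	}
	binary := []byte("MZ\x90\x00 constructed stand-in for installer bytes") // constructed sample

	rel := SignRelease(priv, binary)
	genuine = VerifyRelease(pub, rel) == nil

	// Tamper with a single byte after signing, as a mirror or MITM might.
	bad := rel
	bad.Binary = append([]byte(nil), rel.Binary...)
	bad.Binary[len(bad.Binary)-1] ^= 0x01
	tampered = VerifyRelease(pub, bad) == nil

	// An attacker can produce a perfectly consistent digest and signature with
	// their own key; only the pinned public key lets the user reject it.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged := SignRelease(attackerPriv, binary)
	wrongKey = VerifyRelease(pub, forged) == nil
	return
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine release verifies:", genuine)   // true
	fmt.Println("tampered release verifies:", tampered) // false
	fmt.Println("wrong-key release verifies:", wrongKey) // false
}
```

The point for the ordinary-user case raised above is the key pinning step: the verification itself is mechanical, but it is only as good as the channel through which the user first obtained the publisher's public key, which is exactly what app stores and distro repositories bundle into the platform so the user never has to do it by hand.
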
~~~
rdl
(Not saying auditing truecrypt is bad; I'll probably donate some $ once I get
back to the US)

This problem already exists, and is actually something Mac App Store,
iOS/iTunes store, and Google Play do a pretty good job of solving; I assume
there are some similar solutions for Windows (I don't really know the windows
consumer software distribution space).

The extensions improvements in Chrome/Firefox (and I guess other browsers, but
I don't follow them) also are a great step forward toward this.

Ubuntu/Debian do a pretty good job of locking down main repositories, too.
It's really just a matter of training users that downloading random code from
random URLs is risky.

Once locked-down distribution hits critical mass, you can probably get away
with making it even more difficult and obvious-to-the-user-he-is-doing-something-risky
in "sideloading" applications. You can also have corp/org
security policies which prohibit this kind of thing.

Obviously there are sacrifices for this -- it becomes possible for a platform
owner to restrict availability of apps based on non-security considerations,
like being anti-porn (Apple), complying with the union of laws of all
countries, etc. Or just outright commercial anti-competitiveness (again,
mostly Apple...)

------
dmishe
So um how do we know that none of the people conducting this audit are
secretly working for NSA?

Somewhat james bond-y idea but you get the point.

~~~
tptacek
This is the new Slashdot "First Post", isn't it?

~~~
dmishe
What?

~~~
tptacek
Kids these days.

~~~
YuriNiyazov
My god, we are old, Thomas. This is what most graybeards must feel like.

------
mynameishere
Here's the thing...if any government organization actually goes through a
truecrypt backdoor or flaw, the odds are very good that the news will get out.
Yeah, if they seize a computer, crack it and never provide the unencrypted
information to a court or other public forum (and somehow shut-up the
perpetrator), they could keep it secret. But what's the point?

~~~
cantrevealname
Your claim is that use of decrypted information would reveal the backdoor.

I'll offer the Enigma cipher as a counterexample:

The British were regularly reading and _acting upon_ encrypted German messages
in 1940. It may have changed the course of World War II! The Germans did not
learn that the British had broken the code despite German ships being sunk
based on the Enigma crack. In fact, nobody in the public knew until 1974.
(ref: [http://en.wikipedia.org/wiki/Ultra#Post-war_disclosures](http://en.wikipedia.org/wiki/Ultra#Post-war_disclosures))

A government organization could make good use of a TrueCrypt backdoor without
it ever being revealed in court or a public forum. They can act on the
information using a pretext for example.

~~~
mynameishere
I'm trying to imagine a parallel circumstance and I cannot. Most governments
would not use truecrypt, but rather something they have control of themselves.
The people using truecrypt illicitly are ordinary criminals: Gangsters, child
pornographers, terrorists (maybe), money-launderers, drug dealers, etc. The
information revealed by a crack is not something that can be used in the
manner of that by espionage. (ie, it won't tell us that Rommel will be
approaching Cairo at such-and-such a date.) Information via espionage can be
filtered down as if it were from other intelligence sources, or even guessing.
And so the exploit can be concealed as with Ultra.

But to use truecrypt against the people who are _actually using it for crime_
you would almost certainly have to reveal the exploit publicly in a court.

~~~
cantrevealname
Precisely the circumstances you're trying to imagine are being created by the
DEA using information from NSA intercepts:

"(Reuters) - A secretive U.S. Drug Enforcement Administration unit is
funnelling information from intelligence intercepts, wiretaps, informants and
a massive database of telephone records to authorities across the nation to
help them launch criminal investigations of Americans. Although these cases
rarely involve national security issues, documents reviewed by Reuters show
that law enforcement agents have been directed to conceal how such
investigations truly begin - not only from defence lawyers but also sometimes
from prosecutors and judges. The undated documents show that federal agents
are trained to _recreate_ the investigative trail to effectively cover up
where the information originated."

I recommend the whole article here:

[http://uk.reuters.com/article/2013/08/05/uk-dea-sod-idUKBRE9...](http://uk.reuters.com/article/2013/08/05/uk-dea-sod-idUKBRE9740HP20130805)

~~~
tedunangst
How does that apply to TrueCrypt? Is the claim that TrueCrypt is secretly
siphoning off data and feeding it to the NSA? Or is the claim that the NSA
sent a dude to sneak into my house, image my hard drive, and then decrypt it?

~~~
cantrevealname
If you sync your TrueCrypt volume to Dropbox or other cloud storage (an
excellent use case for TrueCrypt, by the way), a backdoor could be exploited
by whoever has access to the Internet traffic or the servers.

