
An update on Truecrypt - clarkm
http://blog.cryptographyengineering.com/2013/12/an-update-on-truecrypt.html
======
daeken
> I usually take a pretty skeptical attitude on this blog when it comes to
> Internet security. For the most part we do things wrong, and I used to think
> most people didn't care. The fact is that I was wrong. If the response to
> our audit call is any evidence, you do care. You care a lot.

I used to feel the exact same way the author did initially. It wasn't until
this year, between teaching a class on security (whose demand I still can't
even remotely fathom) and becoming more outspoken about my concerns around the
way we handle security, that I really started to realize that people do care
deeply about security. That said, most people don't know enough to positively
impact security, but that's a problem of education; it's something I'm hoping
to put a serious dent in over the next year.

~~~
eps
> Education

Make sure to cover responsible disclosure.

~~~
lawnchair_larry
This is subjective, and it's rather presumptuous to claim one particular
philosophy as the "responsible" one. Microsoft rejected this term for that
reason, despite the fact that it would benefit them.

------
ThinkBeat
I cannot explain exactly why but something about this project rubs me the
wrong way.

So much time spent doing bureaucratic things, organizing, raising money. Have
meetings, set up a board.

Did the authors, the people who wrote the code, that did all that work,
receive such ample payment for their role? Should not some of the money raised
be offered to the developers? (Some say that they are anonymous; I don't know if
that is true, but they do take donations on the site.) Let's give them 70% of
the money raised to work on TrueCrypt and make it even more amazing.

The developers did all that work for free (?), but now these people have to
get paid really well to see if what the devs did is correct.

Seems to me most of the money goes towards hiring a for-profit consulting
company. Great way to drum up business I guess.

Meanwhile: From the official TrueCrypt FAQ:

Q: TrueCrypt is open-source, but has anybody actually reviewed the source
code?

A: Yes. In fact, the source code is constantly being reviewed by many
independent researchers and users. We know this because many bugs and several
security issues have been discovered by independent researchers (including
some well-known ones) while reviewing the source code.

So the reviews and audits have been going on for a long time by many
individuals around the world. Anyone can do it.

As far as I know, Linux has never been subjected to a formal audit. It has
been gawked at by thousands and thousands of individuals. None of them read
the whole thing for sure, but parts.

~~~
mhogomchungu
Some people are raising funds to review truecrypt code, meaning they will
always be one step behind truecrypt and there are others who are working on
truecrypt compatible implementations[1][2][3].

It is my opinion that some of this money would be better off if it went to
supporting these independent projects that allow management of truecrypt
formatted encrypted volumes without using truecrypt. It is possible to manage
truecrypt volumes without using truecrypt binary from truecrypt people.

[1] [https://github.com/bwalex/tc-play/](https://github.com/bwalex/tc-play/)

[2] [http://code.google.com/p/cryptsetup/](http://code.google.com/p/cryptsetup/)

[3] [http://code.google.com/p/zulucrypt/](http://code.google.com/p/zulucrypt/)

~~~
tptacek
The money was donated to the Truecrypt audit project. It cannot go to other
projects.

------
salient
> And finally, the most exciting news: we've signed a first contract with iSEC
> partners to evaluate large portions of the Windows software and bootloader
> code. This review will begin in January.

That's huge. I assume you're not referring to having access to the Windows
source code, though.

Here's a crazy idea. After the whole NSA stuff, many governments are going to
require Microsoft to give them access to the source code, if they want them to
continue using it, or buy the new versions of Windows. Any chance you could
contact such a government, to allow you to do the audit on their behalf, or to
work together with them on it?

That would be a win-win for everyone. They get a team of experts to review the
Windows code base, and you get to know everything about Windows. They probably
won't be very eager to get Americans to do this for them, though, so make sure
you flaunt all of your credentials.

~~~
mintplant
> After the whole NSA stuff, many governments are going to require Microsoft
> to give them access to the source code, if they want them to continue using
> it, or buy the new versions of Windows.

That's interesting to hear. Got any more information on that?

~~~
Zigurd
Microsoft has made source code available to governments for quite a long time
now. However I don't think Microsoft has ever made _buildable_ source code
available, nor does it intend to.

~~~
gejjaxxita
Can you explain what you mean? How is it the source code if it's not
buildable?

~~~
karlmdavis
Think about the largest, most complex codebase you've ever worked on. Then,
remove any architecture documentation, wikis, etc. used to document how it's
all tied together. Then, remove the build scripts and any lib folders.

Imagine how much fun it'd be trying to get that to build. Multiply the terror
that inspires by (at least) 100x.

~~~
patio11
I think everything you say is likely to be accurate. However, given that we're
talking about a nation state in an adversarial context, remember the relevant
comparison is "Express the pain of black-box reconstructing the Windows build
process in terms of ACEs (aircraft carrier equivalents)."

I very much doubt that building Windows is a 10 ACE problem, or a 1 ACE
problem, or a 0.1 ACE problem.

~~~
kro0ub
Where can more info be found on the "ACE" metric?

~~~
mechanical_fish
[https://en.wikipedia.org/wiki/Jane's_Fighting_Ships](https://en.wikipedia.org/wiki/Jane's_Fighting_Ships)

Or if you're lazy you just Google up this Wikipedia entry:

[https://en.wikipedia.org/wiki/List_of_aircraft_carriers_of_t...](https://en.wikipedia.org/wiki/List_of_aircraft_carriers_of_the_United_States_Navy)

The USA has ten active _Nimitz_-class aircraft carriers. Wikipedia claims
that the most recent, the USS _George H.W. Bush_, was completed in 2009 at a
cost of $6.2 billion. A bargain compared to the projected cost of the USS
_Gerald R. Ford_, now under construction with a budget of $15.5 billion.

These numbers are ridiculously overlarge in this context, of course, which is
the point. Access to the Windows build toolchain is not even a $10M project.
It's not a technical problem. You start by just offering the money to the
company. A few million dollars, plus a history of enforcing your TOP SECRET
security clearances, plus credible assurances that you're not going to launch
a competing product, is probably enough to convince the company to just _give_
you what you want. Quietly, of course. No need to spook the other customers.

If that doesn't work, there's always espionage.

------
aareet
This, in a nutshell, is the underutilized value of open source - the ability
for the general public to conduct a trustworthy third party audit and validate
security claims of software creators.

~~~
tptacek
Not really. This is the value of crowdsourcing. The audit itself is being
conducted by a professional software security firm (our sister company, as it
happens) and their portion of it might only have cost a small factor more had
complete source code not been available. It's the money and expertise that are
making this possible, not the source code.

(Don't get me wrong: I strongly prefer open source software to closed.)

~~~
nabla9
I have a question.

Can the government issue a gag order to a security firm doing an audit and
prevent them from releasing backdoors or intentional weaknesses they discover?

~~~
tptacek
No.

~~~
whyme
I'm surprised you're so confident considering how many experts were shocked to
discover how far the US govt had been able to go.

~~~
tptacek
Comes from an understanding of how service providers actually get gagged: the
courts _actively issue a gag rule_ based on orders _they themselves issued_.
That can't be true of basic science.

~~~
shiven
What if the powers that be decide to "classify" the results/reports? I would
guess that would be a big legal hurdle. But if things get to that point, a
copy of the report would probably show up on wikileaks... I guess?

~~~
eli
That's not how classification works.

~~~
tptacek
It's also not how research works. For something to be restrained from
publication, the government needs to know it exists. But with new research
results, they can't know what to restrain until it's too late.

They could try passing a law outlawing security research, but: good luck with
that.

~~~
polarix
Don't they now know what to restrain? (due to this post, at the very least...)

------
apaprocki
Tip for gaining more donations: once they get 501(c)(3) status, many larger
companies have established charity matching programs. Usually it just takes
some employee initiative to ask for an organization to be added (/ paperwork
verified) and then companies will match donations. In addition, philanthropy
departments can be petitioned for grants. Given all the recent news, that
might generate a decent amount of grants.

------
wil421
This is extremely awesome and I support it. I have sensitive files with tax
info and some software keys I like to keep protected. NSA aside I don't want
some malware or vulnerability in my system allowing intruders to take my
stuff.

~~~
kirubakaran
Can't malware just keylog your passphrase?

~~~
wil421
Sure it could, but would it be smart enough to find the crypt file? Hopefully
McAfee can help with the key logger.

