A few weeks ago, after learning about the NSA's efforts to undermine encryption software, I wrote a long post urging developers to re-examine our open source encryption software. Then I went off and got distracted by other things.

Well, I'm still distracted by other things, but people like Kenn White have been getting organized. It is my great pleasure to publicize (and belatedly kick off) an open project to audit the Truecrypt disk encryption tool.

If you already know why this is important, by all means stop reading this post now. Go to the site and donate! It doesn't have to be money, although that would be best. If you're an information security professional/expert/hobbyist, please consider giving us some of your time to help identify bugs in the software.

In case you don't see the reason for a Truecrypt audit, I'm going to devote the remainder of this post to convincing you how important it is. And who knows, maybe I'll even convince you we can do more.

But anonymity isn't the only thing that concerns me about Truecrypt. For one thing, the software does some damned funny things that should make any (correctly) paranoid person think twice. Here I will quote from the Ubuntu Privacy Group's review of Truecrypt 7.0a:

"The Windows version of TrueCrypt 7.0a deviates from the Linux version in that it fills the last 65,024 bytes of the header with random values, whereas the Linux version fills this with encrypted zero bytes. From the point of view of a security analysis the behavior of the Windows version is problematic. By an analysis of the decrypted header data it can't be distinguished whether these are indeed random values or a second encryption of the master and XTR key with a back door password. From the analysis of the source we could preclude that this is a back door... As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in 'TrueCrypt_7.0a_Source.zip', we however can't preclude that the binary Windows package uses the header bytes after the key for a back door."

Which of course tees up the most important concern: even if the Truecrypt source code is trustworthy, there's no reason to believe that the binaries are. And many, many people only encounter Truecrypt as a Windows binary. In my very humble opinion that should worry you.

In short: there are numerous reasons we need to audit this software - and move its build process onto safe, deterministic footing.

The exact terms are still a work in progress, but our proposal breaks down into roughly four components:

Truecrypt uses an odd, potentially non-FOSS license.
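The header check implied by the Ubuntu Privacy Group review quoted above, written out as an added example (this is not code from this post, from the review, or from TrueCrypt itself). It reports whether the trailing region of an already-decrypted header area is zeros (the Linux 7.0a behaviour) or not (the Windows 7.0a behaviour), and then shows why the non-zero case cannot be resolved by inspecting the bytes. The assumptions are mine: the caller has already decrypted the 64 KiB header area with the password-derived header key, the trailing region starts at byte 512 (65,536 - 512 = 65,024, the figure in the review), and because AES-XTS is not in the Python standard library a keyed HMAC-SHA256 counter stream stands in for "encryption under a second password" in the simulated data, which is constructed, not taken from any real volume.

```python
"""
Added example, not code from this post or from TrueCrypt.  Given an
already-decrypted 64 KiB TrueCrypt 7.0a header area, classify the trailing
65,024 bytes and then show that random filler and data encrypted under a
second key have the same byte statistics.

Assumptions (mine, not the post's): header area is 65,536 bytes, trailing
region starts at byte 512; HMAC-SHA256 in counter mode stands in for a real
cipher keystream because AES-XTS is not in the standard library.
"""
import hashlib
import hmac
import math
import os
from collections import Counter

HEADER_AREA_LEN = 65536                              # 64 KiB header area (assumed)
RESERVED_OFFSET = 512                                # salt + encrypted header fields (assumed)
RESERVED_LEN = HEADER_AREA_LEN - RESERVED_OFFSET     # 65,024 bytes, as in the review


def reserved_region(decrypted_header: bytes) -> bytes:
    """Return the trailing 65,024 bytes of a decrypted header area."""
    if len(decrypted_header) != HEADER_AREA_LEN:
        raise ValueError("expected a %d-byte header area" % HEADER_AREA_LEN)
    return decrypted_header[RESERVED_OFFSET:]


def classify_reserved(decrypted_header: bytes) -> str:
    """'zeros' matches the Linux 7.0a behaviour (encrypted zero bytes);
    'nonzero' matches the Windows 7.0a behaviour, which may be random
    filler or, as the review notes, something encrypted under another key."""
    region = reserved_region(decrypted_header)
    return "zeros" if not any(region) else "nonzero"


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (max 8.0)."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keyed_stream(key: bytes, length: int) -> bytes:
    """Stand-in for a cipher keystream: HMAC-SHA256 over a 64-bit counter."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def simulate_decrypted_header(kind: str) -> bytes:
    """Construct a decrypted header area (constructed sample data, not a
    real volume).  The first 512 bytes are a placeholder for the fields."""
    fields = b"TRUE" + bytes(RESERVED_OFFSET - 4)
    if kind == "linux":
        tail = bytes(RESERVED_LEN)                    # zeros after decryption
    elif kind == "windows":
        tail = os.urandom(RESERVED_LEN)               # random filler
    elif kind == "hypothetical_backdoor":
        # Hypothetical case from the review: 64 bytes of master/secondary key
        # material re-encrypted under a second password, then keystream padding.
        master_key = bytes(range(64))
        stream = keyed_stream(b"second-password", RESERVED_LEN)
        tail = bytes(a ^ b for a, b in zip(master_key, stream)) + stream[64:]
    else:
        raise ValueError(kind)
    return fields + tail


def distinguishable_by_entropy(a: bytes, b: bytes, tolerance: float = 0.05) -> bool:
    """True if the two regions' entropies differ by more than `tolerance`."""
    return abs(byte_entropy(a) - byte_entropy(b)) > tolerance


if __name__ == "__main__":
    for kind in ("linux", "windows", "hypothetical_backdoor"):
        header = simulate_decrypted_header(kind)
        region = reserved_region(header)
        print(kind, classify_reserved(header), round(byte_entropy(region), 3))
    win = reserved_region(simulate_decrypted_header("windows"))
    bd = reserved_region(simulate_decrypted_header("hypothetical_backdoor"))
    print("entropy separates random filler from ciphertext:",
          distinguishable_by_entropy(win, bd))
```

`classify_reserved` tells you which of the two behaviours the binary that created a volume followed, but `distinguishable_by_entropy` comes back false for the Windows-style region against the hypothetical one: uniformly random filler and keystream-encrypted key material have the same byte distribution, and no statistical test on the decrypted header will separate them. That is the review's point, and it is why the question is settled only by auditing the shipped binary and building it reproducibly from the published source, not by staring at the header.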