Security Researchers Want To Fully Audit Truecrypt
Hugh Pickens DOT Com writes "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it. Now Cyrus Farivar reports in Ars Technica that a fundraiser reached more than $16,000 in a public call to perform a full security audit on TrueCrypt. 'Lots of people use it to store very sensitive information,' writes Matthew Green, a well-known cryptography professor at Johns Hopkins University. 'That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this.' According to Green, Truecrypt 'does some damned funny things that should make any (correctly) paranoid person think twice.' The Ubuntu Privacy Group says the behavior of the Windows version [of Truecrypt 7.0] is problematic. 'As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in "TrueCrypt_7.0a_Source.zip" we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.' Green is one of the people leading the charge to set up the audit, and he helped create the website istruecryptauditedyet.com. 'We're now in a place where we have nearly, but not quite enough to get a serious audit done.'"
Different Source Code for Different Versions? (Score:5, Funny)
Re:Typo? (Score:5, Funny)
Re:Typo? (Score:4, Funny)
Yeah, it's a typo. The privacy report says in the last full paragraph on page 13:
As it can't be ruled out that the published Windows executable of TrueCrypt 7.0a is compiled from a different source code than the code published in “TrueCrypt 7.0a Source.zip” we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.
Seems the author retyped the statement themselves rather than just copying and pasting, then the summary carried it over.
As I can't make sense of this sentence even as corrected, I however can't preclude that there is still a typo.
Best encryption ever (Score:5, Funny)
I use the best encryption ever for everything I need to keep secret. The algorithm is a simple bitwise XOR applied to every byte in the file, using the data itself as a one-time pad. Completely uncrackable unless you know the data that was used for the pad.
The output also compresses really well!
=Smidge=
Re:Best encryption ever (Score:2, Funny)
Good, but the decryption is o(god).
Re:Typo? (Score:2, Funny)
Wait. You trust Clippy?
It looks like you're trying to keep a secret. Would you like me to search online for help on keeping secrets?
Re:Typo? (Score:4, Funny)
Between the copy action and the paste action, the NSA was able to get in, read the copied text, parse it and then subtly alter it in order to cause confusion and distrust among us. We must act now!
I found an apt quotation from Edmund Burke we should all take to heart regarding acting against the NSA. I'll copy it here:
"The only thing necessary for the triumph of evil is for good men to do something."