
Security Researchers Want To Fully Audit Truecrypt

Hugh Pickens DOT Com writes "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it. Now Cyrus Farivar reports in Ars Technica that a fundraiser reached more than $16,000 in a public call to perform a full security audit on TrueCrypt. 'Lots of people use it to store very sensitive information,' writes Matthew Green, a well-known cryptography professor at Johns Hopkins University. 'That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents. We should be sweating bullets about the security of a piece of software like this.' According to Green, Truecrypt 'does some damned funny things that should make any (correctly) paranoid person think twice.' The Ubuntu Privacy Group says the behavior of the Windows version [of Truecrypt 7.0] is problematic. 'As it can't be ruled out that the published Windows executable of Truecrypt 7.0a is compiled from a different source code than the code published in "TrueCrypt_7.0a_Source.zip" we however can't preclude that the binary Windows package uses the header bytes after the key for a back door.' Green is one of the people leading the charge to set up the audit, and he helped create the website istruecryptauditedyet.com. 'We're now in a place where we have nearly, but not quite enough to get a serious audit done.'"
  • Waitaminit... (Score:4, Interesting)

    by Shoten ( 260439 ) on Wednesday October 16, 2013 @10:13AM (#45142725)

    ...I thought the main point of the "open source is more secure" argument was that this process supposedly happened on its own, organically?

  • I'm all for an audit (Score:2, Interesting)

    by koan ( 80826 ) on Wednesday October 16, 2013 @10:31AM (#45142911)

    I do have one question: if you need reliable encryption and privacy, why is your operating system Windows?

  • Re:Waitaminit... (Score:3, Interesting)

    by Anonymous Coward on Wednesday October 16, 2013 @10:40AM (#45143013)

    Actually, he makes a good argument that should be taken seriously. Just because it is open source doesn't mean anyone is actually auditing it. If it happened often and spontaneously, there would be no need to raise $16,000 to support an audit.

  • by mlts ( 1038732 ) * on Wednesday October 16, 2013 @11:01AM (#45143247)

    Truecrypt's main advantage is that it is cross platform. I can make a TC volume on Windows, stash it on Dropbox, then later on open it on my Mac or Linux box.

    However, each of the operating systems generally has some method which doesn't have the hidden volumes and the plausible deniability aspect, but some form of volume encryption.

    OS X has FileVault 2, which can encrypt drives with a couple clicks. OS X also has a utility that makes sparse images, using "bands", which allows one to have an encrypted volume grow and shrink as needed. Of course, there is a loss of security with this feature, but it adds versatility.

    Linux has LUKS and dm-crypt (Android uses a modified version of dm-crypt to protect the /data partition in newer revs.)

    Windows has BitLocker. Windows 8 and newer's implementation of BitLocker allows for it to ask for a password before boot even if a TPM chip isn't present. Of course, not all Windows editions have BitLocker usable.

    Of course, there are third party utilities. PGP (the commercial version owned by Symantec) comes to mind, which can encrypt Windows, Linux, and Mac volumes. I doubt this would ever be possible, but if their code was released with a free license, this likely would be the best Truecrypt replacement, although it wouldn't have hidden volume functionality.

  • Oh really? (Score:4, Interesting)

    by Sperbels ( 1008585 ) on Wednesday October 16, 2013 @11:01AM (#45143255)

    "TrueCrypt has been part of security-minded users' toolkits for nearly a decade — but there's one problem: no one has ever conducted a full security audit on it except the NSA.

    FTFY

  • Re:A thought (Score:4, Interesting)

    by TheCarp ( 96830 ) <sjc.carpanet@net> on Wednesday October 16, 2013 @11:18AM (#45143431) Homepage

    I have used FreeOTFE before, and kind of forgotten about it. As it happens, I am looking for something just like this now for use with some USB keys I need to use to share data at different places.

    Now that I look at it I see this on Wikipedia:
    "The FreeOTFE website is unreachable as of June 2013 and the domain name is now registered by a new owner."

    So I asked, is it even being maintained? I know it's open source, but it's good to know if a project is actively maintained too. Apparently the place to go is Sourceforge as freeotfe.org is something else now: http://sourceforge.net/projects/freeotfe.mirror/

    AND the latest release is several months after the original website disappeared, so it looks like somebody is working on it anyway. May be just what I needed.

  • by Anonymous Coward on Wednesday October 16, 2013 @11:40AM (#45143673)

    Be in no doubt. You are NOT witnessing an attempt to ensure the security of Truecrypt. You ARE seeing a standard FUD play by NSA people against one of the greatest thorns in their side.

    Put this in the same category as those regular stories that appear on Slashdot and elsewhere, telling you that you CANNOT ever be sure that your erased data on your Hard-drive cannot be recovered by sophisticated forensic analysis of the magnetic surface. The NSA even paid to have a peer-reviewed paper placed in the scientific literature claiming such recovery is possible, despite the fact that such a claim is provably laughable.

    Here's the mathematical proof of NON-recoverability of properly deleted data.
    - let us say that you fill a HDD with target data, and now over-write that data with a RANDOM series of bytes. If the original data CAN be recovered, we have DOUBLED the capacity of the HDD, because logically there can be no distinction between the original data, and the random data used to erase it.
    - now, let's say we wipe again with another random sequence. If the original data can be recovered, we have TRIPLED the capacity of the HDD, for the reason stated above.
    - and again, we wipe with another random wave. If the original data is STILL recoverable, we have quadrupled the functioning capacity of the HDD.
    - repeat, etc.

    The problem is that the HDD is designed, given the head, recording signal, and surface material, to only support the original capacity under the signal theory that covers the current method of recording. It does NOT matter that in theory, the disk material MAY be able to save far more data with a different head, and signal method. Only the current method matters.

    But the owners of Slashdot will allow periodic FUD articles to appear that DISCOURAGE people from using proper file erase tools, on the basis that it's actually a waste of time, because the NSA can still get your data no matter how you erase it.

    Much of what the NSA engages in is PSYCHOLOGICAL WARFARE. Major US TV networks and film studios, for instance, have been ordered to NEVER reveal the fact that ALL mobile phones in the USA have their location continually tracked by cell tower triangulation methods. While it is actually LAW in the US that every cell phone must have continuous location tracking ability, the US government believes many criminals are inherently stupid, and will allow their cell phones to produce evidence against them ***IF*** they have false ideas about how cell phone technology works. US Dramas like 'Shameless' (the US remake) and films like 'The Call' have actually informed the audience that ONLY phones with real GPS chips can be location-tracked, a complete and total lie, but a lie designed to sink into the unsophisticated minds of the sheeple.

    The truth about the strength of Truecrypt is the complete LACK of stories about Truecrypt being defeated in practice. Shills will try to tell you that this is because Truecrypt is defeated in super-secret cases you can't be allowed to hear about, but this is a nonsense for two reasons. If you are a high level target of the NSA, nothing can save you, so the security of any encryption system is irrelevant. If systems like Truecrypt are defeated as part of ordinary governmental actions, the government, by law, has to allow this fact to be known (the RIGHT to a fair trial, etc).

    So instead, you get this FUD attack against Truecrypt, which will persuade a certain percentage of suckers to NOT bother using Truecrypt in the first place, give up using it, or transfer to a commercial alternative that is DEFINITELY compromised by the NSA (ALL commercial encryption software is compromised).

  • by johanw ( 1001493 ) on Wednesday October 16, 2013 @11:50AM (#45143775)

    The current version of TrueCrypt is 7.1a. Why are they only talking of older versions?

  • Re:A costly analysis (Score:4, Interesting)

    by mlts ( 1038732 ) * on Wednesday October 16, 2013 @12:08PM (#45143985)

    Similar with me. The NSA invading privacy is one issue, but I have higher priorities on my list to guard against. I like packing my own parachute so if some criminal organization hacks my remote storage provider [1], the data is still secure.

    Is TrueCrypt insecure? Unknown. Is it good enough to keep a criminal organization out of my old tax papers? More likely than not, although I have been moving to storing data in GnuPG [2] encrypted ZIP archives with an accompanying signature and manifest file (also encrypted) which will allow the contents to be opened up on more platforms than just what TC supports.

    [1]: When deploying a storage service in a private cloud, I deployed it where the data stored on the SAN LUNs were encrypted. This made great internal PR, but it still didn't solve the problem that if someone hacked the client, the data was a sftp command away from being slurped off.

    [2]: Well, on Linux and OS X, GnuPG. On Windows, Symantec's PGP Desktop because it supports my ancient Aladdin (now SafeNet) eTokens.

  • Re:A costly analysis (Score:4, Interesting)

    by rahvin112 ( 446269 ) on Wednesday October 16, 2013 @12:23PM (#45144169)

    The only IRS punishment going on is the IRS trying to stop political groups claiming they are charities. Something Congress themselves should have fixed rather than leave it to the IRS to try to sort out all the liars. When Crossroads GPS, a superPAC created by Karl Rove of all people, is claiming to be a charity there is a WHOLE lot of lying going on.
