Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Encryption Open Source

How I Compiled TrueCrypt For Windows and Matched the Official Binaries 250

First time accepted submitter xavier2dc writes "TrueCrypt is a popular software enabling data protection by means of encryption for all categories of users. It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way. This has led several concerns raised in different places, such as this blog post, this one, this security analysis [PDF], also related on that blog post from which IsTrueCryptAuditedYet? was born. One of the recurring questions is: What if the binaries provided on the website were different than the source code and they included hidden features? To address this issue, I built the software from the official sources in a careful way and was able to match the official binaries. According to my findings, all three recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources."
This discussion has been archived. No new comments can be posted.

How I Compiled TrueCrypt For Windows and Matched the Official Binaries

Comments Filter:
  • by Anonymous Coward on Thursday October 24, 2013 @03:19PM (#45228097)

    But can you trust xavier2dc? It's turtles all the way down.

  • Little Let Down (Score:5, Interesting)

    by Anrego ( 830717 ) * on Thursday October 24, 2013 @03:23PM (#45228171)

    I was kinda hoping he'd built some elaborate timing setup to somehow match the exact timestamps and compile speed as the official binaries were built with.

    This is still a great analysis though, and the detail provided is a fun read and useful insight into the general mindset and method of how this kind of analysis is done.

  • "It is getting even more attention lately following the revelations of the NSA as the authors remain anonymous and no thorough security audit have yet been conducted to prove it is not backdoored in any way."

    What they mean is:
    It is getting even more attention lately[,] following the revelations of the NSA[,] as the authors remain anonymous and no thorough security audit [has] yet been conducted to prove it is not backdoored in any way.

    Oh, you know, so it doesn't say: "revelations of the NSA as the aut
  • by jabberw0k ( 62554 ) on Thursday October 24, 2013 @03:32PM (#45228293) Homepage Journal

    "TrueCrypt is a popular software enabling data protection...

    No, TrueCrypt is a popular piece of software. You don't have "a hardware" or "a clothing" or "an information" — and likewise you cannot have "a software."

  • Did same, found same (Score:5, Interesting)

    by Anonymous Coward on Thursday October 24, 2013 @04:14PM (#45228721)

    I did the exact same thing as in TFA a few days earlier and ended up finding the exact same variations and causes for those variations.
    My conclusion was also identical, binaries are indeed coming from the provided sources and can be trusted if no further backdoor is found in the sources themselves.

    A cryptographic and coding oriented audit is still much required.

  • This thing about TrueCrypt has turned into a test-case for software security practices.

    Loosely, the security audit has three sections: 1) Look at the sources, 2) Look at the license agreement, 3) Verify that the binaries match the sources.

    Item #3 above seems to be a generic problem: assuming that the source is correct, how can people verify that binaries were compiled from the source? Any minor change to the compiler can generate different instructions for the same code, and many compilers insert time-stamp

    • by ledow ( 319597 )

      Include source with the binary, in a non-executable section.

      On first run, the machine builds the source (running as a very limited user) and compares the result against the rest of the binary. If it doesn't match, it simply ignores the binary supplied, replaces it with the new compiled version and signs it with a key unique to your own computer/compiler.

      Of course, there are myriad problems here (not least that commercial software will never be released in that format), but that's the only way "to be sure".

  • by Anonymous Coward

    The NSA wages a massive psychological warfare campaign in yearly psy-ops that are budgeted at multiple billions of dollars. Telling people that good, cheap, easy solutions are 'bad' is very very effective. Most people are very easily manipulated, when messages are regularly inserted into their media of choice.

    Take one real-life NSA project:
    - years ago, the US government passed laws insisting that ALL mobile phones in the USA could be location tracked using ANY viable technology solution. In reality, this m

  • by kbg ( 241421 ) on Thursday October 24, 2013 @06:01PM (#45229709)

    But did this guy check why the Windows version writes mysterious random bytes in the header but not in the Linux version?

  • by kbg ( 241421 ) on Thursday October 24, 2013 @06:19PM (#45229809)

    There is one problem with his findings. In order to compile TrueCrypt you have to use Microsoft Visual C++ compiler, which is made by Microsoft from a closed source. If I was the NSA I would but the backdoor in the compiler and it would get injected into the binary whenever TrueCrypt was compiled.

    • by grub ( 11606 )
      Not just that, you need a very old Microsoft Visual C++: V 1.52

      Why so old? Weaknesses or backdoored? TINFOIL HAT!
      • Re: (Score:3, Informative)

        by xavier2dc ( 3408341 )
        Visual C++ 1.52c is the last version that could generate 16-bit code, which is needed to compile part of the boot loader for full disk/system encryption. The other solution would have been to write all the thing in assembly (or replaced the portion with the pre-compiled code instead), but that wouldn't have made more people happy to reverse-engineer more assembly, would it?

If you didn't have to work so hard, you'd have more time to be depressed.

Working...