Forgot your password?
typodupeerror
Security Encryption

TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect 131

Posted by samzenpus
from the many-eyes dept.
msm1267 (2804139) writes "A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two. The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer."
This discussion has been archived. No new comments can be posted.

TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect

Comments Filter:
  • Truecrypt fork (Score:2, Informative)

    by Anonymous Coward on Monday June 02, 2014 @05:33PM (#47149891)

    The beauty of opensource is good projects never die.

    http://truecrypt.ch/

  • Re:Open Source it (Score:5, Informative)

    by Anonymous Coward on Monday June 02, 2014 @05:41PM (#47149967)

    TrueCrypt's source code is based on the earlier tool, Encryption For The Masses (E4M) [1997] by Paul LeRoux, who abandoned it in 2000 when he joined SecurStar to make the closed-source DriveCrypt with Shaun Hollingworth (who wrote a predecessor, Scramdisk). That's why the licence looks the (horrible) way it looks; it's an update of the E4M licence.

    When the TrueCrypt Team released the first version of their fork, the project lead David Tesarik got a whole bunch of nastygrams from a manager at SecurStar who alleged Paul LeRoux had stolen E4M from them and open-sourced it without their permission: https://groups.google.com/forum/#!topic/alt.security.scramdisk/HYa8Wb_4acs

    Which was complete bullshit, of course, as E4M had been opened years before SecurStar existed and they themselves published it on their website under the E4M licence, so nothing actually came of it - except 9x support was removed because it used Shaun's 'Scramdisk' driver, and he hadn't given permission to distribute with E4M if the name was changed, hence 1.0a.

    Wouldn't be surprised if there was a Slashdot article about it. Peter Gutmann suggested it'd be right up /.'s alley. :) /akr

  • Re:Truecrypt fork (Score:5, Informative)

    by Rhymoid (3568547) on Monday June 02, 2014 @07:18PM (#47150697)
    • .cn: China
    • .ch: Switzerland (Confoederatio Helvetica; Latin, because the four languages used in Schweiz/Suisse/Svizzera/Svizra don't otherwise agree on the appropriate abbreviation)
  • Re:Crowdsourcing (Score:5, Informative)

    by Kjella (173770) on Monday June 02, 2014 @07:19PM (#47150715) Homepage

    The TrueCrypt source is also - by most accounts - a huge ungodly mess that hasn't seen a significant update in at least the past two years.

    Not seen a significant update in at least two years, check. But huge, ungodly mess? Nah, 4.45 MB uncompressed, subtract 491 kB bitmaps and icons, 902 kB user guide, 117 kB license and readme texts in several versions, 250 kb string localization, 150 kB resource, project and solution files and you're talking approximated 2.5 MB code, divided into several logical directories. I skimmed the main files and they look decently formatted and commented, on the longish side but with plenty whitespace. I think probably under 100 kLOC total, a lot of it standard cryptographic primitives, installer, GUI and so on. Once you've made sure they don't contain any funny business the actual logical core seems to be more like 20-30 kLOC, quite manageable for one man to grasp.

  • Re:Crowdsourcing (Score:5, Informative)

    by WaywardGeek (1480513) on Monday June 02, 2014 @10:23PM (#47151819) Journal

    It's actually just a bit over 110 kLOC, but you were close. The crypto code is mostly very good. The GUI code must have been written by someone else, because it totally sucks, IMO. I was just porting it to wxgtk3.0 today from wxgtk2.8, and of course all the crypto compiled without even a warning, other than some AES code I need to look into. The GUI was a freaking nightmare. They implemented their own string class. How stupid is that? Well, they didn't just implement a string class, but they implemented a directory string class, a filename string class, a "volume" string class, a "volume info" string class, and about a dozen other string classes, most of which don't actually have any useful functionality, and just require all kinds of casting operators. Stupid stupid stupid...

    I haven't looked at the firewall between the GUI and crypto code yet. Obviously there's a fuse driver in Linux and I would not expect it to link with the GUI code at all, but I need to check. Given that the crypto code rocks, and the GUI code sucks, it's critical that they be in separate processes. That would be needed in any case, since you can't trust all that GUI library code living in the same process as the crypto core.

  • Re:Crowdsourcing (Score:5, Informative)

    by xeoron (639412) on Monday June 02, 2014 @10:25PM (#47151833) Homepage
    As of last weekend, it is in the process of being forked. New community site here [truecrypt.ch]

Is a person who blows up banks an econoclast?

Working...