Auditors Release Verified Repositories of TrueCrypt
Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.
The message that the TrueCrypt developers posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.
Re:Differences between 7.1a and 7.2a (Score:5, Informative)
Match (Score:5, Informative)
Only anecdotal, but I have a copy of "TrueCrypt Setup 7.1a.exe" that I downloaded from truecrypt.org on May 25, 2012, with a SHA-1 sum of 7689d038c76bd1df695d295c026961e50e4a62ea, which matches the same file in this repository.
Re:7.1a for x64 linux (Score:5, Informative)
That was actually the first step of the audit - to ensure repeatable builds and ensure the source matched the object (well, the Windows version - the Linux version was built and verified by many people over the years, but the Windows build took some non-default make setting and then it matched, so confirmation of that was ~1 year ago).
Qatar ball (Score:4, Informative)
That's fine so long as home and the library don't use the same ISP. Cable monopolies tend to do this, such as if home uses Xfinity and the library uses Comcast Business. In extreme cases, an entire country's web traffic passes through the same proxy, as when Wikipedia temporarily blocked all editing from Qatar [slashdot.org].
Oh, and a correction to an error that I failed to spot in preview: "from the poster's computer to the reader's computer" at the end of #47205895 was supposed to be "from Dice to the reader's computer".
Matches mine, but I also have 64-bit Linux & M (Score:4, Informative)
Here's mine:
2667681 Apr 9 2013 truecrypt-7.1a-linux-x64.tar.gz
9526318 Jan 20 2013 TrueCrypt 7.1a Mac OS X.dmg
3466248 Jan 20 2013 TrueCrypt Setup 7.1a.exe
$ sha1sum *
086cf24fad36c2c99a6ac32774833c74091acc4d truecrypt-7.1a-linux-x64.tar.gz
16e6d7675d63fba9bb75a9983397e3fb610459a1 TrueCrypt 7.1a Mac OS X.dmg
7689d038c76bd1df695d295c026961e50e4a62ea TrueCrypt Setup 7.1a.exe
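The hash comparison described in this thread, written out as an added example (not code from the article, the OCAP repository, or any commenter): it checks a directory of downloaded files against a coreutils-style digest manifest in the same "<hex>  <filename>" shape as the sha1sum output above, picking SHA-1 or SHA-2 from the digest length. All file names, contents and digests in the demo are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

_ALGO_BY_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}  # hex digest length -> algorithm


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse coreutils-style '<hex>  <filename>' lines; filenames may contain spaces."""
    expected = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, sep, name = line.partition("  ")  # sha1sum/sha256sum separate with two spaces
        if not sep or len(digest) not in _ALGO_BY_LEN:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()  # a leading '*' marks binary mode
    return expected


def file_digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:  # stream in 1 MiB chunks; installer images can be large
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, manifest_text: str) -> Dict[str, str]:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = Path(directory, name)
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = file_digest(path, _ALGO_BY_LEN[len(digest)])
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Constructed sample data: one intact file, one altered file, one missing file."""
    good = b"constructed stand-in for a release archive\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "release-7.1a.tar.gz").write_bytes(good)
        Path(d, "Release Setup 7.1a.exe").write_bytes(good + b"altered")  # any change flips the digest
        manifest = "\n".join([
            hashlib.sha1(good).hexdigest() + "  release-7.1a.tar.gz",
            hashlib.sha256(good).hexdigest() + "  Release Setup 7.1a.exe",
            "0" * 64 + "  not-present.dmg",  # placeholder digest for a file we do not have
        ])
        return verify_directory(d, manifest)
```

A manifest assembled from several independent sources (as the OCAP team did with SHA2 hashes from other repositories) can be fed to `verify_directory` unchanged, since it accepts mixed SHA-1 and SHA-2 lines.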
Re:7.1a for x64 linux (Score:5, Informative)
I believe I read about this guy [concordia.ca] on slashdot a year-ish ago. He verified the Windows binary comes from the official source. I replicated most of his steps, until I became a believer. It is the actual source used to compile the 7.1a binary.
Now, if you're afraid of back-doors, be afraid of what is already in the official source, all 110K+ lines of it.