TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect - Slashdot

Slashdot is powered by your submissions, so send in your scoop

×

TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect 131

Posted by samzenpus on Monday June 02, 2014 @04:50PM from the many-eyes dept.

msm1267 (2804139) writes "A cryptanalysis of TrueCrypt will proceed as planned, said organizers of the Open Crypto Audit Project who announced the technical leads of the second phase of the audit and that there will be a crowdsourcing aspect to phase two. The next phase of the audit, which will include an examination of everything including the random number generators, cipher suites, crypto protocols and more, could be wrapped up by the end of the summer."

This discussion has been archived. No new comments can be posted.

TrueCrypt Cryptanalysis To Include Crowdsourcing Aspect

Search 131 Comments Log In/Create an Account

Comments Filter:

Truecrypt fork (Score:2, Informative)

by Anonymous Coward writes: on Monday June 02, 2014 @05:33PM (#47149891)

The beauty of opensource is good projects never die.
http://truecrypt.ch/

Share
twitter facebook
Re:Open Source it (Score:5, Informative)

by Anonymous Coward writes: on Monday June 02, 2014 @05:41PM (#47149967)

TrueCrypt's source code is based on the earlier tool, Encryption For The Masses (E4M) [1997] by Paul LeRoux, who abandoned it in 2000 when he joined SecurStar to make the closed-source DriveCrypt with Shaun Hollingworth (who wrote a predecessor, Scramdisk). That's why the licence looks the (horrible) way it looks; it's an update of the E4M licence.
When the TrueCrypt Team released the first version of their fork, the project lead David Tesarik got a whole bunch of nastygrams from a manager at SecurStar who alleged Paul LeRoux had stolen E4M from them and open-sourced it without their permission: https://groups.google.com/forum/#!topic/alt.security.scramdisk/HYa8Wb_4acs
Which was complete bullshit, of course, as E4M had been opened years before SecurStar existed and they themselves published it on their website under the E4M licence, so nothing actually came of it - except 9x support was removed because it used Shaun's 'Scramdisk' driver, and he hadn't given permission to distribute with E4M if the name was changed, hence 1.0a.
Wouldn't be surprised if there was a Slashdot article about it. Peter Gutmann suggested it'd be right up /.'s alley. :) /akr

Parent Share
twitter facebook
Re:Truecrypt fork (Score:5, Informative)

by Rhymoid ( 3568547 ) writes: on Monday June 02, 2014 @07:18PM (#47150697)
- .cn: China
- .ch: Switzerland (Confoederatio Helvetica; Latin, because the four languages used in Schweiz/Suisse/Svizzera/Svizra don't otherwise agree on the appropriate abbreviation)
Parent Share
twitter facebook
Re:Crowdsourcing (Score:5, Informative)

by Kjella ( 173770 ) writes: on Monday June 02, 2014 @07:19PM (#47150715) Homepage

The TrueCrypt source is also - by most accounts - a huge ungodly mess that hasn't seen a significant update in at least the past two years.
Not seen a significant update in at least two years, check. But huge, ungodly mess? Nah, 4.45 MB uncompressed, subtract 491 kB bitmaps and icons, 902 kB user guide, 117 kB license and readme texts in several versions, 250 kb string localization, 150 kB resource, project and solution files and you're talking approximated 2.5 MB code, divided into several logical directories. I skimmed the main files and they look decently formatted and commented, on the longish side but with plenty whitespace. I think probably under 100 kLOC total, a lot of it standard cryptographic primitives, installer, GUI and so on. Once you've made sure they don't contain any funny business the actual logical core seems to be more like 20-30 kLOC, quite manageable for one man to grasp.

Parent Share
twitter facebook
Re:Crowdsourcing (Score:5, Informative)

by WaywardGeek ( 1480513 ) writes: on Monday June 02, 2014 @10:23PM (#47151819) Journal

It's actually just a bit over 110 kLOC, but you were close. The crypto code is mostly very good. The GUI code must have been written by someone else, because it totally sucks, IMO. I was just porting it to wxgtk3.0 today from wxgtk2.8, and of course all the crypto compiled without even a warning, other than some AES code I need to look into. The GUI was a freaking nightmare. They implemented their own string class. How stupid is that? Well, they didn't just implement a string class, but they implemented a directory string class, a filename string class, a "volume" string class, a "volume info" string class, and about a dozen other string classes, most of which don't actually have any useful functionality, and just require all kinds of casting operators. Stupid stupid stupid...
I haven't looked at the firewall between the GUI and crypto code yet. Obviously there's a fuse driver in Linux and I would not expect it to link with the GUI code at all, but I need to check. Given that the crypto code rocks, and the GUI code sucks, it's critical that they be in separate processes. That would be needed in any case, since you can't trust all that GUI library code living in the same process as the crypto core.

Parent Share
twitter facebook
Re:Crowdsourcing (Score:5, Informative)

by xeoron ( 639412 ) writes: on Monday June 02, 2014 @10:25PM (#47151833) Homepage

As of last weekend, it is in the process of being forked. New community site here [truecrypt.ch]

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

390 comments32-Hour Workweek for America Proposed by Senator Bernie Sanders
358 commentsWhat Should Happen to Empty Downtown Office Spaces?
340 commentsHacktivism Erupts In Response To Hamas-Israel War
324 comments'Feedback' Is Now Too Harsh. The New Word is 'Feedforward'
248 commentsWorkers are Resisting Calls to Return to Offices

Life is a whim of several billion cells to be you for a while.