
Should Truecrypt be audited?

TrueCrypt is discontinued

Truecrypt is free, cross-platform disk encryption software for Windows and Unix-like operating systems. It is generally considered good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.

wumpus
10 years ago

Stupid question. Two questions you should be asking are:

1. Should you use unaudited security software?
NO.
2. Is auditing Truecrypt worth $25k?
Probably. Support of $16k before word got out seems to indicate that people are coughing up for it.

Sum Yung Gai
10 years ago

Got a problem with TrueCrypt? Well, if you’re using Microsoft or Apple software, then you’re already “pwn3d” by “We Know Whom” in the first place. Therefore, first thing to do is switch to a F/OSS platform like GNU/Linux or *BSD. Second thing to do is do an encrypted-partition installation. On GNU/Linux systems, I encrypt everything but the /boot partition. I consider that a reasonable mitigation of risk for my purposes. If “We Know Who” breaks into my house and installs a backdoor on /boot without my knowledge, then I’ve got a much bigger problem anyway. But if you know your computer’s been touched or tampered with (e.g. your computer got confiscated and then eventually returned to you), well, that’s what booting from a Knoppix or other Live-CD is for. 🙂 Same applies to backup media, BTW. Use the native GNU/Linux or *BSD tools to do the encrypting, and you should be good to go.

–SYG

Tyler
10 years ago

I use and trust Truecrypt, but I believe it should be audited. All open-source (even closed source) should be looked at in detail.

Bob Robertson
10 years ago

What a silly question.

YES, it SHOULD be audited.
