Should Truecrypt be audited?

Truecrypt is a cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered a good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.

Related Posts

Administrations sponsor extension of open source network monitoring tool Several public administrations in Spain are sponsoring the development of Zorb, an open source extension to Nagios, an open source network monitoring ...
These reCAPTCHAs where not meant to be read by humans A reCAPTCHA is supposed to make business tough for bots yet easy for humans to decipher. But we all know how annoying those things can be - for humans...
What’s LXD? Editor's Note: LXD is also pronounced L-X-D, which is my prefered pronunciation. So, what's LXD? Don't worry, if you don't know the answer, you...
Linux Deepin needs your help with the Deepin Localization Project Linux Deepin is a desktop distribution that's based on Ubuntu Desktop. It is a Chinese distribution and one of the very few Linux distributions th...
Pixelknot: Steganography app for Android With digital privacy, security and anonymity in the public consciousness, thanks to information revealed by Edward Snowden, any tool or application th...
Mozilla to sell ads in Firefox browser via the Directory Tiles program Mozilla has plans to start showing ads to first-time users of the Firefox browser. For the target group of users, the ads will appear alongside other ...

We Recommend These Vendors and Free Offers

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


5 Comments

  1. Stupid question. Two questions you should be asking are:

    1. Should you use unaudited security software?
    NO.
    2. Is auditing Truecrypt work $25k?
    Probably. Support of $16k before word got out seems to indicate that people are coughing up for it.

  2. Sum Yung Gai

    Got a problem with TrueCrypt? Well, if you’re using Microsoft or Apple software, then you’re already “pwn3d” by “We Know Whom” in the first place. Therefore, first thing to do is switch to a F/OSS platform like GNU/Linux or *BSD. Second thing to do is do an encrypted-partition installation. On GNU/Linux systems, I encrypt everything but the /boot partition. I consider that a reasonable mitigation of risk for my purposes. If “We Know Who” breaks into my house and installs a backdoor on /boot without my knowledge, then I’ve got a much bigger problem anyway. But if you know your computer’s been touched or tampered with (e. g. your computer got confiscated and then eventually returned to you), well, that’s what booting from a Knoppix or other Live-CD is for. 🙂 Same applies to backup media, BTW. Use the native GNU/Linux or *BSD tools to do the encrypting, and you should be good to go.

    –SYG

  3. I use and trust truecrypt

    but I believe it should be audited. all open-source (even closed source) should be looked at in details

    • But you can’t audit the source code of closed source tools. As such we can only trust that they are clean, that is, free of intentionally placed malware, also known as backdoors.

  4. Bob Robertson

    What a silly question.

    YES, it SHOULD be audited.

Leave a Comment

Your email address will not be published. Required fields are marked *

*