Came here in search of an answer to a problem, but didn't find it? Visit the forum @ LinuxBSDos.com, pick a category and ask a question.
Exact matches only
Search in title
Search in content
Search in posts
Search in pages

Should Truecrypt be audited?

Truecrypt is a cross-platform, free disk encryption software for Windows and Unix-like operating systems. It is generally considered a good disk encryption software, and not too long ago, I wrote a tutorial that showed how to encrypt the Windows installation of a Windows-Linux dual-boot setup (see Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs).

Truecrypt is said to be published under an open source license, but in some quarters, its license has not been accepted as a valid open source license. And some of those people believe it has a backdoor. Guess who is widely believed to be responsible for that backdoor.

In a recently published article on his blog (see Let’s audit Truecrypt!), Matthew Green, a cryptographer and research professor at Johns Hopkins University, Baltimore, Maryland, wrote that:

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what we can trust anymore. We now have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, is a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness’. I would feel better if I knew who the TrueCrypt authors were.

So that’s why Professor Green has launched a project to audit the Truecrypt code. It’s a challenging project with very specific objectives. And it will require many hands on deck. Details are available here.

Exact matches only
Search in title
Search in content
Search in posts
Search in pages
Digital Ocean SSD VPS Cloud Server droplets

Digital Ocean is a VPS/Cloud hosting provider. For just $5 per month, you can get yourself a Cloud server with 512 MB of RAM, 20 GB super-fast SSD, free snapshots, plus backups for a minimal fee. All via a simple graphical interface.

And by signing up with this referral link, you can help support this website.

If you are reading this, your ad could also be occupying this space. Contact us to make it happen.

If commenting on this article is closed, please post your comments at forum.linuxbsdos.com.

5 Comments

  1. wumpus says:

    Stupid question. Two questions you should be asking are:

    1. Should you use unaudited security software?
    NO.
    2. Is auditing Truecrypt work $25k?
    Probably. Support of $16k before word got out seems to indicate that people are coughing up for it.

  2. Sum Yung Gai says:

    Got a problem with TrueCrypt? Well, if you’re using Microsoft or Apple software, then you’re already “pwn3d” by “We Know Whom” in the first place. Therefore, first thing to do is switch to a F/OSS platform like GNU/Linux or *BSD. Second thing to do is do an encrypted-partition installation. On GNU/Linux systems, I encrypt everything but the /boot partition. I consider that a reasonable mitigation of risk for my purposes. If “We Know Who” breaks into my house and installs a backdoor on /boot without my knowledge, then I’ve got a much bigger problem anyway. But if you know your computer’s been touched or tampered with (e. g. your computer got confiscated and then eventually returned to you), well, that’s what booting from a Knoppix or other Live-CD is for. :-) Same applies to backup media, BTW. Use the native GNU/Linux or *BSD tools to do the encrypting, and you should be good to go.

    –SYG

  3. Tyler says:

    I use and trust truecrypt

    but I believe it should be audited. all open-source (even closed source) should be looked at in details

    • finid says:

      But you can’t audit the source code of closed source tools. As such we can only trust that they are clean, that is, free of intentionally placed malware, also known as backdoors.

  4. Bob Robertson says:

    What a silly question.

    YES, it SHOULD be audited.

Leave a Comment