Sloppy but secure: Open source TrueCrypt passes audit - APRIL 15, 2014



How secure is TrueCrypt, the open source disk encryption system  
used by many as a line of defense against snoops (and maybe  

For a long time, the answer was "we don't know." Now, thanks to  
an independently conducted audit of TrueCrypt's source code, we  
have a partial answer, courtesy of iSEC Research Labs: It's not  
bad, but it could be a lot better.

The project to audit TrueCrypt was originally initiated by  
cryptography researchers Kenneth White and Matthew Green, who  
launched a crowdsourced fundraising campaign to put professional  
eyes on the project. Their Indiegogo fundraiser racked up more  
than $46,000 -- with an original goal of $25,000 -- and another  
fundraiser on Fundfill added another $16,479 to the kitty.

The report from the first phase of the audit was released on  
April 14, courtesy of security engineers Andreas Junestam and  
Nicolas Guigo, working under the banner of iSEC Partners. The  
two of them examined TrueCrypt's source code in detail and found  
a total of 11 vulnerabilities. None of them by themselves were  
bad enough to consider avoiding TrueCrypt altogether, but  
they're all worth patching. A second report will follow with a  
detailed analysis of the encryption itself.

Most criticisms the authors levied at TrueCrypt involved the  
quality of the source code, such as how comments were added or  
what system functions were used (or not used). One major issue  
was how compiling TrueCrypt from source required the use of an  
older Windows build environment that's noticeably out of date.

This last issue was raised before by others who attempted to  
build TrueCrypt from source, to see if the resulting binaries  
matched the ones distributed on TrueCrypt's site. They were only  
able to do this after a good deal of work, and by using a  
shockingly old version of Microsoft Visual C++ released in 1993.  
Why TrueCrypt was created in such a manner could inspire endless  
debate, especially since its original creators and development  
team maintain a presence at least as shadowy as that of  
bitcoin's Satoshi Nakamoto.

The report doesn't go into how an end-user could protect himself  
from any potential exploits detailed in the report, but the  
authors note that many of the issues in question can be mitigated  
by following directives in the documentation. Using a long  
password, for instance, is strongly recommended; ditto using  
full-system encryption for scenarios where decrypted data might  
be written to the page file.

The timing on the release of this report couldn't have been  
better. After the ghastly news of Heartbleed broke, people are  
now wary of the status of any independently developed open  
source security product. The fact that source code for something  
is available doesn't mean it's being audited to determine how  
secure it is -- and even if something is audited, that doesn't  
mean the people doing the auditing know what to look for. Having  
a paid audit team look into any project of this scope is a major  
positive step.

Suddenly, it appears TrueCrypt has ended all, while endorsing  
those it formerly protected against.

Re: Sloppy but secure: Open source TrueCrypt passes audit - APRIL 15, 2014

On a sunny day (Fri, 30 May 2014 08:36:57 +0200) it happened Anonymous


That has nothing to do with security
In fact, maybe after that date the MS libraries for Visual Studio had built-in back door code.
I'd prefer an older version from before Pa Ranoia (Bush 9/11).

NASA wants backdoors, they corrupted or forced their way into RSA, any other club that started
with good intentions.
It is most likely the True Crypt developers did not want part of that,
and they are not allowed to say NSA held a gun to their head.
Freedom of speech, my hat.

This message was encrypted with one time pad.

Re: Sloppy but secure: Open source TrueCrypt passes audit - APRIL 15, 2014


If "This message was encrypted with one time pad", then the  
encryption failed because it is perfectly readable.

Re: Sloppy but secure: Open source TrueCrypt passes audit - APRIL 15, 2014

On a sunny day (Fri, 30 May 2014 13:44:05 +0200 (CEST)) it happened "Anonymous


Yes, and the original message was also perfectly readable.
Look up xor.

(xor this message with original message gives the 'key' or 'pad').
All my postings are encrypted ;-)
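The XOR property the poster is joking about is real, and it is the reason the one-time pad is perfectly secret: for any ciphertext and any same-length text you like, there is a pad that "decrypts" the one into the other, so a readable message tells you nothing about which pad was used. The flip side is that the pad must be truly random and used exactly once, because reusing it cancels the pad out and leaks the XOR of the two plaintexts. The following Python is an added example written for this thread; it is not code from the posters, from the article, or from TrueCrypt, and the sample messages in it are constructed.

```python
# Added example (not from the thread and not TrueCrypt code): the XOR
# one-time-pad properties the posters allude to. All messages are constructed.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; the pad must cover the whole message."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. XOR is its own inverse, so this also decrypts."""
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt  # decryption is the same XOR


def new_pad(length: int) -> bytes:
    """A fresh pad from the OS CSPRNG; every message needs its own pad."""
    return secrets.token_bytes(length)


def derive_pad(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return the pad under which `ciphertext` 'decrypts' to `claimed_plaintext`.

    This is the poster's 'xor this message with the original message gives the
    key': every same-length plaintext is equally consistent with the ciphertext,
    which is exactly why a readable message proves nothing about the pad.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def reused_pad_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """If one pad is reused, c1 XOR c2 == p1 XOR p2: the pad cancels out and the
    relationship between the two plaintexts is exposed. A pad is used once."""
    return xor_bytes(ciphertext1, ciphertext2)


def demo() -> dict:
    """Constructed messages of equal length (29 bytes each)."""
    real = b"all my postings are encrypted"
    cover = b"the weather today is lovely!!"
    assert len(real) == len(cover)
    pad = new_pad(len(real))
    ct = otp_encrypt(real, pad)
    # Any cover story of the same length has a pad that "decrypts" ct to it.
    fake_pad = derive_pad(ct, cover)
    # Reusing `pad` for the cover message leaks real XOR cover.
    ct_cover_same_pad = otp_encrypt(cover, pad)
    return {
        "roundtrip_ok": otp_decrypt(ct, pad) == real,
        "cover_story_ok": otp_decrypt(ct, fake_pad) == cover,
        "reuse_leaks": reused_pad_leak(ct, ct_cover_same_pad) == xor_bytes(real, cover),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns all three flags as `True`: the genuine pad round-trips the message, a derived pad turns the same ciphertext into the cover story, and the reused pad hands an observer the XOR of the two plaintexts.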

Re: Sloppy but secure: Open source TrueCrypt passes audit - APRIL 15, 2014


Ah, but that is the secret. The true message is something entirely
different. All you have to do is to find that true OTP to read his real
