TrueCrypt audit: Probe's nearly all the way in ... no backdoor hit yet

The first phase of the crowd-funded audit of TrueCrypt has turned up several vulnerabilities, but nothing particularly amiss and certainly nothing that looks like a backdoor. iSEC Partners, which was contracted to carry out the audit by the Open Crypto Audit Project (OCAP), found 11 vulnerabilities in the full disk and file …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. big_D Silver badge

      Maybe

      they could look at OpenSSL once they are finished here...

      1. DanDanDan

        Re: Maybe

        Look at OpenSSL!! Ha! Have you SEEN the code?!

        http://www.reddit.com/r/programming/comments/22o7kp/want_to_audit_openssl_you_sure_check_out_this_one/

      2. Simon Ward

        Re: Maybe

        I thought this too.

        Then I actually spent an idle couple of hours trying to make sense of some of the OpenSSL code.

        Now admittedly, my C is a bit rusty but I wouldn't wish the auditing of the clusterfuck of preprocessor directives and godawful coding style that is the OpenSSL codebase on my worst enemy.

        If an audit of OpenSSL was 'crowdfunded' (gods, I hate that term) then you'd actually need *two* funds - one to actually pay the auditors to do their thing and another for an extensive course of therapy for the poor sods afterwards.

    2. emmanuel goldstein

      If there are "backdoors" to be discovered, I would expect to find them in the cryptographic code. Since this has yet to be audited, it's too early to declare that TrueCrypt is kosher.

      1. Yet Another Anonymous coward Silver badge

        No you wouldn't. The crypto routines are implemented from a set of standard published algorithms. It is relatively easy to prove that encrypting string X with key Y in TrueCrypt produces the same output as anyone else's AES.

        There might be mistakes, there might be bugs which leave memory around and help you guess the keys, there might even be backdoors (if you are truly paranoid) in the original design of the algorithms that the NSA and Bruce put in there and the world's cryptographers haven't spotted.

        But backdoors in the code that allow an NSA passwd to decrypt anything are going to be in the key handling. The big concern for TrueCrypt users was that on Windows you need to run a signed driver which you can't (easily) build yourself - so you have no idea if what you were running was what they claimed.

    3. Anonymous Dutch Coward
      Meh

      Core competencies

      @volsano:

      The problems found are comparatively minor, easily fixable, and indicative of competent people writing code just outside of their core competencies.

      Well... some of these errors (the messing with different data types - signed & unsigned integers etc) do not look to my (granted, inexperienced) eye like something a competent programmer would do.

      However, yes, the problems do seem fairly minor (once again, no C dev here so I admit my relative ignorance - though I must commend the report writers on their clear explanations).

  2. Anonymous Coward

    Phew thank god

    My "collection" is safe from the girlfriend although she does have trouble using the PC at the best of times. Maybe it is a cunning façade.

  3. Anonymous Coward 101

    Of course, the real problem is that this audit only took place years after the software has been available. This audit should have taken place on a beta version of the software, and then should be undertaken on a regular basis to ensure no security bugs are introduced with new versions.

    1. The_Idiot

      While I...

      ... of course recognise the 'good practice' basis of your comment, given that TrueCrypt is free at point of consumption, who exactly would pay for the type and level of rigour you suggest?

      Not in any way intended as a criticism, more a comment on certain limitations imposed on a product such as TrueCrypt and the developers behind it.

    2. big_D Silver badge

      As The_Idiot says, where are they going to get the money from to do that on a regular basis? They would have to start charging for it, which would put many people off. Or a rich sponsor.

      Doing a Kickstarter is a one-off, because it was in the news. That won't work, if you are doing this every year or so.

      1. bigtimehustler

        They could just create a new kickstarter, saying we want to audit X software package, anyone interested? Donate now! For popular packages and libraries they will get donations.

    3. Anonymous Coward 101

      Where are they going to get the money from? No idea. But it's funny how the 'having no money' issue constantly arises when you give your software away for free, and doesn't arise as often with companies that do not give their software away for free.

      1. big_D Silver badge

        We are currently having security auditing, including source code done on one of our products. It ain't cheap!

  4. Aqua Marina
    Black Helicopters

    Here's hoping that iSEC Partners are not already subject to a gagging order preventing them from disclosing that TrueCrypt is riddled with NSA backdoors!

    1. Charles 9 Silver badge

      Indeed, given the environment, why contract an American security firm?

  5. Anonymous Coward

    8. MainThreadProc() integer overflow

    Is it just me, or does '8. MainThreadProc() integer overflow' sound extremely similar to the Heartbleed issue?

    Is there an overlap of developers between TrueCrypt and OpenSSL?

    1. Kanhef

      Re: 8. MainThreadProc() integer overflow

      Integer overflow is very different from buffer overflow (and to be pedantic, Heartbleed is a buffer overread issue). It can cause mathematical issues (e.g., for a signed byte, 100 + 100 = -56), but it's not easy to turn that into a security flaw.
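
The distinction drawn in the comment above, as an added example that is not part of the original post or of TrueCrypt's code: the signed-byte wrap-around, and a length check written once with an addition that can wrap and once without. All function names and values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The comment's example: 100 + 100 in a signed byte. The sum is formed as 200
   and narrowed to int8_t; that narrowing is implementation-defined in C and
   yields -56 on two's-complement compilers such as GCC and Clang. */
int8_t add_i8_wrapping(int8_t a, int8_t b) {
    return (int8_t)(uint8_t)((uint8_t)a + (uint8_t)b);
}

/* Length check with an addition that can wrap: offset + len is reduced
   modulo 2^32, so a very large len can produce a small sum that passes. */
bool range_ok_unchecked(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return (uint32_t)(offset + len) <= buf_size;
}

/* The same check rearranged so that no intermediate value can wrap:
   first bound offset, then compare len against the space that remains. */
bool range_ok_checked(uint32_t offset, uint32_t len, uint32_t buf_size) {
    return offset <= buf_size && len <= buf_size - offset;
}

int main(void) {
    /* Constructed values: a 64-byte buffer and a request whose length wraps. */
    uint32_t buf_size = 64, offset = 16, len = 0xFFFFFFF8u;

    printf("100 + 100 as int8_t     : %d\n", add_i8_wrapping(100, 100));
    printf("offset + len (mod 2^32) : %u\n", (unsigned)(uint32_t)(offset + len));
    printf("unchecked test accepts  : %s\n",
           range_ok_unchecked(offset, len, buf_size) ? "yes" : "no");
    printf("checked test accepts    : %s\n",
           range_ok_checked(offset, len, buf_size) ? "yes" : "no");
    return 0;
}
```

The integer overflow is the arithmetic fault; an out-of-bounds read or write only follows if code later trusts the wrapped value as a size, which is why the checked form avoids the addition altogether.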

  6. Euripides Pants
    Coat

    ...worse than a colonoscopy

    "Probe's nearly all the way in ... no backdoor hit yet"

    At least with the colonoscopy the doctors find your backdoor *before* inserting the probe.

  7. Anonymous Coward

    What was the thing they found named "_NSAKEY"?

    Oh, sorry. My mistake. NSAKEY was found not in TrueCrypt but in Windows itself.

  8. Anonymous Coward

    Don't trust iSEC or NCC Group audit

    Why can't TrueCrypt be audited by a company that is not based in the UK or in the US - i.e. potentially subject to GCHQ or the NSA leaning on them? iSEC is part of NCC Group - a UK company. I would not trust their audit, not until it is also audited by a company based in a land far-far-away from UK or US.

    1. Charles 9 Silver badge

      Re: Don't trust iSEC or NCC Group audit

      Probably because any company NOT in bed with the NSA or GCHQ is in bed with someone else. IOW, it's pick your poison.
