back to article Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat

Ten auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government. The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient …

  1. Anonymous Coward
    Anonymous Coward

    Well, hurray..

    If you want VeraCrypt, it's at https://veracrypt.codeplex.com. Current version is 1.16.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, hurray..

      Hell no!

      For what possible reason?

      I already have my properly authenticated TC 7.1a binaries, code and keys. I had them long before the abandonment. The cryptography is (of course) as solid as it has always been, the code has now been scrutinised at length by multiple independent authorities, and all that has ever been discover is a smattering of benign and contextually utterly trivial coding imperfections. As a result of all this FUD, TC 7.1a has been rendered/proven by far the most studied, robust and trustworthy block cryptography application I know of. I really can't imagine any reason arising to even consider moving from TC 7.1a at any point in the foreseeable future.

      Anyone who does not already have copies can readily obtain them from and compare them with multiple sources, disseminated widely across the interwebs and the world. There is no longer a single point of failure. At present a search of the signing key's "short fingerprint" (F0D6B1E0) yields 2780 results on Google. Presumably now 2781 ;o)

      Just for good measure, here's the key's full spec along with a few of its digests...

      pub 1024D/F0D6B1E0 2004-06-06

      Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0

      uid TrueCrypt Foundation <info@truecrypt-foundation.org>

      uid TrueCrypt Foundation <contact@truecrypt.org>

      sub 4077g/6B136ECF 2004-06-06

      Key fingerprint = EB79 356A 3AFA B492 66A3 322F DCEA 1B7C 6B13 6ECF

      TrueCrypt-key.asc

      MD5:41612478ceeee8448b87a5e872f07302

      SHA256:26d4446f040bf6989a19b197f69d0fc2a80fb6fa826750163f396ee904ac4b27

      WHIRLPOOL:c3deb2b0a45ce04293088ac0e44a8fe7a0df1a6e0c6fa37dd46598ca4d554895f0a234bb3f8646f5ba1c020088b573e98e1f6b8ce93c8bb9e5c65c0d7b09d5da

      1. Anonymous Coward
        Anonymous Coward

        Re: Well, hurray..

        Thanks to AC for all those full specs and digests, etc., for your genuinely useful comment :)

        The down voter must be TLA - masters of FUD ...

        1. Youngone
          Devil

          Re: Well, hurray..

          Thanks to AC for all those full specs and digests, etc., for your genuinely useful comment :)

          The down voter must be TLA - masters of FUD ...

          I'm pretty sure El Reg randomly creates down votes, just for the LOL's.

          1. David Roberts

            Re: Well, hurray..

            I freely supply random up and down votes whilst scrolling with my touch screen tablet.

            I haven't yet found a "withdraw vote" function to match the ability to withdraw a post.

            1. Anonymous Coward
              Anonymous Coward

              Re: Well, hurray..

              You can't unvote but you can change your vote - as many times as you like.

              1. Jan 0 Silver badge

                Re: Well, hurray..

                Wow!

                I never knew that, but you're right. I just tried it.

                Upvotes/Downvotes can be rescided. Hurrah!

      2. Sir Runcible Spoon
        Big Brother

        Re: Well, hurray..

        @AC Whilst I take your point, since this is open source and that it could always benefit from a few tweaks and improvements, perhaps a new version of the code (with the delta closely scrutinised with every update) is a good thing?

        Having the signed binaries from the original is a good thing, and always useful as a back-stop, but compiling* it yourself from known code is also good.

        *Assuming you can trust your compiler of course :)

        1. Anonymous Coward
          Anonymous Coward

          Re: Well, hurray..

          Total agreement Sir RC. The devil is, of course, in the close scrutiny of every delta.*

          Seeing no meaningful utility to any "upgrade" due to...

          • TC's cryptographic integrity now having been checked and confirmed to absurdity... and beyond.
          • Any and all the coding foibles being meaningless irrelevances because, obviously, if your system isn't secure, all your cryptography effort would inevitably be totally fucked anyway.
          ...I really do consider those devilish deltas to be risk totally without reward.

          * (Emboldened _AND_ italicised for the pleasure of our sarcastic friend. Now featuring a list too!)

      3. lansalot

        Re: Well, hurray..

        Bold and italics are AWESOME.

        (as are caps).

      4. Gordon 10

        Re: Well, hurray..

        Downvoted because essentially you're saying a fixed known frozen in time version is better than something that is under active development - a point which is extremely debatable since its public knowledge who the Veracrypt developers are vs the unknowns who coded the original.

        Your whole argument rests on balancing 2 imponderables - dormant but well audited legacy code vs maintained but changing code, which may or may not be introducing new bugs with new functionality.

        Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV.

        1. Doctor Syntax Silver badge

          Re: Well, hurray..

          "Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV."

          "Frequently used" doesn't necessarily mean heavily scrutinised, at least, not until those bugs emerged. It was active maintenance that introduced the Debian ssl bug.

        2. Cynic_999

          Re: Well, hurray..

          "

          Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV.

          "

          Well, my *logic* is certainly different to yours.

          Unless the Veracrypt team (person?) finds a security flaw in Truecrypt that was missed by the extensive audit, and then produces a fix, I cannot see how it could possibly come up with a product that is more secure. Security flaws are seldom fixed by accident in the course of making other tweaks and adding new features. Exactly the reverse is in fact the case.

  2. Blofeld's Cat
    Coat

    Hmm...

    Well that should reassure all the conspiracy theorists out there.

    "... under contract from the German Government."

    Tin foil - It's not just for wrapping the turkey.

    1. esque

      Re: Hmm...

      Governments are not monoliths. They can both do good and bad. Sometimes at the same time.

      This audit was done to see if TrueCrypt is secure for Government use: Some cryptography solution used by German federal institutions uses parts of TrueCrypt, and thus the BSI (Bundesinstitut für Sicherheit in der Informationstechnologie/Federal institute for Security in Information Technology) ordered this audit to see if the solution is secure for their use.

      Thus in this case the interests of the Government and the public are the same.

    2. SolidSquid

      Re: Hmm...

      Somewhat contrary to that, Germany has generally been pretty strong on the whole personal privacy and was the target of hacking by the NSA, which apparently they got quite annoyed at. It wouldn't surprise me if they were having an audit done for internal use and someone suggested making a public statement of the results to try and counter some of the bad press from being part of Five Eyes

  3. james.aka.damingo

    Under contract....

    My tinfoil hat is tingling....

    I'm not saying this is true but what if, the governments know that trucrypt is breakable (they found a way somehow) the previous devs found out and told us all. Governments now trying to convince us to keep using it because its "like secure guys" rather than having us use something new that they cant crack.

    Just sayin..

    1. Anonymous Coward
      Anonymous Coward

      Re: Under contract....

      I'm not saying this is true but are you sure "the governments" aren't behind the relentless anti-Truecrypt FUD ...and maybe something like "VeraCrypt" too???

      Just sayin...

  4. Anonymous Coward
    Anonymous Coward

    Tin foil

    Chaps, please remember: the manufacturers of tin foil are paid by the government to include microscopic trackers at regular intervals in every roll.

    Think about it: the trackers will need aerials; aerials need to be conductive; tin foil is conductive.

    But sometimes there is simply no conspiracy.

    1. Sir Runcible Spoon
      Joke

      Re: Tin foil

      What if you run a few thousand volts through* your tin foil to ensure all the bugs are fried first?

      *I would recommend you take it off your head first though, but ymmv.

      1. Steve Crook

        Re: Tin foil

        You think they haven't thought of that? The tin foil thing is a bluff, people think they're safe, but they aren't. In fact, the recorders have been miniaturised and distributed as dust across the whole world. Whenever the government want information they just send in people with vacuum cleaners. They got the idea from a series of short stories by Bob Shaw...

        You think all this talk of drones is true? They just send a signal to the transmitters in a specific area and they detonate. It looks like a missile explosion, but it isn't. The drones are just a convenient cover.

        1. roytrubshaw
          Thumb Up

          Re: Tin foil

          "They got the idea from a series of short stories by Bob Shaw..."

          Slow glass! I haven't thought about that for ages.

          Now I come to think about it, my copy of "Other Days, Other Eyes" went missing I wonder if the subject matter was too close to "the truth"?

        2. bpfh
          Big Brother

          Re: Tin foil

          So this is what is in those contrails that are sprayed all over the globe! Nanobugs to defeat tin foil protection!

          1. Jo_seph_B

            Re: Tin foil

            I thought everyone knew the tin foil hat was past it, and the 'anti drone hoodie' was the future.

      2. DropBear
        Joke

        Re: Tin foil

        "What if you run a few thousand volts through* your tin foil"

        For the love of $DEITY, don't do that, man! The unavoidable arcing creates millions of tiny punctures in the tin foil which then all proceed to diffract the incoming mind control signal right into your skull, as a tiny all new source each! It's the worst thing you could do, which is exactly why THEY create this sort of misleading rumour! Don't listen to them! Or to me! I could be one of them - just think about it...!

    2. Geoff332

      Re: Tin foil

      I thought all conspiracies were a part of the Grand, Master Plan (GMP). This GMP is the source of all conspiracies. It is, itself, a conspiracy between The Governments and the highly secretive Makers of Tin Foil to sell more tin foil.

  5. Teddy the Bear
    Mushroom

    From TrueCrypt to government exploding surveillance dust...

    Well, that escalated quickly.

  6. Sir Alien

    Suspicion on the abandonment...

    Was one (or more) developers of Truecrypt USA citizens? If so it is likely that they received a secret court order, ordering them to weaken parts of the code or leave subtle vulnerabilities. You would never know as the order would be secret and so in defiance the developers just packed up shop like a well known encrypted mail provider.

    If the intentional bug was found for those even bothering to look they could just claim unknown bug and then fix it (and leave another bug elsewhere)

    Or simply, they got fed up of coding it.

    - S.A

    1. Anonymous Coward
      Anonymous Coward

      Re: Suspicion on the abandonment...

      Ukraine, I vaguely recall?

      I more clearly recall an absolutely extraordinary amount of FUD-slinging on the official forum. All baseless of course but the tone and effect it created was very impressive. Now gone and poorly archived, sadly, as it would have been interesting to revisit, armed with a couple of years hindsight. I'd be surprised if that hadn't contributed to the apparently "fed up" ultimate outcome.

    2. Old Handle
      Alien

      Re: Suspicion on the abandonment...

      That's the best part. We don't know anything about the developers. Their nationality, their number, their motivation... nothing. It's perfect conspiracy fodder.

  7. Anonymous Coward
    Anonymous Coward

    Does Veracrypt plan to be audited?

    Just curious.

    1. Anonymous Coward
      Anonymous Coward

      Re: Does Veracrypt plan to be audited?

      Not indefinitely, I'd wager.

      1. Yet Another Anonymous coward Silver badge

        Re: Does Veracrypt plan to be audited?

        Vera isn't that kind of girl

  8. Linker3000
    Headmaster

    Nammar Grazi

    "The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient to undermine the jettisoned software."

    ...none IS...

    /You're welcome.

    1. Anonymous Coward
      Anonymous Coward

      Re: Nammar Grazi

      The "extra vulnerabilities" is the subject of the "none are sufficient..." Since the subject is plural, the verb should match. Consider this rewrite:

      The 77-page report on [TrueCrypt] dug up extra vulnerabilities, but the report says that none of the vulnerabilities are sufficient to undermine [TrueCrypt].

      On the other hand, the "77-page report" is 3rd person singular, so "say" should be "says".

      The confusion comes from having two subjects with accompanying verbs scattered throughout the sentence.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like