TrueCrypt audit fundraiser cracks $34K

Security experts who are crowd-funding a project to probe the file and disk encryption tool TrueCrypt for backdoors look set to reach their financial target.

The project “Is TrueCrypt Audited Yet?” launched on Monday and will attempt to put to rest lingering concerns over the popular encryption software with a public audit of the Windows, Linux and Mac OS X versions of TrueCrypt.

Since launching two fundraisers on Monday, the project has collected just under $35,000 at the time of writing -- $19,303 on IndieGoGo, where it aims to reach $25,000, and $15,191 at FundFill, which doesn't list a target -- making the audit more likely to go ahead.

Calls to review TrueCrypt intensified after reports in early September that the US National Security Agency (NSA) had attempted to weaken encryption standards and had planted backdoors in encryption software.

In a statement on its website, TrueCrypt denies that it has implemented a backdoor in its software and says that TrueCrypt only allows decryption with the correct password or key.

But while TrueCrypt's open source code can be reviewed by anyone, previous analyses of TrueCrypt's Windows binary package haven't been able to determine whether the distributed binaries actually correspond to that source, or whether they have been tampered with.

As Matthew Green, a cryptographer and research professor at Johns Hopkins University, puts it, "even if the Truecrypt source code is trustworthy, there's no reason to believe that the binaries are."

But the biggest concern for Green, one of two people behind the project, is that no one knows who wrote TrueCrypt.

Why the audit is important, adds Green, is that people don’t have many options when it comes to disk encryption.

Security technologist Bruce Schneier used TrueCrypt to protect the files he received from NSA leaker Edward Snowden, which he stored on his air-gapped computer. And while a lot about TrueCrypt made him suspicious, he had fewer concerns with it than with the other encryption alternatives for Windows -- Microsoft's BitLocker and Symantec's PGPDisk.

“I am more worried about large U.S. corporations being pressured by the NSA than I am about TrueCrypt,” he wrote.

Besides aiming to fund a full audit of TrueCrypt, the project plans to use the funds to pay out bug bounties and to hire a lawyer to determine whether TrueCrypt's v3.0 license really is free and open source. At the moment, the license prevents its inclusion in Ubuntu, Debian, Red Hat, CentOS and Fedora, the project's website notes.

The project will also borrow from Tor’s approach to ensuring the integrity of its binaries by implementing a “deterministic build” process where trusted binaries are verified by multiple builders.
