NSA spying prompts open TrueCrypt encryption software audit to go viral

Concerns over NSA tampering provoke wide crowdsourcing response from security community

A unique effort to crowdsource a security audit of the popular TrueCrypt open source encryption software appears to be going viral three weeks after it was launched by two U.S.-based researchers in response to concerns that the National Security Agency may have tampered with it.

The initiative has so far garnered more than $57,000 in donations and bitcoins and attracted over 1,000 volunteers from 30 countries, including a technical advisory group comprised of some of the world's best regarded cryptographers.

The initiative's IsTruecryptAuditedYet website has received more than two million hits from users in 70 countries.

"The response has been amazing," said Kenneth White, co-founder of the TrueCrypt Audit Project and principal scientist at BAO Systems, a health information systems company. "Donations have ranged from as little as $3 to as much as $10,000, with the majority in the $10 to $25 range."

"It's been incredibly humbling. As important as the financial contributions, we have had terrific offers of technical and logistical support from friends, colleagues and complete strangers," he added.

TrueCrypt, a free, open source file and disk encryption tool for Windows, Mac OS X and Linux, is widely used by corporations, lawyers and other professionals and individuals around the world to encrypt sensitive and confidential data.

According to the anonymous group that developed the software, there have been close to 29 million downloads of TrueCrypt. In addition, countless more copies of the software have been distributed via magazine cover CDs and downloaded from servers hosted by others.

The software's popularity stems from its ease of use, its ability to do on-the-fly encryption of data and its robustness.

But recent disclosures about the NSA's alleged attempts to subvert popular encryption technologies have prompted some to question the trustworthiness of TrueCrypt -- or any other encryption technology.

In TrueCrypt's case, the concerns are exacerbated because few know who developed the software. Other facets of the technology have raised concerns as well.

In October, Matthew Green, a cryptographer, professor at Johns Hopkins University and co-founder of the TrueCrypt Security Audit initiative, outlined the concerns in a blog post.

For instance, said Green, the Windows binary of TrueCrypt differs from what the source code appears to produce in a manner that cannot be ruled out as a possible backdoor or other deliberate compromise without an independent, reproducible build.

"Even if the Truecrypt source code is trustworthy, there's no reason to believe that the binaries are. And many, many people only encounter Truecrypt as a Windows binary. In my very humble opinion that should worry you," Green wrote in arguing for a comprehensive audit of the software by the security community.

In the three weeks since the blog post, the response has been overwhelming, says White.

Going forward, the effort will be to do a thorough legal review of the open source license under which TrueCrypt is being made available, White said.

The audit will include research on the history of the code, a formal cryptanalysis, a software security audit and a reproducible process for building the software. "Because the development team prefers to work anonymously and with limited communication to the outside, some of these tasks are more complex than is typical in reviews of this sort," White said.

"We have had brief contact with the TrueCrypt team, but were encouraged by their stated desire in welcoming an independent audit," White added.

The TrueCrypt security audit team is presently working with a few attorneys who specialize in privacy and security law, and also with experts in open source software licensing, he said.

After the project was announced, an independent researcher at Concordia University in Montreal published an analysis on the source code build process for the Windows version of TrueCrypt. "This is a crucial necessary step for a reproducible build," White said.
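Green's point about trusting the source but not the binaries, White's call for a reproducible build process, and the Concordia analysis of the Windows build all rest on one check: rebuild the software independently and compare the result byte for byte with the published binary, so that any difference must be either a known build artefact (a timestamp the compiler stamps in) or something that needs explaining. The script below is an added illustration of that comparison and is not code from the audit project or from TrueCrypt; the two sample "binaries" are constructed in place, and the `(8, 12)` range standing in for a build-timestamp field is a hypothetical layout, not the real TrueCrypt executable (in a genuine PE file the COFF TimeDateStamp sits 8 bytes past the offset stored in the `e_lfanew` field).

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

Range = Tuple[int, int]  # half-open byte range [start, end)


@dataclass
class RebuildReport:
    official_sha256: str
    rebuilt_sha256: str
    hash_match: bool                 # True only for a bit-identical rebuild
    differing_offsets: List[int]     # every offset that differs, ignoring nothing
    unexplained_offsets: List[int]   # differences outside the known-variable ranges
    reproducible: bool = field(init=False)

    def __post_init__(self) -> None:
        # A build is "reproducible" here if every difference is accounted for
        # by a known non-deterministic field; a hash match is the ideal case.
        self.reproducible = not self.unexplained_offsets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which the two images differ.

    A length mismatch is reported as every offset past the shorter image,
    because trailing data that only one build has is itself a difference.
    """
    common = min(len(a), len(b))
    diffs = [i for i in range(common) if a[i] != b[i]]
    diffs.extend(range(common, max(len(a), len(b))))
    return diffs


def in_ranges(offset: int, ranges: Sequence[Range]) -> bool:
    return any(start <= offset < end for start, end in ranges)


def verify_rebuild(official: bytes, rebuilt: bytes,
                   known_variable: Sequence[Range] = ()) -> RebuildReport:
    """Compare an independently rebuilt binary with the published one.

    `known_variable` lists byte ranges that a build legitimately changes
    (timestamps, embedded build paths); anything else that differs is flagged.
    """
    diffs = differing_offsets(official, rebuilt)
    unexplained = [o for o in diffs if not in_ranges(o, known_variable)]
    return RebuildReport(
        official_sha256=sha256_hex(official),
        rebuilt_sha256=sha256_hex(rebuilt),
        hash_match=official == rebuilt,
        differing_offsets=diffs,
        unexplained_offsets=unexplained,
    )


# --- constructed sample data (not real TrueCrypt bytes) ---------------------
# A tiny fake image: a header with a 4-byte "timestamp" at offsets 8..11,
# followed by a marker and 32 bytes standing in for code.
OFFICIAL = (b"MZ\x90\x00" + b"\x00" * 4 + b"\x52\x6a\x0c\x5a"
            + b"\x00" * 4 + b"CODE:" + bytes(range(32)))
# Same image rebuilt later: only the timestamp bytes change.
REBUILT = OFFICIAL[:8] + b"\x10\x7c\x84\x52" + OFFICIAL[12:]
# A rebuild that also differs inside the code region, one byte flipped at 30.
_tampered = bytearray(REBUILT)
_tampered[30] ^= 0xFF
TAMPERED = bytes(_tampered)
# Hypothetical: where this fake header keeps its build timestamp.
KNOWN_VARIABLE_RANGES: List[Range] = [(8, 12)]


if __name__ == "__main__":
    for label, candidate in (("identical", OFFICIAL), ("rebuilt", REBUILT),
                             ("tampered", TAMPERED)):
        r = verify_rebuild(OFFICIAL, candidate, KNOWN_VARIABLE_RANGES)
        print(f"{label:9s} hash_match={r.hash_match} reproducible={r.reproducible} "
              f"unexplained={r.unexplained_offsets}")
```

The useful output is the list of unexplained offsets rather than a yes/no: a reviewer can map each one back to a section of the executable and decide whether it is a compiler artefact or code that the published source does not produce. The known-variable ranges should be kept as short as possible; an ignore list wide enough to cover a whole section would hide exactly the kind of difference the audit is looking for.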

"We are still discussing the best strategy for the technical audit, which may include a combination of academic, private sector and fully open, public security research," he said.

The team is also reviewing two proposals for a commercial audit of the software by private firms with deep credentials in software security engineering, he added.

In addition, a highly respected group of technical advisers, including noted cryptographer Bruce Schneier, Moxie Marlinspike, former security director at Twitter, and staffers at the Electronic Frontier Foundation and the Tor Project, are working on a roadmap for the technical analysis.

The project's IndieGoGo crowd funding campaign will continue through Dec. 13.

The bulk of the technical analysis will require another four to six weeks of full-time effort, which means the audit could be completed by February 2014. "This is complex multi-platform software comprised of over 70,000 lines of C, C++ and assembler code," White explained.

"In the next few days, we are rolling out an updated site which will include more about our organizing structure and the backgrounds of our technical advisory group which reads like a Who's Who of the security and privacy communities."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is jvijayan@computerworld.com.
