Sponsoring public Truecrypt audit

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Oct 11, 2013.

Thread Status:
Not open for further replies.
  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    http://istruecryptauditedyet.com/

    https://www.fundfill.com/fund/TrueCryptAudited

    https://twitter.com/search?q=#IsTrueCryptAuditedYet
     
  2. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Brilliant. I'll put in a couple of bucks if I have to.
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    From 'A Few Thoughts on Cryptographic Engineering' by Matthew Green, cryptographer and research professor at Johns Hopkins University. link
    ...
    Currently at $13,226 of $25.000 goal
    Do read the entire article (and donate, if only 1 dollar :))
     
    Last edited by a moderator: Oct 15, 2013
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Let's audit Truecrypt! by Matthew Green a cryptographer and research professor at Johns Hopkins University.

    Note: The comments are worth reading.

    -- Tom
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    It will be great to see this happen! I have read of several cases in which a user was asked to give their password, or key up by Law enforcement. They had no way of hacking, or cracking it. Even if their has been no backdoors placed in TC by the NSA this venture will most likely lead to TC becoming even more secure than it already is.

    I would like to see more experts than just those mentioned from John Hopkins examine the code though. That will mean more money will need to be raised though unless some experts want to do charity work which is not likely. They have to bring in revenue somehow. We all have to make a living.
     
  6. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    link (my underline)

    With currently $15.081 pledged at FundFill.com link and 18.046 at IndieGogo.com link and a funding target of $25K, the current total of $33.127 makes a professional audit possible.
    We have a winner. :thumb:
    Twitter shows some major donations from a couple of security firms, up to $10K link
     
    Last edited: Oct 16, 2013
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Wow seems like the goal was easy. I hope this turns out to be legit! :D
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    TrueCrypt isn't nearly as great as people like to think. Hopefully, once this audit is over, some starts a new one.

    Until then I'm working with a friend in the near future to create a wrapper for truecrypt containers, though I wouldn't really trust us to create anything super strong lol
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    What do you have in mind when you say that? Do you find the developers not as trustworthy as they should be, or is it something about the implementation that worries you?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Both. Publicly, when people have looked at Truecrypt, they've found that it really isn't done well. One really blatant example of this is that its documentation is horrible and inaccurate. Purely from an implementation standpoint, without going into some of the nonpublic stuff that's way more interesting, I think it's silly that they have the PBKDF2 rounds hardcoded at 1-2000.

    https://github.com/bwalex/tc-play

    I also really don't trust it. There are a lot of reasons, mostly having to do with the binaries themselves.
     
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Last edited: Oct 20, 2013
  13. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    The TC-documentation is 'horrible' ?
    Name me ONE other free program that comes with a 150 page manual !
    Are you ****ing kidding ??

    Besides : What's the point in making a 'wrapper' for a 'horrible' program you don't trust ??

    Makes me wonder how much time you have to research the issues you babble about ??
     
    Last edited: Oct 21, 2013
  14. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I believe that the documentation in question was the technical one, with the description of the container format and so on... But as I'm not Hungry Man, this is just a guess :)

    The problem with TC is that nobody can be sure that the binaries are compiled from the published source code. And because TC is not exactly easy to compile, people tend to use the already provided binaries instead of building it themselves. An audit would probably solve this issue.
     
  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi

    A match comparative study has been published by a Canadian student/researcher, even if this is not enough to prove the non-exitence of a backdoor
    https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/

    But most material and research tend to show that there is no backdoor in TC.
    With a paranoiac mind, we use nothing and trust nothing...end of life...

    rgds
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol, well, as I'd linked...

    Not to mention the weird licensing, developers, and everything else involved in the project - we only just now have a process for creating deterministic builds.

    In terms of making a wrapper, it's a fun project for school. And it won't rely on Truecrypt at all, it'll encrypt any file, but it's nicely matched for truecrypt containers since a few features provide things that TC does not.

    I love when people point to the number of posts I have though lol never makes any sense to me. Posting 5-15x a day takes 0 time out of my life. As for whether I have time to research it, I probably could (because, you know, I actually have the technical background to do reverse engineering), but I'm currently doing research on bug bounty programs, and I have my school work to do :p so I hope that answers your question.
     
  17. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Nope, it didn't answer anything -
    Maybe because you didn't spend any time on this either ?

    ~ Removed Off Topic Remarks ~
     
    Last edited by a moderator: Oct 28, 2013
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol ok I don't really care that much. I'm pretty secure in my opinion given that I actually know what I'm talking about.
     
  19. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    I do not agree 'Hungry Man' is trying to 'help' .
    He is spreading FUD about True-Crypt,
    even promoting a project of his own,
    while talking horse-manure about a program that he can not demonstrate any
    successful attack against .


    'Hungry Man' and forum-mod,
    Please read this :
    https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
    Then, point me to your website(s) were you prove him wrong .

    There are no publicly known instances of a truecrypt-volume with unknown password ever being 'cracked' .
    If YOU had written such software, would you like to have your name(s) known,so the NSA could crawl all over your life ?

    PS :
    What weird licensing ?
    You are not allowed to call it TrueCrypt, you can't use the icon .. BIG DEAL !
    What developers ?
    I KNOW 'bit-locker' was made by M$-employees, with the 'help' of N$A and all the other TLA's that own M$ .
    Bill has a yacht, I doubt the TC-developers do .

    'Everything else involved in the project ?
    Like the fact that no TC-volume with unknown password has ever been cracked?

    'we only just now have a process for creating deterministic builds'
    Yes, because https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/ did it ..
    Instead of spreading horse-manure, he just did it !
    And what did he prove ?
    That it is possible to compile TC to match the official binaries for all practical and relevant purposes .

    So, what else do you have against that horrible program you have some project for ?
    And is your name really 'Hungry Man' ?
     
    Last edited: Nov 1, 2013
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol ok so this is obviously not serious anymore, right?
     
  21. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
  22. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Re: Encryption for the paranoid: Verifying TrueCrypt source code and binaries

    Yeah, this is soooo good for freedom. Raccoon stays up on this real good, I remember when he did a compile and posted the hash, etc...
     
  23. Seven64

    Seven64 Guest

    Re: Encryption for the paranoid: Verifying TrueCrypt source code and binaries

    Nothing is safe anymore except unplugging the internet, but even then you have to be careful.
    Open source is really helpful to NSA.


    “Defending against these attacks is difficult. We know from subliminal channel and kleptography research that it's pretty much impossible to guarantee that a complex piece of software isn't leaking secret information. We know from Ken Thompson's famous talk on ‘trusting trust’ that you can never be totally sure if there's a security flaw in your software.”
     
  24. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Re: Encryption for the paranoid: Verifying TrueCrypt source code and binaries

    Trying to prove the unprovable... Why?
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
Loading...
Thread Status:
Not open for further replies.