Two years later, the license was reviewed and updated, and several points were addressed, but not enough to satisfy its critics. Experts like Green and White have not been able to determine whether it was written maliciously, or by parties without much experience in writing licenses. The license spells out a number of things that cannot be done with the software, yet fails to clarify what can be done with it. In 2006, Red Hat and Debian declared it forbidden for its respective distributions because of the wonky license governing it the chief criticism being that it opened users to litigation, White said. This isn’t the first time TrueCrypt has come under some scrutiny. “We would know the code is good and the binary that comes from the code is good, the end.” “What we want to do is go through the source code very carefully, make sure there are no problems like that and get it built from the source and all these questions go away and nobody has to worry about backdoors or anything,” Green said. If the software were backdoored, it could be that whomever did it, encrypted the password and other relevant information so that it looks like random bytes under a key known only to a third party. The possibility exists that the random bytes could be the encryption of something sensitive, and in the case of a TrueCrypt volume, that could be the password. “And so, the question is why would you do that? How do we ensure that is not an encryption of your key? We can ensure that by looking at the code and saying ‘Yeah, definitely it’s not a backdoor, it’s just random bytes.’ So there seems to be a few places where-nobody is saying there’s a backdoor-but there are behaviors that don’t make a lot of sense and we’d like to rule out the possibility.” “It’s based on the same code, so it’s kind of mysterious as to why would you have two separate chunks of code in your code base that do different things depending on whether you’re Windows or Linux,” Green said. What are those encrypted bytes? Without an audit it’s difficult to know exactly because there’s no way to prove the Windows binary is related to the source code. The most concerning thing leading people in some corners to wonder whether TrueCrypt has been backdoored-or whether the Windows binary has-is that the last 65,024 bytes of the header is filled with random values the Linux version fills the header with zero encrypted bytes. ” It’s not an insult to them or that I think they’re doing something bad, it’s just that their software is really good and it’s really widely used and so it deserves to be on better footing nowadays.” “I started to look into it and I found that unlike pretty much all the other, it is made by this phantom, anonymous group of people who have this weird license they came up with,” Green said. While that decision could be made within a couple of weeks, a full audit may not be complete until early next year. To date, the crowdfunded project has raised more than $36,000 and Green and White have begun seeking recommendations on firms that can review the software’s integrity. Green and Kenn White, a security researcher, helped get IsTruCryptAuditedYet off the ground. “TrueCrypt is too important to have this little transparency.”Ĭryptography experts such as Matthew Green of Johns Hopkins University in Baltimore agree about TrueCrypt’s importance and the need to put it on “better footing” in terms of its trustworthiness. “I’m really glad this audit is going to happen,” said Chris Soghoian, principal technologist with the American Civil Liberties Union. With revelations of new NSA surveillance dropping almost weekly, paranoia and conspiratorial thinking is giving way second thoughts about even the most trusted software. Also, the most common TrueCrypt packages are downloadable binaries for Windows that cannot be compared to the original source code those binaries behave differently than versions compiled from source code, experts say. For instance, it’s not publicly known who is on the development team behind TrueCrypt. It’s “grandma-friendly” as one expert puts it, but there are plenty of worrisome aspects that users and security experts have looked past until now. TrueCrypt has been downloaded more than 28 million times and is lauded as easy-to-use software that does its job of encrypting files, disk partitions, or entire devices. The grassroots movement to audit TrueCrypt, the popular open source encryption tool, is gaining steam with tens of thousands of dollars already raised to fund the effort to not only professionally review the source code behind the tool, but also to legally review the custom license governing its use.
0 Comments
Leave a Reply. |