NSA Has Spurred Renewed Interest In Thorough Security Audits Of Popular 'Secure' Software

from the skepticism-is-a-good-thing dept

In yet another bit of fallout from the NSA surveillance efforts -- and, specifically, the NSA's covert takeover of security standards to insert vulnerabilities -- it appears that there's suddenly much more skepticism towards well-known security offerings. This is a good thing. There have already been some revelations concerning attempts to compromise Tor, and security researcher Matthew Green has now called for a thorough security audit of TrueCrypt, the (very) popular disk encryption tool. Green and some others have kicked off the project on the aptly named website IsTrueCryptAuditedYet.com.

As Green notes, he is not suggesting that TrueCrypt is not secure, or that it's been compromised, but that in this day and age, security software needs to be properly audited -- and, if anything, hopefully the results of such an audit will be either more secure software or more confidence that TrueCrypt really is secure.

Maybe nothing at all. Rest assured if I knew of a specific problem with Truecrypt, this post would have a very different title -- something with exclamation points and curse words and much wry humor. Let me be clear: I am not implying anything like this. Not even a little.

The 'problem' with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don't know what to trust anymore. We have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, makes a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, 'authorship is a better predictor of quality than openness'. I would feel better if I knew who the TrueCrypt authors were.

Now please don't take this the wrong way: anonymity is not a crime. It's possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren't as revered as they are in the US. (I kid.)

Hopefully, this newfound skepticism towards popular security products will lead to a world in which we really are more secure, rather than one in which the NSA just has people thinking they're more secure.


Reader Comments

  1.  
    arcan, Oct 15th, 2013 @ 2:36pm

    first thing beneficial the NSA has ever done.

     

  2.  
    Anonymous Coward, Oct 15th, 2013 @ 2:37pm

    There IS historical precedent for this.

    After all, the passengers on the Titanic felt pretty secure.

     

  3.  
    Anonymous Coward, Oct 15th, 2013 @ 2:39pm

    It is good that the revelations that have been brought forth from the Snowden data release are seeing effective changes to how things are done and questions to what was assumed to be safe software.

    People already trust this government far less than it needed to be. But government actions willing to cover up and hide methodology and workings that make things untrustworthy have been shown to be what it seeks often.

    One would think after years of enforcement that medical data as well as personal data has protected status is now being upended. I'll just drop this here...

    http://yro.slashdot.org/story/13/10/15/1315205/buried-in-the-healthcaregov-source-no-expectation-of-privacy

     

  4.  
    John Fenderson, Oct 15th, 2013 @ 2:51pm

    Re:

    That slashdot story is meaningless. It's not wording that anybody sees or agrees to, and it has no legal effect whatsoever. It upends nothing. It's probably left over from a template.

     

  5.  
    John Fenderson, Oct 15th, 2013 @ 2:54pm

    Why I don't use TrueCrypt

    The biggest one is that nobody knows who wrote it


    I'm glad he made this point. Mystery code must always be assumed to be insecure. TrueCrypt might be just fine, but anonymous authors are a good-sized red flag.

     

  6.  
    Baldaur Regis, Oct 15th, 2013 @ 2:56pm

    Re: There IS historical precedent for this.

    And, just as her sinking led to a general review of nautical engineering, to the improvement of ALL ships, having the NSA take advantage of our trust will lead to better software.

     

  7.  
    Xploding_Cobra, Oct 15th, 2013 @ 2:57pm

    What gets me is that as someone who has been using Truecrypt for years, until all this NSA bullshit, I never even thought about whether or not my own government had subverted it. Since all the NSA bullshit started though, I've managed to curtail damn near everything that I do online. While I still use TOR for certain research and I still use Truecrypt for certain files, it's pretty god damn arrogant of my own government to make me doubt my own system. It's pretty bad when I have to go offline to do some of the things I need to do, double encrypt something (or more - sometimes four x encryption) it's a sad god damn day that I have to do it in the first place. Yeah, I like run-on sentences plus this rum is DAMN good.

    Since I do a lot of pretty high end esoteric math crap, freelance, the LAST thing I want is for some government wonk to get a hold of it and make shit worse.

     

  8. This comment has been flagged by the community.
    out_of_the_blue, Oct 15th, 2013 @ 2:59pm

    BUT can you raise even a TINY suspicion of Google, Mike?

    It's basically a spy agency like the NSA, operates in utter secrecy, its code planted all over the world to effectively "tap" into tens of millions of sites, billions in revenue yet pays almost no taxes, hides the money in offshore havens... With all that, could you ankle-biters toss me a bone and say that Google is not entirely above suspicion?

    Where Mike sez: "Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn't a way of encouraging them to buy. It's a way of encouraging them to want nothing to do with you." -- So why doesn't that apply to The Google?
    10:58:26[l-365-8]

     

  9.  
    Anonymous Coward, Oct 15th, 2013 @ 3:02pm

    Re: BUT can you raise even a TINY suspicion of Google, Mike?

    2/10. Needs more cowbell.

     

  10.  
    JTReyn, Oct 15th, 2013 @ 3:38pm

    Encryption isn't enough

    NSA thinks what it's doing is OK, but it is all wrong, as these comments overwhelmingly agree. The system is broke, and logic dictates that we take matters into our own hands. Start using encryption, stop using public cloud storage and move everything to a Cloudlocker (www.stoamigo.com) which works the same but stays in your home where they still need a warrant to get it. I'm sure good ol Yankee ingenuity will come up with more inventions like this to protect us from the people supposed to protect us.

     

  11.  
    Anonymous Coward, Oct 15th, 2013 @ 3:42pm

    Re: BUT can you raise even a TINY suspicion of Google, Mike?

    You're basically wrong. Again.

     

  12.  
    Xploding_Cobra, Oct 15th, 2013 @ 3:43pm

    Re: Re: BUT can you raise even a TINY suspicion of Google, Mike?

    and you're surprised why?

     

  13.  
    Anonymous Coward, Oct 15th, 2013 @ 3:43pm

    What if TrueCrypt's anonymous author comes forward and they turn out to work for NIST.

    Would you still use it?

     

  14.  
    Anonymous Coward, Oct 15th, 2013 @ 3:47pm

    Clappy should join the Motion Picture Ass. of America, they both are outrageously comical.

     

  15.  
    Anonymous Coward, Oct 15th, 2013 @ 4:12pm

    What if TrueCrypt's anonymous author comes forward and they turn out to have had the code from their BSD licensed code ripped off

     

  16.  
    Eldakka, Oct 15th, 2013 @ 4:41pm

    What about the compilers?

    Even if the truecrypt source code passes an audit, what about the compiled code?

    Just because the source code is fine doesn't mean the compiled executables consist solely of the audited source code.

    Has there been an audit done of the GCC (and other) compilers and libraries (e.g. random number generators) to see if they insert additional subroutines into compiled code?

     

  17.  
    Mike Masnick, Oct 15th, 2013 @ 5:56pm

    Re: What about the compilers?

    Just because the source code is fine doesn't mean the compiled executables consist solely of the audited source code.

    From the page the story links to:


    Implement deterministic/reproducible builds. Many of our concerns with Truecrypt could go away if we knew the binaries were compiled from source. Unfortunately it's not realistic to ask every Windows user to compile Truecrypt themselves. Our proposal is to adapt the deterministic build process that Tor is now using, so we can know the binaries are safe and untampered. This is really a precondition to everything else. And it's not an easy process.


    So they're not just looking at the source code.

     

  18.  
    Pixelation, Oct 15th, 2013 @ 8:52pm

    The NSA have done themselves in. Anyone with anything to hide in the past should have been suspicious. Now they are informed.

     

  19.  
    Anonymous Coward, Oct 15th, 2013 @ 11:12pm

    Watch for the obvious

    I use truecrypt, but probably shouldn't given my anti-NSA stance.

    What strikes me about the most obvious attack method is the reboots. I've received lots of Windows updates recently, and a lot of them do a double reboot. Well at least they look like a reboot. There's a screen and it looks like truecrypt asking for a password, but then again, it could just be a password phishing screen.

    Fundamentally I don't trust the Windows computer in front of me, and am migrating to a Centos box.

    Passwords etc. they're being moved off to a non-connected box and changed.

    These are difficult times. MI5 is calling discussion life-threatening, GCHQ is outside the law and working for a foreign government. Astroturfers, in coordination with Andrew Parker's remarks, make death threats against Snowden and newspaper editors.

    I think people don't take their own security strongly enough until it's too late.

     
