In the wake of the serious Heartbleed flaw in OpenSSL, more people are becoming aware of how widely used and important open source encryption tools are, and how their security is too often taken for granted. Some people were already worrying about this back in September last year, when we learned that the NSA had intentionally undermined encryption by weakening standards and introducing backdoors. As Techdirt reported, that led to a call for a security audit of TrueCrypt, a very popular open source disk encryption tool. Fortunately, the Open Crypto Audit Project raised a goodly sum of money through FundFill and IndieGogo, which allowed the first phase of the audit to be funded. Here's what's now been done (pdf):
The Open Crypto Audit Project engaged iSEC Partners to review select parts of the TrueCrypt 7.1a disk encryption software. This included reviewing the bootloader and Windows kernel driver for any system backdoors as well as any other security related issues.
The good news:
iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.
However, it did still find vulnerabilities in the code it examined:
the iSEC team identified eleven (11) issues in the assessed areas. Most issues were of severity Medium (four (4) found) or Low (four (4) found), with an additional three (3) issues having severity Informational (pertaining to Defense in Depth).
Because of that, among the recommendations that iSEC made was the following:
Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.
That's an important point, and probably something that other open source projects might take to heart, too. Some have called into question whether Linus's Law -- that "all bugs are shallow, given enough eyeballs" -- is really true for free software (although Eric Raymond, author of "The Cathedral and the Bazaar", has offered a robust defense of that claim.) One reason why those eyeballs may not be finding the bugs is that the code, though open, is unnecessarily hard to read.
The fact that vulnerabilities were found -- even if "all appear to be unintentional, introduced as the result of bugs rather than malice" as iSEC puts it -- is another reason why the second phase of the audit, which will look at the details of how the cryptographic functions have been implemented, is necessary. The discovery of "issues" in TrueCrypt's code also underlines why similar audits need to be conducted for all important open source security programs: if there are vulnerabilities in TrueCrypt, there are likely to be more elsewhere, perhaps much more serious. Finding them is largely a question of money, which is why companies currently free-riding on free software -- perfectly legally -- should start seriously thinking about making some voluntary contributions to help audit and improve them to prevent another Heartbleed.
Google May Consider Giving A Boost To Encrypted Sites ((Mis)Uses of Technology)
I think I've come to the realization that the debate over whether violent video games cause real-life violence is probably never going to end. Centuries from now, some new race of alien beings will be picking over humanity's remains like some kind of alien-Indiana Jones and think to themselves, "What the hell is this bullshit?" They'll look over fossilized papers about crazy video game hardliners who were running guns on the side, or studies that stated that violent games will breed violent children despite the relative lack of violent children present. Oh, the laughs they will have at our expense.
But, it turns out, there is a way you can cause aggression in children through games. You just have to make really crappy games.
Researchers at the Oxford Internet Institute and the University of Rochester took Half-Life 2, one of the most satisfyingly intuitive games ever made (in my opinion), and modified it, turning it into a game of tag rather than a first person shooter. Some users were given a tutorial, and others were simply thrown into the game. Those that did not get the tutorial were much more aggressive after playing. Andrew Przybylski from the Oxford Internet Institute:So, all you have to do to make folks aggressive with a game is make it very difficult, counter-intuitive, and annoying. You know, like Battle Toads, Myst, or any game produced by Derek Smart. This explains why I used to go over to a friend's house, find him playing Bulls Vs. Blazers on his Sega, and would know for sure that the gaming session would eventually end with him ripping the cartridge out of the machine and chucking it at a wall (true story).
"This need to master the game was far more significant than whether the game contained violent material. Players of games without any violent content were still feeling pretty aggressive if they hadn't been able to master the controls or progress through the levels at the end of the session."
Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the "security of our users' information is a top priority" and that Google users do not need to change their passwords.Here's the thing: if the NSA hadn't become so focused on hacking everyone, it wouldn't be in this position. The NSA's dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.