Switch back to full version.
Techdirt Lite.
(Click here for full version)

First Phase Of Security Audit Finds Vulnerabilities But No Backdoors In TrueCrypt Encryption Software (Privacy)

by Glyn Moody

from the more-work-needed,-and-more-donations dept on Wednesday, April 16th, 2014 @ 12:11AM

In the wake of the serious Heartbleed flaw in OpenSSL, more people are becoming aware of how widely used and important open source encryption tools are, and how their security is too often taken for granted. Some people were already worrying about this back in September last year, when we learned that the NSA had intentionally undermined encryption by weakening standards and introducing backdoors. As Techdirt reported, that led to a call for a security audit of TrueCrypt, a very popular open source disk encryption tool. Fortunately, the Open Crypto Audit Project raised a goodly sum of money through FundFill and IndieGogo, which allowed the first phase of the audit to be funded. Here's what's now been done (pdf):

The Open Crypto Audit Project engaged iSEC Partners to review select parts of the TrueCrypt 7.1a disk encryption software. This included reviewing the bootloader and Windows kernel driver for any system backdoors as well as any other security related issues.
The good news:
iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.
However, it did still find vulnerabilities in the code it examined:
the iSEC team identified eleven (11) issues in the assessed areas. Most issues were of severity Medium (four (4) found) or Low (four (4) found), with an additional three (3) issues having severity Informational (pertaining to Defense in Depth).

Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types, and so forth.
Because of that, among the recommendations that iSEC made was the following:
Improve code quality. Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project.
That's an important point, and probably something that other open source projects might take to heart, too. Some have called into question whether Linus's Law -- that "all bugs are shallow, given enough eyeballs" -- is really true for free software (although Eric Raymond, author of "The Cathedral and the Bazaar", has offered a robust defense of that claim.) One reason why those eyeballs may not be finding the bugs is that the code, though open, is unnecessarily hard to read.

The fact that vulnerabilities were found -- even if "all appear to be unintentional, introduced as the result of bugs rather than malice" as iSEC puts it -- is another reason why the second phase of the audit, which will look at the details of how the cryptographic functions have been implemented, is necessary. The discovery of "issues" in TrueCrypt's code also underlines why similar audits need to be conducted for all important open source security programs: if there are vulnerabilities in TrueCrypt, there are likely to be more elsewhere, perhaps much more serious. Finding them is largely a question of money, which is why companies currently free-riding on free software -- perfectly legally -- should start seriously thinking about making some voluntary contributions to help audit and improve them to prevent another Heartbleed.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Google May Consider Giving A Boost To Encrypted Sites ((Mis)Uses of Technology)

by Mike Masnick

from the a-good-move,-but-would-it-work? dept on Tuesday, April 15th, 2014 @ 8:05PM
Interesting report over at the WSJ noting that some at Google are considering if they should boost the search results for sites that are encrypted as an attempt to encourage more widespread use of encryption. I would be a bit surprised if the company did this, as Google always claims that it's focus is entirely on the quality of the content of sites, and delivering people to what they're looking for. While the search algorithms do take into account things like page load time, it seems like encryption status might not be seen as a real indicator of quality. Still, I hope that Google does seriously consider such a move, because it could (very quickly) drive many more sites to encrypt -- and, it would probably (finally) drive more services that refuse to make encryption work to figure it out. For example, almost no media sites will do full encryption because it would effectively break most ad networks. So, for most media properties, going full encryption automatically means taking a huge hit in ad revenue. The various ad networks could do things to fix this, but very few of them seem interested (actually, very few of them seem to even understand the issue). If Google were to make this change, then the pressure coming from media properties (many of whom live and die based on their Google rankings) to ad networks to figure this out, would hopefully be enough to create a real shift.

DailyDirt: Aircraft That Stay In The Sky For Days (Or Longer) (Innovation)

by Michael Ho

from the urls-we-dig-up dept on Tuesday, April 15th, 2014 @ 5:00PM
Most folks don't really like flying for more than a few hours at a time, so it's not really a problem for a lot of people that most planes aren't even capable of flights lasting longer than day. (Zeppelins can fly for weeks at a time, but those ships haven't been flying regularly for a while.) Autonomous drones have been making some really long flights recently, and there may be more uses for aircraft that can stay up in the air for long periods of time. Here are just a few examples. If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Video Games Do Cause Aggression... If They Suck Out Loud (Studies)

by Timothy Geigner

from the garbage-in-garbage-out dept on Tuesday, April 15th, 2014 @ 3:50PM

I think I've come to the realization that the debate over whether violent video games cause real-life violence is probably never going to end. Centuries from now, some new race of alien beings will be picking over humanity's remains like some kind of alien-Indiana Jones and think to themselves, "What the hell is this bullshit?" They'll look over fossilized papers about crazy video game hardliners who were running guns on the side, or studies that stated that violent games will breed violent children despite the relative lack of violent children present. Oh, the laughs they will have at our expense.

But, it turns out, there is a way you can cause aggression in children through games. You just have to make really crappy games.

Researchers at the Oxford Internet Institute and the University of Rochester took Half-Life 2, one of the most satisfyingly intuitive games ever made (in my opinion), and modified it, turning it into a game of tag rather than a first person shooter. Some users were given a tutorial, and others were simply thrown into the game. Those that did not get the tutorial were much more aggressive after playing. Andrew Przybylski from the Oxford Internet Institute:

"This need to master the game was far more significant than whether the game contained violent material. Players of games without any violent content were still feeling pretty aggressive if they hadn't been able to master the controls or progress through the levels at the end of the session."
So, all you have to do to make folks aggressive with a game is make it very difficult, counter-intuitive, and annoying. You know, like Battle Toads, Myst, or any game produced by Derek Smart. This explains why I used to go over to a friend's house, find him playing Bulls Vs. Blazers on his Sega, and would know for sure that the gaming session would eventually end with him ripping the cartridge out of the machine and chucking it at a wall (true story).

The real question is: if we were going to tax violent games because we thought that's what made some kids violent, are we similarly going to tax shitty games for the same reason? It would make just as much sense, which is to say none, but it might be a good buttress against the ruination of the next ending to a Mass Effect game, amirite?


Google Apparently Chose Not To Tell The NSA About Heartbleed (Privacy)

by Mike Masnick

from the trust-issues dept on Tuesday, April 15th, 2014 @ 2:48PM
Well, this is interesting. I naturally assumed that when the various researchers first discovered Heartbleed, they told the government about it. While I know that some people think this is crazy, it is fairly standard practice, especially for a bug as big and as problematic as Heartbleed. However, the National Journal has an article suggesting that Google deliberately chose not to tell the government about Heartbleed. No official reason is given, but assuming this is true, it wouldn't be difficult to understand why. Google employees (especially on the security side) still seem absolutely furious about the NSA hacking into Google's data centers, and various other privacy violations. When a National Journal reporter contacted Google about the issue, note the response:
Asked whether Google discussed Heartbleed with the government, a company spokeswoman said only that the "security of our users' information is a top priority" and that Google users do not need to change their passwords.
Here's the thing: if the NSA hadn't become so focused on hacking everyone, it wouldn't be in this position. The NSA's dual offense and defense role has poisoned the waters, such that no company can or should trust the government to do the responsible thing and help secure vulnerable systems any more. And for that, the government only has itself to blame.

Older Stories >>