NSA Has Spurred Renewed Interest In Thorough Security Audits Of Popular 'Secure' Software
from the skepticism-is-a-good-thing dept
In yet another bit of fallout from the NSA surveillance efforts -- and, specifically, the NSA's covert takeover of security standards to insert vulnerabilities -- it appears that there's suddenly much more skepticism towards well-known security offerings. This is a good thing. There have already been some revelations concerning attempts to compromise Tor, and security researcher Matthew Green has now called for a thorough security audit of TrueCrypt, the (very) popular disk encryption tool. Green and some others have kicked off the project on the aptly named website IsTrueCryptAuditedYet.com.As Green notes, he is not suggesting that TrueCrypt is not secure, or that it's been compromised, but that in this day and age, security software needs to be properly audited -- and, if anything, hopefully the results of such an audit will be either more secure software or more confidence that TrueCrypt really is secure.
Maybe nothing at all. Rest assured if I knew of a specific problem with Truecrypt, this post would have a very different title -- something with exclamation points and curse words and much wry humor. Let me be clear: I am not implying anything like this. Not even a little.Hopefully, the end result of this new found skepticism towards popular security products will lead to a world in which we really are more secure, rather than one in which the NSA just has people thinking they're more secure.The 'problem' with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don't know what to trust anymore. We have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, makes a fantastic target for subversion.
But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, 'authorship is a better predictor of quality than openness'. I would feel better if I knew who the TrueCrypt authors were.
Now please don't take this the wrong way: anonymity is not a crime. It's possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren't as revered as they are in the US. (I kid.)
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: audits, matthew green, nsa, nsa surveillance, security, truecrypt
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
There IS historical precedent for this.
[ link to this | view in chronology ]
Re: There IS historical precedent for this.
[ link to this | view in chronology ]
People already trust this government far less than it needed to be. But government actions willing to cover up and hide methodology and workings that make things untrustworthy have been shown to be what it seeks often.
One would think after years of enforcement that medical data as well as personal data has protected status is now being upended. I'll just drop this here...
http://yro.slashdot.org/story/13/10/15/1315205/buried-in-the-healthcaregov-source-no-expectat ion-of-privacy
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Why I don't use TrueCrypt
I'm glad he made this point. Mystery code must always be assumed to be insecure. TrueCrypt might be just fine, but anonymous authors are a good-sized red flag.
[ link to this | view in chronology ]
Since I do a lot of pretty high end esoteric math crap, freelance, the LAST thing I want is for some government wonk to get a hold of it and make shit worse.
[ link to this | view in chronology ]
BUT can you raise even a TINY suspicion of Google, Mike?
Where Mike sez: "Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn't a way of encouraging them to buy. It's a way of encouraging them to want nothing to do with you." -- So why doesn't that apply to The Google?
10:58:26[l-365-8]
[ link to this | view in chronology ]
Re: BUT can you raise even a TINY suspicion of Google, Mike?
[ link to this | view in chronology ]
Re: BUT can you raise even a TINY suspicion of Google, Mike?
[ link to this | view in chronology ]
Re: Re: BUT can you raise even a TINY suspicion of Google, Mike?
[ link to this | view in chronology ]
Encryption isn't enough
[ link to this | view in chronology ]
Would you still use it?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
What about the compilers?
Just because the source code is fine doesn't mean the compiled executables consist solely of the audited source code.
Has there been an audit done of the GCC (and other) compilers and libraries (e.g. random number generators) to see if they insert additional subroutines into compiled code?
[ link to this | view in chronology ]
Re: What about the compilers?
From the page the story links to:
So they're not just looking at the source code.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Watch for the obvious
What strikes me about the most obvious attack method is the reboots. I've received lots of Windows updates recently, and a lot of them do a double reboot. Well at least they look like a reboot. There's a screen and it looks like truecrypt asking for a password, but then again, it could just be a password phishing screen.
Fundamentally I don't trust the Windows computer in front of me, and am migrating to a Centos box.
Passwords etc. they're being moved off to a non-connected box and changed.
These are difficult times. MI5 is calling discussion life-threatening, GCHQ is outside the law and working for a foreign government. Astroturfer in coordination with Andrew Parker's remarks, make death threats against Snowden and newspaper editors.
I think people don't take their own security strongly enough until its too late.
[ link to this | view in chronology ]