| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Oct 2013 18:43:01 +1300
From: Pedro Worcel <pedro@...cel.com>
To: Xavier de Carné de Carnavalet <x_decarn@...s.concordia.ca>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: How I Compiled TrueCrypt For Windows and
Matched the Official Binaries
Awesome work!
2013/10/28 Xavier de Carné de Carnavalet <x_decarn@...s.concordia.ca>
> TrueCrypt is a popular piece of software enabling data protection by means
> of encryption for all categories of users. It is getting even more
> attention lately, following the revelations about the NSA, as the authors
> remain anonymous and no thorough security audit have yet been conducted to
> prove it is not backdoored in any way. This has led several concerns raised
> in different places, such as this blog post [1], this one [2], this
> security analysis [3], also related on that blog post [4] from which
> IsTrueCryptAuditedYet? [5] was born. One of the recurring questions is:
> What if the binaries provided on the website were different than the source
> code and they included hidden features? To address this issue, I built the
> software for Windows from the official sources in a careful way and was
> able to match the official binaries. According to my findings, all three
> recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources.
>
> Details on how to reproduce the results are mentioned at
> https://madiba.encs.concordia.**ca/~x_decarn/truecrypt-**
> binaries-analysis/<https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/>
>
> FAQ:
> - Does it mean TrueCrypt isn't backdoored in any way and is safe/secure?
> No.
> - Does it mean a potential backdoor or weakness should only be found in
> the source code?
> Assuming you trust the compiler not to do anything wrong, yes.
> - Nobody audited the source code.
> True, so you should support IsTrueCryptAuditedYet? for this to happen.
>
> Don't trust me, compile it yourself the way I did. If official binaries
> get changed in the future, I can't vouch for them. Check authenticity and
> integrity.
>
>
> [1] http://www.privacylover.com/**encryption/analysis-is-there-**
> a-backdoor-in-truecrypt-is-**truecrypt-a-cia-honeypot/<http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/>
> [2] http://brianpuccio.net/**excerpts/is_truecrypt_really_**safe_to_use<http://brianpuccio.net/excerpts/is_truecrypt_really_safe_to_use>
> [3] https://www.privacy-cd.org/**downloads/truecrypt_7.0a-**
> analysis-en.pdf<https://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis-en.pdf>
> [4] http://blog.**cryptographyengineering.com/**
> 2013/10/lets-audit-truecrypt.**html<http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html>
> [5] http://istruecryptauditedyet.**com/<http://istruecryptauditedyet.com/>
>
> ______________________________**_________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-**disclosure-charter.html<http://lists.grok.org.uk/full-disclosure-charter.html>
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
GPG: http://is.gd/droope <http://is.gd/signature_>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists