Mostly harmless: Berlin boffins bleat post epic TrueCrypt audit feat

Ten auditors from the lauded Fraunhofer Institute for Secure Information Technology have given TrueCrypt a security tick after completing a comprehensive six-month audit under contract from the German Government. The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient …

Anonymous Coward

Well, hurray..

If you want VeraCrypt, it's at https://veracrypt.codeplex.com. Current version is 1.16.

7
1
Anonymous Coward

Re: Well, hurray..

Hell no!

For what possible reason?

I already have my properly authenticated TC 7.1a binaries, code and keys. I had them long before the abandonment. The cryptography is (of course) as solid as it has always been, the code has now been scrutinised at length by multiple independent authorities, and all that has ever been discovered is a smattering of benign and contextually utterly trivial coding imperfections. As a result of all this FUD, TC 7.1a has been rendered/proven by far the most studied, robust and trustworthy block cryptography application I know of. I really can't imagine any reason arising to even consider moving from TC 7.1a at any point in the foreseeable future.

Anyone who does not already have copies can readily obtain them from, and compare them across, multiple sources disseminated widely across the interwebs and the world. There is no longer a single point of failure. At present a search of the signing key's "short fingerprint" (F0D6B1E0) yields 2780 results on Google. Presumably now 2781 ;o)

Just for good measure, here's the key's full spec along with a few of its digests...

pub   1024D/F0D6B1E0 2004-06-06
      Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0
uid   TrueCrypt Foundation <info@truecrypt-foundation.org>
uid   TrueCrypt Foundation <contact@truecrypt.org>
sub   4077g/6B136ECF 2004-06-06
      Key fingerprint = EB79 356A 3AFA B492 66A3 322F DCEA 1B7C 6B13 6ECF

TrueCrypt-key.asc
MD5:       41612478ceeee8448b87a5e872f07302
SHA256:    26d4446f040bf6989a19b197f69d0fc2a80fb6fa826750163f396ee904ac4b27
WHIRLPOOL: c3deb2b0a45ce04293088ac0e44a8fe7a0df1a6e0c6fa37dd46598ca4d554895f0a234bb3f8646f5ba1c020088b573e98e1f6b8ce93c8bb9e5c65c0d7b09d5da

18
3
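The comment above suggests fetching TrueCrypt-key.asc from several independent places and comparing each copy against the published fingerprint. The following is an added example of how to do that check mechanically; it is not the poster's code and not anything shipped by TrueCrypt. It de-armors an OpenPGP key block (verifying the radix-64 CRC24), walks the packets, and recomputes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, a two-octet length, and the public-key packet body) so it can be compared with the full 40-hex-digit fingerprint rather than the 32-bit short ID. The key block built at the end is a constructed toy with arbitrary small MPIs, not the TrueCrypt Foundation key; only the packet framing is real.

```python
"""Added example (not TrueCrypt's or the poster's code): check a downloaded OpenPGP
key file against a published fingerprint. A v4 fingerprint is SHA-1 over
0x99 || 2-octet length || public-key packet body (RFC 4880 section 12.2).
The key constructed at the bottom is a toy, not the TrueCrypt Foundation key."""
import base64, hashlib, hmac, re

def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor, verify the CRC24 line, return the raw packet bytes."""
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    inner = lines[1:-1]
    data = inner[inner.index("") + 1:]  # armor headers end at the first blank line
    if not data or not data[-1].startswith("="):
        raise ValueError("missing CRC24 line")
    raw = base64.b64decode("".join(data[:-1]), validate=True)
    if int.from_bytes(base64.b64decode(data[-1][1:]), "big") != crc24(raw):
        raise ValueError("armor CRC24 mismatch")
    return raw

def packets(raw: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag octet")
        if ctb & 0x40:  # new-format header
            tag, first, i = ctb & 0x3F, raw[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 1, 2 or 4 length octets; type 3 is indeterminate
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(raw[i:i + n], "big"), i + n
        yield tag, raw[i:i + length]
        i += length

def v4_fingerprint(body: bytes) -> str:
    if body[:1] != b"\x04":
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def normalize_fpr(text: str) -> str:
    """'C5F4 BAC4 ... F0D6 B1E0' -> 'C5F4BAC4...F0D6B1E0'; the short key ID is the last 8 hex digits."""
    return re.sub(r"\s+", "", text).upper()

def key_fingerprints(armored: str) -> dict:
    """Fingerprints of the primary key (tag 6) and any subkeys (tag 14)."""
    fprs = [(tag, v4_fingerprint(body)) for tag, body in packets(dearmor(armored)) if tag in (6, 14)]
    return {"pub": next((f for t, f in fprs if t == 6), None), "sub": [f for t, f in fprs if t == 14]}

def matches_published(armored: str, published_fpr: str) -> bool:
    """Compare the FULL primary fingerprint, never just the 32-bit short ID, which is forgeable."""
    try:
        got = key_fingerprints(armored)["pub"]
    except ValueError:  # corrupt armor or unparseable packets: do not trust it
        return False
    return got is not None and hmac.compare_digest(got, normalize_fpr(published_fpr))

def check_copies(copies: list, published_fpr: str) -> list:
    """Check each independently obtained copy; a lone source is a single point of failure."""
    return [matches_published(c, published_fpr) for c in copies]

# --- constructed sample: arbitrary small MPIs, only the packet framing is real ---
def _mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")

def constructed_key() -> str:
    """Toy v4 DSA (algorithm 17) primary key dated 2004-06-06 (0x40C25E80), like the post's key."""
    body = b"\x04\x40\xC2\x5E\x80\x11" + _mpi(0xC7F3E9) + _mpi(0x9B5D) + _mpi(0x2A) + _mpi(0x6F1D4B)
    return armor(b"\x99" + len(body).to_bytes(2, "big") + body)  # 0x99 = old-format tag 6, 2-octet length
```

Run `check_copies([copy_a, copy_b, copy_c], "C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0")` over the copies you fetched; any copy whose armor CRC fails or whose recomputed fingerprint differs comes back False rather than raising, so a single bad mirror is visible without stopping the comparison. The MD5/SHA-256 digests posted for the .asc file are a plain `hashlib` check over the file bytes and catch transport damage, but only the fingerprint comparison ties the file to the key the post describes.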
Anonymous Coward

Re: Well, hurray..

Thanks to AC for all those full specs and digests, etc., for your genuinely useful comment :)

The down voter must be TLA - masters of FUD ...

4
4

Re: Well, hurray..

@AC Whilst I take your point, since this is open source and it could always benefit from a few tweaks and improvements, perhaps a new version of the code (with the delta closely scrutinised with every update) is a good thing?

Having the signed binaries from the original is a good thing, and always useful as a back-stop, but compiling* it yourself from known code is also good.

*Assuming you can trust your compiler of course :)

2
0

Re: Well, hurray..

Bold and italics are AWESOME.

(as are caps).

1
1
Anonymous Coward

Re: Well, hurray..

Total agreement Sir RC. The devil is, of course, in the close scrutiny of every delta.*

Seeing no meaningful utility to any "upgrade" due to...

  • TC's cryptographic integrity now having been checked and confirmed to absurdity... and beyond.
  • Any and all the coding foibles being meaningless irrelevances because, obviously, if your system isn't secure, all your cryptography effort would inevitably be totally fucked anyway.
...I really do consider those devilish deltas to be risk totally without reward.

* (Emboldened _AND_ italicised for the pleasure of our sarcastic friend. Now featuring a list too!)

3
2

Re: Well, hurray..

Downvoted because essentially you're saying a fixed, known, frozen-in-time version is better than something that is under active development - a point which is extremely debatable since it's public knowledge who the Veracrypt developers are vs the unknowns who coded the original.

Your whole argument rests on balancing 2 imponderables - dormant but well audited legacy code vs maintained but changing code, which may or may not be introducing new bugs with new functionality.

Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV.

7
7

Re: Well, hurray..

"Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV."

"Frequently used" doesn't necessarily mean heavily scrutinised, at least, not until those bugs emerged. It was active maintenance that introduced the Debian ssl bug.

6
1

Re: Well, hurray..

"Given this last year has seen Heartbleed AND shellshock in far more frequently used codebases - my personal preference is to go with the actively maintained stuff, but YMMV."

Well, my *logic* is certainly different to yours.

Unless the Veracrypt team (person?) finds a security flaw in Truecrypt that was missed by the extensive audit, and then produces a fix, I cannot see how it could possibly come up with a product that is more secure. Security flaws are seldom fixed by accident in the course of making other tweaks and adding new features. Exactly the reverse is in fact the case.

4
0

Re: Well, hurray..

Thanks to AC for all those full specs and digests, etc., for your genuinely useful comment :)

The down voter must be TLA - masters of FUD ...

I'm pretty sure El Reg randomly creates down votes, just for the LOLs.

2
0

Re: Well, hurray..

I freely supply random up and down votes whilst scrolling with my touch screen tablet.

I haven't yet found a "withdraw vote" function to match the ability to withdraw a post.

4
0
Anonymous Coward

Re: Well, hurray..

You can't unvote but you can change your vote - as many times as you like.

2
0

Re: Well, hurray..

Wow!

I never knew that, but you're right. I just tried it.

Upvotes/Downvotes can be rescinded. Hurrah!

0
0

Hmm...

Well that should reassure all the conspiracy theorists out there.

"... under contract from the German Government."

Tin foil - It's not just for wrapping the turkey.

2
0

Re: Hmm...

Governments are not monoliths. They can both do good and bad. Sometimes at the same time.

This audit was done to see if TrueCrypt is secure for Government use: Some cryptography solution used by German federal institutions uses parts of TrueCrypt, and thus the BSI (Bundesinstitut für Sicherheit in der Informationstechnologie/Federal institute for Security in Information Technology) ordered this audit to see if the solution is secure for their use.

Thus in this case the interests of the Government and the public are the same.

4
1

Re: Hmm...

Somewhat contrary to that, Germany has generally been pretty strong on the whole personal privacy thing and was the target of hacking by the NSA, which apparently they got quite annoyed at. It wouldn't surprise me if they were having an audit done for internal use and someone suggested making a public statement of the results to try and counter some of the bad press from being part of Five Eyes.

3
0

Under contract....

My tinfoil hat is tingling....

I'm not saying this is true, but what if the governments know that TrueCrypt is breakable (they found a way somehow), the previous devs found out and told us all, and governments are now trying to convince us to keep using it because it's "like secure guys" rather than having us use something new that they can't crack?

Just sayin..

2
2
Anonymous Coward

Re: Under contract....

I'm not saying this is true but are you sure "the governments" aren't behind the relentless anti-Truecrypt FUD ...and maybe something like "VeraCrypt" too???

Just sayin...

1
0
Anonymous Coward

Tin foil

Chaps, please remember: the manufacturers of tin foil are paid by the government to include microscopic trackers at regular intervals in every roll.

Think about it: the trackers will need aerials; aerials need to be conductive; tin foil is conductive.

But sometimes there is simply no conspiracy.

6
0

Re: Tin foil

What if you run a few thousand volts through* your tin foil to ensure all the bugs are fried first?

*I would recommend you take it off your head first though, but ymmv.

1
0

Re: Tin foil

You think they haven't thought of that? The tin foil thing is a bluff, people think they're safe, but they aren't. In fact, the recorders have been miniaturised and distributed as dust across the whole world. Whenever the government want information they just send in people with vacuum cleaners. They got the idea from a series of short stories by Bob Shaw...

You think all this talk of drones is true? They just send a signal to the transmitters in a specific area and they detonate. It looks like a missile explosion, but it isn't. The drones are just a convenient cover.

0
0

Re: Tin foil

"What if you run a few thousand volts through* your tin foil"

For the love of $DEITY, don't do that, man! The unavoidable arcing creates millions of tiny punctures in the tin foil which then all proceed to diffract the incoming mind control signal right into your skull, as a tiny all new source each! It's the worst thing you could do, which is exactly why THEY create this sort of misleading rumour! Don't listen to them! Or to me! I could be one of them - just think about it...!

3
0

Re: Tin foil

"They got the idea from a series of short stories by Bob Shaw..."

Slow glass! I haven't thought about that for ages.

Now I come to think about it, my copy of "Other Days, Other Eyes" went missing. I wonder if the subject matter was too close to "the truth"?

1
0

Re: Tin foil

So this is what is in those contrails that are sprayed all over the globe! Nanobugs to defeat tin foil protection!

0
0

Re: Tin foil

I thought all conspiracies were a part of the Grand, Master Plan (GMP). This GMP is the source of all conspiracies. It is, itself, a conspiracy between The Governments and the highly secretive Makers of Tin Foil to sell more tin foil.

1
0

Re: Tin foil

I thought everyone knew the tin foil hat was past it, and the 'anti drone hoodie' was the future.

0
0

From TrueCrypt to government exploding surveillance dust...

Well, that escalated quickly.

12
0

Suspicion on the abandonment...

Were one (or more) of the developers of TrueCrypt US citizens? If so, it is likely that they received a secret court order, ordering them to weaken parts of the code or leave subtle vulnerabilities. You would never know, as the order would be secret, and so in defiance the developers just packed up shop like a well-known encrypted mail provider.

If the intentional bug was found, for those even bothering to look, they could just claim an unknown bug and then fix it (and leave another bug elsewhere).

Or simply, they got fed up of coding it.

- S.A

4
0
Anonymous Coward

Re: Suspicion on the abandonment...

Ukraine, I vaguely recall?

I more clearly recall an absolutely extraordinary amount of FUD-slinging on the official forum. All baseless of course but the tone and effect it created was very impressive. Now gone and poorly archived, sadly, as it would have been interesting to revisit, armed with a couple of years hindsight. I'd be surprised if that hadn't contributed to the apparently "fed up" ultimate outcome.

0
0

Re: Suspicion on the abandonment...

That's the best part. We don't know anything about the developers. Their nationality, their number, their motivation... nothing. It's perfect conspiracy fodder.

0
0
Anonymous Coward

Does Veracrypt plan to be audited?

Just curious.

1
0
Anonymous Coward

Re: Does Veracrypt plan to be audited?

Not indefinitely, I'd wager.

0
0

Re: Does Veracrypt plan to be audited?

Vera isn't that kind of girl

1
0

Nammar Grazi

"The 77-page report dug up extra vulnerabilities in the once-popular encryption platform but say none are sufficient to undermine the jettisoned software."

...none IS...

/You're welcome.

2
2
Anonymous Coward

Re: Nammar Grazi

The "extra vulnerabilities" is the subject of the "none are sufficient..." Since the subject is plural, the verb should match. Consider this rewrite:

The 77-page report on [TrueCrypt] dug up extra vulnerabilities, but the report says that none of the vulnerabilities are sufficient to undermine [TrueCrypt].

On the other hand, the "77-page report" is 3rd person singular, so "say" should be "says".

The confusion comes from having two subjects with accompanying verbs scattered throughout the sentence.

2
0
