Can you trust 'NSA-proof' TrueCrypt? Cough up some dough and find out

Can we please not call it an extra 64K block of data, it's padding to the next 64K boundary.

An encrypted block of zeros will be can be verified to be zeros by the key owner and it carries no information despite being pseudo-random in appearance. Finding out whether the Windows version incorporates information there will only come from disassembling the compiled code, just looking at the source is irrelevant.

Extra bytes in binary

Could the extra bytes perhaps be a signature?

From the Truecrypt FAQ:

As TrueCrypt is open-source software, independent researchers can verify that the source code does not contain any security flaw or secret 'backdoor'. Can they also verify that the official executable files were built from the published source code and contain no additional code?

Yes, they can. In addition to reviewing the source code, independent researchers can compile the source code and compare the resulting executable files with the official ones. They may find some differences (for example, timestamps or embedded digital signatures) but they can analyze the differences and verify that they do not form malicious code.

If you don't like it, overwrite it

If you don't like the mysterious 64K then just overwrite it with a chunk of mp3. Either Truecrypt will stop working or it won't, which should tell you something in itself.

Maybe the EFF would like to chip in?

Audit the source? Nobody *runs* the source, they run binaries

> why an audit of TrueCrypt is needed and arguably even overdue

And as soon as the developers come up with a new version, the auditing needs to be all over again.

However, what's worse is if someone brings out a TrueCrypt virus. One that only attacks that particular program and inserts a backdoor into installed copies (or some other binary it depends on). You can have audited source - but that's no use if the environment the program is running on is insecure and is therefore open to having the binary attacked, post-audit.

The only audit that a user could trust would be of an entire system: O/S, applications+libraries and TrueCrypt. Then as soon as any of those are changed, upgraded or patched, the whole audit becomes invalidated. Oh, and as for proprietary binary-only drivers, codecs or libraries: don't even think about installing them.

TrueCrypt is good

But no on it's own. The unthinking masses will go "Oh, but plausible deniability!" Yeah well, that's for nowt when the OS grasses you up.

Imagine you mount your "hidden" volume to drive E: and open some file in Word or Paint or whatever. "E:\Secret\Codename-Razorbill.txt"

Close it, unmount the hidden volume.

Well done, the presence of that file is now obvious to anyone who gets hold of your computer (or has a virus/trojan running on it) and has a shufty your "most recently used" list. To either the bad guys find out (electrodes to the scrotum) or the cops do (you go to jail under RIPA).

This is just one example of how a single tool simply isn't enough.

Surely it depends on

who you are concerned about looking at your data?

A. random hackers / scumbags who steal your kit

B. Governments

If it is A then you are probably ok (assuming your passwords / passfile is not on the same box);

if it is B then it is safe to assume you are not.

If you are worried about B you need to keep your stuff isolated from ALL networks.

Would be nice to know that there were no backdoors but seriously doubt that most peoples home equipment is looked at by governments when the traffic they generate is so easy for them to slurp.

I don't care about being anonymous, I'm just too lazy to create a login ;*p Hey! They MADE me create one....so much for anonymity.

Personally, never assumed truecrypt would withstand world class decryption - I use it for routine stuff - business records that contain private data on clients, the sort of stuff that if your laptop is stolen you don't want available to anyone. Yes, I use a bios pwd and a disk pwd, but it's information on OTHER people, not me, so it's my responsibility to try to keep it safe. Obviously, if a security agency of a large government is interested in me or any one else, they're gonna find out all that stuff anyway!

Let's see - what WOULD be the security data that would interest them?

-

If you were encrypting data from organized crime

-if you were encrypting child pornography

-If you were encrypting evidence from felonies you were or had committed

-if you were using it for espionage

LOL - well, I don't have to worry on those accounts, that's for sure! I guess it all goes back to the "who watches the watchers" concept. I believe some reciprocity should be possible: No, I don't wanna know what the nuclear launch codes are! ;*p , But , there should be some kind of civilian audit organization that is at least allowed to oversee the basic practices of the NSA & CIA, like there are for police departments in many places. I know, that's the Congress' job....but they're too close to the problem and are easily swayed by purported "threats to national security".

Watched a movie last night about the nuclear program called "Building Bombs" which really showed how well meaning, basically really good people get caught up in regrettable enterprises....I know a couple people that, let's just say they have VERY high security clearances, and they're fun folks - smart, humorous, creative people. If it was just people like them running the NSA, I'd be like, "sure dude, here's all my passwords", ha ha ha ha! The problem is, there's always a few psychopaths that are attracted to positions of power and let's face it (eg in the military & the CIA) people who get a kick out of killing people and all sorts of other mean and nasty things as the song goes....Those people can inflict a lot of damage! So watchdogs please, NSA & CIA people: Most of us understand the need for some kind of security organization to, eg, look for the missing plutonium "pits" stolen (or sold) from Russian or other crumbled nuclear states.....but a little more openness wouldn't hurt..