Awesome work!
2013/10/28 Xavier de Carné de Carnavalet <[email protected]>

> TrueCrypt is a popular piece of software enabling data protection by means
> of encryption for all categories of users. It is getting even more
> attention lately, following the revelations about the NSA, as the authors
> remain anonymous and no thorough security audit has yet been conducted to
> prove it is not backdoored in any way. This has led to several concerns being
> raised in different places, such as this blog post [1], this one [2], this
> security analysis [3], also related in that blog post [4] from which
> IsTrueCryptAuditedYet? [5] was born. One of the recurring questions is:
> What if the binaries provided on the website were different than the source
> code and they included hidden features? To address this issue, I built the
> software for Windows from the official sources in a careful way and was
> able to match the official binaries. According to my findings, all three
> recent major versions (v7.1a, v7.0a, v6.3a) exactly match the sources.
>
> Details on how to reproduce the results are mentioned at
> https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/
>
> FAQ:
> - Does it mean TrueCrypt isn't backdoored in any way and is safe/secure?
>   No.
> - Does it mean a potential backdoor or weakness should only be found in
>   the source code?
>   Assuming you trust the compiler not to do anything wrong, yes.
> - Nobody audited the source code.
>   True, so you should support IsTrueCryptAuditedYet? for this to happen.
>
> Don't trust me: compile it yourself the way I did. If official binaries
> get changed in the future, I can't vouch for them. Check authenticity and
> integrity.
>
> [1] http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/
> [2] http://brianpuccio.net/excerpts/is_truecrypt_really_safe_to_use
> [3] https://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis-en.pdf
> [4] http://blog.cryptographyengineering.com/2013/10/lets-audit-truecrypt.html
> [5] http://istruecryptauditedyet.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
GPG: http://is.gd/droope <http://is.gd/signature_>
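The "compile it yourself and match the official binaries" check, as an added example (not code from the quoted post, and not Xavier's own comparison procedure, which is documented on his page): a small Python checker that diffs a rebuilt Windows binary against the official one while masking only the PE header fields assumed here to vary between two builds of identical source (the COFF link timestamp and the optional-header CheckSum), and reports every other differing byte range. The fake_pe helper and the sample blobs are constructed for the self-check and are not loadable executables.

```python
import struct
from typing import List, Tuple

Range = Tuple[int, int]

def variable_pe_fields(data: bytes) -> List[Range]:
    """(offset, length) of header fields assumed to legitimately differ between builds."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE image: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew -> 'PE\0\0' signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER follows COFF header
    return [(pe + 8, 4),      # COFF TimeDateStamp (link time)
            (opt + 64, 4)]    # OptionalHeader.CheckSum (offset 64 in both PE32 and PE32+)

def differing_ranges(a: bytes, b: bytes, ignore: List[Range]) -> List[Range]:
    """Half-open byte ranges where a and b differ, skipping the ignored fields.
    A length mismatch counts as a difference over the tail of the longer image."""
    masked = {i for off, ln in ignore for i in range(off, off + ln)}
    diffs, start = [], None
    total = max(len(a), len(b))
    for i in range(total):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and i not in masked:
            if start is None:
                start = i
        elif start is not None:
            diffs.append((start, i))
            start = None
    if start is not None:
        diffs.append((start, total))
    return diffs

def builds_match(official: bytes, rebuilt: bytes) -> bool:
    """True when the images are identical apart from the variable header fields."""
    return not differing_ranges(official, rebuilt, variable_pe_fields(official))

def fake_pe(timestamp: int, checksum: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for testing (headers only, no real sections)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96, 0x102)
    opt = b"\0" * 64 + struct.pack("<I", checksum) + b"\0" * 28  # CheckSum at offset 64
    return dos + coff + opt + body

if __name__ == "__main__":
    official = fake_pe(0x11111111, 0xAAAAAAAA, b"\xCC" * 16 + b"TRUECRYPT")
    rebuilt = fake_pe(0x22222222, 0xBBBBBBBB, b"\xCC" * 16 + b"TRUECRYPT")
    print("match:", builds_match(official, rebuilt))
    print("residual diffs:", differing_ranges(official, rebuilt, variable_pe_fields(official)))
```

Any range that survives the masking is something to explain by reading the disassembly of both images, not something to wave through.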
