NSA spying prompts open TrueCrypt encryption software audit to go viral
Concerns over NSA tampering provokes wide crowdsourcing response from security community
Computerworld - A unique effort to crowdsource a security audit of the popular TrueCrypt open source encryption software appears to be going viral three weeks after it was launched by two U.S. based researchers in response to concerns that the National Security Agency may have tampered with it.
The intiative has so far garnered more than $57,000 in donations and bitcoins and attracted over 1,000 volunteers from 30 countries, including a techncial advisory group comprised of some of the world's best regarded cryptographers.
The initiative's IsTruecryptAuditedYet website has received more than two million hits from users in 70 countries.
"The response has been amazing," said Kenneth White co-founder of the TrueCrypt Audit Project and principal scientist at BAO Systems, a health information systems company. "Donations have ranged from as little as $3 to as much as $10,000, with the majority in the $10 to $25 range."
"It's been incredibly humbling. As important as the financial contributions, we have had terrific offers of technical and logistical support from friends, colleagues and complete strangers," he added.
TrueCrypt, a free, open source encryption file and disk encryption softare tool for Windows, Mac OS X and Linux, is widely used by corporations, lawyers and other professionals and individuals around the world to encrypt sensitive and confidential data.
According to the anonymous group that developed the software, there have been close to 29 million downloads of TrueCrypt. In addition, countless more copies of the softeware have been distributed via magazine cover CDs and downloaded from servers hosted by others.
The software's popularity stems from it ease of use, its ability to do on-the-fly encryption of data and its robustness.
But recent disclosures about the NSA's alleged attempts to subvert popular encryption technologies have prompted some to question the trustworthiness of TrueCrypt -- or any other encryption technology.
In TrueCrypt's case, the concerns are exacerbated because few know who developed the software. Other facets of the technology have raised concerns as well.
In October, Matthew Green, a cryptographer, professor at Johns Hopkins University and co-founder of the TrueCrypt Security Audit initiative, outlined the concerns in a blog post.
For instance, said Green, the Windows version of TrueCrypt differs from the Linux version in a manner that suggests a possible backdoor or other deliberate compromise in the software.
"Even if the Truecrypt source code is trustworthy, there's no reason to believe that the binaries are. And many, many people only encounter Truecrypt as a Windows binary. In my very humble opinion that should worry you," Green wrote in arguing for a comprehensive audit of the software by the security community.
In the three weeks since the blog post, the response has been overwhelming, says White.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts