A security audit of TrueCrypt has determined that the disk encryption software does not contain any backdoors that could be used by the NSA or other surveillance agencies. A report prepared by the NCC Group for Open Crypto Audit Project found that the encryption tool is not vulnerable to being compromised.
The NSA also has “major” problems with Truecrypt, a program for encrypting files on computers. Truecrypt’s developers stopped their work on the program last May, prompting speculation about pressures from government agencies. A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems. Both are programs whose source code can be viewed, modified, shared and used by anyone. Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed.
TrueCrypt Lives on
Despite this, a new Swiss TrueCrypt website that claims to be “the gathering place for all up-to-date information” on TrueCrypt has sprung up. The site is the home of a new project which is taking the TrueCrypt code forward and evolving it into a new application called CipherShed.
I do not know precisely what this means, as I have no contact with the developers anymore: but this is what was agreed upon.
They should no longer be trusted, their binaries should not be executed, their site should be considered compromised, and their key should be treated as revoked. It may be that they have been approached by an aggressive intelligence agency or NSLed, but I don’t know for sure.
While the source of 7.2 does not appear to my eyes to be backdoored, other than obviously not supporting encryption anymore, I have not analysed the binary and distrust it. It shouldn’t be distributed or executed.
TrueCrypt’s formal code audit will continue as planned. Then the code will be forked, the product’s license restructured, and it will evolve. The name will be changed because the developers wish to preserve the integrity of the name they have built. They won’t allow their name to continue without them. But the world will get some future version, that runs on future operating systems, and future mass storage systems.
There will be continuity . . . as an interesting new chapter of Internet lore is born.