An update on Truecrypt (cryptographyengineering.com)
202 points by clarkm on Dec 21, 2013 | 44 comments


> I usually take a pretty skeptical attitude on this blog when it comes to Internet security. For the most part we do things wrong, and I used to think most people didn't care. The fact is that I was wrong. If the response to our audit call is any evidence, you do care. You care a lot.

I used to feel the exact same way the author did initially. It wasn't until this year, between teaching a class on security (whose demand I still can't even remotely fathom) and becoming more outspoken about my concerns around the way we handle security, that I really started to realize that people do care deeply about security. That said, most people don't know enough to positively impact security, but that's a problem of education; it's something I'm hoping to put a serious dent in over the next year.


> Education

Make sure to cover responsible disclosure.


This is subjective, and it's rather presumptuous to claim one particular philosophy as the "responsible" one. Microsoft rejected this term for that reason, despite the fact that it would benefit them.


I cannot explain exactly why but something about this project rubs me the wrong way.

So much time spent doing bureaucratic things, organizing, raising money. Have meetings, set up a board.

Did the authors, the people who wrote the code, that did all that work, receive such ample payment for their role? Should not some of the money raised be offered to the developers? (Some say that they are anonymous; I don't know if that is true, but they do take donations on the site.) Let's give them 70% of the money raised to work on TrueCrypt and make it even more amazing.

The developers did all that work for free (?), but now these people have to get paid really well to see if what the devs did is correct.

Seems to me most of the money goes towards hiring a for profit consulting company. Great way to drum up business I guess.

Meanwhile: From the official TrueCrypt FAQ:

Q: TrueCrypt is open-source, but has anybody actually reviewed the source code?

A: Yes. In fact, the source code is constantly being reviewed by many independent researchers and users. We know this because many bugs and several security issues have been discovered by independent researchers (including some well-known ones) while reviewing the source code.

So the reviews and audits have been going on for a long time by many individuals around the world. Anyone can do it.

As far as I know, Linux has never been subjected to a formal audit. It has been gawked at by thousands and thousands of individuals. None of them read the whole thing for sure, but parts.


Linux has been repeatedly subject to formal audits that cover the entire system in various configurations. More money has been spent auditing Linux than will ever be spent auditing Truecrypt. You haven't heard about it, because the audits were done quietly. The Truecrypt audit, on the other hand, was organized by a cryptographer on behalf of and for the sole benefit of Truecrypt's users.

If you'd like to trust your disk encryption to the same random selection of people who have looked at it in the past, rather than security domain experts, don't donate. Or, use some other package that hasn't and won't be audited. That's fine. For many of the rest of us, it's not OK to rely on un-vetted disk encryption, and paying people to write more of it without having the design and code assessed makes things worse, not better.


As one of the people running this project, let me give a quick response that may help you feel better about it.

I'm a technical person and, like you, my first inclination was to simply get on with it: we'd collect some money, then we'd start the audit. We quickly realized it wasn't _quite_ that simple. For one thing we received a whole lot of money, some of which was literally dumped into a personal bank account by IndieGogo. My collaborator on this project, Kenn White, pointed out that we might very well have to pay taxes on this money if we didn't do something to organize. That's a huge waste of our money /and/ yours. Hence the formation of OCAP as a non-profit and creation of a separate bank account. This has taken us some time, but it's worth it. It also requires that we keep track of donations and demonstrate that they were well spent, which is also a good thing.

I should point out that all this work is a royal pain in the butt, and we are not being paid to do this work. We've funded the filing fees out of our own donations.

Second, we wanted to establish a trustworthy board of technical advisors before we went and started spending the money. This has also been quite a bit of trouble, but it's certainly been worthwhile. The full list will be up on our site shortly, but briefly it includes:

Bruce Schneier, Trevor Perrin, Marcia Hofmann, Moxie Marlinspike, Nate Lawson, Joseph Lorenzo Hall, Runa Sandvik, JP Aumasson and James Denaro. Thomas Ptacek has also been on this board, but decided to recuse himself while iSEC was being considered.

I realize this is a large set of advisors, and getting consensus does take some time: but at the end of the day this audit is all about trust. The goal here is to make sure that everybody feels it was run honestly and in public. These are people we trust to call BS if we cut corners or do something shady.

With respect to reviewing the code, I routinely come across bugs in open crypto projects that should have been detected by 'people gawking at the code'. It turns out that in certain areas -- crypto being one -- you need a hell of a lot of domain expertise to find and kill subtle bugs. The people with that kind of expertise often have other things to do. This audit is an opportunity for us to correct that, at least this one time, for one project.

We hope it won't be the last.


If people want to support the TrueCrypt developers, there's a "Donate" button on the TrueCrypt website. People have instead chosen to give money to an initiative to have a thorough independent audit of the TrueCrypt code - it seems to me like it would be morally wrong to take their money and give it to the TrueCrypt developers instead. Presumably, if their preference was for that money to go to the TrueCrypt developers instead, they'd have skipped the middleman and donated directly.

Perhaps someone should organize a similar initiative for the Linux source code?


Some people are raising funds to review truecrypt code, meaning they will always be one step behind truecrypt, and there are others who are working on truecrypt compatible implementations[1][2][3].

It is my opinion that some of this money will be better off if it went to supporting these independent projects that allow management of truecrypt formatted encrypted volumes without using truecrypt. It is possible to manage truecrypt volumes without using truecrypt binary from truecrypt people.

[1] https://github.com/bwalex/tc-play/

[2] http://code.google.com/p/cryptsetup/

[3] http://code.google.com/p/zulucrypt/


The money was donated to the Truecrypt audit project. It cannot go to other projects.


> Did the authors, the people who wrote the code, that did all that work, receive such ample payment for their role? Should not some of the money raised be offered to the developers? (Some say that they are anonymous; I don't know if that is true, but they do take donations on the site.) Let's give them 70% of the money raised to work on TrueCrypt and make it even more amazing.

If the authors of TrueCrypt have a mechanism in place to bring money in from TrueCrypt, a successful security audit will only make that a lot more profitable. If they don't, they're obviously not worried about it, so who cares?

> The developers did all that work for free (?), but now these people have to get paid really well to see if what the devs did is correct.

Sixty thousand bucks divided amongst multiple people is not hugely generous compensation.


> So much time spent doing bureaucratic things, organizing, raising money. Have meetings, set up a board.

Well, if you're raising money and don't want to end up in jail for not doing it the right way, you have to spend a bit of time and money doing it the right way.


> And finally, the most exciting news: we've signed a first contract with iSEC partners to evaluate large portions of the Windows software and bootloader code. This review will begin in January.

That's huge. I assume you're not referring to having access to the Windows source code, though.

Here's a crazy idea. After the whole NSA stuff, many governments are going to require Microsoft to give them access to the source code, if they want them to continue using it, or buy the new versions of Windows. Any chance you could contact such a government, to allow you to do the audit on their behalf, or to work together with them on it?

That would be a win-win for everyone. They get a team of experts to review the Windows code base, and you get to know everything about Windows. They probably won't be very eager to get Americans to do this for them, though, so make sure you flaunt all of your credentials.


> After the whole NSA stuff, many governments are going to require Microsoft to give them access to the source code, if they want them to continue using it, or buy the new versions of Windows.

That's interesting to hear. Got any more information on that?


The Chinese government has had the Windows source code for a decade. Microsoft's press release: http://www.microsoft.com/en-us/news/press/2003/feb03/02-28gs...


Microsoft has made source code available to governments for quite a long time now. However I don't think Microsoft has ever made buildable source code available, nor does it intend to.


Which means that no one can verify that the source code MS gives them is the source code that they are running, which means NSA backdoor etc. blah tinfoil hat blah.


Can you explain what you mean? How is it the source code if it's not buildable?


Think about the largest, most complex codebase you've ever worked on. Then, remove any architecture documentation, wikis, etc. used to document how it's all tied together. Then, remove the build scripts and any lib folders.

Imagine how much fun it'd be trying to get that to build. Multiply the terror that inspires by (at least) 100x.


I think everything you say is likely to be accurate. However, given that we're talking about a nation state in an adversarial context, remember the relevant comparison is "Express the pain of black-box reconstructing the Windows build process in terms of ACEs (aircraft carrier equivalents)."

I very much doubt that building Windows is a 10 ACE problem, or a 1 ACE problem, or a 0.1 ACE problem.


If Windows has ever been built from sources provided by Microsoft plus reverse-engineering the missing bits in the toolchain, that build has never been deployed by governments as a "certified clean" Windows.

One problem is that you not only have to succeed in building and running, and compatibility-testing Windows from a snapshot of the source code (which, as a snapshot, might not correspond to any release), you have to keep up with patches and new releases. So if that ever had been done, the utility would be limited. Perhaps some modules would match bit-for-bit. What would that tell you?

That's still very unlike being able to audit source code, audit updates, and build from audited code using an identical toolchain, also built from audited code, as an upstream release.

I also think your "ACE" metric turns out to be larger than you think, once you add in an air wing and escort and support ships. Launching a ship that is an aircraft carrier is a bit like booting a kernel with no userland.


Where can more info be found on the "ACE" metric?


https://en.wikipedia.org/wiki/Jane's_Fighting_Ships

Or if you're lazy you just Google up this Wikipedia entry:

https://en.wikipedia.org/wiki/List_of_aircraft_carriers_of_t...

The USA has ten active Nimitz-class aircraft carriers. Wikipedia claims that the most recent, the USS George H.W. Bush, was completed in 2009 at a cost of $6.2 billion. A bargain compared to the projected cost of the USS Gerald R. Ford, now under construction with a budget of $15.5 billion.

These numbers are ridiculously overlarge in this context, of course, which is the point. Access to the Windows build toolchain is not even a $10M project. It's not a technical problem. You start by just offering the money to the company. A few million dollars, plus a history of enforcing your TOP SECRET security clearances, plus credible assurances that you're not going to launch a competing product, is probably enough to convince the company to just give you what you want. Quietly, of course. No need to spook the other customers.

If that doesn't work, there's always espionage.


You can't just throw the Windows source code into VS and have it compile. If you don't have the build specs and toolchain, which likely has a few purpose-built tools, you ain't building.


Well this acknowledges the existence of the source code sharing program... https://www.microsoft.com/en-us/sharedsource/government-secu...


Many governments already have access to Microsoft source code. Big corporate clients too.


This, in a nutshell, is the underutilized value of open source - the ability for the general public to conduct a trustworthy third party audit and validate security claims of software creators.


Not really. This is the value of crowdsourcing. The audit itself is being conducted by a professional software security firm (our sister company, as it happens) and their portion of it might only have cost a small factor more had complete source code not been available. It's the money and expertise that are making this possible, not the source code.

(Don't get me wrong: I strongly prefer open source software to closed.)


I have a question.

Can the government issue a gag order to a security firm doing an audit and prevent them from releasing backdoors or intentional weaknesses they discover?


Probably not. But they can contact a security research company so they make a "crowdsourced" audit project, perform it and still leave a backdoor or two uncovered. TrueCrypt gets an official audit and NSA keeps the backdoors - win-win. </sarcasm> And there is less chance that anyone else will perform an audit in the near future. :(


I am not familiar with the legal situation. However, one needs also to consider extra-juridical means. A security company that does not comply with the demands of the relevant security services is unlikely ever to do major business again in the country where it is based.


No.


I'm surprised you're so confident considering how many experts were shocked to discover how far the US govt had been able to go.


Comes from an understanding of how service providers actually get gagged: the courts actively issue a gag rule based on orders they themselves issued. That can't be true of basic science.


What if the powers that be decide to "classify" the results/reports? I would guess that would be a big legal hurdle. But if things get to that point, a copy of the report would probably show up on WikiLeaks... I guess?


That's not how classification works.


It's also not how research works. For something to be restrained from publication, the government needs to know it exists. But with new research results, they can't know what to restrain until it's too late.

They could try passing a law outlawing security research, but: good luck with that.


Don't they now know what to restrain? (due to this post, at the very least...)


Well if they planted a backdoor, they can know it exists, and could restrain it before it is too late.


It's not normally how classification works, but then there's the Born Secret doctrine that was (is?) applied to information about nuclear weapons:

http://en.wikipedia.org/wiki/Born_secret

The NSA isn't going to swoop in and claim that the results of the Truecrypt audit were born secret. But the answer to nabla9's question is yes, legal precedent exists in the United States for restraining the publication of original research when it is perceived to damage vital national security interests.


Get outta here, party pooper!


Tip for gaining more donations: once they get 501(c)(3) status, many larger companies have established charity matching programs. Usually it just takes some employee initiative to ask for an organization to be added (/ paperwork verified) and then companies will match donations. In addition, philanthropy departments can be petitioned for grants. Given all the recent news, that might generate a decent amount of grants.


This is extremely awesome and I support it. I have sensitive files with tax info and some software keys I like to keep protected. NSA aside I don't want some malware or vulnerability in my system allowing intruders to take my stuff.


Can't malware just keylog your passphrase?


Sure it could, but would it be smart enough to find the crypt file? Hopefully McAfee can help with the key logger.



