The beauty of open-source software is that the source code is available to anyone who wants to read through it to find how it works, the flaws it might contain, and places to add an extra feature or hook into other systems.
Actually reading through thousands of lines of code for evidence of backdoors, weak encryption or other tampering is a challenge even for large organizations. For an individual, even the roughly 5MB of documentation, drivers and libraries that make up the source archive of the wildly popular TrueCrypt encryption software is a long uphill trudge.
Nevertheless, motivated by reports that the National Security Agency (NSA) had compromised many of the most heavily used encryption schemes on the Web, and following the calls for a response from cryptographers including Matthew Green of Johns Hopkins University, a volunteer army of code-sifters has formed to sift through TrueCrypt code in search of reassurance or a leak to plug.
The effort, led by developers including bioinformaticist Kenn White, has attracted more than 1,000 volunteers, almost $60,000 in donations of cash and Bitcoin, and more than two million hits on the site IsTrueCryptAuditedYet.
The reason for all the furor is simple: “TrueCrypt is important!” Green wrote in an Oct. 14 blog item.
“Lots of people use it to store very sensitive information. That includes corporate secrets and private personal information. Bruce Schneier is even using it to store information on his personal air-gapped super-laptop, after he reviews leaked NSA documents,” Green wrote.
TrueCrypt is popular and well-regarded partly for technical reasons, and partly because it is one of the few reasonably secure options available. “There’s a shortage of high-quality and usable encryption software out there,” Green argued. “TrueCrypt is an enormous deviation from this trend. It’s nice, it’s pretty, it’s remarkably usable.”
It may not have been cracked, stuffed and hung on a wall as a trophy by the NSA; it may be as secure and reliable as it ever was.
Or it might not be.
IsTrueCryptAuditedYet intends to find out by reviewing the license terms, checking the binaries compiled from the source code, and having the entire codebase audited either by “one of the few security evaluation companies who are qualified to review crypto software,” by volunteers, or both.
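The binary check is the part of that plan an individual can actually start on: rebuild from source and compare the result byte for byte with what the project ships, so that a backdoor added only at build time cannot hide behind a clean source tree. The script below is an added example, not code from TrueCrypt or the IsTrueCryptAuditedYet project. The "binaries" it compares are constructed byte strings, and the 4-byte build-timestamp field at offset 8 is a hypothetical benign region declared for the demonstration; a real run would pass the downloaded installer, your own build and the vendor's published hash.

```python
"""Reproducible-build check: does a shipped binary match one built from source?

Added example, not part of TrueCrypt or the IsTrueCryptAuditedYet project.
All inputs are constructed in-line so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # [start, end) byte offsets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> List[Range]:
    """Byte ranges where a and b differ; a length mismatch is reported as a trailing range."""
    ranges: List[Range] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def classify(diffs: List[Range], benign: List[Range]) -> str:
    """'reproducible' if no diffs; 'benign-only' if every diff lies inside a region the
    reviewer has declared harmless (an embedded build timestamp, say); else 'unexplained',
    which is the case that needs a human to disassemble and look."""
    if not diffs:
        return "reproducible"
    for s, e in diffs:
        if not any(bs <= s and e <= be for bs, be in benign):
            return "unexplained"
    return "benign-only"


def verify_build(shipped: bytes, rebuilt: bytes, published_sha256: str,
                 benign: List[Range]) -> Dict[str, object]:
    """Two independent questions: did we download what the vendor published (hash check),
    and does the vendor's binary match what the public source produces (reproducibility)."""
    diffs = differing_ranges(shipped, rebuilt)
    return {
        "published_hash_matches": sha256_hex(shipped) == published_sha256.lower(),
        "verdict": classify(diffs, benign),
        "diff_ranges": diffs,
        "diff_bytes": sum(e - s for s, e in diffs),
    }


# Constructed sample "binaries" (not real TrueCrypt artifacts): a 4-byte magic,
# 4 bytes of flags, a hypothetical 4-byte build timestamp at offset 8, then 16
# bytes standing in for code.
SHIPPED = b"MZ\x90\x00" + b"\x00" * 4 + bytes.fromhex("5a2f9c52") + b"code" * 4
TIMESTAMP_FIELD: List[Range] = [(8, 12)]  # assumed benign region for this demo

REBUILT_IDENTICAL = SHIPPED
REBUILT_TIMESTAMP_ONLY = SHIPPED[:8] + bytes.fromhex("5b2f9c52") + SHIPPED[12:]
REBUILT_PATCHED = SHIPPED[:16] + b"EVIL" + SHIPPED[20:]  # four bytes changed in the code region

if __name__ == "__main__":
    published = sha256_hex(SHIPPED)  # stands in for the hash the vendor publishes
    for name, rebuilt in [("identical", REBUILT_IDENTICAL),
                          ("timestamp-only", REBUILT_TIMESTAMP_ONLY),
                          ("patched", REBUILT_PATCHED)]:
        print(name, verify_build(SHIPPED, rebuilt, published, TIMESTAMP_FIELD))
```

The point of separating the two checks is that a matching published hash says nothing about the source: a vendor can publish a correct hash for a tampered build. Only the second comparison ties the shipped bytes to the code that was audited, and the "benign region" list must be kept short and justified, because every byte declared benign is a byte the audit does not cover.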
The crowdsourced audit team has attracted a number of lawyers to work on the licensing questions, and technical advisers including Schneier and former Twitter security chief Moxie Marlinspike, as well as groups from the Electronic Frontier Foundation, the Tor Project and others, according to a story Nov. 7 in Network World.
The technical analysis of more than 70,000 lines of code written in C, C++ and assembler will take four to six weeks once it is fully funded and the background work is completed.
The project’s IndieGoGo crowd-funding effort will run through Dec. 13; meanwhile the project will roll out an updated site, an announcement of its organizational structure, information on the members of its technical advisory group and other updates, according to Kenn White, who quotes Google engineer Mike Hearn on why the NSA scandal has enraged so many:
“We designed this system to keep criminals out,” Hearn wrote Nov. 5, referring to both Western legal tradition and efforts to keep the Internet private:
“There’s no ambiguity here. The warrant system with skeptical judges, paths for appeal, and rules of evidence was built from centuries of hard won experience. When it works, it represents as good a balance as we’ve got between the need to restrain the state and the need to keep crime in check. Bypassing that system is illegal for a good reason.
“Unfortunately… Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done – build more secure software.”
Let the scanning begin.
Image: AllieBrosh modified by Matthew Green