The Story of a Software Audit

By Lindsay Beck | November 18, 2013

Small Photo
Photo

Auditing of software of both the license and the source code is nothing new, especially of tools that are new to the digital security plethora of tools. But what about software whose use is widely recommended, but where little is known about the licensing decisions and the differences between original code and platform-specific applications? This is the impetus for the audit of the encryption software TrueCrypt.

TrueCrypt allows you to create an encrypted container on your computer's hard drive to store sensitive files, that to the untrained eye, appear like any other file you might find on a user’s computer.  TrueCrypt storage “volumes” are typically made to look like a large video file (and hey, we even have a tutorial on how to make one that actually plays part of a video).

Despite being an open-source licensed project, there are legal and technical limitations to its openness.

While TrueCrypt’s source code is publicly available, the binaries (what makes TrueCrypt function without any installation process), are not. This matters because use of these binaries could potentially have security flaws that are unknown and unfixed. As cryptographer Matthew Green points out, the majority of TrueCrypt users only run and install it through the binaries, and while the source code sems trustworthy, it’s unclear if the binaries are.  

TrueCrypt’s current license is also problematic from a user, developer, and legal perspectives. The existing language is often difficult to interpret and leaves far too much room for interpretation, prompting the following provision: “If you are not sure whether you understand all parts of this license or if you are not sure whether you can comply with all terms and conditions of this license, you must not use, copy, modify, create derivative works of, nor (re)distribute this product, nor any portion(s) of it. You should consult with a lawyer.” Kenneth White, co-founder of the “IsTrueCryptAuditedYet?” project, acknowledges that TrueCrypt’s license is “one of the least open open-source licenses” and is “certainly very unconventional by U.S. case law standards.”

White recently raised money through a crowd-funding effort to conduct a thorough audit. The audit will focus on:

1. A review of the existing license by a legal expert to determine its compatibility with the more commonly-used GPL license and other open source-licensed software.

2. Adapt what is called a "deterministic build process" that Tor is now using to ensure that the binaries are compiled from the source code, and that they are are safe and untampered with.

3. Compensate developers who find and fix security bugs in the source code.

4. Conduct a professional audit by a security evaluation firm qualified to review crypto software -- of the entire code base.

For more information on this project and to make a contribution, check out http://istruecryptauditedyet.com/ or follow #istruecryptauditedyet on Twitter. 

Share