NSA Has Spurred Renewed Interest In Thorough Security Audits Of Popular 'Secure' Software (original) (raw)

from the skepticism-is-a-good-thing dept

In yet another bit of fallout from the NSA surveillance efforts — and, specifically, the NSA’s covert takeover of security standards to insert vulnerabilities — it appears that there’s suddenly much more skepticism towards well-known security offerings. This is a good thing. There have already been some revelations concerning attempts to compromise Tor, and security researcher Matthew Green has now called for a thorough security audit of TrueCrypt, the (very) popular disk encryption tool. Green and some others have kicked off the project on the aptly named website IsTrueCryptAuditedYet.com.

As Green notes, he is not suggesting that TrueCrypt is not secure, or that it’s been compromised, but that in this day and age, security software needs to be properly audited — and, if anything, hopefully the results of such an audit will be either more secure software or more confidence that TrueCrypt really is secure.

Maybe nothing at all. Rest assured if I knew of a specific problem with Truecrypt, this post would have a very different title — something with exclamation points and curse words and much wry humor. Let me be clear: I am not implying anything like this. Not even a little.

The ‘problem’ with Truecrypt is the same problem we have with any popular security software in the post-September-5 era: we don’t know what to trust anymore. We have hard evidence that the NSA is tampering with encryption software and hardware, and common sense tells us that NSA is probably not alone. Truecrypt, as popular and widely trusted as it is, makes a fantastic target for subversion.

But quite frankly there are other things that worry me about Truecrypt. The biggest one is that nobody knows who wrote it. This skeeves me out. As Dan Kaminsky puts it, ‘authorship is a better predictor of quality than openness‘. I would feel better if I knew who the TrueCrypt authors were.

Now please don’t take this the wrong way: anonymity is not a crime. It’s possible the Truecrypt developers are magical security elves who are simply trying to protect their vital essence. More prosaically, perhaps they live in a country where privacy advocates aren’t as revered as they are in the US. (I kid.)

Hopefully, the end result of this new found skepticism towards popular security products will lead to a world in which we really are more secure, rather than one in which the NSA just has people thinking they’re more secure.

Filed Under: audits, matthew green, nsa, nsa surveillance, security, truecrypt