Crypto prof: "We have nearly, but not quite enough to get a serious audit done."
by Cyrus Farivar - Oct 15 2013, 5:16pm CDT
For nearly a decade, TrueCrypt has been one of the trusty tools in a security-minded user’s toolkit. There’s just one problem: no one knows who created the software. Worse still, no one has ever conducted a full security audit on it—until now.
Since last month, a handful of cryptographers have discussed new problems and alternatives to the popular application. On Monday, this culminated in a public call to perform a full security audit on TrueCrypt. As of Tuesday afternoon, that fundraiser reached more than $16,000, making a proper check more likely. Much of that money came from a single $10,000 donation from an Atlanta-based security firm.
“We're now in a place where we have nearly, but not quite enough to get a serious audit done,” wrote Matthew Green, a well-known cryptography professor at Johns Hopkins University. How much would “enough” be? “That depends on how many favors we can get from the security evaluation companies,” Green continued on Twitter. "I'm trying to answer that this week."
Green is one of the people leading the charge to set up the audit, and he helped create the website istruecryptauditedyet.com. On his blog, he elaborated on why all the TrueCrypt attention has surfaced:
In case you haven't noticed, there's a shortage of high-quality and usable encryption software out there. TrueCrypt is an enormous deviation from this trend. It's nice, it's pretty, it's remarkably usable. My non-technical lawyer friends have been known to use it from time to time, and that's the best 'usable security' compliment you can give a piece of software.
Green, along with North Carolina-based scientist Kenn White, set up two online fundraisers. One of those efforts has been soliciting donations since late September. The ultimate hope is to raise at least $25,000 for the auditing project.