The istruecryptauditedyet campaign, spearheaded by Ken White and Matthew Green (yes, the latter is the guy who was recently in the news after Johns Hopkins asked him to censor his blog), is off to a great start, with tens of thousands of dollars already pledged by concerned members of the community.
The project aims to undertake a code review and security-focused audit of TrueCrypt. Hopefully the individuals involved will also go to the trouble of producing their own community win32 builds, so we don’t necessarily need to trust the builds that are made available on the official website.
There are plenty of reasons not to trust TrueCrypt. The domain is registered through a proxy service, the software is brought to us not by a team of known developers but by a shadowy TrueCrypt Foundation, and the entire show just seems a bit too good to be true. More importantly, we should never implicitly trust software that hasn’t been rigorously audited.
Given the number of individuals who use the software, it is staggering to think that professionals in the field have not yet independently reviewed the code for the latest release. The closest thing is an evaluation of a previous version (v6) conducted by the French government.
While I don’t have anything to base this on, I believe that the source edition of TrueCrypt is effectively clean. This doesn’t mean there aren’t bugs that could be exploited, of course. If I were a government-level adversary I would be putting my backdoors in the binaries that pretty much every Windows user of TrueCrypt uses. Given the prerequisites required for actually building the Windows version of TrueCrypt, perhaps it is unsurprising. That anyone trusts a Windows-based operating system with secrets that are worth protecting is, however, very surprising.