ANY ATTEMPT (EVEN IF PERMITTED BY APPLICABLE LAW) OTHERWISE TO USE, MODIFY, COPY, CREATE DERIVATIVE WORKS OF, (RE)DISTRIBUTE, OR SUBLICENSE THIS PRODUCT, OR PORTION(S) THEREOF, AUTOMATICALLY AND IMMEDIATELY TERMINATES YOUR RIGHTS UNDER THIS LICENSE AND CAN CONSTITUTE COPYRIGHT INFRINGEMENT (WHICH MAY BE PROSECUTED). YOU MAY NOT USE, MODIFY, COPY, CREATE DERIVATIVE WORKS OF, (RE)DISTRIBUTE, OR SUBLICENSE THIS PRODUCT, OR PORTION(S) THEREOF, EXCEPT AS EXPRESSLY PROVIDED IN THIS LICENSE (EVEN IF APPLICABLE LAW GIVES YOU MORE RIGHTS).
This is indeed true as it states in the (Section VI.2):
The TrueCrypt software is under a poor license, which is not only non-free, but has the potential to be actively dangerous to end users or distributors who agree to it, opening them to possible legal action even if they abide by all of the licensing terms, depending on the intent of the upstream copyright holder. Be advised that according to the Fedora Project's "" page: It is unchanged save two items: correcting a few late-stage misspellings and redaction of the consultants’ phone numbers.
iSEC’s full report is now available to the public. ServeTheHome is the IT professionals guide to servers, storage, networking, and high-end workstation hardware, plus great open. ISEC is grateful and honored to have been a part of the TrueCrypt security audit and feels that the analysis was both productive and important. The security community will benefit from continued review, new versions, and reproducible builds of the software in the future. ISEC hopes both the TrueCrypt project and the larger Open Crypto Audit Project continue their work.
iSEC believes in the importance of working with organizations like the Open Crypto Audit Project and the Open Technology Fund to support the development and security of technologies that promote trust and security throughout the Internet. Given TrueCrypt’s popularity, the entire security industry benefits from knowing more about the software and how secure it is. In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.
Overall, iSEC does think changes can be made to improve code quality and maintainability, and that the build process should be updated to rely on recent tools with trustworthy provenance. All identified findings appeared accidental. On-the-fly encryption means that data are automatically encrypted or decrypted right before they are loaded or saved, without any user intervention. Truecrypt is a software system for establishing and maintaining an on-the-fly-encrypted drive. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted drive. iSEC found no evidence of backdoors or intentional flaws. iSEC did not identify any issues considered “high severity” during this testing. The audit conducted by iSEC is now complete and the findings are available now. The scope was kept narrowly focused to avoid stretching resources too thin and ensure that the review conducted was thorough and robust. In January 2014, iSEC Partners kicked off the engagement to audit the following portions of TrueCrypt: the Windows kernel code, the bootloader, the filesystem driver, and the areas around this code. With VeraCrypt, a single encrypted volume can be accessed simultaneously from multiple operating systems over a network.
VeraCrypt can be used for Windows, Mac OSx, and Linux. And third, conduct a public analysis of the code.Īs announced in December 2013, iSEC Partners (iSEC) worked with the Open Crypto Audit Project on the final goal – conducting a methodical analysis of TrueCrypt through code review and penetration testing. It offers a high level of security, it is easy to use, and it is an open-source program, so it is free. Second, produce repeatable, deterministic builds. First, resolve questions regarding TrueCrypt’s license status. OCAP began a grassroots campaign to raise money to answer fundamental questions about TrueCrypt. The Open Crypto Audit Project (OCAP) is a new organization that is attempting to answer questions of importance to the cryptography community, including those about trust in TrueCrypt. Owing to its popularity and widespread use, TrueCrypt has come under intense scrutiny with many openly asking if TrueCrypt could be trusted to function as claimed. The iSEC review will cover a lot of the thorniest bits of the code, but we are still working to audit the core cryptographic routines of Truecrypt and move. Over the past year, however, revelations about the capabilities of intelligence agencies have shaken the very foundations of much of the cryptography community. For nearly a decade, tens of millions of users have been trusting the open source encryption software, TrueCrypt.