PROJET AUTOBLOG


Shaarli - Shaarli Discussions

Archived

Original site: Shaarli - Shaarli Discussions


How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries

Saturday 26 October 2013 at 06:08
Sebsauvage, 24/10/2013 at 23:31
This article implies that, contrary to the rumors, the TrueCrypt binaries do match the sources (and therefore that there is no backdoor). It is just that it is difficult to get exactly the same build environment as the TrueCrypt authors.

Tiger-222, 25/10/2013 at 11:57
This article implies that, contrary to the rumors, the TrueCrypt binaries do match the sources: so there is no backdoor.

via http://sebsauvage.net/links/?PGWq8A

CAFAI, 26/10/2013 at 06:08
Given this analysis, we can conclude that I compiled TrueCrypt from the official sources and matched the official binaries, and everyone who is able to gather the prerequisites for compiling TrueCrypt the same way as I did, is able to prove the same thing.
Before reaching this interesting result though, I was suspicious like many other people. I first compiled TrueCrypt with Visual Studio 2010 SP1 with all updates, and I got significantly different binaries, whose disassembled versions also differed a lot. I then switched to Visual Studio 2008 SP1 with all updates, but I got again significant changes, although less than compared to the build from VS2010. I had to be careful to reproduce the environment of the developers as closely as possible, which made me reinstall VS2008 with SP1 but only with the post-SP1 updates released before TrueCrypt 7.1a was released. This means I omitted one available update. Only then, I could achieve an identical build and prove to myself that TrueCrypt is not backdoored by the developers in a way that is not visible from the sources. People should not take this conclusion for granted and are encouraged to reproduce this result by themselves.
My analysis can serve the IsTrueCryptAuditedYet to understand the importance of running the exact same compiler version in order to provide a deterministic build. Fortunately, TrueCrypt sources come with a working Visual Studio solution ready to compile, and thus relieve lots of problems that can arise from differences in the project configuration. Now, efforts can be focused on auditing the source code, rather than trying to reverse-engineer the whole software to search for non-existent backdoors.

http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/