An update on Truecrypt

202 points by clarkm, more than 11 years ago

6 comments

daeken, more than 11 years ago
> I usually take a pretty skeptical attitude on this blog when it comes to Internet security. For the most part we do things wrong, and I used to think most people didn't care. The fact is that I was wrong. If the response to our audit call is any evidence, you do care. You care a lot.

I used to feel the exact same way the author did initially. It wasn't until this year, between teaching a class on security (whose demand I still can't even remotely fathom) and becoming more outspoken about my concerns around the way we handle security, that I really started to realize that people do care deeply about security. That said, most people don't know enough to positively impact security, but that's a problem of education; it's something I'm hoping to put a serious dent in over the next year.
ThinkBeat, more than 11 years ago
I cannot explain exactly why but something about this project rubs me the wrong way.

So much time spent doing bureaucratic things, organizing, raising money. Have meetings, set up a board.

Did the authors, the people who wrote the code, that did all that work, receive such ample payment for their role? Should not some of the money raised be offered to the developers? (Some say that they are anonymous; I don't know if that is true, but they do take donations on the site.) Let's give them 70% of the money raised to work on TrueCrypt and make it even more amazing.

The developers did all that work for free (?), but now these people have to get paid really well to see if what the devs did is correct.

Seems to me most of the money goes towards hiring a for-profit consulting company. Great way to drum up business I guess.

Meanwhile: From the official TrueCrypt FAQ:

Q: TrueCrypt is open-source, but has anybody actually reviewed the source code?

A: Yes. In fact, the source code is constantly being reviewed by many independent researchers and users. We know this because many bugs and several security issues have been discovered by independent researchers (including some well-known ones) while reviewing the source code.

So the reviews and audits have been going on for a long time by many individuals around the world. Anyone can do it.

As far as I know, Linux has never been subjected to a formal audit. It has been gawked at by thousands and thousands of individuals. None of them read the whole thing for sure, but parts.
salient, more than 11 years ago
> And finally, the most exciting news: we've signed a first contract with iSEC partners to evaluate large portions of the Windows software and bootloader code. This review will begin in January.

That's huge. I assume you're not referring to having access to the Windows source code, though.

Here's a crazy idea. After the whole NSA stuff, many governments are going to require Microsoft to give them access to the source code, if they want them to continue using it, or buy the new versions of Windows. Any chance you could contact such a government, to allow you to do the audit on their behalf, or to work together with them on it?

That would be a win-win for everyone. They get a team of experts to review the Windows code base, and you get to know everything about Windows. They probably won't be very eager to get Americans to do this for them, though, so make sure you flaunt all of your credentials.
aareet, more than 11 years ago
This, in a nutshell, is the underutilized value of open source - the ability for the general public to conduct a trustworthy third party audit and validate security claims of software creators.
apaprocki, more than 11 years ago
Tip for gaining more donations: once they get 501c(3) status, many larger companies have established charity matching programs. Usually it just takes some employee initiative to ask for an organization to be added (/ paperwork verified) and then companies will match donations. In addition, philanthropy departments can be petitioned for grants. Given all the recent news, that might generate a decent amount of grants.
wil421, more than 11 years ago
This is extremely awesome and I support it. I have sensitive files with tax info and some software keys I like to keep protected. NSA aside, I don't want some malware or vulnerability in my system allowing intruders to take my stuff.