iSEC finally released the results of their audit of TrueCrypt. Below is the key paragraph from their announcement. Basically, the software did contain some lower-risk weaknesses; however, overall it fared well. Additionally, the audit did not show any evidence of intentional tampering. Next step … fix the identified low-risk items.
via iSEC Partners
The audit conducted by iSEC is now complete and the findings are available now. iSEC did not identify any issues considered “high severity” during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. All identified findings appeared accidental. Overall, iSEC does think changes can be made to improve code quality and maintainability, and that the build process should be updated to rely on recent tools with trustworthy provenance. In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.
You can download the full report here.