TrueCrypt security audit is good news, so why all the glum faces?

L33tdawg: On an unrelated note, Runa A. Sandvik who's involved with the TrueCrypt audit project will be presenting the closing keynote 'Bringing Internet Security to Where the Wild Things Are' at HITBSecConf2015 - Amsterdam the end of May in Amsterdam.

The ongoing audit of the TrueCrypt whole-disk encryption tool used by millions of privacy and security enthusiasts has reached an important milestone—a detailed review of its cryptographic underpinnings that found no backdoors or fatal flaws.

The 21-page Open Cryptographic review published Thursday uncovered four vulnerabilities, the most serious of which involved the use of a Windows programming interface to generate random numbers used by cryptographic keys. While that's a flaw that cryptographers say should be fixed, there's no immediate indication that the bug undermines the core security promise of TrueCrypt. To exploit it and the other bugs, attackers would most likely have to compromise the computer running the crypto program. None of the vulnerabilities appear to allow the leaking of plaintext or secret key material or allow attackers to use malformed inputs to subvert TrueCrypt. The report was produced by researchers from information security consultancy NCC Group.