Full Disclosure mailing list archives
Re: TrueCrypt?
From: Not EcksKaySeeDee <noteckskayseedee () gmail com>
Date: Fri, 30 May 2014 22:37:20 -0400
Thanks Justin (and Mike), very informative and thoughtful replies for a non-sec pro like myself. Coming out of your respective replies, I'm going to spend some time exploring Bitlocker and continue to use TC (until I hear solid/verifiable news).

Cheers.

On Fri, May 30, 2014 at 3:32 PM, Justin Bull <me () justinbull ca> wrote:

> On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee <noteckskayseedee () gmail com> wrote:
>
>> 1. Where do we go from here? What do you, as the experts, suggest for people like me who are in IT, but not dedicated security pros, and especially for average users who are now increasing their security awareness in a post-Snowden world?
>
> We wait. This is still fresh news.
>
>> 2. Does anyone else on this list actively use TC, and if so, what are your plans now?
>
> Yes. And I will continue to use 7.1a (although warily) pending any public security disclosures, not FUD.
>
> The Open Crypto Audit Project (OCAP) is the non-profit organization that's currently performing cryptanalysis and public auditing of the TrueCrypt source code. They've completed Phase I and found no *glaring* security issues. They plan to carry forward with Phase II and even adopt/fork TrueCrypt's source code depending on how events unfold (and licensing restrictions).
>
> See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/, https://twitter.com/OpenCryptoAudit/status/472130444977131520
>
>> I am wary of the whole "use Bitlocker" suggestion because: A) it's closed code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I don't know if/when they will roll over whenever the g-men show up and demand keys to the backdoors (if any).
>
> You never know when it's closed source. I wonder how long Heartbleed would kick around (privately, that is) if OpenSSL was closed-source when they found out about it.
>
>> Of course, open source is not perfect either, but, so the reasoning goes, you have the "many eyes" argument in support of it. This begs another question (apologies): how many eyes are actually actively and consistently reviewing/auditing open source code?
>
> Depends on the project, how fun it is, does it have an active community, etc. It's still better than nothing.
>
>> As far as I am aware (correct me if I'm wrong), there isn't a single neutral group or entity staffed by people whose sole purpose is to audit critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a need for such a group of people? Of course the counter will be, who is going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't trust the big corporations again because of their influence and possible ties to the g-men and/or willingness to roll over when the legal paperwork starts to fly.
>
> OCAP plans to extend their work to OpenSSL and other critical infrastructure, although this is in its infancy. Don't hold your breath.
>
> --
> Best Regards,
> Justin Bull
> PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/