Re: TrueCrypt?

[Not EcksKaySeeDee <noteckskayseedee () gmail com>]

Thanks Justin (and Mike), very informative and thoughtful replies for a
non-sec pro like myself. Coming out of your respective replies, I'm going
to spend some time exploring Bitlocker and continue to use TC (until I hear
solid/verifiable news). Cheers.


On Fri, May 30, 2014 at 3:32 PM, Justin Bull <me () justinbull ca> wrote:

> On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee <
> noteckskayseedee () gmail com> wrote:
>
> > 1. Where do we go from here? What do you, as the experts, suggest for
> > people like me who are in IT, but not dedicated security pros, and
> > especially for average users who are now increasing their security
> > awareness in a post-Snowden world?
> We wait. This is still fresh news.
>
>
> > 2. Does anyone else on this list actively use TC, and if so, what are
> > your plans now?
> Yes. And I will continue to use 7.1a (although warily) pending any public
> security disclosures, not FUD.
>
> The Open Crypto Audit Project (OCAP) is the non-profit organization that's
> currently performing cryptanalysis and public auditing of the TrueCrypt
> source-code. They've completed Phase I and found no *glaring* security
> issues. They plan to carry forward with Phase II and even adopt/forking
> TrueCrypt's source code depending how events unfold (and licensing
> restrictions).
>
> See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/,
> https://twitter.com/OpenCryptoAudit/status/472130444977131520
>
>
> > I am wary of the whole "use Bitlocker" suggestion because: A) it's closed
> > code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I
> > don't know if/when they will roll over whenever the g-men show up and
> > demand keys to the backdoors (if any).
> You never know when it's closed source. I wonder how long Heartbleed would
> kick around (privately, that is) if OpenSSL was closed-source they found
> out about it.
>
>
> > Of-course, open source is not perfect either, but, so the reasoning,
> > goes, you have the "many eyes" argument in support of it. This begs another
> > question (apologies), how many eyes are actually actively and consistently
> > reviewing/auditing open source code?
> Depends on the project, how fun it is, does it have an active community,
> etc.. It's still better than nothing
>
>
> > As far as I am aware (correct me if I'm wrong), there isn't a single
> > neutral group or entity staffed by people whose sole purpose is to audit
> > critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a
> > need for such a group of people? Of-course the counter will be, who is
> > going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't
> > trust the big corporations again because of their influence and possible
> > ties to the g-men and/or willingness to roll-over when the legal paperwork
> > starts to fly.
> OCAP plans to extend their work to OpenSSL and other critical
> infrastructure, although this is in its infancy. Don't hold your breath.
>
> --
> Best Regards,
> Justin Bull
> PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/