| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 May 2014 15:32:49 -0400 From: Justin Bull <me@...tinbull.ca> To: Not EcksKaySeeDee <noteckskayseedee@...il.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] TrueCrypt? On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee < noteckskayseedee@...il.com> wrote: > > 1. Where do we go from here? What do you, as the experts, suggest for > people like me who are in IT, but not dedicated security pros, and > especially for average users who are now increasing their security > awareness in a post-Snowden world? > > We wait. This is still fresh news. > 2. Does anyone else on this list actively use TC, and if so, what are your > plans now? > > Yes. And I will continue to use 7.1a (although warily) pending any public security disclosures, not FUD. The Open Crypto Audit Project (OCAP) is the non-profit organization that's currently performing cryptanalysis and public auditing of the TrueCrypt source-code. They've completed Phase I and found no *glaring* security issues. They plan to carry forward with Phase II and even adopt/forking TrueCrypt's source code depending how events unfold (and licensing restrictions). See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/, https://twitter.com/OpenCryptoAudit/status/472130444977131520 > I am wary of the whole "use Bitlocker" suggestion because: A) it's closed > code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I > don't know if/when they will roll over whenever the g-men show up and > demand keys to the backdoors (if any). > > You never know when it's closed source. I wonder how long Heartbleed would kick around (privately, that is) if OpenSSL was closed-source they found out about it. > Of-course, open source is not perfect either, but, so the reasoning, goes, > you have the "many eyes" argument in support of it. This begs another > question (apologies), how many eyes are actually actively and consistently > reviewing/auditing open source code? > > Depends on the project, how fun it is, does it have an active community, etc.. It's still better than nothing > As far as I am aware (correct me if I'm wrong), there isn't a single > neutral group or entity staffed by people whose sole purpose is to audit > critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a > need for such a group of people? Of-course the counter will be, who is > going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't > trust the big corporations again because of their influence and possible > ties to the g-men and/or willingness to roll-over when the legal paperwork > starts to fly. > > OCAP plans to extend their work to OpenSSL and other critical infrastructure, although this is in its infancy. Don't hold your breath. -- Best Regards, Justin Bull PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists