[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFB0D2Q3Rw6KRDZoQt8qBHOJUArH6V3=J0qP+qhHqA10Yz5m9Q@mail.gmail.com>
Date: Fri, 30 May 2014 15:32:49 -0400
From: Justin Bull <me@...tinbull.ca>
To: Not EcksKaySeeDee <noteckskayseedee@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?
On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee <
noteckskayseedee@...il.com> wrote:
>
> 1. Where do we go from here? What do you, as the experts, suggest for
> people like me who are in IT, but not dedicated security pros, and
> especially for average users who are now increasing their security
> awareness in a post-Snowden world?
>
>
We wait. This is still fresh news.
> 2. Does anyone else on this list actively use TC, and if so, what are your
> plans now?
>
>
Yes. And I will continue to use 7.1a (although warily) pending any public
security disclosures, not FUD.
The Open Crypto Audit Project (OCAP) is the non-profit organization that's
currently performing cryptanalysis and public auditing of the TrueCrypt
source-code. They've completed Phase I and found no *glaring* security
issues. They plan to carry forward with Phase II and even adopt/forking
TrueCrypt's source code depending how events unfold (and licensing
restrictions).
See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/,
https://twitter.com/OpenCryptoAudit/status/472130444977131520
> I am wary of the whole "use Bitlocker" suggestion because: A) it's closed
> code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I
> don't know if/when they will roll over whenever the g-men show up and
> demand keys to the backdoors (if any).
>
>
You never know when it's closed source. I wonder how long Heartbleed would
kick around (privately, that is) if OpenSSL was closed-source they found
out about it.
> Of-course, open source is not perfect either, but, so the reasoning, goes,
> you have the "many eyes" argument in support of it. This begs another
> question (apologies), how many eyes are actually actively and consistently
> reviewing/auditing open source code?
>
>
Depends on the project, how fun it is, does it have an active community,
etc.. It's still better than nothing
> As far as I am aware (correct me if I'm wrong), there isn't a single
> neutral group or entity staffed by people whose sole purpose is to audit
> critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a
> need for such a group of people? Of-course the counter will be, who is
> going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't
> trust the big corporations again because of their influence and possible
> ties to the g-men and/or willingness to roll-over when the legal paperwork
> starts to fly.
>
>
OCAP plans to extend their work to OpenSSL and other critical
infrastructure, although this is in its infancy. Don't hold your breath.
--
Best Regards,
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists