Open Source and information security mailing list archives
 
Date: Thu, 29 May 2014 17:46:13 -0400
From: Mike Cramer <mike.cramer@...look.com>
To: <fulldisclosure@...e.net>,
	<fulldisclosure@...lists.org>
Subject: Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

You need to ask yourself a question:

How well do you know coding and encryption handling to ensure that your
software doesn't have unintentional back doors and/or information
disclosure? This is a serious question because it requires serious answers
when you're dealing with cryptography. The weakest part of the security
system should not be the application.

What libraries would you use for encryption? If any? I assume you would
leverage AES. Would the library you choose to use support AES-NI? Would you
use the Intel CPU-based PRNG? (http://en.wikipedia.org/wiki/RdRand)

I think it's reasonable to assume that the "many eyes" approach to software
security doesn't really work. So simply saying you'll release it as GPL I
don't think should be considered "good enough" anymore when it comes to
encryption. The myriad of flaws in OpenSSL over the years both upstream and
in distributions should be a serious wake-up call on this one.

My recommendation would be to use FileVault/Bitlocker/OS implementations
unless you can come up with a good reason why not to do so.

-Mike

-----Original Message-----
From: Fulldisclosure [mailto:fulldisclosure-bounces@...lists.org] On Behalf
Of CIURANA EUGENE (pr3d4t0r - Full Disclosure)
Sent: Thursday, May 29, 2014 17:18
To: fulldisclosure@...lists.org
Subject: [FD] Full disk encryption for OS X alternative to TrueCrypt

Greetings. 

I'm a happy long-time user of TrueCrypt, and was as dismayed as anyone else
to see the news. I'm considering starting a full disk image encryption
alternative to TrueCrypt that will target OS X (maybe others too, but right
now OS X is my priority). 

Asking here for interest in such an endeavor. My system still uses TrueCrypt
7.1a and I managed to rescue the binaries, but I suspect they may break Real
Soon Now and, with nobody to maintain the code... well, OS X needs an
alternative. And no, Apple's partition encryption isn't an option since it's
suspected of having back doors.

My intention is to release the code under an open source license (GPLv2 or
Apache). Please let me know your thoughts. Working now on understanding how
Fuse might play in this setup, or whether to write a low-level driver
altogether and mount it via the kernel w/o Fuse.

Cheers! 

pr3d 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
