[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGSH4WmZ93oFeW0RqbAcUuneS=d6-mhvbEfyJwpmJj1k1zUKCg@mail.gmail.com>
Date: Fri, 30 May 2014 22:37:20 -0400
From: Not EcksKaySeeDee <noteckskayseedee@...il.com>
To: Justin Bull <me@...tinbull.ca>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?
Thanks Justin (and Mike), very informative and thoughtful replies for a
non-sec pro like myself. Coming out of your respective replies, I'm going
to spend some time exploring Bitlocker and continue to use TC (until I hear
solid/verifiable news). Cheers.
On Fri, May 30, 2014 at 3:32 PM, Justin Bull <me@...tinbull.ca> wrote:
> On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee <
> noteckskayseedee@...il.com> wrote:
>
>>
>> 1. Where do we go from here? What do you, as the experts, suggest for
>> people like me who are in IT, but not dedicated security pros, and
>> especially for average users who are now increasing their security
>> awareness in a post-Snowden world?
>>
>>
> We wait. This is still fresh news.
>
>
>> 2. Does anyone else on this list actively use TC, and if so, what are
>> your plans now?
>>
>>
> Yes. And I will continue to use 7.1a (although warily) pending any public
> security disclosures, not FUD.
>
> The Open Crypto Audit Project (OCAP) is the non-profit organization that's
> currently performing cryptanalysis and public auditing of the TrueCrypt
> source-code. They've completed Phase I and found no *glaring* security
> issues. They plan to carry forward with Phase II and even adopt/forking
> TrueCrypt's source code depending how events unfold (and licensing
> restrictions).
>
> See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/,
> https://twitter.com/OpenCryptoAudit/status/472130444977131520
>
>
>> I am wary of the whole "use Bitlocker" suggestion because: A) it's closed
>> code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I
>> don't know if/when they will roll over whenever the g-men show up and
>> demand keys to the backdoors (if any).
>>
>>
> You never know when it's closed source. I wonder how long Heartbleed would
> kick around (privately, that is) if OpenSSL was closed-source they found
> out about it.
>
>
>> Of-course, open source is not perfect either, but, so the reasoning,
>> goes, you have the "many eyes" argument in support of it. This begs another
>> question (apologies), how many eyes are actually actively and consistently
>> reviewing/auditing open source code?
>>
>>
> Depends on the project, how fun it is, does it have an active community,
> etc.. It's still better than nothing
>
>
>> As far as I am aware (correct me if I'm wrong), there isn't a single
>> neutral group or entity staffed by people whose sole purpose is to audit
>> critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a
>> need for such a group of people? Of-course the counter will be, who is
>> going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't
>> trust the big corporations again because of their influence and possible
>> ties to the g-men and/or willingness to roll-over when the legal paperwork
>> starts to fly.
>>
>>
> OCAP plans to extend their work to OpenSSL and other critical
> infrastructure, although this is in its infancy. Don't hold your breath.
>
> --
> Best Regards,
> Justin Bull
> PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists