| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 May 2014 22:37:20 -0400 From: Not EcksKaySeeDee <noteckskayseedee@...il.com> To: Justin Bull <me@...tinbull.ca> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] TrueCrypt? Thanks Justin (and Mike), very informative and thoughtful replies for a non-sec pro like myself. Coming out of your respective replies, I'm going to spend some time exploring Bitlocker and continue to use TC (until I hear solid/verifiable news). Cheers. On Fri, May 30, 2014 at 3:32 PM, Justin Bull <me@...tinbull.ca> wrote: > On Fri, May 30, 2014 at 2:42 PM, Not EcksKaySeeDee < > noteckskayseedee@...il.com> wrote: > >> >> 1. Where do we go from here? What do you, as the experts, suggest for >> people like me who are in IT, but not dedicated security pros, and >> especially for average users who are now increasing their security >> awareness in a post-Snowden world? >> >> > We wait. This is still fresh news. > > >> 2. Does anyone else on this list actively use TC, and if so, what are >> your plans now? >> >> > Yes. And I will continue to use 7.1a (although warily) pending any public > security disclosures, not FUD. > > The Open Crypto Audit Project (OCAP) is the non-profit organization that's > currently performing cryptanalysis and public auditing of the TrueCrypt > source-code. They've completed Phase I and found no *glaring* security > issues. They plan to carry forward with Phase II and even adopt/forking > TrueCrypt's source code depending how events unfold (and licensing > restrictions). > > See: http://opencryptoaudit.org/, http://istruecryptauditedyet.com/, > https://twitter.com/OpenCryptoAudit/status/472130444977131520 > > >> I am wary of the whole "use Bitlocker" suggestion because: A) it's closed >> code, and B) it's Microsoft. Not that I hate Microsoft, it's just that I >> don't know if/when they will roll over whenever the g-men show up and >> demand keys to the backdoors (if any). >> >> > You never know when it's closed source. I wonder how long Heartbleed would > kick around (privately, that is) if OpenSSL was closed-source they found > out about it. > > >> Of-course, open source is not perfect either, but, so the reasoning, >> goes, you have the "many eyes" argument in support of it. This begs another >> question (apologies), how many eyes are actually actively and consistently >> reviewing/auditing open source code? >> >> > Depends on the project, how fun it is, does it have an active community, > etc.. It's still better than nothing > > >> As far as I am aware (correct me if I'm wrong), there isn't a single >> neutral group or entity staffed by people whose sole purpose is to audit >> critical source code (be it TrueCrypt, OpenSSL, etcetera). Maybe there is a >> need for such a group of people? Of-course the counter will be, who is >> going to pay/feed/clothe these people to spend 24x7 auditing it? I wouldn't >> trust the big corporations again because of their influence and possible >> ties to the g-men and/or willingness to roll-over when the legal paperwork >> starts to fly. >> >> > OCAP plans to extend their work to OpenSSL and other critical > infrastructure, although this is in its infancy. Don't hold your breath. > > -- > Best Regards, > Justin Bull > PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists