19 comments

[ 2.7 ms ] story [ 52.5 ms ] thread
...and it sounds like they didn't do it.

A bit of good news for once?

Still not news. This article is nothing new, it simply took a piece from another article, added a title and called it good. They didn't even really add any commentary, other than saying one of the sources was their friend.
And google still insists it didn't give anything to the NSA.
It sounds like it but not really so from the original article.
This post links to the original Mashable article that Boing Boing excerpts: https://news.ycombinator.com/item?id=6368367

[Edited to add: do read the Mashable story, because it is much richer and features significantly more detailed conversations b/w the FBI and Microsoft.]

Microsoft: Commoditizing the shaft since 1975.
How long till we hear a similar story about TrueCrypt. Except no one even knows who is behind TrueCrypt. I hope there was some audited fork or another software with similar features(esp. hidden volumes) from a reputable company I could use.
Why is so important to "know" who is behind TrueCrypt ? They publish the code and you can inspect it and build it yourself if you don't trust the provided binaries.
The issue is that the source code is too complex to audit personally. Having no real identity behind it also removes the risk of finger pointing if a backdoor were to be discovered.

"There has been no known comprehensive review of the source code by a qualified cryptographer.[46][44] Thorough security code review and testing is hard, tedious, and painstaking work, and very few people have the skills to do it. There was, however, a functional evaluation of the deniability of hidden volumes in an earlier version of TrueCrypt by Schneier et al. that found security leaks." [1]

[1]https://en.wikipedia.org/wiki/Truecrypt#Reasonable_paranoia

If you go down this line of thinking, you can only trust the code you wrote yourself. Having a couple of dudes publicly recognizing that they wrote TrueCrypt doesn't actually solves anything.
It's about time then that few qualified cryptographers make an audit. Kickstarter project maybe.
I'll be the devil's advocate.

Insightful encryption app developer would hide his identity in order not to be bullied into putting backdoors.

Hmm.. are there any independent audits done on BitLocker? Since TrueCrypt's validity is so so and TPM modules cannot be fully trusted, may it be more secure to run Truecrypt and Bitlocker on top of each other? What other good encryption alternatives do we have?
> What other good encryption alternatives do we have?

If you don't trust TrueCrypt, I would recommend dm-crypt/LUKS (with cryptsetup front-end) for Linux and DiskCryptor [0] for Windows.

[0] - http://diskcryptor.net/wiki/Main_Page/en

I don't mean to spread FUD about LUKS, because I think it's great software, but our team has ran a LUKS setup for a while in production and it gave rise to vague problems. If you plan to use LUKS, please do test it extensively on real hardware before going production.