Still not news. This article is nothing new, it simply took a piece from another article, added a title and called it good. They didn't even really add any commentary, other than saying one of the sources was their friend.
[Edited to add: do read the Mashable story, because it is much richer and features significantly more detailed conversations b/w the FBI and Microsoft.]
How long till we hear a similar story about TrueCrypt. Except no one even knows who is behind TrueCrypt. I hope there was some audited fork or another software with similar features(esp. hidden volumes) from a reputable company I could use.
Why is so important to "know" who is behind TrueCrypt ? They publish the code and you can inspect it and build it yourself if you don't trust the provided binaries.
The issue is that the source code is too complex to audit personally. Having no real identity behind it also removes the risk of finger pointing if a backdoor were to be discovered.
"There has been no known comprehensive review of the source code by a qualified cryptographer.[46][44] Thorough security code review and testing is hard, tedious, and painstaking work, and very few people have the skills to do it. There was, however, a functional evaluation of the deniability of hidden volumes in an earlier version of TrueCrypt by Schneier et al. that found security leaks." [1]
If you go down this line of thinking, you can only trust the code you wrote yourself. Having a couple of dudes publicly recognizing that they wrote TrueCrypt doesn't actually solves anything.
PGP? It does whole disk encryption, but I don't think it does hidden volumes. (I could be wrong.)
I'm not sure if you consider it reputable or not, but the source has been available, at least for recent versions. I'm not sure about the current version.
Hmm.. are there any independent audits done on BitLocker? Since TrueCrypt's validity is so so and TPM modules cannot be fully trusted, may it be more secure to run Truecrypt and Bitlocker on top of each other? What other good encryption alternatives do we have?
I don't mean to spread FUD about LUKS, because I think it's great software, but our team has ran a LUKS setup for a while in production and it gave rise to vague problems. If you plan to use LUKS, please do test it extensively on real hardware before going production.
19 comments
[ 2.7 ms ] story [ 52.5 ms ] threadA bit of good news for once?
[Edited to add: do read the Mashable story, because it is much richer and features significantly more detailed conversations b/w the FBI and Microsoft.]
I don't know why the one from boing boing was even posted.
"There has been no known comprehensive review of the source code by a qualified cryptographer.[46][44] Thorough security code review and testing is hard, tedious, and painstaking work, and very few people have the skills to do it. There was, however, a functional evaluation of the deniability of hidden volumes in an earlier version of TrueCrypt by Schneier et al. that found security leaks." [1]
[1]https://en.wikipedia.org/wiki/Truecrypt#Reasonable_paranoia
Insightful encryption app developer would hide his identity in order not to be bullied into putting backdoors.
I'm not sure if you consider it reputable or not, but the source has been available, at least for recent versions. I'm not sure about the current version.
http://www.symantec.com/connect/downloads/symantec-pgp-deskt...
If you don't trust TrueCrypt, I would recommend dm-crypt/LUKS (with cryptsetup front-end) for Linux and DiskCryptor [0] for Windows.
[0] - http://diskcryptor.net/wiki/Main_Page/en
[1]http://en.wikipedia.org/wiki/FreeOTFE