TrueCrypt compromised by ?????
-
@JaredBusch said:
This seems too coordinated for a hack IMO. There are way too many pieces being changed at the same time. Yeah if it was just the website or just the source code, but the Wayback Machine has no info? That is abnormal. The new executable being signed with the correct but recently reissued key? Unusual.
This is a lot of stuff to change and would be an unprecedented public hack.
True, it is seemingly more and more likely to be legit.
It's not really a needed product anymore across any platform. But still very odd.
-
@scottalanmiller said:
@alexntg said:
@Dashrender said:
@alexntg said:
@technobabble said:
Well everyones talking about it on twitter and other websites. Here's what PC World is saying: http://www.pcworld.com/article/2241300/truecrypt-now-encouraging-users-to-use-microsofts-bitlocker.html
That makes sense, as Windows has the same functionality built-in.
Sure, but it's closed source... so it's really not trustworthy!
Until recently, no one had actually audited TrueCrypt's code, so for a very long time, it could have had massive backdoors that no one cared to look for. Whether it's open source or closed source, it doesn't really matter. On one side, you hope the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. On the other hand, you hope that the folks that wrote it were trustworthy and that if there were any issues, they or an associate caught it. Unless you're manually auditing the code yourself, what does it matter?
No one published an audit. Doesn't imply that it wasn't audited.
Nor does it imply that it was audited.
-
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
-
Unless I am mistaken, BitLocker is only for Enterprise, which is another reason it's not a good replacement.
-
@technobabble said:
Unless I am mistaken, BitLocker is only for Enterprise, which is another reason it's not a good replacement.
BitLocker's available with 8.1 Pro.
-
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
-
@technobabble said:
Unless I am mistaken, BitLocker is only for Enterprise, which is another reason it's not a good replacement.
And requires different tools on different platforms.
-
@alexntg said:
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
Long ago, just a little. Use LUKS now.
-
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
Long ago, just a little. Use LUKS now.
Did you audit TrueCrypt?
-
@alexntg said:
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
Long ago, just a little. Use LUKS now.
Did you audit TrueCrypt?
Not relevant. I'm not and was not on the security team. That's redirection.
Companies that I've worked at did code audits, certainly.
-
@alexntg Good to know, thanks!
-
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
Long ago, just a little. Use LUKS now.
Did you audit TrueCrypt?
Not relevant. I'm not and was not on the security team. That's redirection.
Companies that I've worked at did code audits, certainly.
Completely relevant! Did the company you were working for when you used TrueCrypt audit the source code for it? If they did, great. If not, there's no difference from using a closed source product, in that you assumed/trusted that it was secure.
-
@scottalanmiller said:
@technobabble said:
Unless I am mistaken, BitLocker is only for Enterprise, which is another reason it's not a good replacement.
And requires different tools on different platforms.
For Windows 8/8.1, all it requires is a computer running Windows Pro or better. Windows 7 required a computer running Windows Enterprise and either a TPM or thumb drive.
-
Looks like someone might pick up the torch on TrueCrypt: https://au.news.yahoo.com/thewest/business/technology/a/23969633/
-
@alexntg said:
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
@alexntg said:
@scottalanmiller said:
No. But every company and every individual had the right and the ability to audit. That's important. Companies have coverage tools that they use all the time on this stuff.
Have you used TrueCrypt before?
Long ago, just a little. Use LUKS now.
Did you audit TrueCrypt?
Not relevant. I'm not and was not on the security team. That's redirection.
Companies that I've worked at did code audits, certainly.
Completely relevant! Did the company you were working for when you used TrueCrypt audit the source code for it? If they did, great. If not, there's no difference from using a closed source product, in that you assumed/trusted that it was secure.
Still different in that you can audit anytime and others can audit. And you can monitor changes over time.
-
@Nic said:
Looks like someone might pick up the torch on TrueCrypt: https://au.news.yahoo.com/thewest/business/technology/a/23969633/
Indeed. This is why open source matters. The community can protect itself. And now there are public audits going on too!
http://news.softpedia.com/news/TrueCrypt-Not-Dead-Forked-and-Relocated-to-Switzerland-444447.shtml
-
But it's not open source, as it contains distribution and copyright-liability restrictions. Perhaps it is close enough especially now that it's been discontinued.
-
@technobabble said:
But it's not open source, as it contains distribution and copyright-liability restrictions. Perhaps it is close enough especially now that it's been discontinued.
What do you mean? It's not discontinued. Nor is it not open source. The license is odd, but those things don't limit its openness.
-
Doesn't matter what the license says. The devs will never do anything if you violate their license and fork the code, as they prefer to remain anonymous.
-
@scottalanmiller I should have said abandoned.