UPDATE 140530 - In case it's of interest, BoxCryptor and ENCFS separately "mount" an encrypted utility folder located in the Dropbox - in Windows mounted as a virtual letter drive and in Linux as a separate folder you choose to name and locate. Their site advises that the ENCFS software in Ubuntu / Mint (past version 1.7) is compatible and will import and open a BoxCryptor drive. I have some experience with BoxCryptor in Windows and Android, which is very good for that. Thankfully I don't use full disk encryption but containers that open into virtual drives. It will be hard to replace for this reason. One thing I have to say about TC is that it was truly cross-platform compatible with both Windows and Linux, which I need. Whatever the explanation, this has been so childish and stupid a way to deal with users that I won't trust TrueCrypt unless / until the whole project is taken on by a grown up, reliable and transparent parent organization. I agree with others that TC has just shot itself in the head. This was a rare interview from one of the TrueCrypt developers off of GitHub - read through what is being said. Before I dump the software, I'd like to see Phase 2 of the audit. I have watched TrueCrypt for years. This sudden change to what they have been doing is completely inconsistent from previous development behavior. Phase one of the audit has been completed, with no major issues found. Then, a crowdsourcing effort to audit TrueCrypt came about, and was welcomed by the TrueCrypt developers. Then... quiet for over two years with no development, which is not consistent by past precedent of the TrueCrypt development model. This software was developed and updated frequently from around 2004 till February 2012. The whole issue with TrueCrypt is that it went down in a way that is suspicious. Security isn't a game, it's a battle!
(sorry, a little over dramatic, but, I couldn't resist) If you are using TrueCrypt and require secure encryption then the only safe course of action is to assume it is compromised and act accordingly. Again possibly, who knows, but, again why take the risk. Possibly, but, why take the risk. Could the announcement be a hack, or one of the NSA conspiracy theories floating around. Well the only people that can answer that at present claim not. Could it, in fact, be secure but the project has been closed for 'personal' reasons. If encryption is necessary then one must assume a risk management strategy and never assume anything is truly secure, so when it appears the developers of a security product are less than satisfied with the security of their own product you have no choice but to minimise that risk and assume they are correct. Personally, if I felt the need for encryption and doubts were raised over my chosen method's security then I would consider it insecure until proven otherwise. Using a long password, for instance, is strongly recommended; ditto using full-system encryption for scenarios where decrypted data might be written to the page file. Mr Brian Krebs' take on the story. However, the report doesn't go into how an end-user could protect himself from any potential exploits detailed in the report, but the authors note that many of the issues in question can be mitigated by following directives in the documentation. Why TrueCrypt was created in such a manner could inspire endless debate, especially since its original creators and development team maintain a presence at least as shadowy as that of bitcoin's Satoshi Nakamoto. They were only able to do this after a good deal of work, and by using a shockingly old version of Microsoft Visual C++ released in 1993. This last issue was raised before by others who attempted to build TrueCrypt from source, to see if the resulting binaries matched the ones distributed on TrueCrypt's site.
One major issue was how compiling TrueCrypt from source required the use of an older Windows build environment that's noticeably out of date. Most criticisms the authors levied at TrueCrypt involved the quality of the source code, such as how comments were added or what system functions were used (or not used). A second report will follow with a detailed analysis of the encryption itself. None of them by themselves were bad enough to consider avoiding TrueCrypt altogether, but they're all worth patching. The two of them examined TrueCrypt's source code in detail and found a total of 11 vulnerabilities. The report from the first phase of the audit was released on April 14, courtesy of security engineers Andreas Junestam and Nicolas Guigo, working under the banner of iSEC Partners.