<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">It's not irrational to recommend
BitLocker to users trusting a Microsoft platform<br>
<br>
A mundane reason may be they realized the weaknesses of their
cipher mode, and the support hassle they would get from disk
re-encrypts gone bad if they changed<br>
<br>
Or they might be subject to a coercive order to backdoor future
versions, and/or realize they may have been infiltrated with a
weakness already, and mucho data is hanging out there, so Cheshire
cat best policy<br>
<br>
But it dramatically illustrates why should anyone now trust a
codebase whose audit threat model has changed overnight from
presumed benign authors to now unknown influences.<br>
<br>
Suppose the TrueCrypt authors believed it secure, why should they
declare it not so?<br>
<br>
If they believe it could be insecure, it probably is<br>
<br>
FWIW <a
href="http://testlab.sit.fraunhofer.de/content/output/project_results/bitlocker_skimming/">neither
BitLocker</a> nor <a
href="http://theinvisiblethings.blogspot.fr/2009/10/evil-maid-goes-after-truecrypt.html">TrueCrypt
deals</a> with <a
href="http://theinvisiblethings.blogspot.fr/2011/09/anti-evil-maid.html">Evil
Maid</a> attacks properly<br>
<br>
Linux needs some well-engineered hidden container software though<br>
<br>
Caspar<br>
<br>
On 05/30/14 17:49, Wendy M. Grossman wrote:<br>
</div>
<blockquote
cite="mid:o82nipa2vpn6rfv9o7ft9l3j.1401464967769@email.android.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div>
<div>Me too. It really does make you wonder what hidden factors
might have been at work. </div>
<div><br>
</div>
<div><br>
</div>
<div>wg
<div>---
<div>
<div><a class="moz-txt-link-abbreviated" href="http://www.pelicancrossing.net">www.pelicancrossing.net</a></div>
<div>Twitter: @wendyg</div>
</div>
</div>
</div>
</div>
<br>
<br>
<br>
-------- Original message --------<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:bakeryworms@gmail.com">bakeryworms@gmail.com</a> <br>
Date: 2014/05/30 14:55 (GMT+00:00) <br>
To: <a class="moz-txt-link-abbreviated" href="mailto:ukcrypto@chiark.greenend.org.uk">ukcrypto@chiark.greenend.org.uk</a>, UK Cryptography Policy
Discussion Group <a class="moz-txt-link-rfc2396E" href="mailto:ukcrypto@chiark.greenend.org.uk">&lt;ukcrypto@chiark.greenend.org.uk&gt;</a> <br>
Subject: Re: TrueCrypt takedown <br>
<br>
<br>
It made me think of the Lavabit shutdown. <br>
<br>
KRS<br>
Mark<br>
<br>
Original Message <br>
From: JJ Gray<br>
Sent: Friday, 30 May 2014 14:43<br>
To: UK Cryptography Policy Discussion Group<br>
Reply To: UK Cryptography Policy Discussion Group<br>
Subject: Re: TrueCrypt takedown<br>
<br>
On 30/05/2014 10:44, Graham Cobb wrote:<br>
<br>
> of any issues). If the developers have stopped work on
TrueCrypt then<br>
> that seems a reasonable warning to leave behind to the world.<br>
> <br>
> That does seem the simplest explanation to me.<br>
<br>
That would appear to be the case, at least at this stage.<br>
<a class="moz-txt-link-freetext" href="https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff">https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff</a><br>
<br>
Cheers,<br>
JJ<br>
<br>
<br>
<br>
<br>
<br>
</blockquote>
<br>
</body>
</html>