TrueCrypt takedown

Caspar Bowden (lists) lists at casparbowden.net
Sat May 31 00:25:45 BST 2014


It's not irrational to recommend BitLocker to users trusting a 
Microsoft platform

A mundane reason may be they realized the weaknesses of their cipher 
mode, and the support hassle they would get from disk re-encrypts gone 
bad if they changed

Or they might be subject to a coercive order to backdoor future 
versions, and/or realize they may have been infiltrated with a weakness 
already, and mucho data is hanging out there, so Cheshire cat best policy

But it dramatically illustrates the question of why anyone should now 
trust a codebase whose audit threat model has changed overnight from 
presumed benign authors to now unknown influences.

Suppose the TrueCrypt authors believed it secure, why should they 
declare it not so?

If they believe it could be insecure, it probably is

FWIW neither BitLocker 
<http://testlab.sit.fraunhofer.de/content/output/project_results/bitlocker_skimming/> 
nor TrueCrypt deals 
<http://theinvisiblethings.blogspot.fr/2009/10/evil-maid-goes-after-truecrypt.html> 
with Evil Maid 
<http://theinvisiblethings.blogspot.fr/2011/09/anti-evil-maid.html> 
attacks properly

Linux needs some well-engineered hidden container software though

Caspar

On 05/30/14 17:49, Wendy M. Grossman wrote:
> Me too.  It really does make you wonder what hidden factors might have 
> been at work.
>
>
> wg
> ---
> www.pelicancrossing.net
> Twitter: @wendyg
>
>
>
> -------- Original message --------
> From: bakeryworms at gmail.com
> Date: 2014/05/30 14:55 (GMT+00:00)
> To: ukcrypto at chiark.greenend.org.uk,UK Cryptography Policy Discussion 
> Group <ukcrypto at chiark.greenend.org.uk>
> Subject: Re: TrueCrypt takedown
>
>
> It made me think of the Lavabit shutdown.
>
> KRS
> Mark
>
>   Original Message
> From: JJ Gray
> Sent: Friday, 30 May 2014 14:43
> To: UK Cryptography Policy Discussion Group
> Reply To: UK Cryptography Policy Discussion Group
> Subject: Re: TrueCrypt takedown
>
> On 30/05/2014 10:44, Graham Cobb wrote:
>
> > of any issues). If the developers have stopped work on TrueCrypt then
> > that seems a reasonable warning to leave behind to the world.
> >
> > That does seem the simplest explanation to me.
>
> That would appear to be the case, at least at this stage.
> https://gist.github.com/ValdikSS/c13a82ca4a2d8b7e87ff
>
> Cheers,
> JJ
>
>
>
>
>
