|
http://truecrypt.ch/
TrueCrypt must not die TrueCrypt.ch is the gathering place for all up-to-date information. If TrueCrypt.org really is dead, we will try to organize a future. |
https://opencryptoaudit.org
Update: The TrueCrypt Phase I Audit Report is available! |
That was published a few months ago... the second phase of the audit is still pending. And the second phase is where the money is.
|
OK, what the heck is going on with computer security these days... After years of blissful ignorance:
First we get Heartbleed - spend a couple of days updating all my servers/routers/clients to the latest OpenSSH. Next the venerable TrueCrypt starts a storm of conspiracy stories. Today another vulnerability in OpenSSH has been identified which potentially affects HTTPS traffic and the OpenSSL foundation is asking us to upgrade again. http://www.wired.com/2014/06/heartbl...ssl-uncovered/ I can't wait for the results of the TC audit, the computer world isn't that much fun anymore. |
This is a prime example of when closed source goes bad. No source = no trust.
dmcrypt or lukscrypt plus GPG is the way to go :) |
TrueCrypt is open source - isn't it?
|
Originally Posted by gfunkdave
(Post 22990021)
TrueCrypt is open source - isn't it?
TL;DR - TrueCrypt License != Open Source
Originally Posted by Wikipedia
According to current OSI president Simon Phipps:
...it is not at all appropriate for TrueCrypt to describe itself as "open source." This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable. |
Originally Posted by CraigWatson
(Post 22989990)
This is a prime example of when closed source goes bad. No source = no trust.
dmcrypt or lukscrypt plus GPG is the way to go :) That's "open source" enough for me.
Originally Posted by CraigWatson
(Post 22990030)
Not quite: http://en.wikipedia.org/wiki/TrueCry...d_source_model
TL;DR - TrueCrypt License != Open Source |
Originally Posted by nkedel
(Post 22990120)
TrueCrypt makes source available, and you can build your own version from source easily enough. In practical terms, there is little stopping redistribution or forking.
Originally Posted by Open Crypto Audit
The current required Windows build environment depends on outdated build tools and software packages that are hard to get from trustworthy sources. For example, following the reproducible build instructions requires access to VC++ 1.52 (released in 1993), in addition to various Windows ports of GNU tools downloadable from wherever they can be found. Using antiquated and unsupported build tools introduces multiple risks including: unsigned tools that could be maliciously modified, unknown or unpatched security vulnerabilities in the tools themselves, and weaker or missing implementations of modern protection mechanisms such as DEP and ASLR. Once the build environment has been updated, the team should consider rebuilding all binaries with all security features fully enabled. For the purpose of auditing, TrueCrypt should release instructions for how to create reproducible builds.
Originally Posted by nkedel
(Post 22990120)
The term "open source" predates OSI, and they don't have a trademark on it.
I may be slightly pedantic, but the mis-communication of the terms "open source" and "free software" are one of my biggest pet hates - it's Freedom vs Gratis, TrueCrypt may be Gratis but it's not Free because it's restricted by the TrueCrypt License. OSI-approved licenses and copyleft are two of the cornerstones of the software freedoms :) |
Originally Posted by CraigWatson
(Post 22990187)
True, but the OSI was founded for a reason, to clear up the term and to impose standards.
The web was around in some form or another before the W3C and they don't have a trademark on the term HTML, but we still have web standards. I may be slightly pedantic, but the mis-communication of the terms "open source" and "free software" are one of my biggest pet hates - it's Freedom vs Gratis, TrueCrypt may be Gratis but it's not Free because it's restricted by the TrueCrypt License. Truecrypt isn't just free-as-in-beer; in practice as a private individual you're just as free to use the source as anything GPL-ed, and you are free to create and distribute new versions of it or products extended from it. Indeed, the biggest issues with the license (that it's "viral," like GPL, and that it requires attribution) are both in common with some OSI-approved licenses, and overall, it's a good deal LESS restrictive than some of the approved OSI licenses from commercial entities (notably Sun's CDDL.) (It's also not clear whether the new license posted with their gimped 7.2 release is retroactive; if so, most of the objections to the older license are moot.) Moreover, by the FSF's standards, a lot of OSI-recognized licenses aren't free. That level of doctrinal dispute is uninteresting. OSI-approved licenses and copyleft are two of the cornerstones of the software freedoms :) OSI-approved licenses are a convenience, and something that post-dates all three of the major general-use licenses (GPL, BSD and Apache.) |
Touché ;)
|
Some audit results resulted in the following article:
https://threatpost.com/audit-conclud...uecrypt/111994 |
Originally Posted by GUWonder
(Post 24610192)
Some audit results resulted in the following article:
https://threatpost.com/audit-conclud...uecrypt/111994 |
Originally Posted by Internaut
(Post 24612145)
Doesn't effect me; all my secrets are dancing and singing in front of you.
|
how much is not 'compromised' ?
|
| All times are GMT -6. The time now is 9:11 am. |
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.