http://truecrypt.ch/

https://opencryptoaudit.org

https://opencryptoaudit.org/reports/...Assessment.pdf

That was published a few months ago... the second phase of the audit is still pending. And the second phase is where the money is.

OK, what the heck is going on with computer security these days... After years of blissful ignorance:

First we get Heartbleed - spend a couple of days updating all my servers/routers/clients to the latest OpenSSH.

Next the venerable TrueCrypt starts a storm of conspiracy stories.

Today another vulnerability in OpenSSH has been identified which potentially affects HTTPS traffic and the OpenSSL foundation is asking us to upgrade again.

http://www.wired.com/2014/06/heartbl...ssl-uncovered/

I can't wait for the results of the TC audit, the computer world isn't that much fun anymore.

This is a prime example of when closed source goes bad. No source = no trust.

dmcrypt or lukscrypt plus GPG is the way to go

TrueCrypt is open source - isn't it?

Not quite: http://en.wikipedia.org/wiki/TrueCry...d_source_model

TL;DR - TrueCrypt License != Open Source

TrueCrypt makes source available, and you can build your own version from source easily enough. In practical terms, there is little stopping redistribution or forking.

That's "open source" enough for me.

The term "open source" predates OSI, and they don't have a trademark on it.

In actual fact:

True, but the OSI was founded for a reason, to clear up the term and to impose standards. The web was around in some form or another before the W3C and they don't have a trademark on the term HTML, but we still have web standards.

I may be slightly pedantic, but the mis-communication of the terms "open source" and "free software" are one of my biggest pet hates - it's Freedom vs Gratis, TrueCrypt may be Gratis but it's not Free because it's restricted by the TrueCrypt License. OSI-approved licenses and copyleft are two of the cornerstones of the software freedoms

They don't have any power to "impose" standards -- they can (and do) try to build consensus around them, but to suggest that theirs is the only definition out there is simply wrong.

...and browsers have to deal with HTML that doesn't completely comply with the standards, and yet everyone understands that it is HTML.

[/QUOTE]

Truecrypt isn't just free-as-in-beer; in practice as a private individual you're just as free to use the source as anything GPL-ed, and you are free to create and distribute new versions of it or products extended from it.

Indeed, the biggest issues with the license (that it's "viral," like GPL, and that it requires attribution) are both in common with some OSI-approved licenses, and overall, it's a good deal LESS restrictive than some of the approved OSI licenses from commercial entities (notably Sun's CDDL.)

(It's also not clear whether the new license posted with their gimped 7.2 release is retroactive; if so, most of the objections to the older license are moot.)

Moreover, by the FSF's standards, a lot of OSI-recognized licenses aren't free. That level of doctrinal dispute is uninteresting.

Quite a lot of OSI-approved licenses AREN'T copyleft (in the generally accepted sense, including the one use in the OSI's own FAQ; some other people use it to mean all open source.)

OSI-approved licenses are a convenience, and something that post-dates all three of the major general-use licenses (GPL, BSD and Apache.)

Touch�

Some audit results resulted in the following article:

https://threatpost.com/audit-conclud...uecrypt/111994

Saw an article about that in The Register. Sounds like the whole situation was ultimately down to either warrant canary, or something more sinister. Doesn't effect me; all my secrets are dancing and singing in front of you.

Oh, so THAT'S what that is. Cut it out, I'm trying to sleep here!

how much is not 'compromised' ?