[kwlug-disc] Truecrypt

unsolicited unsolicited at swiz.ca
Fri May 30 18:48:19 EDT 2014


Granted: To your point, I was speaking with respect to the prior
version, which has some history behind it.

On 14-05-30 05:57 PM, Khalid Baheyeldin wrote:
> If I read Bob's comment correctly, he is objecting to the
> extrapolation that the future audit is most likely positive.

Not an unreasonable expectation based on the material.

And context.

The first rule of security is physical security. If they have
possession, no security is sufficient, even encryption.

In the absence of physical possession, there is a whole host of security
issues long before you get near TrueCrypt itself. (Baby and bathwater.)

Another rule is that nothing is secure - except absence.

I did not say it is bug free - different beastie.

Given the examinations to date, it is not unreasonable to expect no
significant, unmitigatable flaws to be discovered. Not to say they're
not there, merely it is not unreasonable to proceed as though they are
not, until proven otherwise. Nor that the scenarios necessary to exploit
them are not themselves unreasonable. (See 'issues beforehand', above.)

If you have possession, as you should not, all bets are off.

Otherwise is to promote the very FUD of assuming the negative is present
when one cannot prove a negative.

At least to the extent of panicking the world before so proven.

In any reasonable security context, as stated, my comment is not 
unreasonable.

And so should certainly not be characterized as it was.


On 14-05-30 05:57 PM, Khalid Baheyeldin wrote:
> If I read Bob's comment correctly, he is objecting to the
> extrapolation that the future audit is most likely positive.
>
> On Fri, May 30, 2014 at 4:40 PM, unsolicited <unsolicited at swiz.ca> wrote:
>
> And others from here below:
>
> On 14-05-29 12:03 PM, Khalid Baheyeldin wrote:
>> ... If the previously audited version was safe, i.e. works as
>> designed, then ...
>
>
> The initial audit was to verify that the binaries do indeed
> correspond to the published source code, and that no backdoors have
> been slipped in the binaries. That much was verified.
>
> But all that applies to the 2012 version (7.1a). The one that was
> just published this month removes a lot of features, and has not been
> audited in any way (beyond the diff between it and the previous
> version).
>
> Another note: someone is saying that a flaw will be disclosed soon.
>
> http://soylentnews.org/article.pl?sid=14/05/30/1318243