If you do not see the source code, can not look at the algorithms used, and can not confirm there is no funny business going on, you can not be in any degree certain that software (or ANY TECHNOLOGY!!) is doing exactly what you think it does. I do not expect the average idiot CIO or other “IT” idiots to take reality to heart- while pooh-poohing open software, and unwisely supporting the push for even more closed hardware and software, they will continue to trust companies that have lied to their customers and sold out their privacy. We now KNOW completely for sure that large companies and governments collude with one another to make our information and communications less secure in the interest of “security”.

Written by Douglas Crawford

Free and open source full disk encryption program TrueCrypt was the darling of the security world (recommended by Edward Snowden and Amazon alike), despite the fact that its developers remained anonymous and the code had not been independently audited. There is far more reason to be concerned trusting your information to software of any kind that is not open. Even if they do find some serious problem, they are not likely to tell the customer first what is going on. If you did see an “audit” from a large software company, could you believe it? “We had our secret source code “audited”, and we did great.” Ha ha. When was the last time you saw an outside security audit of a commercial product? It is amusing, all of this talk about auditing- you have the source code, look at it. There are many other programs that are pretty much ubiquitous in the Linux stack that never see the attention of qualified security auditors and likely never will. If they change one line of code, it’s Beta, not Secure. TrueCrypt is one program of many (not to mention that TC has gone around 10 years now without a real audit). This group is not being transparent, and they are already making implied warranties, i.e., “Secure Encryption Software”, not Beta software.
In short: there are numerous reasons we need to audit this software and move its build process onto. Beware. Also, they moved all of their discussions off their forums and into mailing lists, secure VOIP, etc., and usually ignore any suggestions (better name, remove word “secure”, and more). And many, many people only encounter TrueCrypt as a Windows binary, he pointed out. Suggestions to make it new, lean, simpler and very secure were scorned. CipherShed ignored that and decided for full backward compatibility. They said to please not ‘clone, fork and edit’. Our charter is to: provide technical assistance to free open source software (FOSS) projects in the public interest. Even the TrueCrypt devs said that it would be better to re-write everything in order to get very familiar with every line of code. The Open Crypto Audit Project (OCAP) is a community-driven global initiative which grew out of the first comprehensive public audit and cryptanalysis of the widely used encryption software TrueCrypt®. Anyone who calls something SECURE without testing, knows nothing about programming. The CipherShed team are already calling their software “secure” on their website, even though it has not been audited AND they are making changes to the code that could accidentally break anything at anytime.