Re: DriveCrypt

Computer Software Security - Computer security - desktop and server software, encryption and similar subjects 

Posted by anonymous on November 26, 2008, 8:45 am
I don't want to knock them out of business, but TrueCrypt is free and
open source. I would go with them. You have to take DriveCrypt's word
concerning not having a back door. Even their claim to not having one
because of the loss of reputation can not be verified. For all you
know this could be an intelligence agency front company. Go with
TrueCrypt.

http://www.truecrypt.org/



Posted by nemo_outis on November 26, 2008, 11:46 am
@news.mixmin.net:

> I don't want to knock them out of business, but TrueCrypt is free and
> open source. I would go with them. You have to take DriveCrypt's word
> concerning not having a back door. Even their claim to not having one
> because of the loss of reputation can not be verified. For all you
> know this could be an intelligence agency front company. Go with
> TrueCrypt.
>
> http://www.truecrypt.org/


Truecrypt is an excellent program BUT...

1) You have no idea who the developers are (they remain pseudonymous)

2) Very few people compile the Windows binaries from source; it is
exceedingly difficult to generate binaries from source that match the
binaries provided by Truecrypt (due to compiler options, etc.)

3) There are NO (zip, nada, zilch) published detailed reviews of the
source code. Availability of open-source *doesn't* mean that reviews
actually get done!

4) Truecrypt has ruthlessly suppressed all earlier versions (from
wayback, sourceforge, oldapps, etc.) even though they were supposedly
open-source (thus making incremental review impossible). This is
ominous!

5) There is no public mechanism for submission and review of bug
reports, etc. Any bug database, etc. is CLOSED! to the public, with only
a "bug report form" available that goes into a black hole unacknowledged.

6) The Truecrypt forums are run in an exceedingly autocratic and
unfriendly way, with many posts arbitrarily removed. Many topics (not
just the ones in the posting guidelines) are "off limits." Moreover, the
forums sometimes close unexplained for long periods (a month or more) and
reemerge with many posts purged. The moderators make it very difficult
for posters to contact each other directly.

7) The license for Truecrypt is NOT open source (e.g., doesn't meet OSI
criteria) and is quite restrictive.

There are a number of rationales presented in defence of the above points
by the developers (e.g., centralized control, quality, reputation, etc.)
but they are all, IMHO, very weak in contrast to the opposing views.

In short, there is NO substantive public evidence that Truecrypt's source
code has been the subject of thorough review, nor is there any reason to
rely on the credentials of the developers (since they remain anonymous).
In that absence, using Truecrypt is an act of blind faith every bit as
much (or more!) than using a closed-source encryption program.

Regards,
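The "matching binaries" problem raised in point 2 above can be tested rather than taken on faith. The following is an added example, not code from this thread, from TrueCrypt or from any vendor: it normalizes the one PE header field that is guaranteed to differ between two builds of identical source, the COFF TimeDateStamp (link time), and then reports every remaining byte range that still differs, so a reviewer can separate a harmless link-time artifact from a substantive difference worth investigating. The PE-shaped blobs produced by make_fake_pe are constructed stand-ins for the demo, not real executables, and every function name here is this example's own.

```python
"""Compare a locally built Windows PE binary against a vendor-shipped one.

Added example for this thread; not TrueCrypt's, DriveCrypt's or any vendor's code.
Assumption: both inputs are PE/COFF images. The only field deliberately ignored is
the COFF TimeDateStamp, which records link time and so differs between two builds
of the same source. Every other difference is reported with its byte offsets.
"""
import hashlib
import struct
from typing import Dict, List, Tuple


def coff_timestamp_offset(image: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp, or -1 if image is not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # PE signature (4 bytes) + 20-byte COFF file header must fit in the image.
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return -1
    # Layout after the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    return e_lfanew + 8


def normalize(image: bytes) -> bytes:
    """Zero the COFF TimeDateStamp so two otherwise identical builds compare equal."""
    off = coff_timestamp_offset(image)
    if off < 0:
        return image
    return image[:off] + b"\0\0\0\0" + image[off + 4:]


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return half-open (start, end) byte ranges where a and b differ."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        # Trailing bytes present in only one file count as one differing range.
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_builds(local: bytes, vendor: bytes) -> Dict[str, object]:
    """Hash both images, then compare them with the link timestamp masked out."""
    local_n, vendor_n = normalize(local), normalize(vendor)
    return {
        "sha256_local": hashlib.sha256(local).hexdigest(),
        "sha256_vendor": hashlib.sha256(vendor).hexdigest(),
        "identical_raw": local == vendor,
        "identical_ignoring_timestamp": local_n == vendor_n,
        "diff_ranges": differing_ranges(local_n, vendor_n),
    }


def make_fake_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed PE-shaped demo blob (DOS stub + COFF header + body); not a real executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86-64, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0, Characteristics=0.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return dos + coff + body


if __name__ == "__main__":
    # Two builds of the "same" code, differing only in link time: should match after normalization.
    vendor = make_fake_pe(0x4B2D5E10, b"\x90" * 32 + b"\xC3")
    local = make_fake_pe(0x4B2D9A77, b"\x90" * 32 + b"\xC3")
    print(compare_builds(local, vendor))
    # One byte of code changed: the differing range pinpoints where to look.
    print(compare_builds(make_fake_pe(0x4B2D9A77, b"\x90" * 31 + b"\xCC\xC3"), vendor))
```

The timestamp is not the only field that prevents a bit-for-bit match on Windows: the optional-header CheckSum, the debug directory's PDB path and GUID, and any embedded Authenticode signature also vary between builds, and a serious comparison would mask or strip those too before concluding that a build is not reproducible. What remains after that is the list a reviewer actually has to explain.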

Posted by John Smith on November 26, 2008, 1:55 pm
nemo_outis wrote:
> In short, there is NO substantive public evidence that Truecrypt's source
> code has been the subject of thorough review, nor is there any reason to
> rely on the credentials of the developers (since they remain anonymous).
> In that absence, using Truecrypt is an act of blind faith every bit as
> much (or more!) than using a closed-source encryption program.
>
> Regards,

DriveCrypt does have an excellent reputation...... And good support.
It looks like the best on the market now are the paid PGP products and
the DriveCrypt Plus Pack.

Posted by nemo_outis on November 26, 2008, 3:23 pm

> DriveCrypt does have an excellent reputation...... And good support.
> It looks like the best on the market now are the paid PGP products and
> the DriveCrypt Plus Pack.

With commercial developers there are a number of things to look for:

1) Company rep
2) Product rep (including bugtraq bugs, etc.)
3) Company Support
4) Price
5) For the paranoid: Company location (outside US, NATO countries, etc.)
6) Product features (especially whether you need the "corporate
administrative stuff" - most vendors make most of their money from
companies, not consumers)
7) Third-party certification, especially FIPS-2.

For instance, Winmagic's Securedoc (from Canada) has FIPS-2 Level 2
certification. No, that isn't equivalent to open-source and some people
believe even the independent FIPS labs may be compromised, but it does
mean the product has undergone a rigorous independent review using a
standardized process.

However, getting FIPS-2 certification is costly and some feel it is
mostly just a marketing thing (like ISO 9000) so that it can be bought by
government and corporate customers who have to comply with shit like
HIPAA and need to cover their butts for necessary certifications/due
diligence.

My personal preference (yes, even over Truecrypt) is closed-source
commercial Bestcrypt Volume Encryption from Jetico (in Finland). Cutting
edge technology (RAID, XTS, multi-password, etc.) from a company with a
long track record. (No FIPS-2 cert though.)

While Bestcrypt or Truecrypt is enough for most, for those with serious
needs I recommend taking the performance and complication hit and using a
multi-layer approach which largely eliminates any single point of failure
(e.g., if one product has a bug or backdoor).

For instance, one might use a Seagate Momentus FDE-2 hardware-encrypted
drive, with Bestcrypt whole-disk encryption layered on. Real paranoids
might even add a third layer, keeping especially sensitive data in
Truecrypt container files.

Regards,

Posted by Anonymous on November 26, 2008, 7:11 pm
nemo_outis wrote:

> My personal preference (yes, even over Truecrypt) is closed-source
> commercial Bestcrypt Volume Encryption from Jetico (in Finland). Cutting

1. Bestcrypt isn't closed source, you ninny.

2. What happened to you prattling on about it being "whole disk"?


