• 0

With TrueCrypt gone, what are the alternatives, besides BitLocker?


Question

I'd prefer an open-source solution, but a paid version would be fine as long as it's cheaper than the $100 Win 8.1 Pro upgrade (the only way to get BitLocker AFAIK).

 

I want to use it to encrypt my laptop and my external music drive.

 

Thanks!


Recommended Posts

  • 0

What does the fork mean with regards to the project? Is it possible that we might see a continuing trusted release?

Their first goal is to make 7.1a available again, which they have done, and then they will wait for the full results of the audit and then fix vulnerabilities and bugs.


  • 0

And NO, I'm not going to use BitLocker. With everything Snowden has released about wiretapping and backdoors, I wouldn't rely on closed-source technology.

Heartbleed, cough.


  • 0

As of right now you can't claim any of that. We don't know if TC is safe, or if anyone with the right tool can bust open any TC volume in seconds and the devs found out and simply closed shop.

As for BitLocker: again, there's no magic key that can open all volumes; it's pretty much impossible, and any back doors would be detectable with the amount of scrutiny the code of such apps goes through. You don't need the source to find such obvious exploits as back doors.

I'd rather trust a public audit on publicly available source code than rely on the assumption that Microsoft is incorruptible. I don't see why you would think that if a backdoor was present in BitLocker, it would be obvious to find. And while BitLocker probably goes through a lot of scrutiny, none of it is independent and none is publicly available, which means you can only rely on assumptions of good will and incorruptibility.

 

See https://www.grc.com/misc/truecrypt/truecrypt.htm


  • 0

Heartbleed, cough.

Again, just because something is open source doesn't mean it has no vulnerabilities, and it doesn't mean it has more vulnerabilities.

Open source software just means:

1. There are more eyes that can review vulnerabilities

2. The software is more transparent, meaning the developers can't hide anything

Additionally, OpenSSL has been known to have many vulnerabilities in the past, I really think that people who use OpenSSL are at fault, there are many more secure open source alternatives. I wouldn't trust OpenSSL in the light of 7 major vulnerabilities in about 10 years, and when Steve Marquess, a former military consultant in Maryland started the OpenSSL Software Foundation for donations and consultancy contracts and garnered sponsorship from the United States Department of Homeland Security and the United States Department of Defense. [Source] (which has a lot more interesting things). OpenSSL is known as an atrocity in the open source community, and is a horrible example in this regard.

And you're just mentioning one vulnerability, which only affected OpenSSL 1.0.1 to 1.0.1f, which wasn't even the latest version at the time. A fixed version of OpenSSL was released on the same day Heartbleed was publicly disclosed.


  • 0

So you are setting this up under the premise that if someone steals your stuff, you want to keep them from having access to your music?? What???

If someone steals your external, chances are they will wipe it and move on.

If it gets stolen, they already have the thing that's valuable to them. Your music is only valuable to you. Unless, of course, this would-be thief just happens to have the same taste in music as you do.

 

I'll tell you the same thing I tell people who ask me if "hackers will attack them": nobody cares about your stuff.



 

  • Like 2

  • 0

So you are setting this up under the premise that if someone steals your stuff, you want to keep them from having access to your music?? What???

If someone steals your external, chances are they will wipe it and move on.

If it gets stolen, they already have the thing that's valuable to them. Your music is only valuable to you. Unless, of course, this would-be thief just happens to have the same taste in music as you do.

 

I'll tell you the same thing I tell people who ask me if "hackers will attack them": nobody cares about your stuff.

+1 You really only need encryption if you know hackers or the government are specifically looking for you or will look for you in the future. Just because Snowden leaked stuff about the NSA doesn't mean you have to encrypt everything you have.


  • 0

Your point?

 

I just found it ironic that you're wary about closed source software being backdoored by the NSA when we've recently learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.


  • 0

I just found it ironic that you're wary about closed source software being backdoored by the NSA when we've recently learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.

I just found it ironic that the difference between backdoors in open source software and closed source software is that in OSS, backdoors are eventually found and fixed, while in CSS, backdoors can be hidden from the public, never disclosed.


  • 0

Microsoft only has 2 consumer SKUs now, Windows 8.1, and Windows 8.1 Pro.

Oops, was looking at my Windows 7 machine :/

 

I'm using Windows 8.1 (not Pro) on the laptop in question.


  • 0

I just found it ironic that you're wary about closed source software being backdoored by the NSA when we've recently learned that the NSA has been exploiting for years a hole in open source software that they may have planted in plain sight.

Are you seriously suggesting that Robin Seggelman was secretly working for the NSA when he introduced the bug and that Dr Stephen Henson who reviewed his change and overlooked the flaw was an accomplice?


  • 0

Again, just because something is open source doesn't mean it has no vulnerabilities, and it doesn't mean it has more vulnerabilities.

Open source software just means:

1. There are more eyes that can review vulnerabilities

2. The software is more transparent, meaning the developers can't hide anything

 

You can read closed source software like a book with IDA or WinDbg. Even heavily obfuscated code like in packers, which run code in their own unknown custom VM, has been unraveled and turned back into something any junior reverser can read.

 

 

I just found it ironic that the difference between backdoors in open source software and closed source software is that in OSS, backdoors are eventually found and fixed, while in CSS, backdoors can be hidden from the public, never disclosed.

 

Holes in closed source software are disclosed and fixed all the time.


  • 0

You can read closed source software like a book with IDA or WinDbg. Even heavily obfuscated code like in packers, which run code in their own unknown custom VM, has been unraveled and turned back into something any junior reverser can read.

I think that you're wildly exaggerating. Such tools only do a very mechanical translation that can be very far from the structure of the original code. They're also incapable of dealing with more advanced C++ features like templates, as these are erased during compilation. Optimization passes also lose a lot of information about the original structure which cannot be guessed at. On a codebase the size of an advanced cryptographic tool, you would end up with several million lines of meaningless identifiers and you'd still have an absolutely daunting reverse-engineering task to make any sense out of it. This makes independent code review practically infeasible, not to mention usually illegal.

  • Like 2

  • 0

Holes in closed source software are disclosed and fixed all the time.

Not the ones that are purposely put in.

It's always better to hide backdoors in closed source software.


  • 0

Are you seriously suggesting that Robin Seggelman was secretly working for the NSA when he introduced the bug and that Dr Stephen Henson who reviewed his change and overlooked the flaw was an accomplice?

No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.


  • 0

Ok, apparently only 7 Ultimate has BitLocker. Still helpful to know what OS you're running.

Win 7 Enterprise also has BitLocker. Not that it will help in this situation, I'd say...


  • 0

No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

No software is ever guaranteed to be safe, open source or not, because it's made by humans.

It's just easier to hide a backdoor in a program where source code is not available: since machine code is not human readable, backdoors cannot be easily found by the community of users of the software.


  • 0

No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

The software is not safe because it's open-source; it's safe because there can be independent and public scrutiny that it is indeed safe, that there are no backdoors, etc. The mere fact that it's open-source is no guarantee of safety, but it's a prerequisite for independent and public verification.


  • 0

No, what I'm suggesting is that they could have done it, and it would have passed review, and we'd be told the software is safe because it's open source.

Ok, let's say OpenSSL was closed source and was called ClosedSSL. What would have happened, since the heartbeat implementation passed review?


  • 0

I thought I knew neowin, but then I keep getting surprised.

When I read the initial posts from the OP, I thought, "someone is going to tell him to stop believing what he sees in movies; nobody cares about your little collection", but 3 pages later there is still discussion.

 


  • 0

I thought I knew neowin, but then I keep getting surprised.

When I read the initial posts from the OP, I thought, "someone is going to tell him to stop believing what he sees in movies; nobody cares about your little collection", but 3 pages later there is still discussion.

 

This thread just isn't about him, it's about other people, who actually need an encryption solution.


  • 0

I think that you're wildly exaggerating. Such tools only do a very mechanical translation that can be very far from the structure of the original code. They're also incapable of dealing with more advanced C++ features like templates, as these are erased during compilation. Optimization passes also lose a lot of information about the original structure which cannot be guessed at. On a codebase the size of an advanced cryptographic tool, you would end up with several million lines of meaningless identifiers and you'd still have an absolutely daunting reverse-engineering task to make any sense out of it. This makes independent code review practically infeasible, not to mention usually illegal.

Nobody is suggesting converting the whole codebase back to C++. That would be a total waste of time. There is plenty of info in disassemblies to get a high-level view of things, like imports, exports, strings, coupled with some excellent tools like IDA graph view and the Hex-Rays decompiler. How do you figure holes in closed source software are revealed all the time? Because hackers and security researchers are reading this code like a book. Take key generators for example. These involve decoding highly obfuscated routines involving highly obfuscated cryptography, yet these things keep being pumped out by some high schoolers (a more mature and intelligent person would seek to get paid with such skill).

 

No software is ever guaranteed to be safe, open source or not, because it's made by humans.

It's just easier to hide a backdoor in a program where source code is not available: since machine code is not human readable, backdoors cannot be easily found by the community of users of the software.

Ok, let's say OpenSSL was closed source and was called ClosedSSL. What would have happened, since the heartbeat implementation passed review?

The software is not safe because it's open-source; it's safe because there can be independent and public scrutiny that it is indeed safe, that there are no backdoors, etc. The mere fact that it's open-source is no guarantee of safety, but it's a prerequisite for independent and public verification.

Again, take a look at the myriad of vulnerabilities and holes in proprietary closed source software revealed daily.


  • 0

Again, take a look at the myriad of vulnerabilities and holes in proprietary closed source software revealed daily.

But will we ever know about the vulnerabilities that are never disclosed by the manufacturer?

 

 

Nobody is suggesting converting the whole codebase back to C++. That would be a total waste of time. There is plenty of info in disassemblies to get a high-level view of things, like imports, exports, strings, coupled with some excellent tools like IDA graph view and the Hex-Rays decompiler. How do you figure holes in closed source software are revealed all the time? Because hackers and security researchers are reading this code like a book. Take key generators for example. These involve decoding highly obfuscated routines involving highly obfuscated cryptography, yet these things keep being pumped out by some high schoolers (a more mature and intelligent person would seek to get paid with such skill).

"Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system." - http://en.wikipedia.org/wiki/Vulnerability_(computing)#Identifying_and_removing_vulnerabilities


  • 0

But will we ever know about the vulnerabilities that are never disclosed by the manufacturer?

Yes, third parties reveal vulnerabilities not disclosed by the manufacturer all the time.

 

"Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system. Though these tools can provide an auditor with a good overview of possible vulnerabilities present, they can not replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system." - http://en.wikipedia.org/wiki/Vulnerability_(computing)#Identifying_and_removing_vulnerabilities

I'm not talking about system scanners. I'm talking about reverse engineering tools that aid in understanding decompiled code, and help the reverser better understand where they are in the code they are reading.
