[liberationtech] TrueCrypt Alternatives?
Greg
greg at kinostudios.com
Fri Oct 3 12:24:09 PDT 2014
On Oct 3, 2014, at 12:04 PM, Steve Weis <steveweis at gmail.com> wrote:
> Hi Greg. The burden of proof is on Espionage to convince people that
> it is safe. I can't trust it based on marketing claims alone.
>
> There is not a sufficiently detailed design document on the website,
> much less a battle-tested, peer-reviewed design.
And how many free open source encryption utilities like Espionage fit that description?
None? Maybe the defunct TrueCrypt?
As far as crypto goes, we are using scrypt (free/open source) [1] and Apple's disk images (100% closed source).
[1] https://www.tarsnap.com/scrypt.html
We're not thrilled about the Apple part. I linked to a review by @ioerror (and someone he worked with) that contains their analysis of it in the r/security link that was mentioned earlier in this thread.
We are investigating ways of removing our dependence on Apple's sparsebundles.
> I don't see any reference to independent third-party audits.
I would love to do a professional audit once we can safely afford one.
In the meantime, those who would like to audit us pro-bono are welcome to so long as they sign the NDA:
https://www.taoeffect.com/forum/index.php?board=14.0
BTW, does anyone here want to donate to an audit of Espionage? Cause that would be swell! (Should we start a TrueCrypt-like campaign? I'm not sure that would go over well given that we charge for it.)
> I can't find any indication the development team has security or crypto expertise and I
> cannot personally sign an NDA to view the source code.
I have security expertise, but am not a cryptographer, and therefore I use existing code, like Colin Percival's scrypt.
> If I'm missing something or you're willing to give source access
> without an NDA, please let me know.
Why are you unable to sign the NDA?
> Otherwise, I have to advise people to avoid Espionage.
I'm sorry to hear that. :-(
Here is a list of other software that supports deniability (but not the same kind that Espionage does) that you might want to recommend in its place:
https://en.wikipedia.org/wiki/Deniable_encryption#Software
Kind regards,
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
>
>
> On Thu, Oct 2, 2014 at 5:50 PM, Greg <greg at kinostudios.com> wrote:
>>
>> Stating a thing does not make it true, no matter how many times it is repeated.
>> It is not "apply". It is apply.
>> Anyone is welcome, so long as they:
>>
>> 1. Are software security professionals. (Nobody else matters in this context, after all.)
>> 2. Don't work for government intelligence agencies.
>> 3. Sign the NDA we give them, the salient points of which are enumerated on our site.
>>
>> They will be given a free license to Espionage.
>>
>> Also, you convince me how to keep providing high quality software and support while simultaneously making Espionage completely free and open source and I will do it in a flash.