undefined | Better HN

0 points4bpp12y ago0 comments

This does not explain why they would do something as inexplicably naive as recommending that everyone use a closed-source solution for encrypting their data in 2014. (And conversely, if it were really a matter of them having had a change of heart and suddenly coming to perceive the world to be such a nice and simple place, why didn't they just sign the final declaration with their real names, given that the threat of them being forced to tamper with future versions is now moot?)

It seems like people are still somehow willing to believe that even if a spy agency had set its eyes on Truecrypt, they could not force them to make arbitrary statements to people sending them e-mails or members of the audit project.

0 comments

2 comments · 1 top-level

tptacek12y ago· 1 in thread

Only on HN, Reddit, and Slashdot is a recommendation of Bitlocker "inexplicably naive" because it's "closed-source". Meanwhile: I trust my sources a lot more than I trust your totally unfounded, straight- out- of- the- first- thoughts- that- came- to- your- mind speculation. One substantive difference between my sources and your speculation: I actually have sources.

The fact that the "warrant canary" scenario with Truecrypt is also silly also weighs heavily against your argument. Try to game out the scenario where Truecrypt is actually compromised. Especially funny: it's compromised at exactly the moment when a third party crowdsources an expert review of Truecrypt. That's when they choose to backdoor it. Seems legit.

4bppOP12y ago

> Only on HN, Reddit, and Slashdot is a recommendation of Bitlocker "inexplicably naive" because it's "closed-source".

I would be interested in seeing the argument of someone who is not part of "HN, Reddit, and Slashdot" against the proposition that cryptographic software that only few people have access to the source of is not trustworthy. I do not claim being involved particularly deeply in either the academic or the industrial security community, but my impression from the occasional academic discussion group I have managed to find the time to drop in on always was that this and/or some related proposition was part of what is commonly held to be true beyond the need for argument.

Regardless, there are two separate questions here - firstly, whether some sort of foul play actually was involved with the Truecrypt project closing up shop, and secondly, whether the recommendation to switch to Bitlocker should be considered sound or not. I believe that the recommendation is dangerous regardless of what happened with Truecrypt - at the very least, making no recommendation at all or telling people to stay with Truecrypt (7.1) for the time being and giving the OSS community some time to try and fill the vacuum is not worse than making said recommendation under any circumstances. In that light, even if your scenario is more compelling, I would argue that simply to err on the side of caution, one ought to refrain from pushing a narrative to the effect of "nothing fishy here; these perfectly trustworthy people just told you to use Bitlocker, make of that what you will" at this point in time.