Slashdot Mirror
Tomb, a Successor To TrueCrypt For Linux Geeks
jaromil writes: Last day we released Tomb version 2.1 with improvements to stability, documentation and translations. Tomb is just a ZSh script wrapping around cryptsetup, gpg and other tools to facilitate the creation and management of LUKS encrypted volumes with features like key separation, steganography, off-line search, QRcode paper backups etc. In designing Tomb we struggle for minimalism and readability, convinced that the increasing complexity of personal technology is the root of many vulnerabilities the world is witnessing today — and this approach turns out to be very successful, judging from the wide adoption, appreciation and contributions our project has received especially after the demise of TrueCrypt.
As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and more in general about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such a software, considering the human-interface side of things is an easy to reach surface of attack, I can certainly use some advice and criticism.
As maintainer of the software I wonder what Slashdot readers think about what we are doing, how we are doing it and more in general about the need for simplicity in secure systems, a debate I perceive as transversal to many other GNU/Linux/BSD projects and their evolution. Given the increasing responsibility in maintaining such a software, considering the human-interface side of things is an easy to reach surface of attack, I can certainly use some advice and criticism.
to be honest, and I've been recently reading a lot about potential TrueCrypt replacements. Of course I was looking for FDE mostly, not just a few files.
The successor for TrueCrypt is VeraCrypt, as it is a direct fork.
Also, a "linux geek" would have already have taken dm-crypt as an alternative, or performed the instructions in some Full Disk Encryption Howto.
If its Linux only don't present it as a successor to TrueCrypt. A very important feature of TrueCrypt is(was) that it targets Linux, Mac OS X and MS Windows. Any archive being available to any of the three platforms.
The successor to TrueCrypt will most likely be something derived from the audited TrueCrypt source code. You just won't compare favorably given the single supported platform. You are just going to create a reputation of being one of the lessor choices, which may be entirely unfair.
Don't handicap yourself. Promote your software on its own merits, don't try to piggyback on TrueCrypts popularity, such a strategy will likely backfire.
Need I say more?
Can't rule that out about anything. In this case you're talking about the guy (Denis Roio) with dyne:bolic under his belt - and the "non-profit" behind it and his "campaign" to fork Debian. A self-described "researcher in philosophy of technology and software artisan". He's done at least one TED talk (I can't be bothered looking for the link).
The Tomb project is interesting and I've been following it for a while - the main thing that differentiates it from other LUKS-made-simple tools is the addition of steganography capabilities.
Despite his numerous, um, eccentricities and involvement in the rabid and vitriolic campaign against systemd, it's the code that counts. In this case it's just wrappers around dm-crypt, dm-setup and LUKS designed to make LUKS easier for people who find it difficult - and to add a few other features. Like anything else that is meant to be trusted to the same degree it should be independently audited.
Note: there are plenty of reasonable objections to systemd. Those that hold them don't demand no-one else should be able to use systemd, raise money unaccountably so a handful(?) of anonymous self-described "Unix gurus" can "fork Debian" (yeah - and I'm going to build a moon mission in my basement). Or use threats/trolling/FUD.That would be more like an NSA style campaign to divide the Linux community and keep their existing init flaw backdoors in place on hard-to-get-to systems.
Cue the usual sock-puppet forum flooding and disinformation [sigh]
We know that the developers were pretty sure that the last version of TrueCrypt was still secure. You cannot ever know for certain that a software is really secure. You may convince yourself that it is, or that it isn't, but you never know what the other side has done, or is doing.
The ONLY thing you really know for certain about TrueCrypt, is that the developers felt that their product was being compromised, so they let the world know of their suspicions.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
We know the auditors also think 7.1a is secure.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Without reading anything besides your summary, it sounds like you're on the right track. "Minimalism" and "simplicity," judiciously applied, usually leads to a good result. As Albert Einstein said, "Everything should be as simple as possible, but not simpler."
At this point they can watch every phone call we make, watch where we walk every minute of the day, watch what websites we go to, read our email.
They can no doubt get in back doors on our computers any time.
Why should they care if we encrypt our hard drives? We're on the internet when our computers are on!
Tomb isn't a successor to TrueCrypt, for me at least. Not even close.
TrueCrypt's selling point is NOT an encrypted container. We can do that any number of ways, not least just encrypted loopback, but all of them leak the same amount of information.
Truecrypt's selling point was full disk encryption and a bootloader that hook BIOS interrupts to allow live, in-memory, OS-agnostic transparent decryption. That's not something you can do with a shell-script.
Anything not full-disk-encryption is worthless is the machine is stolen - it probably takes minutes to find the key in swap-files and unlock the containers if they've been used recently. The plain-text is probably still lurking around on disk as temporary files etc.
The only reason I used TrueCrypt was that you could full-disk encrypt and nobody could get in without modifying the hardware of the machine and then getting me to enter my passphrase. Not something that a thief was going to be able to do. It means it was Data Protection compliant, that you could afford to lose the entire machine and not worry, and that it didn't matter what you did with the machine underneath, what OS, what partitioning, etc. even fake partitions with false copies of Windows, etc. in them.
Sorry, but your slashvertisement is exactly what it says - a shell script around some basic command line utilities. It's nowhere close to a TrueCrypt replacement unless your use-case is extremely trivial and - actually - not that secure at all.
As it is, I don't think there's currently a product I can use that I can trust complete boot-time control of, except for TrueCrypt and it's directly-compatible replacements. I will look at various projects as they evolve but, for me, the winner will be whoever gets a UEFI bootloader first.
Downside is, is that if the LUKS header gets corrupted or destroyed, the entire partition is lost.
To be fair - that's the downside of encryption (without regular backups). A single bit of difference means no information recovery.
Using LUKS is unlikely to measurably decrease your chances of being unable to recover information. ie. if the encrypted medium is modified you'll only ever be able to recover data. Data, that doesn't translate into useful information.
TrueCrypt worked flawlessly on Windows, Mac, and Linux.
Anything which supports only one of the three major platforms is no successor of TrueCrypt.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Read again. I said you were involved with extremists. Not that you were one of them. They damage the credibility of anyone with genuine problems with systemd.
ACK and agree. I'm sure you understand that to transform a years old flame into a decent discussion is quite a hell of a process.
Apologies for overreacting, I recognize you do have legitimate observations, but really I've been through the systemd-grinder enough to quickly put up defenses.
That posting of the "financial reports" is the first time you' ve published any information about business registration. Where is the posted information about dyne.org? Where are all those certified accounts available? Why doesn't Archive.org have them?
Man, we are paying taxes to the Netherlands, not to Archive.org. I think you have a different idea of transparency... we are producing all the documentation needed for the institutions and organizations that require them, including the EU commission for some projects. However in case of donors you are right, more work must be done towards transparency...
And no, that's not transparent accounting. I have no reason to believe you are engaging in fraud - or even paying yourself to design logos. Transparent "accounting" is when expenditures are detailed (show where the money went - not on what) and are certified by a registered accountant as being true and complete, and made public. You've only done the last part.
SFI is a registered non-profit. Debian is a registered non-profit funded by SFI, and other organisations. All display that information as required by law and produce annual returns certified by registered accountants. Just as gnu.org does.
...and we'll check these aspects out. Its a good advice to see how other long-standing good examples are operating and we'll certainly need to extend our team to include someone that is proficient with this side of things. This is a growth process and its not easy, yet at Dyne.org we are determined to not blow it up with a VC, but to have a rhythm of growth that is slow and organic. We are just opening an office in Amsterdam, after some years of difficulties, and this will help a lot.
"You sound like"
Want the truth? I don't fit into any of the labeled boxes. I'm most comfortable with the libertarian label - but I don't agree with all their shit either.
Why don't you take a good, hard look at the two party system? The two are in collusion to prevent any other party from gaining any power. Look at federal funding. The D's and the R's agreed to split all of the money that the fed has available for elections. They gave a little lip service to the concept of democracy, by saying IF any other party gained x% of the vote, THEN that party could gain funding from the fed. And, all the while, the two parties continue to split all the fed's money on campaigns designed to ensure that no third party ever gets x% of the vote.
And, that is one of the Libertarian party's beefs, as well as one of their goals. They are closing in on x. Each and every election cycle, they gain a point.
Watch carefully now - the D's and the R's are about due to move the goalposts. Instead of x% it's going to be changed to 5x% or more.
And - no, a Libertarian is not a Republican. The two share SOME ideas, beliefs, and opinions - but Libertarians have far more in common with liberalism than they do with conservatism.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br