Slashdot Mirror


VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched (helpnetsecurity.com)

Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."

75 comments

  1. Social Holes by Fringe · · Score: 3, Interesting

    VeraCrypt/True were already secure -enough-. Cracking through the holes is usually more effort than local law enforcement, your boss or the local mob will care about. If you're on the radar of worse people, they can toss you in jail or threaten your family. So while I consider better security a good thing when it doesn't increase cost or inconvenience, it's not really an essential move forward.

    The bigger problem is common passwords, leaving the volume open, having open drives automatically backed up to "the cloud", emailing documents... things these security code fixes cannot address. We don't hear often that the Feds have used a security hole to extract data from a user's system.

    1. Re:Social Holes by Gravis Zero · · Score: 0

      VeraCrypt/True were already secure -enough-.

      Then you have no need to update any of your systems, right?

      We don't hear often that the Feds have used a security hole to extract data from a user's system.

      Just because they don't announce it to the world doesn't mean they aren't doing it regularly.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re:Social Holes by Gravis Zero · · Score: 0

      You are an idiot, because you do not understand the question at hand at all, but make arrogant and insulting comments nonetheless.

      Pot, why are you obsessed with my color? Also, it makes sense to add wifi to a kettle but why would anyone need a wifi pot?!

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Social Holes by mspohr · · Score: 1

      Or... they could just do this:
      https://yro.slashdot.org/story...

      --
      I don't read your sig. Why are you reading mine?
    4. Re:Social Holes by Anonymous Coward · · Score: 0

      VeraCrypt/True were already secure -enough-.

      they WERE "secure enough" until flaws were found, now not so much

    5. Re:Social Holes by Anonymous Coward · · Score: 0

      Then they find nothing, and claim that everyone is using hidden volumes. Except no one is using hidden volumes, so everyone goes to jail for not giving up something they don't have and cannot prove does not exist.

      When a thug has no way of knowing if you've given up all the information you know, why would anyone trust the thug to stop the torture after they give up everything they do know?

    6. Re:Social Holes by Anonymous Coward · · Score: 0

      " We don't hear often that the Feds have used a security hole to extract data from a user's system. " - But what % of what they do are you ever going to hear about anyway?

    7. Re: Social Holes by Anonymous Coward · · Score: 0

      The "holes" are for new feature code, and are fucking minor. If you create a volume mount like the system's core and tested design is, you will be benefitting from all the extra veracrypt security (new options, more iterations), etc. If you are relying on the new uefi boot, then you will want to update at some point.

      It is good that the audit found this stuff.

  2. Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 3, Insightful

    Honest question. Should we be using TrueCrypt 7.1a instead? I, personally, am. We live in scary times, and it is hard to trust any authority. I feel that TrueCrypt 7.1a, the last version prior to the strange shut down of the project, is probably less likely to have backdoors than any of the newer TrueCrypt versions or forks (specifically, VeraCrypt and CipherShed). Can someone convince me otherwise?

    1. Re:Should we be using TrueCrypt 7.1a instead? by Fragnet · · Score: 1

      I would like this answer too, please, someone...

    2. Re: Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 3, Informative

      Well, if you read the article you'll notice a long list of vulnerabilities which already existed in truecrypt and have been patched in veracrypt. Regardless of whether they're 'backdoors' or not truecrypt demonstrably has a large number of vulnerabilities that don't exist in veracrypt.

    3. Re:Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      Stack your encryption. Use Veracrypt as full disk encryption, but once booted, fire up a VM, install linux (or boot TAILS) and use dm-crypt. As a bonus, you can try for plausible deniability of the VM's password if you live in a jurisdiction that can compel you to reveal passwords. Give 'em the boot password to the outer layer, but 'forget' the linux one. You were trying out new distros, used a few words at random and have since forgotten it. Far more believable than claiming you've forgotten the boot password to a machine that you would be expected to be using on a regular basis.

    4. Re: Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      Veracrypt( TrueCrypt ( dm-crypt )))

    5. Re:Should we be using TrueCrypt 7.1a instead? by gweihir · · Score: 3, Interesting

      I think so. TrueCrypt 7.1a has, as far as I remember, only local exploits that matter. In the regular scenario (laptop), there is no other user and they do not matter at all. I do not trust the VeraCrypt person.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re: Should we be using TrueCrypt 7.1a instead? by gweihir · · Score: 3, Insightful

      The length of the list of vulnerabilities is completely irrelevant. What matters is whether they are a risk in the specific deployment scenario. Security cannot be estimated without understanding.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Should we be using TrueCrypt 7.1a instead? by Kjella · · Score: 4, Informative

      I would like this answer too, please, someone...

      If you have system encryption enabled (traditional BIOS, no UEFI support) and you have a strong passphrase and you are the only user and you're not worried that anyone can physically tamper with your system boot or rescue disc - in which case they might just as well use a key logger - then there's no critical issues.

      There are several nice to haves that make weak passwords stronger by increasing iterations, close various attacks that other users/processes can do and cleaning up better if you only use containers. The ugliest is probably a privilege escalation attack, malicious software can use the TrueCrypt driver to escalate to admin but if malware is running on your machine you probably have big problems anyway.

      Probably the most interesting part about VeraCrypt is the potential for UEFI boot but apparently there's no way to secure erase the keyboard buffer, all you can do is reset it (which they didn't do, but do now) and hope the driver actually overwrites it. But if you can dump the entire UEFI memory area it might still be there. Hopefully legacy BIOS mode will be around for a while longer, in this case simpler is safer.

      --
      Live today, because you never know what tomorrow brings
    8. Re:Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      I am not sure that I agree with this.
      TrueCrypt has had many security issues found, which have been already patched in VeraCrypt.
      I agree that not all security bugs are equal; however I did not spend enough time to go through the list with a fine comb and assess the severity of any of those.
      Care to enlighten us by pointing out info about
      1) the fact that TC bugs were all low impact and 2) the VC bugs which are high impact?

    9. Re:Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      As a bonus, you can try for plausible deniability of the VM's password if you live in a jurisdiction that can compel you to reveal passwords.

      You can try, but you'll fail. When they find nothing incriminating on the volume that you readily gave a password to, they will simply assume that you have a hidden volume, and then haul your ass to jail for not giving up a password to something that does not exist and cannot be proven to not exist.

    10. Re:Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      There are two things addressed in VeraCrypt but still present in TrueCrypt 7.1a:
      - there is a flaw that allows detection of hidden volumes
      - low key derivation iteration count (not a bug, only matters with weak password)

      So there are differences even in the "shut-down laptop stolen scenario". They don't matter if you have a strong password (which you should have anyways) and don't rely on plausible deniability.

    11. Re: Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 0

      That is why you put socially damning but legal stuff on the outer volume. It's far more believable when they find bestiality porn on your encrypted volume, "I wanted to be sure my wife/kids/mom can't find it" is a lot more convincing than just having systemd installed.

    12. Re:Should we be using TrueCrypt 7.1a instead? by gweihir · · Score: 1

      That was my reasoning.

      1) Plausible deniability is more of a problem than a solution and hard to use right. Hidden volumes need a lot of care and special preparation before going into danger in order to not be pretty obvious. They are one of these ideas that sound great but fail catastrophically in the face of a competent attacker.
      2) Weak passwords cannot really be fixed anyways, only attacker effort can be driven up a bit.

      With good security practices neither of these problems matter.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. dmcrypt? by Anonymous Coward · · Score: 0

    Has there been any similar audit of dmcrypt?

  4. I use it and appreciate the developer's approach. by RoverDaddy · · Score: 4, Insightful

    I am not a security expert and can't tell you whether Veracrypt is 100% secure, but I've been using it and I'm reasonably convinced that at least nobody short of a 'state actor' is likely to get at my data, and they're not the people I'm securing data from. It's the petty thieves who might steal my backup drives, or somebody who finds a USB stick I accidentally drop on the ground, that I'm protecting myself from.

    I've been to the support forums for Veracrypt and my impression is the developer is trying hard to be transparent and responsive and make the product as secure as possible.

    --
    RETURN without GOSUB in line 1050
  5. VeraCrypt designer is an authoritarian idiot by gweihir · · Score: 1

    VeraCrypt forces long iteration on shorter passphrases (>70 sec on my laptop, i.e. unusable), regardless of how secure that passphrase actually is. There is no way to switch this off. No response on a complaint. This and some other things lead me to not trust this person. I am back to the last TrueCrypt version that does not have this brain-dead and insulting limitation.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      If it's a shorter passphrase it isn't secure.

      It's brain dead to use a shorter passphrase

      Glad to help

    2. Re:VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      You can't fix stupid. In this case, you'd be the stupid one using short passphrases to encrypt something.

      Buy a new laptop -- I've used VeraCrypt inside virtual machines using long phrases and 3-method encryption that only took a few seconds maximum... on my 3 year old laptop.

      Was your laptop made this century? Is what you're trying to encrypt worth encrypting right, or do you want it broken in a few days with a basic dictionary or rainbow table attack?

      Sounds like it's only unusable to you because you have a terrible use-case.

    3. Re:VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0
    4. Re:VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      So that'd be about 14 characters, a-zA-Z?

      Down to 13 characters if we add 0-9 and special symbols.

      Hell, with lowercase or uppercase only, it'd only still be 17 characters.

      Not bad. I think I'll save myself a couple of shift-key presses the next time I generate myself a new random password.

    5. Re: VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      Dude, just use a longer password. Pad your super secure high entropy whatever with trailing x's to get to 20 characters, and quit bitching.

    6. Re:VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      Frankly, you could tack 123456 to the end to get past the 20-character minimum the code has (or so you mentioned in a different post).

    7. Re:VeraCrypt designer is an authoritarian idiot by Khyber · · Score: 1

      You can't have high-entropy in a short password. The math simply does not work out.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re: VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      VeraCrypt forces long iteration on shorter passphrases (>70 sec on my laptop, i.e. unusable), regardless of how secure that passphrase actually is.

      Really? It was an option when I just installed it on my craptop. Since my threat scenario is mostly lost/stolen/failed drives I don't need a long password or a huge number of iterations.

      Any encryption at all thwarts a casual thief from rummaging through my data once the device is out of my control. They'll likely trash it or reinstall it.

      But I could reduce the iteration count when setting up the volumes. I decided to leave it at the default because otherwise I'd need to remember what count I chose, as well as the pass phrase.

    9. Re: VeraCrypt designer is an authoritarian idiot by Anonymous Coward · · Score: 0

      VeraCrypt forces long iteration on shorter passphrases (>70 sec on my laptop, i.e. unusable), regardless of how secure that passphrase actually is.

      Really? It was an option when I just installed it on my craptop.

      If the password is shorter than 20 characters you can still set a PIM but not below 98 (system encryption) or 485 (other). That's still a lot slower than TrueCrypt. On my Core i5 Quad-Core it would take 10 to 40 seconds depending on the Algo.

    10. Re:VeraCrypt designer is an authoritarian idiot by TrekkieGod · · Score: 2

      VeraCrypt forces long iteration on shorter passphrases (>70 sec on my laptop, i.e. unusable), regardless of how secure that passphrase actually is. There is no way to switch this off. No response on a complaint. This and some other things lead me to not trust this person. I am back to the last TrueCrypt version that does not have this brain-dead and insulting limitation.

      I agree with you completely, and it's the reason I'm still using TrueCrypt.

      Secure high-entropy passwords aside, what the people responding to you don't get is that the user should be allowed to have a more convenient, but less secure encryption solution if he chooses. I have a short, low entropy password. I could write software that would crack it and it would complete the work in a day or two. I **know** that, and I don't care. I'm not protecting state secrets with it. I'm not worried the NSA will get hold of it. I just want the random person who finds my lost USB flash drive to not have immediate access to the data. Most people wouldn't care to crack it, from those that would most wouldn't know how to go about it. In the statistically unlikely case whoever finds it both wants to crack it and is able to, the data they'll find will be disappointing to them and not a big deal to me. Some of the things I encrypt are more for privacy than security.

      Basically, any decent criminal can lock-pick my front door. I still lock it, and it protects against the opportunist criminal. That's the level of security I want, and it makes no sense to tell me I can't have it. They could just pop a big red and flashing warning when I first create the volume that says, "based on the password and number of iterations you've chosen the average desktop computer would be able to crack your encrypted volume in 32 hours. Are you sure you don't want to choose a more complex password?" At that point, they've done their due diligence.

      --

      Warning: Opinions known to be heavily biased.

    11. Re:VeraCrypt designer is an authoritarian idiot by bluefoxlucid · · Score: 2

      Actually, if you're using a 94-element space (26 + 26 + 10 + 32), an 8-character password is on the same magnitude as a 26-element space (all lower-case letters) at 11 characters (7.2 x 10^15 vs 3.7 x 10^15). With a 1,000-element space, 5 characters (words) are on the same magnitude (1.0 x 10^15); although the 1,000-most-common words don't include conjugations and plurals, which takes you to several thousand. You have to breach a 5,700-element space for 4 characters to be on par (1.1 x 10^15).

      So all-lower-case can actually be as secure as the standard four-classes, eight-character password just by adding three characters. In all of these, we're looking at 50-53 bits (1.1 x 10^15 to 9.0 x 10^15) of entropy.

      Seriously, the 8-character password with complexity requirements thing should have never come about. When they went from "8 characters" to "something more secure", it should have been 11 characters.
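
Added example (not part of any comment in this thread, and not VeraCrypt code): the keyspace comparison above and the creation-time crack-time warning proposed earlier in this sub-thread, combined into one estimator. The PIM minimums (98/485 for passwords shorter than 20 characters) are the thread's figures and the PIM-to-iterations formula is the one in VeraCrypt's PIM documentation; the function names, the single-core PBKDF2-HMAC-SHA512 rate measurement and the assumption of uniformly random passwords are this example's own.

```python
import hashlib
import math
import os
import time

# Figures quoted in the thread: passwords shorter than 20 characters
# cannot use a PIM below 98 (system encryption) or 485 (other volumes).
SHORT_PASSWORD_LEN = 20
MIN_PIM_SYSTEM = 98
MIN_PIM_OTHER = 485


def keyspace_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password (assumption: every
    symbol is drawn independently and uniformly from the alphabet)."""
    return length * math.log2(alphabet_size)


def pim_to_iterations(pim, system=False):
    """PIM -> PBKDF2 iteration count, per VeraCrypt's PIM documentation."""
    return pim * 2048 if system else 15000 + pim * 1000


def minimum_pim(password_length, system=False):
    """Lowest PIM accepted for this password length (thread's figures;
    the floor of 1 for longer passwords is from the PIM documentation)."""
    if password_length >= SHORT_PASSWORD_LEN:
        return 1
    return MIN_PIM_SYSTEM if system else MIN_PIM_OTHER


def average_crack_seconds(bits, iterations, prf_calls_per_second):
    """Expected exhaustive-search time: half the keyspace is tried on
    average, and each guess costs `iterations` PRF calls."""
    return 2 ** (bits - 1) * iterations / prf_calls_per_second


def measure_prf_rate(sample_iterations=50_000):
    """PBKDF2-HMAC-SHA512 iterations per second on one local core.
    A stand-in for an attacker's rate, which is normally much higher."""
    salt = os.urandom(64)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"constructed-sample", salt, sample_iterations)
    return sample_iterations / (time.perf_counter() - start)


def assess(alphabet_size, length, pim, prf_calls_per_second, system=False):
    """Everything a volume-creation dialog would need for its warning."""
    bits = keyspace_bits(alphabet_size, length)
    iterations = pim_to_iterations(pim, system)
    return {
        "bits": bits,
        "iterations": iterations,
        "pim_allowed": pim >= minimum_pim(length, system),
        "seconds": average_crack_seconds(bits, iterations, prf_calls_per_second),
    }


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    rate = measure_prf_rate()
    # Password policies compared in the thread (alphabet size, length).
    policies = [
        ("8 chars, 94 symbols", 94, 8),
        ("11 chars, lower-case", 26, 11),
        ("12 chars, lower-case", 26, 12),
        ("5 words from 1,000", 1000, 5),
        ("4 words from 5,700", 5700, 4),
    ]
    print(f"measured rate: {rate:,.0f} PBKDF2 iterations/s (one core)")
    for label, alphabet, length in policies:
        r = assess(alphabet, length, MIN_PIM_OTHER, rate)
        print(f"{label:22s} {r['bits']:5.1f} bits  "
              f"{r['iterations']:,} iterations  ~{human(r['seconds'])}")
```
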

    12. Re: VeraCrypt designer is an authoritarian idiot by gweihir · · Score: 1

      I did that for a few weeks, until I realized how completely brain-dead that is and that the problem is not on my side.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:VeraCrypt designer is an authoritarian idiot by gweihir · · Score: 2

      It depends on the definition of "short". VeraCrypt thinks "short" is 20 chars or less and that is pretty much a complete fail.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:VeraCrypt designer is an authoritarian idiot by gweihir · · Score: 1

      I did that. Until I realized how completely stupid that is. I do not trust "security" I have to work around.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:VeraCrypt designer is an authoritarian idiot by gweihir · · Score: 1

      Indeed. Advising the user is perfectly fine, but _forcing_ the user to some perceived security level (and doing it badly) is not acceptable and indicates a systematic problem on the side of the designer. And where there is one such systematic problem, there is a pretty good chance of more.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:VeraCrypt designer is an authoritarian idiot by Khyber · · Score: 1

      That assumes you're allowed to use a 94-element space. I've come across too many password systems on the web where you're limited to 62-elements (alphanumeric only, upper and lowercase.)

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    17. Re:VeraCrypt designer is an authoritarian idiot by bluefoxlucid · · Score: 1

      Yes but I just explained that 12-character, all-lower-case passwords are more-secure than 8-character, 4-class passwords.

  6. Needs improvement by AmiMoJo · · Score: 2

    I'm a long time Truecrypt user who recently tried Veracrypt. It's okay, some nice new features, but as this shows the devs don't seem to be security experts or even skilled at writing secure code.

    It's also a little less stable than Truecrypt. I've had some system lockups that don't happen in Truecrypt with SSDs.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Needs improvement by ledow · · Score: 2, Insightful

      I'd be MUCH more worried if said audit produced nothing at all.

      The fact that the flaws are mostly in the new bootloader code - new, untested, complicated - is EXACTLY right. You don't need to use that bootloader, and TrueCrypt NEVER had that kind of bootloader (so the choice is nothing or VeraCrypt in that instance).

      There is nothing to suggest that the people behind TrueCrypt were any better - their audit turned up stuff too, and that was YEARS and YEARS after their first releases. VeraCrypt code hasn't even had that amount of time to catch up.

      So I don't see a problem. I've used both. TrueCrypt is going to stop working eventually - whether that's because UEFI bootloaders become ubiquitous, which is what MS are pushing for, or some other reason.

      Where security is concerned, better a project that people are actively working on (i.e. looking for, and fixing, flaws) than something that was once secure stagnating because nobody is coding on it. Take OpenSSL and OpenOffice as the prime examples of this lately.

    2. Re:Needs improvement by Anonymous Coward · · Score: 0

      Thank goodness all the companies that have security experts writing code don't have security flaws in their software.

      I thought security was hard but thanks to your insights I now know that you merely need to have security experts who are skilled at writing secure code

    3. Re:Needs improvement by Anonymous Coward · · Score: 0

      I don't understand.

      Do you think OpenSSL and OpenOffice are examples of code that has been kept up-to-date or code that has stagnated?

      Because both of those projects are still under active development. Sure, they don't have a new release every morning when you wake up, but that's the nature of mature products.

    4. Re:Needs improvement by ledow · · Score: 1

      Both have been in the news in recent years for falling into obsolescence where nobody was actually checking the code properly any more (because of a lack of developers) and both retained serious security flaws for many years.

      And both have much more active development on their "Libre" equivalents (LibreSSL and LibreOffice) where those kinds of things are found and fixed pretty damn quickly and all the legacy cruft that nobody was looking at, let alone maintaining, is removed.

      If you haven't seen the actual cause of HeartBleed and the Apache OpenOffice vulnerabilities, I suggest you go read up.

  7. FDE on Linux by Anonymous Coward · · Score: 0

    Would be nice if VC had FDE on Linux. (Yes I know about LVM and LUKS)

  8. Illusion of secure encryption on an insecure OS by ffkom · · Score: 4, Insightful

    Veracrypt may provide decent cryptographic functionality, but given that its main audience is Windows and Mac users, the two huge security holes they cannot fix are called "MicroSoft" and "Apple". You can make Veracrypt as secure and error-free as you want, as long as it has to expose the decrypted data to some commercial, closed-source operating system that phones home like crazy to provide its manufacturer with valuable data, there is no actual security. Not to mention the backdoors builtin for certain 3-letter-agencies.

    1. Re:Illusion of secure encryption on an insecure OS by Striek · · Score: 0

      This has precisely nothing to do with the article, and your opinion has no impact on the security of VeraCrypt.

      -1 Offtopic

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington
    2. Re:Illusion of secure encryption on an insecure OS by jbn-o · · Score: 4, Insightful

      Indeed; there are many reasons not to do business with Apple and many reasons to never use proprietary, user-subjugating software. Contrary to one of the follow-ups to the parent post, this has everything to do with TrueCrypt, VeraCrypt, and any other free software to which one entrusts their sensitive information. There's nothing these programs can do to fix the real problem. The user has to switch operating systems to a fully free software, user-respecting OS and install only free software on top of that to do the best we can do to avoid the aforementioned problems. So while nobody can blame these free software programs for leaked keys, passphrases, and other leaked information there's no reason to trust the underlying proprietary software these free programs rely on to do everything they do when running on non-free OSes.

    3. Re:Illusion of secure encryption on an insecure OS by Anonymous Coward · · Score: 0

      Oh my, been a while since I've read GNU propaganda on slashdot ...

  9. Re: Illusion of secure encryption on an insecure O by Anonymous Coward · · Score: 0

    My Apple computers do not phone home. Citation needed or stfu.

  10. Fuck VC by Anonymous Coward · · Score: 0, Troll

    "I think so. TrueCrypt 7.1a has, as far as I remember, only local exploits that matter. In the regular scenario (laptop), there is no other user and they do not matter at all. I do not trust the VeraCrypt person."

    Mod parent up.. Fuck VC.

  11. but who is going to audit the audit? by Anonymous Coward · · Score: 0

    i like to clap my cheeks together while saying, "You're such a cheeky fellow".

  12. "No actual security"? by Anonymous Coward · · Score: 0

    So you're saying if some lowlife steals my encrypted laptop, it's useless because all they have to do is ask MS or the NSA for my data?
    Of course they would be happy to help random methheads commit identity theft.
    Security is not that black&white you know, there are several enemies.

  13. it was slow at mounting volumes, I still use TC by Anonymous Coward · · Score: 0

    "Anyone want to share their experiences with VeraCrypt?"

    I don't remember which version I tried exactly - it was at the beginning of last year. When I tried to mount volume it hung for more than 60 seconds (I don't remember exactly - maybe more). I tried different algorithms - the same behaviour on all. I don't know if it's normal VeraCrypt behaviour.

    I installed TrueCrypt - it works for me. Maybe NSA can break it - maybe not. I don't care. I care about protecting my data against normal thieves that could steal my laptop. And against these stupid servisants from asus service that wanted my password.

    1. Re:it was slow at mounting volumes, I still use TC by Anonymous Coward · · Score: 0

      "Anyone want to share their experiences with VeraCrypt?"

      I don't remember which version I tried exactly - it was at the beginning of last year. When I tried to mount volume it hung for more than 60 seconds (I don't remember exactly - maybe more). I tried different algorithms - the same behaviour on all. I don't know if it's normal VeraCrypt behaviour.

      It is normal. The TrueCrypt audit complained about low key derivation iteration count. This was vastly increased in VeraCrypt which makes it harder to crack. Unfortunately this hardening also slows down as much as it makes the password harder to crack.

      You can reduce the number of iterations:
      https://veracrypt.codeplex.com/wikipage?title=Personal%20Iterations%20Multiplier%20(PIM)

  14. Re: I use it and appreciate the developer's approa by Anonymous Coward · · Score: 1

    This is exactly the problem. Security, especially encryption, is usually so far above people's heads, that there is no possibility of them self-analyzing their own risk. You think you are safe using it, but you admit that you have no reasonable reason to think that.

  15. Re: Illusion of secure encryption on an insecure O by Anonymous Coward · · Score: 2, Informative

    My Apple computers do not phone home. Citation needed or stfu.

    Would you like to see my little snitch logs? Mac OS gets chattier with every new release.

  16. Re:I use it and appreciate the developer's approac by AHuxley · · Score: 1

    The problem is for travellers. Can the chat down at a crossing result in a scan of working hardware show any and all encryption?
    The user is then asked to decrypt.

    --
    Domestic spying is now "Benign Information Gathering"
  17. VeraCrypt is sponsored by Microsoft? by Futurepower(R) · · Score: 1, Insightful

    VeraCrypt is hosted on a Microsoft web site: VeraCrypt at codeplex.com.

    That scares me. Consider this Network World article: Windows 10 is possibly the worst spyware ever made. Quote: "Buried in the service agreement is permission to poke through everything on your PC."

    1. Re:VeraCrypt is sponsored by Microsoft? by tattood · · Score: 1

      It's also hosted at SourceForge if you don't like downloading from Microsoft.

      --
      WTB [sig], PST!!!
  18. Thomas Ptacek by Anonymous Coward · · Score: 0

    Didn't Thomas Ptacek and/or iSec do an audit of TrueCrypt 7.1a? Don't recall the results exactly, but presumably these are different items. Does that mean Ptacek and company missed these items, or were these introduced by VeraCrypt?

    1. Re:Thomas Ptacek by Anonymous Coward · · Score: 0

      Both. There were problems found in TrueCrypt after "the" first audit, this audit and in-between. Some of those only in VeraCrypt, others in both VeraCrypt and TrueCrypt.

  19. We don't hear it, no, but... Parallel Construction by Anonymous Coward · · Score: 1

    We don't HEAR often that the Feds have used a security hole to extract data from a user's system.

    Emphasis added. We already know authorities use "parallel-construction", which is when they fabricate a fraudulent evidence-trail to convince people they obtained crucial information through some not-so-secret means.

  21. On the topic of Entropy... by Anonymous Coward · · Score: 0

    VeraCrypt supports unicode passwords...

  22. Re:I use it and appreciate the developer's approac by hodet · · Score: 1

    Sadly this is how I feel as well. Trust is a very complicated and difficult problem to solve. I always say, "At least Goober can't access my family photos". But if a powerful nation state wanted to access my hard drive (I use LUKS for full disk encryption and truecrypt 7.1a for containers) I don't feel so good about that. I lead a pretty straight life anyway, but it bothers me that there is no truly trustworthy solution, even if what we have is ultimately secure. How would you know?

    Now we have one laptop with Windows 10 and I can't even do full DE with TrueCrypt. So what did we do? Bitlocker (shudders). Goober still can't access it but the government can pretty much just snap their fingers and they will get in. So Bitlocker is a true joke in my opinion and only useful for keeping Goober out.

  23. What is Microsoft's influence on VeraCrypt? by Futurepower(R) · · Score: 1

    What is Microsoft's influence on VeraCrypt? It seems to me that Microsoft has strongly positioned itself as a company that cannot be trusted.