Thread for TrueCrypt alternatives [FOSS preferred]

Discussion in 'privacy technology' started by Morthawt, May 29, 2014.

Thread Status:
Not open for further replies.
  1. Haggishunter

    Haggishunter Guest

    Well, there is no such thing as a free lunch, so, as previously done, I again recommend BestCrypt from Jetico. It costs $60 but is the only encryption software that uses (amongst many others) the IDEA algorithm, which was never broken. Also, all new versions are backwards compatible (which even means back to the DOS versions). I used ScramDisk and later on E4M. With ScramDisk, I once lost a data container, which is why I switched to E4M. When Win XP came, I started using BestCrypt. It is extremely sturdy; I have now used it for about eight years or more. When E4M eventually stopped, TC and DriveCrypt arrived. TC was a bit dodgy from the beginning, since we never knew who was behind it. Re DriveCrypt, you can google the owner's background yourself... It is all the same: TC, DriveCrypt, PrivaZer, Blackphone. But people never learn. And Bruce Schneier is really starting to get boring. All that conspiracy drivel. Why is only BestCrypt using IDEA? Can somebody enlighten me on that?
     
    Last edited by a moderator: Jun 1, 2014
  2. Haggishunter

    Haggishunter Guest

    What did I write on 4th Feb. 2014 and on 6th March 2014 about TC? So pathetic this discussion. TC always was snake oil.
     
  3. Morthawt

    Morthawt Registered Member

    Joined: Jul 10, 2008 | Posts: 79 | Location: UK
    What did you write? Can you paraphrase for the rest of us that did not see? Though, I highly doubt TC was ever snake oil.
     
  4. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    He's just gloating ;) He's probably not the only one who is.
     
  5. Morthawt

    Morthawt Registered Member

    Joined: Jul 10, 2008 | Posts: 79 | Location: UK
    Either way there is an audit of the code, for what it's worth now TC is no more.
     
    Last edited: Jun 1, 2014
  6. Haggishunter

    Haggishunter Guest

  7. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    SecurStar rubs me the wrong way. Read the history of TrueCrypt to see why:

    https://en.wikipedia.org/wiki/TrueCrypt#History

    I admit the original TC Team could have been lying, but it doesn't seem like it. And I don't see a reason they would or what they'd get out of it.

    And I'm sure if someone looked they could find some official documentation from Hafner or Le Roux that would at least confirm the allegation that SecurStar went after Le Roux. If you read the old usenet logs it sure does sound like the community was calling BS on the idea that E4M came from SecurStar. It was out way before Le Roux worked there, and the company never said anything about it or the license until TC came around.

    And their commentary on their own site sounds in line with it too:

    The fact that they take credit for Scramdisk and E4M is enough for me. From everything I've read, that's laughable nonsense.

    And this is all aside from the fact that you have to place a "substantial order" (whatever that is) and "sign a nondisclosure agreement" just to inspect the source code.
     
  8. Haggishunter

    Haggishunter Guest

    Forget the audit. It's a waste of time. Anyway, who knows about the background of Kenn and Matt? BestCrypt got a development kit which contains source codes of version 8 of BestCrypt Container Encryption for Windows. I think some people participate in a race where there is no prize to win (=> the "auditors", Kenn & Matt).
     
  9. Morthawt

    Morthawt Registered Member

    Joined: Jul 10, 2008 | Posts: 79 | Location: UK
    How can you say the audit is a waste of time? It is the definitive method of proving TrueCrypt was secure. That does not mean forked projects are as trustworthy though, but at least we would have certainty that if it gets forked we can know their starting position is secure.
     
  10. Haggishunter

    Haggishunter Guest

    You made very good points. Dig a bit deeper re SecurStar and its owner... You'll find much more.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined: Jan 4, 2006 | Posts: 4,978
    Truecrypt is NOT over! If you have earlier versions, you got them. Sure no more updates, but it's still here. I'll continue to use it, until I hear/read a VERY good Believable reason/s not to.

    I installed v6.3.1.0 in 2k9 & recently DL'd v7.1a Portable, & cross referenced the hash @ various places on the www, & it's identical. I did that in case it disappears, or is tampered with in future.

    I don't use FDE though, just containers, which is fine for me.
     
  12. Morthawt

    Morthawt Registered Member

    Joined: Jul 10, 2008 | Posts: 79 | Location: UK
    Could you be any more vague?
     
  13. Haggishunter

    Haggishunter Guest

    Yes: Google hafner blueboxing
     
  14. Morthawt

    Morthawt Registered Member

    Joined: Jul 10, 2008 | Posts: 79 | Location: UK
    I am going to say again. Could you be any more vague? I could google for weeks and not come across the specific info you are supposedly hinting that you know.
     
  15. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    @Morthawt
    The post is obviously amateur, but sounds legit to me. Aside from the overall point being SecurStar engaged in fraudulent marketing practices, the relevant section is here:

    http://infosecurity.ch/20100201/evi...-a-fake-independent-research-on-voice-crypto/
     
  16. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    I'm definitely interested in this. Is Twofish really considered more secure than AES? I always hear that Serpent is considered the more robust of the top three finalists in terms of security, but was Twofish really second in that category? I've noticed that even Bruce Schneier recommends AES (I guess just out of sheer usage data, meaning it has such a large presence in the wild and in so many implementations that it has a better proven track record just based on the amount of attention that's been on it and probably the number of attacks it's stood up to).

    I also was under the impression that Rijndael was chosen based in part on its superior speed. Do you really find Twofish performing noticeably better?
     
  17. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    OK, so Wilfred Hafner founded SecurStar. And there was some conflict between SecurStar, E4M and TrueCrypt developers over stolen code. And maybe there have been two or more generations of anonymous TrueCrypt developers.

    But how is that relevant to current TrueCrypt (7.1 that is) functionality? The source code is available, and it's being audited. And it could be forked, with little chance of litigation. Or it could be forked anonymously.

    Also, what is the relevance of Wilfred Hafner's history as a for-profit phracker to any of that? Is it a plus or a minus for some code that may remain in TrueCrypt? Would we rather have code touched by former NSA consultants, or by former white-collar criminals? It's a subtle difference, I admit ;)
     
  18. BeardyFace

    BeardyFace Registered Member

    Joined: May 29, 2014 | Posts: 80
    Doesn't matter who wrote the code if the code is sound, any more than if the guy who built your garden wall had a conviction or not, the wall is sound or it isn't.. same for the code, which is being audited, which should tell us if it's sound
     
  19. LockBox

    LockBox Registered Member

    Joined: Nov 20, 2004 | Posts: 2,328 | Location: Here, There and Everywhere
    I will admit it is only worth discussing because if one wants to truly understand Truecrypt (and maybe the whole thing that led to this "alternatives" thread), you must go through Shaun Hollingworth (Scramdisk) and Paul Le Roux (e4m). Both eventually ended up working "for" SecurStar. Of course, I know a lot of professional people who had night jobs accepting donations (scratch that -- I mean tips). People will go to elaborate lengths to hide, deceive, obstruct, on and on in order to keep the money from the still out back. Sorry for mixing the metaphors. At any rate, it's always been an interesting story.

    I would stick with TC 7.1a, at least for now, and I'm a big believer in hardware encryption and would use it in combo. When it comes to another alternative for software FDE, I really do trust Jetico and BestCrypt and wouldn't hesitate using it at all.
     
    Last edited: Jun 1, 2014
  20. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    I guess that was my fault. Paranoid Eye offered SecurStar's Drivecrypt as his alternative. In this post I was explaining why I'm not a fan of them and why I wouldn't use their products just on a personal level, let alone for the security concerns related to closed-source.

    But just to be clear, I don't think it's fair to call it "conflict over stolen code", as that implies theft actually took place. From everything I've seen, even preliminary facts all but confirm that Hafner/SecurStar is full of it.
     
  21. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    I never knew any of that. It does put the current situation in context, though. Crazy stuff :eek:

    So do you/they think that one of those people are/were the anonymous TrueCrypt developers?
    That's the prudent path, I agree.
     
  22. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    Yes, of course. Given that I have zero first-hand knowledge, I should have written: "reported conflict over allegedly stolen code".
     
  23. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    What's the story with hardware encryption? Are you ever worried about it messing up? It would seem that that's one area where you have virtually no way of knowing how secure it is...but at the same time you're risking data loss if a component fails.

    Seems like a needless risk if you're using software encryption, no?

    I'm not familiar with those. What's the background? Are they proprietary?
     
  24. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011 | Posts: 9,252
    I have the opposite concern. But it's related, in that there's no direct interface with the HDD or SSD. I'd love to see a succinct discussion of the various hardware FDE methods, explaining their pros and cons. I started looking into SSDs with hardware encryption, and was put off by the apparent lack of secure approaches (such as Crucial's M series) for Linux. In my next VM host, it'd be fun to use four SSDs in RAID 10 ;)
     
  25. Randcal

    Randcal Registered Member

    Joined: May 29, 2014 | Posts: 76
    If you want a sort of uncited grapevine-type account of the story, you can check it here:

    http://www.statemaster.com/encyclopedia/TrueCrypt

    And I seriously doubt Hollingworth or Le Roux were involved in TC at any point. As it says in the Wikipedia history, Le Roux was in contact with them only because the legitimacy of his E4M license was in question and that directly affected TC. And you can just read through the old usenet logs to know Hollingworth neither had, nor wanted, anything to do with TC.
     