[liberationtech] TrueCrypt Alternatives?

Greg greg at kinostudios.com
Fri Oct 3 12:24:09 PDT 2014


On Oct 3, 2014, at 12:04 PM, Steve Weis <steveweis at gmail.com> wrote:

> Hi Greg. The burden of proof is on Espionage to convince people that
> it is safe. I can't trust it based on marketing claims alone.
> 
> There is not a sufficiently detailed design document on the website,
> much less a battle-tested, peer-reviewed design.

And how many free open source encryption utilities like Espionage fit that description?

None? Maybe the defunct TrueCrypt?

As far as crypto goes, we are using scrypt (free/open source) [1] and Apple's disk images (100% closed source).

[1] https://www.tarsnap.com/scrypt.html

We're not thrilled about the Apple part. I linked to a review by @ioerror (and someone he worked with) that contains their analysis of it in the r/security link that was mentioned earlier in this thread.

We are investigating ways of removing our dependence on Apple's sparsebundles.

> I don't see any reference to independent third-party audits.

I would love to do a professional audit once we can safely afford one.

In the meantime, those who would like to audit us pro-bono are welcome to so long as they sign the NDA:

https://www.taoeffect.com/forum/index.php?board=14.0

BTW, does anyone here want to donate to an audit of Espionage? Cause that would be swell! (Should we start a TrueCrypt-like campaign? I'm not sure that would go over well given that we charge for it.)

> I can't find any indication the development team has security or crypto expertise and I
> cannot personally sign an NDA to view the source code.

I have security expertise, but am not a cryptographer, and therefore I use existing code, like Colin Percival's scrypt.

> If I'm missing something or you're willing to give source access
> without an NDA, please let me know.

Why are you unable to sign the NDA?

> Otherwise, I have to advise people to avoid Espionage.

I'm sorry to hear that. :-(

Here is a list of other software that supports deniability (but not the same kind that Espionage does) that you might want to recommend in its place:

https://en.wikipedia.org/wiki/Deniable_encryption#Software

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

> 
> 
> On Thu, Oct 2, 2014 at 5:50 PM, Greg <greg at kinostudios.com> wrote:
>> 
>> Stating a thing does not make it true, no matter how many times it is repeated.
>> It is not "apply". It is apply.
>> Anyone is welcome, so long as they:
>> 
>> 1. Are software security professionals. (Nobody else matters in this context, after all.)
>> 2. Don't work for government intelligence agencies.
>> 3. Sign the NDA we give them, the salient points of which are enumerated on our site.
>> 
>> They will be given a free license to Espionage.
>> 
>> Also, you convince me how to keep providing high quality software and support while simultaneously making Espionage completely free and open source and I will do it in a flash.
> --
> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
