Password Protect File Or Folder?

f0dder:
I don't believe that open-source automagically means "more secure" than closed-source... just look at how long the chunked-transfer exploit bug was in Apache until it was found & patched.

However, I strongly believe that you should never use closed-source versions of systems like TrueCrypt, because that's one field where Security Through Obscurity fails miserably. Sure, a company making money off a product might have greater interests at stake, but that doesn't stop them from writing shitware and trying to cover up the facts behind code obfuscation etc. Anybody remember the Diebold voting machine horror stories? Or the gaping security holes in Skype that were found even though Skype is heavily obfuscated? (Thankfully it wasn't exploited on the massive scale that I had predicted.) Microsoft uses code reordering to make it harder to detect what's patched in their hotfixes in order to make exploit-writing harder, but bindiff was constructed in order to overcome that... There are a lot of other examples as well.

Yes, there's more to security than "just using TrueCrypt", but if somebody needs decent encryption it really is the best choice (for several reasons), and a sentence like "but it's not exactly secure but most users consider it secure enough." is plain wrong and misleading. It's not fanboyism, it's just the product being the best choice. Might be overkill for what siouxdax needs, but I can't advocate using software that gives a false sense of security :)

PS: I've never had any stability issues with TrueCrypt, and it's definitely not heavy-weight either.

Paul Keith:
I would say that the difference between a privacy encryption app like TrueCrypt and the examples you've used is that the ones you listed, especially the Diebold machines, which center around voting rather than privacy, all revolve around the flaw of being translucent rather than transparent in the execution of their jobs, whereas a privacy app need not be that way. It simply needs to be 1. effective and 2. not be, as you pointed out, "shitware".

In fact such examples, though different in category, highlight what happens when people become apathetic towards the value they claim to cherish and then only find out later on that they have been screwed, yet continue to bitch about it rather than make a difference, because the technology forced them to remain clueless yet paranoid. A common result when people are led to believe in technology blindly (sometimes not even led, just apathetic to any cons technology brings, which isn't helped by one's own subconscious apathy towards the voting system).

I would also say that the flaw of saying something is the best at what it does must still assume that the user wants to have the best encryption program rather than the best way to keep their privacy. This leads to two major flaws IMO:

a) By saying that you are merely pointing out what you consider the best choice, you totally throw out your earlier argument of Open Source vs. Closed Source:

Imho this is wrong. The only thing closed-source gains you is obscurity - and everybody who's into security is going to say that security through obscurity never works. For stuff like encryption, having the source code open inspires more trust than depending on bugs (and backdoors?) not being discovered.
--- End quote ---

Why? Because you are inherently comparing the best Open Source model in TrueCrypt and justifying the model of Open Source through that one app rather than addressing the actual model of Open Source.

I don't think that opinion is wrong and I did hint at its popularity in my reply, but it still does throw out the open source model and rather makes a case that the popular optimum model is the best choice when choosing a privacy app, and that being Open Source only has relevance to it because the current popular program happens to be one.

b) By assuming it is the best choice, such attitudes (especially when adopted by a group large enough) become the very influencing factor in convincing people (especially people ignorant of the backbones of privacy applications) to assume that it is the sole Holy Grail of privacy apps, and yet even as you point to it being what you perceive as the best choice, you also allude to it only being a "decent" encryption program (something I disagree with btw, I think most apps have reached that stage of being great encryption programs for their purposes) and also that there is more to security than it alone.

Words like those in my opinion only prove that TrueCrypt isn't exactly secure but only considered secure enough by the majority of tech users. Words like those also hide the fact that TrueCrypt still requires improving so even though it is the best choice considered by many currently, it is only if you enforce that belief from the software design and effectiveness perspective rather than the privacy perspective that it becomes "secure enough".

nosh:
Now that the OP's found his solution, a little digression can be forgiven...

My first impression of TrueCrypt which I've implemented recently on my system:

I finally forced myself to take the plunge after a long period of fear+hesitation. I formatted two 1TB (single partition) drives and hid both partitions using Partition Magic. TrueCrypt detected both partitions and I created a normal TrueCrypt volume on each. Some of the programs store their data files on these drives, so I had to Google a way to mount the drives before any regular programs started; a fitting solution was found here.

My system has been stable so far and it's a big relief to know that if a drive fails, I can give it for warranty replacement without having to worry about the company's tech-monkeys going through my data.

As far as performance is concerned, TrueCrypt isn't a total heavyweight but I wouldn't categorize it as a lightweight either. Copying large amounts of data across both TrueCrypted volumes, the CPU (2 x 3.16GHz) shows a load of anything between 25-40%.

My overall experience with TC has been positive. The original intention was to lose the encryption after the drive warranty period expired since I'm not worried about theft or authorities, but it's completely non-intrusive and in actuality, I hardly notice the performance hit either. So unless TrueCrypt throws an ugly surprise in my face some time in the future, it's here to stay.

f0dder:
Paul: TrueCrypt is the technologically best choice - this doesn't have to do with the fact that it's opensource. Most people here will know that I'm not the biggest fan of opensource, but I still firmly believe that it's important for privacy as well as transparency applications. Companies with commercial interests are more likely to stay silent about bugs or inefficiencies (like, continuing to use CBC mode instead of LRW or XTS).

Words like those in my opinion only prove that TrueCrypt isn't exactly secure but only considered secure enough by the majority of tech users.
--- End quote ---
It's basically as secure as it gets. It has technically sound application of encryption algorithms, and it avoids making temporary writes of unencrypted data to disk (which the usermode applications tend to do, making them basically useless).

nosh: sure thing, the de/encryption does cost - 256-bit AES performs at around ~110MB/s on a 3GHz Core 2. The recent versions of TC have multithreading support - I'm not sure just how the parallelization is done, but I would expect at least one thread per volume. So a dual-core 3GHz should be able to copy full speed from one physical drive to another (unless you have extremely high-end drives :)). During normal daily operation disk access tends to be in bursts though - I don't find it has much of an impact on system performance. I wouldn't encrypt partitions used for video editing or heavy games, though :)
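
Added example (written for this page; it is not code from the thread, from TrueCrypt, or from any product mentioned) to illustrate the "CBC instead of LRW or XTS" point f0dder raises above. With CBC and a sector-number IV, someone who can write to the encrypted disk but has no key can make a targeted change to the plaintext of one block by XORing a chosen delta into the preceding ciphertext block: that block decrypts to garbage, but the following block flips exactly as intended. With XTS-AES the same tampering randomizes only the touched 16-byte block and cannot be steered. Everything here is constructed for the demo: the keys, the 64-byte "sector" with its "allow=false" flag, the sector number 4711, and the hand-rolled XTS (written from IEEE 1619, so it is a teaching implementation, not any product's). Go is used because its standard library ships AES and CBC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const sectorNo uint64 = 4711 // constructed sector number, used as the CBC IV and as the XTS tweak

// Constructed demo keys (32 bytes each, AES-256); illustration only, not secret.
var cbcKey = []byte("0123456789abcdef0123456789abcdef")
var xtsKey1 = []byte("fedcba9876543210fedcba9876543210")
var xtsKey2 = []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345")

// Constructed 64-byte "sector" (four AES blocks); block 1 holds a flag that an attacker
// with raw access to the encrypted disk, but no key, wants to turn into "allow=true".
var sectorPlain = []byte("block-0 header.." + "allow=false....." + "block-2 payload." + "block-3 payload.")
var wantBlock1 = []byte("allow=true......")

// sectorTweak encodes the sector number as 16 little-endian bytes.
func sectorTweak(sector uint64) []byte {
	t := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(t, sector)
	return t
}

// cbc encrypts or decrypts one sector in CBC mode with a sector-derived IV.
func cbc(key []byte, sector uint64, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key)
	mode := cipher.NewCBCDecrypter(blk, sectorTweak(sector))
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, sectorTweak(sector))
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// gfMul2 multiplies t by alpha (x) in GF(2^128) mod x^128+x^7+x^2+x+1, little-endian per IEEE 1619.
func gfMul2(t []byte) {
	var carry byte
	for i := range t {
		t[i], carry = t[i]<<1|carry, t[i]>>7 // shift left by one bit across the 16 bytes
	}
	if carry != 0 {
		t[0] ^= 0x87 // reduce by the polynomial when a bit falls off the top
	}
}

// xts is hand-rolled XTS-AES (IEEE 1619) for whole-block sectors:
// C_j = E_K1(P_j xor T_j) xor T_j, with T_0 = E_K2(sector) and T_{j+1} = T_j * alpha.
func xts(key1, key2 []byte, sector uint64, in []byte, encrypt bool) []byte {
	k1, _ := aes.NewCipher(key1)
	k2, _ := aes.NewCipher(key2)
	tweak := sectorTweak(sector)
	k2.Encrypt(tweak, tweak)
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		blk := out[off : off+aes.BlockSize]
		for j := range blk {
			blk[j] = in[off+j] ^ tweak[j]
		}
		if encrypt {
			k1.Encrypt(blk, blk)
		} else {
			k1.Decrypt(blk, blk)
		}
		for j := range blk {
			blk[j] ^= tweak[j]
		}
		gfMul2(tweak)
	}
	return out
}

// tamper XORs the flag delta (old flag xor wanted flag) into ciphertext block blk.
func tamper(ct []byte, blk int) []byte {
	out := append([]byte(nil), ct...)
	for j := 0; j < aes.BlockSize; j++ {
		out[blk*aes.BlockSize+j] ^= sectorPlain[aes.BlockSize+j] ^ wantBlock1[j]
	}
	return out
}

// CBCAttack tampers with ciphertext block 0 and decrypts: block 0 becomes garbage,
// but block 1 now reads exactly "allow=true......", and the attacker never had the key.
func CBCAttack() []byte {
	ct := cbc(cbcKey, sectorNo, sectorPlain, true)
	return cbc(cbcKey, sectorNo, tamper(ct, 0), false)
}

// XTSAttack applies the same delta to block 0 and, separately, to block 1: only the
// touched block changes, to a value the attacker cannot steer. roundTrip checks xts decrypts itself.
func XTSAttack() (tamperedBlk0, tamperedBlk1 []byte, roundTrip bool) {
	ct := xts(xtsKey1, xtsKey2, sectorNo, sectorPlain, true)
	roundTrip = string(xts(xtsKey1, xtsKey2, sectorNo, ct, false)) == string(sectorPlain)
	tamperedBlk0 = xts(xtsKey1, xtsKey2, sectorNo, tamper(ct, 0), false)
	tamperedBlk1 = xts(xtsKey1, xtsKey2, sectorNo, tamper(ct, 1), false)
	return
}
```

Real sectors are 512 or 4096 bytes, and the toy XTS above handles only whole-block sectors (no ciphertext stealing for partial blocks). The point is the malleability argument behind moving disk encryption off CBC: XTS (like LRW before it) confines a ciphertext edit to one block and removes the attacker's control over the result; neither mode authenticates the data, so an edit still goes undetected in both.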

Paul Keith:
@f0dder

That's also my current stance but that is also why I said it's not secure enough. I'm not limiting the discussion to the technologically best choice, I'm putting the discussion to where TrueCrypt's core functionality is concerned: on privacy first and not on software capability.

It also has something to do with open source because your original problem with my comment addressed only the open source vs. closed source debate prior to switching to the angle of best technological choice.

I guess we're getting nowhere here and you're probably wondering why I'm focusing on it. (I guess it's not a common stance in the internet world yet.)

Well basically I've currently been reading about Technopoly, which deals with how technology can change one's mindset on how to tackle a problem for better and worse, and the previous book I've read was The Revolution: A Manifesto, which somewhat deals with your issue about Diebold machines and other political structures (but it's really at its core all about the U.S. Constitution) and explains how we as a culture (or at least Americans) are made to think differently on dealing with problems because the structure of a concept has been kept from our minds, although you might really need to research more about the author's stance to really find its relation with privacy in general.

I'm not saying you should read these books or that you can get the same conclusion as my own, but it did cause a light bulb in my head to light up and made me value the importance of not only how I saw software with altruistic goals like TrueCrypt but in general it made me value the fact that you can't shorthand privacy and constantly let the software trump the goal. At the end of the day, I believe we're either recommending these things to help someone's privacy or we're recommending these things because it's an effective application, and I'd rather still value the former even if I'm doing the latter, just so we don't get used to settling on the value and end up creating a new generation of pseudo-blind sheep, not because I'm accusing you of being a fanboy (I think your last comment hinted at a suspicion that that is what I'm trying to call your choice of TrueCrypt) but because we ourselves didn't do anything to remind people that technologically best enough isn't the same as being able to secure our privacy enough.
