From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <wagner@tansi.org>
Received: from v6.tansi.org (ns.km31936-01.keymachine.de [87.118.116.4])
 by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Sat, 17 May 2014 13:42:02 +0200 (CEST)
Received: from gatewagner.dyndns.org (77-57-44-24.dclient.hispeed.ch
 [77.57.44.24]) by v6.tansi.org (Postfix) with ESMTPA id A5CD934FA001
 for <dm-crypt@saout.de>; Sat, 17 May 2014 13:42:01 +0200 (CEST)
Date: Sat, 17 May 2014 13:42:01 +0200
From: Arno Wagner <arno@wagner.name>
Message-ID: <20140517114201.GA10381@tansi.org>
References: <20140516111139.GC31000@tansi.org>
 <20140517070806.GA2130@fancy-poultry.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140517070806.GA2130@fancy-poultry.org>
Subject: Re: [dm-crypt] Truecrypt audit
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On Sat, May 17, 2014 at 09:08:06 CEST, Heinz Diehl wrote:
> On 16.05.2014, Arno Wagner wrote: 
> 
> > I just want to warn everybody not to place too great stock 
> > into these results. I have participated in similar, non-public
> > analyses and they can only ever go so deep. Cleverly hidden or
> > disguised backdoors may easily be overlooked...
> 
> I agree.
> 
> I posted the article because of TC's widespread use, and I'm not aware
> of any comprehensive review/audit of its source (I'm not using TC
> myself).

Posting it is fine. It does contain valuable information.

For example, I think from the report one can deduce that 
TrueCrypt is not very likely to have low-value vulnerabilities, 
hence, for example, ordinary law-enforcement and ordinary 
criminals will likely not get in and more widely available 
forensics tools will likely also not work.

I just wanted to give context which may be non-obvious to
people that have not done something like this themselves.

And yes, I am using TC, but not for secret things. "Business
Confidential" is the highest level I am willing to trust it 
with.

Arno
-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato