[Cryptography] Fork of TrueCrypt

Peter Trei petertrei at gmail.com
Thu Jun 5 13:44:54 EDT 2014


Jerry Leichter <leichter at lrw.com> wrote:

>
> Message: 24
> Date: Wed, 4 Jun 2014 17:53:21 -0400
> From: Jerry Leichter <leichter at lrw.com>
> To: Bill Cox <waywardgeek at gmail.com>
> Cc: "cryptography at metzdowd.com" <cryptography at metzdowd.com>
> Subject: Re: [Cryptography] Fork of TrueCrypt
>
>
> On Jun 3, 2014, at 7:05 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> > An auto-update feature pinging the server would alert any network
> > snooper of exactly who was using the TrueCrypt fork.  From a security point
> > of view, auto-update is DOA.
>


> On the other hand, regularly checking a public location on which the
> latest versions of a wide variety of products are listed reveals pretty
> much nothing.
>

Can you name one for TC? That is to say, a page which lists the current
versions of (for example) TC, Safari, Opera, and Firefox, and which was in
place before the recent commotion? I'm not aware of such a page.

> If you act on what you find and go looking for the new version, of
> course, you reveal your interest.  But that's true *no matter how
> you check for or download new versions*:  The metadata about where you
> connect reveals your interests.  Shock, horror.  Tor.

It's important to remember that TC and other FDE and file encryption
systems are used by people with a wide range of threat models. Sure, it
includes corporations protecting IP and/or sensitive customer data, who are
mainly worried about the data being stolen. However, it also includes
political dissidents, foreign correspondents, and others who may be Not At
All Popular with the powers that be where they operate, including locations
where the rubber hose is regarded as a cryptanalytic tool.

For the latter, not raising flags that they are crypto users is critical,
and plausible deniability when that fails a Good Thing. While you rightly
note that using Tor is difficult to hide, it is a network protocol - it
MUST communicate on the net. FDE and file encryption doesn't have to.
Automatic checks and updates are a nice-to-have feature, but aren't an
essential requirement.

If the userbase includes people who are trying to maintain a low profile,
it is essential that any application-specific communication with the net
take place only when and where the user OKs it.

Even a low profile user can usually find routes to safely perform checks
and obtain updates; that's how TC has been used up till now.

Peter Trei