by y-satellite 4397 days ago
The most obvious difference is that the TrueCrypt code has had at least the first stage of a formal security audit done, which uncovered no evidence of backdoors. With BitLocker being closed source and no public audits being done, you don't have the same guarantees. BitLocker may be perfectly secure, but I feel I'm justified in saying that its status is much more uncertain.
1 comments

Most aspects of TC were never publicly audited. People were using it on blind faith only: betting that if somebody had cared to audit it, he'd publish his findings too.

You can have the same assumption for BitLocker.

Except Microsoft, for all their protest about backdoors from this project, have actually changed fundamental design aspects of their products, like Skype, Hotmail, Outlook.com, and SkyDrive, in order to enable wholesale spying while advertising 'encryption'.

You wouldn't trust the drunk driver who's crashed his last few vehicles to borrow your car. The intelligence agencies own Microsoft, as far as users are concerned, and when cryptosystems have to be crippled for their priorities, we can't expect them to hold up to other attacks.

For TC we have this story: http://wroot.org/posts/daniel-dantas-hard-drive-encryption-w...

And for MS there is this story: http://www.geekwire.com/2013/report-microsoft-nsa/

This is of course no evidence for the (in)security of TC/Bitlocker, but I would call it indirect evidence, and certainly more than 'blind faith'.

You can't audit BitLocker; its source is not available. That's a huge difference.
Microsoft has special licensing models where the sources for the OS are available. Somebody looks at that, at least as much as somebody was expected to detect the bug in OpenSSL, or to review TrueCrypt, and nobody did until recently, because, well, let somebody else care.

So as far as I understand, it is possible to audit Microsoft's crypto code too. I can imagine the audit of crypto code wouldn't find anything. The real problem is:

http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

"Crypto won't save you either"

"Crypto Summary:

Number of attacks that broke the crypto: 0

Number of attacks that bypassed the crypto: All the rest

- No matter how strong the crypto was, or how large the keys were, the attackers walked around it"