All times are UTC - 8 hours




 Post subject: Veracrypt - volume encryption (TrueCrypt Fork)
PostPosted: Fri Jun 06, 2014 7:23 am 

Joined: Mon Dec 07, 2009 7:09 am
Posts: 3887
Location: Sol3
[Moderator note: this thread has been split from the TrueCrypt thread.]

---

Briefly checked user Mixture's alternative suggestions (http://www.portablefreeware.com/?id=199#comment26017).

IMHO, Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...

FYI, Veracrypt resides at http://veracrypt.codeplex.com/.


 
 Post subject: Re: TrueCrypt
PostPosted: Fri Jun 06, 2014 3:04 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
Midas wrote:
Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...

I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...

Quote:
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)

Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: TrueCrypt
PostPosted: Sun Jun 08, 2014 12:39 am 

Joined: Sat Jul 31, 2010 1:19 am
Posts: 1719
Location: Helsinki, Finland
webfork wrote:
Midas wrote:
Veracrypt should get our userbase urgent attention, in the interest of possible database inclusion...

I dunno ... Veracrypt license is MS-Pl, which isn't a license I have much faith in ...

Quote:
incompatible with the GPL and ... if you submit code with this license, your code can then be taken into a proprietary black hole by someone else.
(source)

Still, it's better than the TrueCrypt license (at least OSI-accepted) assuming their license allows for forks like this, which I guess Haller was calling into question above.


Well, based on the article you linked, Ms-PL is not bad at all.

According to the Free Software Foundation "it has a copyleft that is not strong, but incompatible with the GNU GPL". GPL incompatibility is not a big problem: it mostly means that no one can create a GPL fork of VeraCrypt.

"if you submit code with this license, your code can then be taken into a proprietary black hole by someone else" - it's arguably a feature. A developer can use Ms-PL if he/she explicitly wants to allow the code to be used in commercial programs. In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)

See also https://tldrlegal.com/license/microsoft-public-license-%28ms-pl%29.

There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicence the code as Ms-PL...

_________________
My YouTube channel | Release date of my 11th playlist: January 26, 2018


 
 Post subject: Re: TrueCrypt
PostPosted: Mon Jun 09, 2014 5:50 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
SYSTEM wrote:
There is one problem in VeraCrypt's licensing, though: I doubt the developers have permission to relicence the code as Ms-PL...

Yeah, true. However, I do want to talk about my hesitation with Ms-PL since this will probably come up again in the future...

SYSTEM wrote:
In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)

You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.

  • Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.

  • Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).

More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.

All that aside, we're not doing great in the security realm right now so if a great program comes out, I'll definitely use it regardless of my hesitations about the license.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: TrueCrypt
PostPosted: Mon Jun 09, 2014 8:10 pm 

Joined: Sat Jul 31, 2010 1:19 am
Posts: 1719
Location: Helsinki, Finland
webfork wrote:
SYSTEM wrote:
In my opinion such code is more free than code under the GPL. (However, I'd use an even more permissive license such as BSD or MIT.)

You're absolutely right that you are free to do whatever you want to do with the code. However, in practice I think this ends up being less free.

  • Some developers are bothered for example by the idea that what they're working on could get snapped up by some company who would add the marginal necessary features/polish and then sell it. This certainly happened with Microsoft who used the BSD networking stack and at least to some extent from Apple with Darwin. It might also explain the success of Linux over the many flavors of *BSD.
  • Some users are bothered by the fact that a company can take an open protocol or system, go commercial with it to adopt and improve it in a closed way, and then dump it later (the embrace, extend, extinguish strategy).


It's up to the developer if he/she wants to allow it. Not every company that uses open source is evil. :) More about it below.

webfork wrote:
More critically, I want a security program's code to remain open so that we can have audits like the one that was run on TrueCrypt. The GPL is a better license to encourage that type of analysis and ongoing scrutiny because the community is less afraid that it's going to get yanked into something commercial.


Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).

----

Myself I'm on the other side of the fence: I develop commercial software. We use some open source libraries such as Box2D. Of course we respect licenses and don't use GPL code at all.

We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements. :)

_________________
My YouTube channel | Release date of my 11th playlist: January 26, 2018


 
 Post subject: Re: TrueCrypt
PostPosted: Fri Jun 27, 2014 4:49 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
SYSTEM wrote:
Even if a company creates a closed-source fork of a security program, that doesn't automatically mean that the original open source project dies. They can coexist, or the closed-source project can die (e.g. if it's payware and no one is willing to pay).

No, it definitely doesn't imply an automatic death. No question there.

SYSTEM wrote:
We have no intention of killing Box2D or any other library we use. After all, we benefit from upstream improvements.

This is kind of a GPL vs. BSD argument in a bottle. The BSD crowd counts on openness being in everyone's best interests, whereas the GPL crowd is concerned about their work going into some company's "new" format.

The only other thing I can add here is that open formats aren't in the interests of a big company. A few examples that come to mind:

  • Microsoft has been making millions off its exclusive control of the standard office format for documents, spreadsheets, and presentations. They continually create "Microsoft" versions of existing technologies to try and grasp this in other areas (audio, network, video, etc.)

  • Apple makes a ton of money selling the only power adapter that really works for Apple laptops. Quicktime is remarkably bad at playing any video format other than those created by Apple products.

  • Google dumped the Open Document Format in favor of their own, developed their own browser even after they put quite a bit of time and money into Firefox.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: VeraCrypt
PostPosted: Thu Dec 04, 2014 4:15 am 

Joined: Mon Dec 07, 2009 7:09 am
Posts: 3887
Location: Sol3
VeraCrypt v1.0e released (changelog and downloads at http://sourceforge.net/projects/veracrypt/files/).

    UPDATE September 15th 2014 : VeraCrypt 1.0e is out with many security fixes and performance enhancements. [...] It supports MacOSX 10.6 and above and it requires OSXFUSE 2.3 and later (https://osxfuse.github.io/). MacFUSE compatibility layer must be checked during OSXFUSE installation. Also a Linux version is available [...] Linux and MacOSX releases are signed with a PGP key.



 
 Post subject: Re: Veracrypt
PostPosted: Mon Jan 05, 2015 5:56 pm 

Joined: Mon Dec 07, 2009 7:09 am
Posts: 3887
Location: Sol3
EDIT: it must be noted that for extensive coverage of the current TrueCrypt status (plus downright support -- and mirror), it's highly recommended to check security expert Steve Gibson's dedicated page at http://www.grc.com/misc/truecrypt/truecrypt.htm.

VeraCrypt v1.0f-1 released (changelog and download at http://veracrypt.codeplex.com/releases/view/565079).

Most importantly, VeraCrypt now supports TrueCrypt volumes and containers...

    Starting from version 1.0f, VeraCrypt can load TrueCrypt volumes. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.

    UPDATE January 5th 2014 : Support of the old TrueCrypt 6.0 has been included in VeraCrypt 1.0f-1, which is a minor update of VeraCrypt 1.0f.


 
 Post subject: VeraCrypt - TrueCrypt Fork
PostPosted: Sat Apr 04, 2015 9:29 am 

Joined: Thu Aug 04, 2011 10:01 am
Posts: 73
VeraCrypt is free disk encryption software that is based on TrueCrypt.

VeraCrypt adds enhanced security to the algorithms used for system and partition encryption, making it immune to new developments in brute-force attacks.
VeraCrypt also solves many vulnerabilities and security issues found in TrueCrypt. The following post describes parts of the major enhancements and corrections done so far: https://veracrypt.codeplex.com/discussi ... nt_1313325

As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data.

Starting from version 1.0f, VeraCrypt can load TrueCrypt volumes. It also offers the possibility to convert TrueCrypt containers and non-system partitions to VeraCrypt format.

Website
Database entry needs votes



Top
 Profile  
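The iteration counts quoted in abc's post translate directly into a cost per password attempt. The Python sketch below is an added example, not VeraCrypt code and not part of the original post: it uses the standard library's PBKDF2-HMAC-SHA512 with the 2000 and 500000 figures from the post. The toy header layout (a 64-byte salt plus an HMAC tag standing in for the real encrypted-header check), `MAGIC`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Iteration counts quoted in the post (standard containers, non-system partitions).
TRUECRYPT_ITERATIONS = 2000      # "at most 2000"
VERACRYPT_ITERATIONS = 500000    # SHA-2 and Whirlpool
MAGIC = b"VERA"                  # stand-in for the header's magic check (assumption)

def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA512; the 64-byte key length is an assumption of this sketch.
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)

def make_header(password: bytes, iterations: int) -> bytes:
    # Toy header: 64-byte random salt followed by an HMAC tag over MAGIC.
    # A real volume header is encrypted; the tag only models "did the key fit?".
    salt = os.urandom(64)
    tag = hmac.new(derive_key(password, salt, iterations), MAGIC, "sha512").digest()
    return salt + tag

def try_mount(header: bytes, password: bytes, iterations: int) -> bool:
    # One full PBKDF2 run per attempt: the legitimate user pays this once per mount.
    salt, tag = header[:64], header[64:]
    candidate = hmac.new(derive_key(password, salt, iterations), MAGIC, "sha512").digest()
    return hmac.compare_digest(candidate, tag)

def seconds_per_attempt(iterations: int, attempts: int = 3) -> float:
    # Average wall-clock cost of rejecting a wrong password at this iteration count.
    header = make_header(b"correct horse", iterations)  # constructed sample password
    start = time.perf_counter()
    for i in range(attempts):
        try_mount(header, b"wrong-%d" % i, iterations)
    return (time.perf_counter() - start) / attempts

def exhaust_time(wordlist_size: int, per_attempt_s: float) -> float:
    # Worst-case single-core seconds to test every entry of a wordlist.
    return wordlist_size * per_attempt_s

if __name__ == "__main__":
    for name, n in (("TrueCrypt", TRUECRYPT_ITERATIONS), ("VeraCrypt", VERACRYPT_ITERATIONS)):
        cost = seconds_per_attempt(n)
        print(f"{name}: {n} iterations, {cost:.4f} s/attempt, "
              f"{exhaust_time(10**6, cost) / 3600:.1f} core-hours per 10^6 guesses")
    print("work factor ratio:", VERACRYPT_ITERATIONS / TRUECRYPT_ITERATIONS)
```

The ratio is linear in the iteration count, so the higher count multiplies the cost of every guess by the same factor but does not change how many guesses a weak password needs.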
 
 Post subject: Re: VeraCrypt - TrueCrypt Fork
PostPosted: Sat Apr 04, 2015 9:53 am 

Joined: Thu Aug 07, 2008 4:51 am
Posts: 4139
@abc

https://veracrypt.codeplex.com/license

viewtopic.php?p=70024#p70024

_________________
Bəəs 2.0


 
 Post subject: Re: VeraCrypt - TrueCrypt Fork
PostPosted: Sat Apr 04, 2015 5:30 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
I am Baas wrote:
http://www.portablefreeware.com/forums/viewtopic.php?p=70024#p70024

Merged. This needed to get split from the TrueCrypt thread anyhow.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: VeraCrypt - TrueCrypt Fork
PostPosted: Fri Apr 10, 2015 2:02 am 

Joined: Mon Dec 07, 2009 7:09 am
Posts: 3887
Location: Sol3
abc wrote:
Database entry needs votes ...

    Edited and voted. Thanks. :)


 
 Post subject: Re: VeraCrypt - TrueCrypt Fork
PostPosted: Fri Apr 10, 2015 5:51 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
abc wrote:
Database entry needs votes

I made a few edits because I wanted to back off the notion of "immunity" to brute force and that the vulnerabilities are now "fixed". Hopefully that's the case but it might be a little soon to tell.

Edit: switched the license over to Ms-Pl. Though I noticed the TL:DR legal site you listed. Very interesting site.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: Veracrypt - volume encryption (TrueCrypt Fork)
PostPosted: Sun Jul 26, 2015 9:18 am 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
webfork wrote:
switched the license over to Ms-Pl

Happily, the authors switched over to Apache 2.0. Updated entry and voted.

Edit: few usage notes:

  • The license file included with the program download still lists the old license, which is probably binding
  • I was unable to create an NTFS volume. Although the help file suggests this is a limitation of those without admin privileges, I don't have this problem on my machine. I'm not sure what's wrong and I am unwilling to use FAT for anything but data I don't care if I lose. Edit: this was caused by my volume being too small.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 
 Post subject: Re: Veracrypt - volume encryption (TrueCrypt Fork)
PostPosted: Sat Aug 01, 2015 1:37 pm 

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7421
Location: US, Texas
User MoisheP noted in the entry comments that the program's inability to be uniextracted or opened with 7-zip means it's encrypted or less open than it should be. Some suggestions on this:

    1. Contact the developers and ask:

      A. ... what compression they used to figure out if there's a way to decompress it without executing self-extract code. It might even be listed in the forums.

      B. ... them to distribute a 7-zipped version

    2. Go ahead and execute the code inside a sandbox to see if it does anything bad, then analyze the components

    3. Build the software from source and skip the compression bit

For the record, I don't think this is a serious concern with regard to Veracrypt's security. I think the EXE distro is more than adequate for analysis in VirusTotal, since that tool's reputation analysis isn't independent of the extracted contents. As a long time TrueCrypt user, I think there are much more pressing questions, specifically around whether VeraCrypt can reasonably secure computers in a very weird era of security.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org

