Re: TrueCrypt 4.0 Out

From: David Wagner (
Date: 11/06/05

Date: Sun, 6 Nov 2005 22:30:49 +0000 (UTC)

Kelsey Bjarnason wrote:
>On Fri, 04 Nov 2005 21:49:04 +0000, David Wagner wrote:
>> That's exactly backwards. When choosing an information security
>> system, you should assume it insecure until proven secure. Doing
>> anything else leads to a very high risk of security breaches.
>So what system are you going to use? This leaves out any conventional
>system - RSA, for example - because they're not provably secure.

Probably the word "proof" is too strong. I would look for systems
where there is positive evidence for their security. We might not have
mathematical reason, but we have some reason to believe that RSA is
probably pretty good.

Probably the most important point I wanted to make, though, is that
absence of evidence of insecurity is not the same as evidence of security.
