Hacker News new | past | comments | ask | show | jobs | submit login
Encryption toolkit for media makers: A VeraCrypt guide (freedom.press)
42 points by gasull 3 months ago | hide | past | web | favorite | 15 comments

I don't trust VeraCrypt very much. Mounir Idrassi's company IDRIX was founded in 2006 in Paris and it is one of the classical shady government-near companies that could have close ties to intelligence agencies. Note that I say could not has.

You cannot find any extensive CV of Idrassi online and he played no noteworthy role in international cryptography, neither as a professional nor as an enthusiast, before he forked TrueCrypt into VeraCrypt. Moreover, France has a long anti-cryptography tradition and a fairly extensive and powerful intelligence apparatus.

My apologies to Idrassi for casting doubt on him, but that's how trust works. It's a personal evaluation. From the publicly available information there are enough reasons for me to consider the sudden cessation of TrueCrypt development and the fast takeover by VeraCrypt suspicious.

Sure, you can compile it on your own but if you don't do that, do you also audit and reverse-engineer the binaries?

The article proposes a concrete solution to a problem for media makers: if you need to protect your files, here is a tool you can use, and here is how to use it.

Your response is 'I don't trust this tool'.

The next question from the target audience would then be: 'OK, so what are we supposed to use?'

What would be your response?

Keep in mind, these are users most likely running Mac or Windows to do various media production tasks. Telling them to fire up your pet distro of choice and set up LUKS is not a pragmatic solution.

I don't think saying "be aware of the trust issues" is necessarily dismissing VeraCrypt. OP's point is that you need to keep that in mind when making a decision. The idea that keeping yourself secure is as simple as using a tool is a massive mistake, it's a process. With physical security, we've largely internalized this process, but digital security is something lots of people still don't understand.

But to answer your question, I think that the most reliable form of file encryption remains, probably uninterestingly, GPG. It's not easy and it's not perfect, lacking several advantages of block based tools like VeraCrypt, but it's well tested and publicly vetted. If you are working alone BitLocker and File Vault are both good options for solo use.

I think there is some muddling of the issues at hand here.

Yes, security is a process and involves situation-specific threat modeling, risk assessment, and behavioral conditioning. It is not just a 'here use %foo' band-aid. I don't think anyone here is disputing this.

But that is not the issue here. The issue is that once you've developed your personalised threat model, the issue of which specific tools to use is a very real one. OP has cast ad hominem FUD on VC, and provided no reasonable alternative, leaving someone to ask 'OK, if VC is not trustworthy, what is?' Security is a holistic process, yes, but that by definition includes tools alongside a valid threat model.

So back to the matter at hand: GPG does not provide the functionality that VC does (no FDE, no deniability), and BitLocker and File Vault are closed-source toolkits, are you really proposing them as viable trustworthy alternatives to VC? Which brings us back full circle to the original issue: if VC is deemed not trustworthy by OP, what is a user to use instead?

Is the article proposing that you need an open source FDE solution with deniability? Considering it refers to using Disk Utility as an option if everyone is on MacOS, then I don't think that's what it is going for. It also assumes that these users are using Windows/MacOS, so the need for open source tools doesn't seem to be a primary concern for this organization. I don't personally have a lot of problems with VeraCrypt, but I think most people this article is aimed at would be well served by File Vault and Bit Locker since we have no reasons not to trust those organizations and some reasons to believe they have put their money where their mouth is when it comes to file encryption.

But yes, if what you want is open source FDE with deniability, and cross platform support (not sure why you need cross platform support for FDE) then VeraCrypt is your tool.

Safe guarding data is more of a process than a tool. It's not what software, SaaS, website - but more DO's and DON'Ts.


The guide you link to is ultimately a lengthy exposition of how to use various tools, including a full section on Veracrypt.

The whole purpose of cryptography is that we do not need to trust in people.

In crypto we trust.

Veracrypt is open source and has been audited by OSTIF. It would be best to review code before accusing someone of such a heinious act. :/

When someone attacks the messenger or developer instead of the facts or the code, there could be some kind of agenda. Hope that’s not what it is.

That's absolutely silly and gullible because of the following reasons:

1.) No, cryptography does not replace the trust in people. Your dead wrong if you think so. You need to trust the maker of the cryptographic software, whether it's open source or not, and even if the software has been audited. The only exception would be that you have team of experts who continuously audit the source code and compile every executable themselves. Then, of course, you can also just fork it and develop it yourself. Other than that, you better trust the source.

2.) I was explicitly talking about the binaries. The vast majority of all users will download the binaries and never check the source code. Moreover, if you check the source code, then this gives you no reason to trust the binaries.

Here's how I would do it, if I was working for an intelligence agency supplying bogus open source software: I'd put audited and correct sources on the web, but would make them hard to compile (e.g. complicated dependencies, tool chain setup). Then I would put binaries on the web page, too. And then I would check who downloads the software and based on some heuristics either deliver a perfectly fine web page+binary or a compromised web page+binary to the recipient, depending on whether I want to collect intelligence from that person or not.

Another, simpler method is to ensure that there is always some exploitable bug in the software. If that is found by external auditors, just introduce a new bug. The underhanded C contest shows you how it's done.

In any case, before you start talking about encryption again, we're talking about side channel attacks, of course.

The previous authors of TrueCrypt were full out anonymous...

If you're not afraid of using the command line, dm-crypt is a much better alternative: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_...

(Needless to say, the Arch wiki is an excellent resource for those getting started with Linux.)

Does LUKS provide plausible deniability via hidden volumes like Veracrypt does ? I imagine that this is important for the use case.

To answer my question, a web search delivers:


I have not tried this.

The Freedom of the Press guide is geared towards media producers. Users who need to make heavy use of Adobe, Apple, Avid production tools. Telling them to 'just get started with Linux' is not a realistic, workable approach and in a real-world setting simply results in them either not using anything or using even worse solutions.

While 'use linux' isn't helpful, mentioning that something is common to linux at least lets me know that I could check in with brew to see if I can use it on a Mac. If so, I can learn it to see if there's a way to make it easier for less technically skilled users. So sure, a comment could be better phrased as 'is there a way to use app X commonly available on linux on other platforms?' But at least apps are getting mentioned for others to investigate.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact