[ciphershed] Re: Protectorion - low quality encryption for Windows

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Fri, 27 Jun 2014 11:09:24 +0800

On Thu, 26 Jun 2014 22:14:55 -0400
"Alain Forget" <aforget@xxxxxxx> wrote:

> >-----Original Message-----
> >From: ciphershed-bounce@xxxxxxxxxxxxx [mailto:ciphershed-
> >bounce@xxxxxxxxxxxxx] On Behalf Of Jason Pyeron
> >Sent: Thursday, June 26, 2014 21:15
> >To: ciphershed@xxxxxxxxxxxxx
> >Subject: [ciphershed] Re: Protectorion - low quality encryption for Windows
> >
> >> -----Original Message-----
> >> From: Bill Cox
> >> Sent: Thursday, June 26, 2014 21:11
> >>
> >> Jos skyped me this morning that Protectorion used
> >> @TrueCryptNext in a tweet apparently as an advertisement to
> >> switch to using their closed-source Windows encryption tool.
> >> I told him I'd check it out, and here is what I found.
> >>
> >>
> >> Protectorion is a very poor security tool which puts making
> >> money over security.  When you start it, it phones home, with
> >> a lengthy HTTP exchange with their servers in Germany.  This
> >> is likely for auto-update, but it also tells them and any ISP
> >> listening exactly who is using this encryption.  There is no
> >> easy way to verify that it is not sending all sorts of
> >> personal data to their servers.
> >>
> >>
> >> Being closed source, I cannot review any of their algorithms.
> >>  However, the install process requests a "master password"
> >> and gives a nice "strength" meter.  I used 123456789123456
> >> and got the maximum strength score!  It didn't even check to
> >> see if I had used any non-digits.  Also, the world's most
> >> common password, 123456, rated a "medium" score.  There is no
> >> delay in opening the safe, so there's no decent memory-hard
> >> key stretching or VeraCrypt style high-count PBKDF2.
> >
> >But it is more secure than the Air Shield in SpaceBalls.
> >
> >>
> >>
> >> They automate putting the encrypted volume in Dropbox.  Well,
> >> kudos for providing better privacy for DropBox, but anyone
> >> using a weak master password puts both their data and their
> >> password at risk using this feature.  Their marketing
> >> material claims their password meter ensures high security,
> >> but it's a joke.
> >>
> >
> >Nice review.
> >
> >
> 
> Very good to know about and be aware of, but we need to keep in mind that, 
> from the user's perspective, they usually can't tell the difference between 
> what's actually secure, and what's crap. All they know is what's the easiest 
> to use and what they trust the most. There's no easy solution to this, but 
> it's worth keeping in mind that relatively insecure solutions like that could 
> win the hearts of users if we don't consider the end-users carefully enough.
> 
> Alain
> 
> 


Exactly, the average user can't tell. Since people of that kind are
already starting to try to pull people from TCNext's popularity, we
should really quickly get ready for Jo to spread the news about CipherShed.

-- 
Niklas

At the time of writing, no warrants have ever been served to me, Niklas
Lemcke, nor am I under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my
assets.

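An added illustration (not part of the thread, and not code from Protectorion or CipherShed) of the two weaknesses Bill Cox's review describes: a strength estimate that does not reward a digit-only repeated sequence, and PBKDF2 key stretching that makes every unlock attempt cost real time. The blocklist, the function names and the iteration count are assumptions made for this example.

```python
import hashlib
import math

# Constructed sample blocklist; a real check would load a large breached-password list.
COMMON = {"123456", "123456789", "password", "qwerty", "111111"}

def charset_size(pw):
    """Size of the alphabet the password actually draws from."""
    size = 0
    if any(c.isdigit() for c in pw): size += 10
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(not c.isalnum() for c in pw): size += 33
    return size or 26  # fallback for scripts without case, e.g. CJK

def shortest_period(pw):
    """Length of the shortest block that, repeated, reproduces pw."""
    for p in range(1, len(pw) + 1):
        if all(pw[i] == pw[i % p] for i in range(len(pw))):
            return p
    return len(pw)

def is_sequence(s):
    """True for runs such as 123456 or fedcba (constant step of +1 or -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 2 and steps in ({1}, {-1})

def estimate_bits(pw):
    """Rough upper bound on guessing entropy in bits; patterns score near zero."""
    if not pw or pw.lower() in COMMON:
        return 0.0
    unit = pw[:shortest_period(pw)]  # "123456789123456" collapses to "123456789"
    if unit.lower() in COMMON or is_sequence(unit):
        return math.log2(len(pw))    # only the total length is left to guess
    return len(unit) * math.log2(charset_size(unit))

def derive_key(pw, salt, iterations=500_000):
    """PBKDF2-HMAC-SHA512 key stretching; the default count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha512", pw.encode(), salt, iterations, dklen=32)

if __name__ == "__main__":
    for pw in ("123456", "123456789123456", "tK9#vLq2$Zx7"):  # constructed inputs
        print(f"{pw!r}: about {estimate_bits(pw):.1f} bits")
```

A length-times-alphabet score is still an upper bound, so a passphrase built from dictionary words will rate higher here than it deserves.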