Trust Issues

donaldelgato
Posts: 2
Joined: Sat Aug 29, 2020 11:33 pm

Trust Issues

Post by donaldelgato »

Hello.

First, I would just like to say thank you for this work. It looks very promising.

I tried to ask these questions over on a different security forum. But they appear to be pruning posts there before allowing them to be public (which is a bit suspicious if you ask me). So, anyway:

I am interested in DiskCryptor because it appears to perform better than VeraCrypt, and the technology decisions behind other options like BitLocker seem surprisingly behind (deliberately?).

However, while it seems like a great thing that DC code is open source, that has to be paired with actual reviewing of the code. Trust is created if/when security-related code actually is reviewed by competent people (I, for example, could not competently review any code for security flaws).

Maybe it's because this fork is relatively new and only time is needed. But I'm having a hard time seeing the necessary elements that would at least suggest this code is being properly scrutinized. The forum only has a few members who have posted anything. I see almost no external sites reviewing the software, let alone the code. Almost no serious/technical comparisons with other products. I don't see any security audits completed or planned. I don't know who the author(s) are or why I should trust them. Without those elements, how can I know that this project is not something other than what it is described as?

Please don't take offense. I am pointing out these concerns because I am hoping that you or someone else can provide good answers. Maybe an audit is planned?

DavidXanatos
Posts: 48
Joined: Mon Jan 27, 2020 8:05 pm

Re: Trust Issues

Post by DavidXanatos »

It's a non-profit project, so unless a security company will do an audit for free, there will be no audit done.

As no one has offered to audit the code, no audit has been done yet.

I understand the concerns, and probably the best approach is to diff the code with the original DC source to see that all the changes made don't affect security.
Of course that assumes that the original code is secure.

It's kind of a chicken-and-egg problem: any security company will only do a free review if they expect it to be publicized enough to be a worthwhile marketing ploy.
But without a security audit, probably fewer people will use it, hence the marketing impact of a free audit will not be as big.

An alternative would be to crowdfund an audit, but then again, for that enough interested users are required.

David X.
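The reply above suggests diffing the fork against the original DC source so that only the changed code needs reviewing. The script below is an added illustration of how a reviewer might scope that work; it is not code from the DiskCryptor project or from either poster. It builds two small constructed source trees, lists every file that differs between them, and pulls out the changes under paths a reviewer would read first. The directory layout (`crypto/`, `boot/`, `driver/`, `ui/`) and the file contents are assumptions made for the demonstration, not the real DiskCryptor tree.

```shell
#!/bin/sh
# Added example (not DiskCryptor project code): scope a review of a fork by diffing
# its tree against the upstream source and flagging changes under security-sensitive
# paths. Directory names and the sensitive-path list below are assumptions.

# Build two small constructed trees, "upstream" and "fork", under a temp directory
# and print that directory's path. Contents are made up for the demonstration.
make_sample_trees() {
  root=$(mktemp -d)
  mkdir -p "$root/upstream/crypto" "$root/upstream/ui" "$root/fork/crypto" "$root/fork/ui"
  # identical in both trees
  printf 'aes_encrypt(block, key)\n' > "$root/upstream/crypto/aes.c"
  printf 'aes_encrypt(block, key)\n' > "$root/fork/crypto/aes.c"
  # constructed change in a sensitive file: key-derivation iteration count differs
  printf 'derive_key(pw, salt, 1000)\n' > "$root/upstream/crypto/pkcs5.c"
  printf 'derive_key(pw, salt, 500)\n'  > "$root/fork/crypto/pkcs5.c"
  # constructed cosmetic change outside the sensitive paths
  printf 'label = "DiskCryptor"\n'      > "$root/upstream/ui/main.c"
  printf 'label = "DiskCryptor fork"\n' > "$root/fork/ui/main.c"
  # constructed file that exists only in the fork
  printf 'about dialog\n' > "$root/fork/ui/about.c"
  echo "$root"
}

# Print every path (relative to the tree root) that was changed, added or removed
# between ROOT/upstream and ROOT/fork, one per line, sorted. Paths with spaces are
# not handled, which is fine for a typical C source tree.
changed_files() {
  root="$1"
  (cd "$root" && diff -rq upstream fork) | awk '
    # "Files upstream/x and fork/x differ"        -> x
    /^Files / { p = $2; sub("^[^/]*/", "", p); print p }
    # "Binary files upstream/x and fork/x differ" -> x
    /^Binary files / { p = $3; sub("^[^/]*/", "", p); print p }
    # "Only in fork/ui: about.c" -> ui/about.c ; "Only in fork: foo" -> foo
    /^Only in / { d = $3; sub(":$", "", d); sub("^[^/]*/?", "", d)
                  print (d == "" ? $4 : d "/" $4) }
  ' | sort
}

# Assumed sensitive path prefixes; adjust to the real tree being reviewed.
SENSITIVE_RE='^(crypto|boot|driver)/'

# Subset of changed_files that falls under the sensitive prefixes (empty if none).
sensitive_changes() {
  changed_files "$1" | grep -E "$SENSITIVE_RE" || true
}

# Count lines portably (strips the padding some wc implementations print).
count_lines() { wc -l | tr -d ' '; }

# Human-readable summary: everything that differs, then the high-priority subset.
report() {
  root="$1"
  echo "Changed files (review all of these):"
  changed_files "$root" | sed 's/^/  /'
  echo "Changes under sensitive paths (review these first, line by line):"
  sensitive_changes "$root" | sed 's/^/  /'
}

root=$(make_sample_trees)
report "$root"
rm -rf "$root"
```

The point of the split is workload: a fork that touches only UI strings and a fork that changes the key-derivation code both show up as "has changes", but only the second needs a cryptographer's attention. Against a real fork, replace `make_sample_trees` with two checkouts (the upstream tag the fork branched from and the fork's release) and keep the rest; the reviewer then reads `diff -u` of each flagged file rather than the whole code base.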
