I try to be fair to all vendors, and I’m always willing to look at their products. I point my corporate and government clients toward products that meet their needs. But TLP is about the average person, and it’s hard to beat a good level of security for free. As I often tell my clients, price, features, support. Pick two

As a result, we depend on bloggers and articles in free media sites to give us a “point of view” that we can put into our own context.

Interestingly, I am finding myself in a similar situation as you, and am only able to afford the time to evaluate products I’ve had the opportunity to use. I have, in fact, been approached by PR companies on behalf of their clients who are security vendors. So, I get a better look at their products and a chance to evaluate their merits. I don’t try to pick a winner as much as highlight their strengths. I don’t have time to argue about what information I may have missed.

But people still find the insights useful. Thanks for standing up for all of us who enjoy writing to bring our insights to others who appreciate them!

http://secunia.com/advisories/product/19432/

That site also shows no vulnerabilities in V5, three in V4.
Also http://www.cert.org shows no vulnerabilities for TrueCrypt.

It’s fair to say that TrueCrypt has no currently known vulnerabilities, unless Rynhere is aware of some through other means. If this is the case, then personally, I invite him to present a paper on such vulnerabilities.

The article was not intended as a overview of the market, and one can, as you point out, purchase that from Gartner. The point of the article is that people should be encrypting their notebook hard drives. In most cases any FDE product with pre-boot authentication would put people miles ahead of where they are now.

I’m not aware of any serious vulnerabilities in the current version of Truecrypt, and the fact that it is free open source software is great news for individuals and small businesses that need hard drive encryption. In today’s economy a good free security product is hard to ignore.

I haven’t had the opportunity to try out the PGP, Utimaco, or Guardian Edge products. If you are by chance connected with one of these vendors, do feel free to point your media relations person in my direction.

On the topic of certifications, while FIPS 140-2 is nice, calling it the “gold standard industry certification” is quite a stretch, especially when you don’t state which level of 140-2 you refer to. FDE Software can only be verified to FIPS 140-2 Level 1, which only really means that the cryptographic module in the software works right. To put this in perspective, you can download a free FIPS 140-2 Level 1 crypto library and use it in your product. FIPS 140-2 certification does not provide assurance that the software product as a whole provides any given level of security. If you’re serious about your cryptographic products you should be looking for both FIPS 140-2 (preferably Level 2) and EAL4 against a good protection profile.

But for the vast majority of us, any reasonable product that prompts the notebook thief for a passphrase prior to booting the operating system and that protects data from access via a boot CD or connecting it to another computer is good enough.

Your article is a poor overview of the drive encryption market, for one matter. You should have looked at the drive encryption vendors on the Gartner magic quadrant and correlated that with drive encryption products that at least hold industry certifications like FIPS 140-2, the gold standard industry certification that assures that a vendors encryption product functions as they assert.

For another issue, how in the world do you derive that Truecrypt should find itself on the “good product” list when it’s an open source utility that has many well documented vulnerabilities, including storing encryption keys in the clear (ie, unencrypted)?

Why didn’t you include PGP? or Utimaco? or Guardian Edge? in your “good vendor” list?

Please do research before throwing out baseless assertions about products that you likely used while you still lived at home and connected to the internet through AOL. Is that too much to ask?

For anyone who has missed the issue, border agents in Canada are abusing the \"border search exemption\" to examine and copy information from hard drives and other media without even as much as a reasonble suspicion of wrongdoing. The real issue is that when the exemption was put in place, there was no such thing as electronic data, and the border agents were searching physical goods. Now they feel that they also have the right to look at information, even though any other law enforcement officer in Canada would need to obtain a warrant.

The child pornography argument is simply positioning to make it harder for people to oppose. It is easier to violate people\’s rights if you can come up with a way to make anyone who objects seem like a bad guy. It\’s the \"if you don\’t have anything to hide\" falacy.

Interestingly enough, while there have been a lot of social and technical discussions on it, even by lawyers, what we haven\’t seen is discussion on the issue of whether or not border agents have the ability to compel one to disclose a password. I don\’t believe that they do, but of course I\’m not a lawyer.

AFAIK, they cannot compel the password from you, however. So if you don\’t want some border troll picking over your sensitive work files, your family pictures and personal information, it\’s important to have it encrypted. It\’s also important to have it backed up in case the device is seized.