Has anyone had any experience with this program, I'd like an opinion
before I buy, how good is it?
Q: Has the DriveCrypt Plus Pack encryption ever been broken/hacked?
A: No! In the past, we have also launched several contests offering up
to 100,000 US$ for the first person able to open a DriveCrypt encrypted
disk…
Nobody succeeded! (See our press section for more details)
Q: Is there a back door in your software?
A: No. There is no "back door" in our software, and there is no point
in making one as we might risk losing the good reputation of our
products. Besides this, today there is no law in Germany that can force
us to make one in our software.
Q: We are from the "Police" "Tax authority" "Security Company"…. and
are investigating on someone whose computer is protected with your
DriveCrypt software. Since we were not able to break into the protected
computer ourselves, could you please assist us getting access to the
encrypted data? If requested, we can provide you with a court order.
A: Sorry, but our software has been designed to be the most secure in
the industry, and as such not even our programmers are able to break
into a DriveCrypt encrypted computer.
The only way to get access to the protected data is by entering the
correct password known only by the legitimate user.
Q: Does DCPP works with Windows Vista ?
A: Yes, starting from version 3.9 of DCPP Windows Vista (32 bit)
compatibility where added.
Q: Can I encrypt my entire operating System with DCPP ?
A: Yes, you can encrypt your entire operating system without loosing
any data on it.
Q: Does installing DCPP require a complete reinstall of WinXP and
previously installed programs?
A: No, you can just install DCPP on top of the operating system, DCPP
makes the rest.
Q: Does any software and hardware that runs under WinXP / Win Vista
also run under XP/Vista with DCPP?
A: Yes
Q: Does one lose any OS or PC functionality by using DCPP ?
A: Hibernate will not work when using DCPP.
Q: Can one use any DOS based tools on the DCPP disk ?
A: Yes. But in read only mode
Q: Can one use partitioning tools like Partition Magic with DCPP ?
A: No. DCPP encrypts the whole partitions and partitioning tools are
not able to understand the DCPP format.
Q: Can one use imaging tools like Acronis with DCPP
A: Yes, see DCPP user manual for instructions.
Q: Can one use the WinXP recovery console if needed?
A: No, not if the boot disk is encrypted
Q: Does DCPP encrypt only an entire disk or can it work on individual
volumes/partitions?
A: It encrypts individual partitions.
Q: Does DCPP work with hardware RAID? Software RAID?
A: We did not test it, so for now RAID is not supported.
Q: What happens if WinXP /Vista or other software crashes?
A: DCPP allows creation of a Recovery Disk, with this disk you can
decrypt the operating system with the bootable Floppy Disk or CD. Then,
after entering your password, the recovery disk will allow you to
decrypt the disk from the DOS level. This is useful if the operating
system gets corrupted and does not boot anymore normally.
Q: How vulnerable is DCPP to corruption errors? Is there any mechanism
to recover the disk after some corruption?
A: Yes there is the emergency repair disk, which handles recovering
from a corrupt MBR
Q: How much performance penalty is there when running WinXP / Win Vista
under DCPP?
A: Usually the user will not notice any loss of performance, however it
may be possible to measure a loss of 1-3%. This numbers are very system
specific.
Q: Does DCPP work with dynamic volumes?
A: No. If you also need to work with dynamic volumes, please consider
using DriveCrypt in combination with DCPP.
Q: What is the purpose of this new DCPPaid.exe file ?
A: The purpose of this file is to keep reminding the user that his
DriveCrypt Plus Pack evaluation period has expired and he should now
uninstall the software. We Did not think it fair to deny him access to
his disks, or suddenly remind him that it would be unavailable pretty
soon, so we designed this reminder program, which cannot be removed
without uninstalling DriveCrypt Plus Pack. The DCPPaid file is not
spyware, and we do not use it to communicate or store anything about the
user's activities.
Q: I would like to have a personalized version of your software, is
this possible?
Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info https://www.mixmaster.it
I don't want to knock them out of business, but TrueCrypt is free and
open source. I would go with them. You have to take DriveCrypt's word
concerning not having a back door. Even their claim to not having one
because of the loss of reputation can not be verified. For all you
know this could be an intelligence agency front company. Go with
TrueCrypt.
anonymous <anon@domain.invalid> wrote in news:ggjjsk$sst$1
@news.mixmin.net:
> I don't want to knock them out of business, but TrueCrypt is free and
> open source. I would go with them. You have to take DriveCrypt's word
> concerning not having a back door. Even their claim to not having one
> because of the loss of reputation can not be verified. For all you
> know this could be an intelligence agency front company. Go with
> TrueCrypt.
>
> http://www.truecrypt.org/
Truecrypt is an excellent program BUT...
1) You have no idea who the developers are (they remain pseudonymous)
2) Very few people compile the Windows binaries from source; it is
exceedingly difficult to generate binaries from source that match the
binaries provided by Truecrypt (due to compiler options, etc.)
3) There are NO (zip, nada, zilch) published detailed reviews of the
source code. Availability of open-source *doesn't* mean that reviews
actually get done!
4) Truecrypt has ruthlessley suppressed all earlier versions (from
wayback, sourceforge, oldapps, etc.) even though they were supposedly
open-source (thus making incremental review impossible). This is
ominous!
5) There is no public mechanism for submission and review of bug
reports, etc. Any bug database, etc. is CLOSED! to the public, with only
a "bug report form" available that goes into a black hole unacknowledged.
6) The Truecrypt forums are run in an exceedingly autocratic and
unfriendly way, with many posts arbitrarily removed. Many topics (not
just the ones in the posting guidelines) are "off limits." Moreover, the
forums sometimes close unexplained for long periods (a month or more) and
reemerge with many posts purged. The moderators make it very difficult
for posters to contact each other directly.
7) The license for Truecrypt is NOT open source (e.g., doesn't meet OSI
criteria) and is quite restrictive.
There are a number of rationales presented in defence of the above points
by the developers (e.g., centralized control, quality, reputation, etc.)
but they are all, IMHO, very weak in contrast to the opposing views.
In short, there is NO substantive public evidence that Truecrypt's source
code has been the subject of thorough review, nor is there any reason to
rely on the credentials of the developers (since they remain anonymous).
In that absence, using Truecrypt is an act of blind faith every bit as
much (or more!) than using a closed-source encryption program.
nemo_outis wrote:
> anonymous <anon@domain.invalid> wrote in news:ggjjsk$sst$1
> @news.mixmin.net:
>
>> I don't want to knock them out of business, but TrueCrypt is free and
>> open source. I would go with them. You have to take DriveCrypt's word
>> concerning not having a back door. Even their claim to not having one
>> because of the loss of reputation can not be verified. For all you
>> know this could be an intelligence agency front company. Go with
>> TrueCrypt.
>>
>> http://www.truecrypt.org/
>
>
> Truecrypt is an excellent program BUT...
>
> 1) You have no idea who the developers are (they remain pseudonymous)
>
> 2) Very few people compile the Windows binaries from source; it is
> exceedingly difficult to generate binaries from source that match the
> binaries provided by Truecrypt (due to compiler options, etc.)
>
> 3) There are NO (zip, nada, zilch) published detailed reviews of the
> source code. Availability of open-source *doesn't* mean that reviews
> actually get done!
>
> 4) Truecrypt has ruthlessley suppressed all earlier versions (from
> wayback, sourceforge, oldapps, etc.) even though they were supposedly
> open-source (thus making incremental review impossible). This is
> ominous!
>
> 5) There is no public mechanism for submission and review of bug
> reports, etc. Any bug database, etc. is CLOSED! to the public, with only
> a "bug report form" available that goes into a black hole unacknowledged.
>
> 6) The Truecrypt forums are run in an exceedingly autocratic and
> unfriendly way, with many posts arbitrarily removed. Many topics (not
> just the ones in the posting guidelines) are "off limits." Moreover, the
> forums sometimes close unexplained for long periods (a month or more) and
> reemerge with many posts purged. The moderators make it very difficult
> for posters to contact each other directly.
>
> 7) The license for Truecrypt is NOT open source (e.g., doesn't meet OSI
> criteria) and is quite restrictive.
>
> There are a number of rationales presented in defence of the above points
> by the developers (e.g., centralized control, quality, reputation, etc.)
> but they are all, IMHO, very weak in contrast to the opposing views.
>
> In short, there is NO substantive public evidence that Truecrypt's source
> code has been the subject of thorough review, nor is there any reason to
> rely on the credentials of the developers (since they remain anonymous).
> In that absence, using Truecrypt is an act of blind faith every bit as
> much (or more!) than using a closed-source encryption program.
>
> Regards,
DriveCrypt does have an excellent reputation...... And good support.
It looks like the best on the market now are the paid PGP products and
the DriveCrypt Plus Pack.
John Smith <nym@invalid.org> wrote in
news:492d9b8a$0$26143$ec3e2dad@unlimited.usenetmon ster.com:
> DriveCrypt does have an excellent reputation...... And good support.
> It looks like the best on the market now are the paid PGP products and
> the DriveCrypt Plus Pack.
With commercial developers there are a number of things to look for:
1) Company rep
2) Product rep (including bugtraq bugs, etc.)
3) Company Support
4) Price
5) For the paranoid: Company location (outside US, NATO countries, etc.)
6) Product features (especially whether you need the "corporate
adminsitrative stuff" - most vendors make most of their money from
companies, not consumers)
7) Third-party certification, especially FIPS-2.
For instance, Winmagic's Securedoc (from Canada) has FIPS-2 Level 2
certification. No, that isn't equivalent to open-source and some people
believe even the independent FIPS labs may be compromised, but it does
mean the product has undergone a rigorous independent review using a
standardized process.
However, getting FIPS-2 certification is costly and some feel it is
mostly just a marketing thing (like ISO 9000) so that it can be bought by
government and corporate customers who have to comply with shit like
HIPAA and need to cover their butts for necessary certifications/due
diligence.
My personal preference (yes, even over Truecrypt) is closed-source
commercial Bestcrypt Volume Encryption from Jetico (in Finland). Cutting
edge technology (RAID, XTS, multi-password, etc.) from a company with a
long track record. (No FIPS-2 cert though.)
While Bestcrypt or Truecrypt is enough for most, for those with serious
needs I recommend taking the performance and complication hit and using a
multi-layer approach which largely eliminates any single point of failure
(e.g., if one product has a bug or backdoor).
For instance, one might use a Seagate Momentus FDE-2 hardware-encrypted
drive, with Bestcrypt whole-disk encryption layered on. Real paranoids
might even add a third layer, keeping especially sensitive data in
Truecrypt container files.
> Has anyone had any experience with this program, I'd like an opinion
> before I buy, how good is it?
Forget Drivecrypt... there's at the very least three open source,
time tested, free alternatives that aren't distributed by snake
oil peddlers with strong ties to known net scum like the "Evidence
Eliminator" spammers and Privacy.LIE criminals.
> Q: Has the DriveCrypt Plus Pack encryption ever been broken/hacked? =20
Hard to say. We don't KNOW of any such incident, but it's quite
possible DCPP even has some sort of "back door" coded right into it
so that anyone with the keys can hack right in no problem. Let
alone some flaw that someone discovered and hasn't released for
obvious reasons.
> A: No! In the past, we have also launched several contests offering up
> to 100,000 US$ for the first person able to open a DriveCrypt encrypted
> disk=E2=80=A6 =20
> =20
> Nobody succeeded! (See our press section for more details) =20
Anyone who knows anything about encryption software knows what a
sham these sorts of challenges really are. They prove nothing.
Smoke and mirrors designed to cover up the fact that you don't have
enough faith in your own product to subject it to critical, expert
analysis.=20
> Q: Is there a back door in your software? =20
> =20
> A: No. There is no "back door" in our software, and there is no point
> in making one as we might risk losing the good reputation of our
Tell it to the people at JAP, suckers. That little incident both
highlighted the fact that encryption software absolutely CAN and IS
back doored in spite of any concerns about "reputation", and how
open source can be a viable tool against such attacks.
> products. Besides this, today there is no law in Germany that can force
> us to make one in our software. =20
ROTFL!
JAP was back doored by the **German** authorities.
Anonymous <cripto@ecn.org> wrote in
news:20081127001123.360691A77CB@isole:
> nemo_outis wrote:
>
>> My personal preference (yes, even over Truecrypt) is closed-source
>> commercial Bestcrypt Volume Encryption from Jetico (in Finland).
>> Cutting
>
> 1. Bestcrypt isn't closed source, you ninny.
Bestcrypt Volume Encryption, the whole-disk version for Windows, is
closed source. *Some but NOT all* of the source code is available for
review under the SDK (software development kit), and furthermore even
this limited source code is NOT provided under an open-source licence.
(PGP Whole Disk Encryption also makes part but NOT all of its source code
available under a restrictive licence, and it too is not open source.
Bestcrypt makes all its Linux source code available for inspection, but
NOT under an open-source licence. Further, the Linux version does NOT
provide whole disk encryption.)
Bestcrypt (and PGP) are to be commended for this, but it falls far short
of making them open-source programs. Being only "partly closed-source" is
like being only "slightly pregnant."
> 2. What happened to you prattling on about it being "whole disk"?
Bestcrypt is described as "Whole disk encryption" under the first bullet
of the Wikipedia subheading "Features" in its article on Bestcrypt. http://en.wikipedia.org/wiki/BestCrypt
Further, even the opening defining words of the Wikipedia article on the
topic treat "full disk encryption" and "whole disk encryption" as
synonymous. http://en.wikipedia.org/wiki/Full_disk_encryption
If you, who are terminologically obtuse, disagree, go argue with the
Wikipedia and stop being a nuisance here.
> 6) The Truecrypt forums are run in an exceedingly autocratic and
> unfriendly way, with many posts arbitrarily removed. Many topics (not
> just the ones in the posting guidelines) are "off limits." Moreover, the
> forums sometimes close unexplained for long periods (a month or more) and
> reemerge with many posts purged. The moderators make it very difficult
> for posters to contact each other directly.
I second that, Truecrypt forums are extremly low quality, they go down
when they feel like it and you can not register with them unless you
use your ISP email which takes away your anonymity.
>
> 7) The license for Truecrypt is NOT open source (e.g., doesn't meet OSI
> criteria) and is quite restrictive.
Quite right, this is the reason why almost all of the Linux
distributions will not include truecrypt, because they do not use the
GPL License. When I have suggested some distro developer to include
Truecrypt out of the box they always point at me at their restrictive
license. Open source does not mean it is necessary GPL licensed.
>> products. Besides this, today there is no law in Germany that can force
>> us to make one in our software. =20
>
> ROTFL!
>
> JAP was back doored by the **German** authorities.
>
Thats correct, and Hushmail was backdoored by the Canadian
authorities at the request of the FBI.
But a HD encryption product is different from a proxy or Email
service, JAP and Hushmail both where backdoored to spy on a
SINGLE individual, if you backdoor a HD encryption product then
all users will be compromised regardless of who they are, this is not
admissible by any country standards, US,Germany or France.
It has been done in the past to intercept communications in mass, but
this remains illegal and no court will authorise this. This kind of
"intelligence" can not usually be used in court against you.
> Anonymous <cripto@ecn.org> wrote in
> news:20081127001123.360691A77CB@isole:
>
> > nemo_outis wrote:
> >
> >> My personal preference (yes, even over Truecrypt) is closed-source
> >> commercial Bestcrypt Volume Encryption from Jetico (in Finland).
> >> Cutting
> >
> > 1. Bestcrypt isn't closed source, you ninny.
>
> Bestcrypt Volume Encryption, the whole-disk version for Windows, is
> closed source. *Some but NOT all* of the source code is available for
Sorry, but you're mistaken.
> (PGP Whole Disk Encryption also makes part but NOT all of its source code
Good grief. You got spanked on this one months ago with a link
right to the complete source code package.
> Bestcrypt is described as "Whole disk encryption" under the first bullet
> of the Wikipedia
Wikipedia... now there's an authoritative source.
Jetico says it's not whole disk, Wikipedia says it is, and you like
a dumbass go with Wikipedia just to try and avoid admitting you're
wrong.
You poor, pathetic, git. If you weren't such a pompous blowhard I'd
actually feel sorry for you.
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. Please report spam or misuse to the remailer-operator:
<nightmix@fahr-zur-hoelle.org>
Anonymous wrote:
> nemo_outis wrote:
>
>> My personal preference (yes, even over Truecrypt) is closed-source
>> commercial Bestcrypt Volume Encryption from Jetico (in Finland). Cutting
>
> 1. Bestcrypt isn't closed source, you ninny.
>
Read the BestCrypt license, it fails the open standard requirements at
every level. Among other things, the user is not allowed to modify the
code. That the source code is available for review is important, but it
is not open source.
jc
> 2. What happened to you prattling on about it being "whole disk"?
>
>
On Wed, 26 Nov 2008 16:46:38 GMT, nemo_outis wrote:
> Truecrypt is an excellent program BUT...
>
> 1) You have no idea who the developers are (they remain pseudonymous)
>
> 2) Very few people compile the Windows binaries from source; it is
> exceedingly difficult to generate binaries from source that match the
> binaries provided by Truecrypt (due to compiler options, etc.)
>
> 3) There are NO (zip, nada, zilch) published detailed reviews of the
> source code. Availability of open-source *doesn't* mean that reviews
> actually get done!
>
> 4) Truecrypt has ruthlessley suppressed all earlier versions (from
> wayback, sourceforge, oldapps, etc.) even though they were supposedly
> open-source (thus making incremental review impossible). This is
> ominous!
>
> 5) There is no public mechanism for submission and review of bug
> reports, etc. Any bug database, etc. is CLOSED! to the public, with only
> a "bug report form" available that goes into a black hole unacknowledged.
>
> 6) The Truecrypt forums are run in an exceedingly autocratic and
> unfriendly way, with many posts arbitrarily removed. Many topics (not
> just the ones in the posting guidelines) are "off limits." Moreover, the
> forums sometimes close unexplained for long periods (a month or more) and
> reemerge with many posts purged. The moderators make it very difficult
> for posters to contact each other directly.
>
> 7) The license for Truecrypt is NOT open source (e.g., doesn't meet OSI
> criteria) and is quite restrictive.
>
> There are a number of rationales presented in defence of the above points
> by the developers (e.g., centralized control, quality, reputation, etc.)
> but they are all, IMHO, very weak in contrast to the opposing views.
>
> In short, there is NO substantive public evidence that Truecrypt's source
> code has been the subject of thorough review, nor is there any reason to
> rely on the credentials of the developers (since they remain anonymous).
> In that absence, using Truecrypt is an act of blind faith every bit as
> much (or more!) than using a closed-source encryption program.
>
> Regards,
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
news:ggorap$nqi$1@news.motzarella.org:
....
>> In short, there is NO substantive public evidence that Truecrypt's
>> source code has been the subject of thorough review, nor is there any
>> reason to rely on the credentials of the developers (since they
>> remain anonymous). In that absence, using Truecrypt is an act of
>> blind faith every bit as much (or more!) than using a closed-source
>> encryption program.
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust"
Yes, the above paper - which everyone here should read! - makes a very
powerful point.
But it gets worse, much worse.
Open source code is no panacea. First of all, I don't believe most open
source code gets anything more than very cursory review - if even that.
Oh sure, lots of people may briefly scan the code, a few people may look
at a few small parts of it more intensively, and if a bug or anomaly pops
up in use a few people may try to trace it back to the source code.
That's about it though.
Good thorough code review and testing is hard, tedious, painstaking work.
Hard work with little or no glory in it. Hard work, that to be truly
effective, would have to be repeated with each new software release,
including regression testing, etc. Many, many man-months using a
*structured* approach, not ad-hoc-ery. I don't think that gets done.
But it gets worse yet. Not only do I think that, in general, open-source
testing mostly doesn't get done (except on a very hit and miss basis),
the problem is far worse for cryptographic code. Cryptographic code
requires special expertise, expertise in short supply. Here the "many
eyes" concept of open-source code inspection breaks down badly, since so
few of those eyes are qualified.
But it gets worse yet. As Ross Anderson (of Cambridge) points out in
several scholarly papers, open source opens the code to *both* white hats
and black hats, aiding both defence and offence. The black hats are
looking for exploitable flaws, and having the source code is a big help.
Worse yet, with crypto code, the black hats (e.g., the NSA) may have much
more motivation, much better-qualified people, and much bigger budgets
than the white hats. And, obviously, the black hats aren't going to
publish their findings.
But it gets worse yet. Open source review has some chance (not nearly as
good as is commonly thought IMHO) of winkling out bugs, but it is much
less likely to be effective at outing backdoors that have been created
and carefully disguised by skilled opponents (I'll answer objections
about JAP, etc. if called upon). The proof of how hard it can be to find
carefully crafted flaws in code (rather than ordinary unintentional ones)
is illustrated brilliantly by the annual "Underhanded C" contest. You
can stare for an hour at 20 lines of code, knowing that there is a bug
there, and exactly what kind of bug it is, and still not see it. If the
NSA has tens of thousands of lines of source code to sneak in a flaw I
have little doubt that the chances of it being outed by less than man-
years of careful inspection is damned near zero. Open source may work
for outing bugs, but outing good backdoors is a whole different game!
> Anonymous wrote:
> > nemo_outis wrote:
> >
> >> My personal preference (yes, even over Truecrypt) is closed-source
> >> commercial Bestcrypt Volume Encryption from Jetico (in Finland). Cutting
> >
> > 1. Bestcrypt isn't closed source, you ninny.
> >
>
> Read the BestCrypt license, it fails the open standard
<snip>
Who said it did?
My god you people are idiots. On one hand you have the mouth that
roared calling source that's open for public inspection "closed",
and on the other you have someone chiming in to tell the world
they're not bright enough to understand there's a whole range of
possibilities between closed source, and strict compliance to GNU
open source standards.
Absolutely amazing. No wonder Usenet is such a toilet.
>> "You can't trust code that you did not totally create yourself"
>> Ken Thompson "Reflections on Trusting Trust"
On Fri, 28 Nov 2008 14:32:16 GMT, nemo_outis wrote:
> Yes, the above paper - which everyone here should read! - makes a very
> powerful point.
>
> But it gets worse, much worse.
>
> Open source code is no panacea. First of all, I don't believe most open
> source code gets anything more than very cursory review - if even that.
> Oh sure, lots of people may briefly scan the code, a few people may look
> at a few small parts of it more intensively, and if a bug or anomaly pops
> up in use a few people may try to trace it back to the source code.
> That's about it though.
It's cost prohibitive, time prohibitive, less than stellar science and
fucking hard to do.
> Good thorough code review and testing is hard, tedious, painstaking work.
lol I should read ahead.
> Hard work with little or no glory in it. Hard work, that to be truly
> effective, would have to be repeated with each new software release,
> including regression testing, etc. Many, many man-months using a
> *structured* approach, not ad-hoc-ery. I don't think that gets done.
>
> But it gets worse yet. Not only do I think that, in general, open-source
> testing mostly doesn't get done (except on a very hit and miss basis),
> the problem is far worse for cryptographic code. Cryptographic code
> requires special expertise, expertise in short supply. Here the "many
> eyes" concept of open-source code inspection breaks down badly, since so
> few of those eyes are qualified.
Then you have to qualify the qualified to see if they are truly
qualified.
> But it gets worse yet. As Ross Anderson (of Cambridge) points out in
> several scholarly papers, open source opens the code to *both* white hats
> and black hats, aiding both defence and offence. The black hats are
> looking for exploitable flaws, and having the source code is a big help.
> Worse yet, with crypto code, the black hats (e.g., the NSA) may have much
> more motivation, much better-qualified people, and much bigger budgets
> than the white hats. And, obviously, the black hats aren't going to
> publish their findings.
Plus they can bring enormous pressure on the original coders since they
aren't the most moral of the rotting bunch of TLAs.
> But it gets worse yet. Open source review has some chance (not nearly as
> good as is commonly thought IMHO) of winkling out bugs, but it is much
> less likely to be effective at outing backdoors that have been created
> and carefully disguised by skilled opponents (I'll answer objections
> about JAP, etc. if called upon). The proof of how hard it can be to find
> carefully crafted flaws in code (rather than ordinary unintentional ones)
> is illustrated brilliantly by the annual "Underhanded C" contest. You
> can stare for an hour at 20 lines of code, knowing that there is a bug
> there, and exactly what kind of bug it is, and still not see it. If the
> NSA has tens of thousands of lines of source code to sneak in a flaw I
> have little doubt that the chances of it being outed by less than man-
> years of careful inspection is damned near zero. Open source may work
> for outing bugs, but outing good backdoors is a whole different game!
>
> Ain't life a bitch?
>
> Regards,
Your position and mine are about the same. The above may come off as a
rant but I am fully convinced of the excellent viciousness the NSA in
particular has their handiwork in code. The fact that it is nearly
impossible /if/ you went looking for a backdoor /to find one/ has to be
one of the goldenest ops for them to advantage.
Serious as a last heartbeat, I expect that they have capabilities in all
OS, all major financial transaction software, SAP, Oracle blah
blah...the fool is the not the one who believes *everything* is
compromised....then backs away to a more pratical POV..the fool is the
one who starts from "let's find where they have done their handiwork and
see if we can find some and progresses up that from that level of
naïveté.
On Fri, 28 Nov 2008 12:48:38 -0500, Ari
<DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote:
>>
>> Open source code is no panacea. [SNIP]
>
>> Hard work with little or no glory in it. [SNIP]
>>
>> Here the "many
>> eyes" concept of open-source code inspection breaks down badly, since so
>> few of those eyes are qualified. [SNIP]
>> The black hats are
>> looking for exploitable flaws, and having the source code is a big help. [SNIP]
In the meantime, Linux is growing and thriving. And for some reason
you don't need a new operating system to run new hardware - like
USB on Win9x because there is no driver available. Imagine that.
>
> But it gets worse yet. Open source review has some chance (not nearly as
> good as is commonly thought IMHO) of winkling out bugs, but it is much
> less likely to be effective at outing backdoors that have been created
> and carefully disguised by skilled opponents (I'll answer objections
> about JAP, etc. if called upon). The proof of how hard it can be to find
> carefully crafted flaws in code (rather than ordinary unintentional ones)
> is illustrated brilliantly by the annual "Underhanded C" contest. You
> can stare for an hour at 20 lines of code, knowing that there is a bug
> there, and exactly what kind of bug it is, and still not see it. If the
> NSA has tens of thousands of lines of source code to sneak in a flaw I
> have little doubt that the chances of it being outed by less than man-
> years of careful inspection is damned near zero. Open source may work
> for outing bugs, but outing good backdoors is a whole different game!
>
> Ain't life a bitch?
>
> Regards,
An interesting read. Scary too. Maybe I'll go back to OTP, using my
caesium decay for the RN source. Tedious, but no back doors and no
sneaky code. Unless god works for the NSA.
Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
news:ggpatm$uau$1@news.motzarella.org:
> Your position and mine are about the same.
Not quite.
I speak of how open source is not a panacea. Of how the *potential* of
open source for thorough review and testing is almost never *realized* -
especially for crypto programs. Of how bugs *may* be exploited and how
backdoors *might* be inserted and remain undetected in open-source code.
Of what the NSA and other adversaries *may* be doing.
But for many of the same reasons that support the *possiblity* of the NSA
doing such things, I can draw no conclusion whether (and/or to what
extent) they are *really* doing so. That would be speculation and
surmise.
However, depending on their threat model and risk and consequence
analysis, some parties *may* choose to base their precautions on
scenarios approaching such worst-case possibilities.
Regards,
PS The resources and capabilities of the NSA (and such), great as they
are, are limited and finite. I suspect (but, for obvious reasons, do not
know) that the NSA is very selective in which programs it compromises.
For instance, Windows would be extremely attractive because of its
ubiquity, and also because mechanisms like frequent updates provide
attractive paths for ongoing compromise in the face of new
opportunities/threats. Moreover Windows provides an avenue to compromise
any program run under it, including completely "clean" crypto programs.
Compromising all the many crypto programs out there individually would be
very difficult, even for the NSA (unless, say, AES has a flaw). So many
contacts with crypto companies/organizations would, for instance, carry a
high risk of disclosure.
However, putting out one "ostensibly very good" program cheap or free for
subsequent widespread adoption could easily be done by the NSA.
Truecrypt could, for example, be such a program. (I emphasize "could" -
I have absolutely no substantive evidence for this being true.)
George Orwell <nobody@mixmaster.it> wrote in
news:64a9ae567d05254aa28829abd480fe15@mixmaster.it :
> An interesting read. Scary too. Maybe I'll go back to OTP, using my
> caesium decay for the RN source. Tedious, but no back doors and no
> sneaky code. Unless god works for the NSA.
Even OTP won't save you if your computer OS has been compromised.
As for crypto guarantees, I wouldn't accept one from God Himself except
maybe if I also had a non-compete agreement signed by the Devil :-)
> George Orwell <nobody@mixmaster.it> wrote in
> news:64a9ae567d05254aa28829abd480fe15@mixmaster.it :
>
>> An interesting read. Scary too. Maybe I'll go back to OTP, using my
>> caesium decay for the RN source. Tedious, but no back doors and no
>> sneaky code. Unless god works for the NSA.
>
> Even OTP won't save you if your computer OS has been compromised.
>
> As for crypto guarantees, I wouldn't accept one from God Himself except
> maybe if I also had a non-compete agreement signed by the Devil :-)
>
> Regards,
Then you truly would have deceived yourself, making any agreement
with
the devil.
> anonymous <anon@domain.invalid> wrote in news:ggpn1e$6p5$1@news.mixmin.net:
>
>> Then you truly would have deceived yourself, making any agreement
>> with the devil.
>
>
> My transactions with the Devil have been eminently satisfactory, those with
> God considerably more problematic :-)
>
> Regards,
anonymous <anon@domain.invalid> wrote in
news:ggpq3p$a9r$1@news.mixmin.net:
>> My transactions with the Devil have been eminently satisfactory,
>> those with God considerably more problematic :-)
>>
>> Regards,
>
> OOH, but the payment that is comming due!
Voltaire on his deathbed was urged by an attending priest to renounce the
Devil. Voltaire replied, "Now is not a good time to be making new
enemies."
On Fri, 28 Nov 2008 18:37:32 GMT, nemo_outis wrote:
> The resources and capabilities of the NSA (and such), great as they
> are, are limited and finite. I suspect (but, for obvious reasons, do not
> know) that the NSA is very selective in which programs it compromises.
So you don't think have my pink/baby blue tray icon "You're USB stick is
deep inside my 2.0 slot" notification tool is compromised?
> For instance, Windows would be extremely attractive because of its
> ubiquity, and also because mechanisms like frequent updates provide
> attractive paths for ongoing compromise in the face of new
> opportunities/threats. Moreover Windows provides an avenue to compromise
> any program run under it, including completely "clean" crypto programs.
I assume it is.
> Compromising all the many crypto programs out there individually would be
> very difficult, even for the NSA (unless, say, AES has a flaw). So many
> contacts with crypto companies/organizations would, for instance, carry a
> high risk of disclosure.
They could compromise four or five packages and get both wide
international results or one package which dominates an important
software/business sector. E.g. PROMIS
nemo, you know geographically that is my ole stompin' grounds.
> However, putting out one "ostensibly very good" program cheap or free for
> subsequent widespread adoption could easily be done by the NSA.
> Truecrypt could, for example, be such a program. (I emphasize "could" -
> I have absolutely no substantive evidence for this being true.)
> On Fri, 28 Nov 2008 12:48:38 -0500, Ari
> <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote:
>
>>>
>>> Open source code is no panacea. [SNIP]
>>
>>> Hard work with little or no glory in it. [SNIP]
>>>
>>> Here the "many
>>> eyes" concept of open-source code inspection breaks down badly, since so
>>> few of those eyes are qualified. [SNIP]
>
>>> The black hats are
>>> looking for exploitable flaws, and having the source code is a big help. [SNIP]
>
> In the meantime, Linux is growing and thriving. And for some reason
> you don't need a new operating system to run new hardware - like
> USB on Win9x because there is no driver available. Imagine that.
>
> Marty
McFly, if you don't think that distros of Linux can be comprmised,
you're delusional.
DriveCrypt 
Linear Mode
