Re: DriveCrypt

Subject Author Date
Re: DriveCrypt anonymous 11-26-2008
Posted by nemo_outis on November 28, 2008, 1:37 pm

> Your position and mine are about the same.


Not quite.

I speak of how open source is not a panacea. Of how the *potential* of
open source for thorough review and testing is almost never *realized* -
especially for crypto programs. Of how bugs *may* be exploited and how
backdoors *might* be inserted and remain undetected in open-source code.
Of what the NSA and other adversaries *may* be doing.

But for many of the same reasons that support the *possibility* of the NSA
doing such things, I can draw no conclusion whether (and/or to what
extent) they are *really* doing so. That would be speculation and
surmise.

However, depending on their threat model and risk and consequence
analysis, some parties *may* choose to base their precautions on
scenarios approaching such worst-case possibilities.

Regards,

PS The resources and capabilities of the NSA (and such), great as they
are, are limited and finite. I suspect (but, for obvious reasons, do not
know) that the NSA is very selective in which programs it compromises.
For instance, Windows would be extremely attractive because of its
ubiquity, and also because mechanisms like frequent updates provide
attractive paths for ongoing compromise in the face of new
opportunities/threats. Moreover Windows provides an avenue to compromise
any program run under it, including completely "clean" crypto programs.

Compromising all the many crypto programs out there individually would be
very difficult, even for the NSA (unless, say, AES has a flaw). So many
contacts with crypto companies/organizations would, for instance, carry a
high risk of disclosure.

However, putting out one "ostensibly very good" program cheap or free for
subsequent widespread adoption could easily be done by the NSA.
Truecrypt could, for example, be such a program. (I emphasize "could" -
I have absolutely no substantive evidence for this being true.)



Posted by Ari on November 28, 2008, 7:31 pm
On Fri, 28 Nov 2008 18:37:32 GMT, nemo_outis wrote:

> The resources and capabilities of the NSA (and such), great as they
> are, are limited and finite. I suspect (but, for obvious reasons, do not
> know) that the NSA is very selective in which programs it compromises.

So you don't think my pink/baby blue tray icon "Your USB stick is
deep inside my 2.0 slot" notification tool is compromised?

> For instance, Windows would be extremely attractive because of its
> ubiquity, and also because mechanisms like frequent updates provide
> attractive paths for ongoing compromise in the face of new
> opportunities/threats. Moreover Windows provides an avenue to compromise
> any program run under it, including completely "clean" crypto programs.

I assume it is.

> Compromising all the many crypto programs out there individually would be
> very difficult, even for the NSA (unless, say, AES has a flaw). So many
> contacts with crypto companies/organizations would, for instance, carry a
> high risk of disclosure.

They could compromise four or five packages and get both wide
international results or one package which dominates an important
software/business sector. E.g. PROMIS

http://tr.im/1m3v

nemo, you know geographically that is my ole stompin' grounds.

> However, putting out one "ostensibly very good" program cheap or free for
> subsequent widespread adoption could easily be done by the NSA.
> Truecrypt could, for example, be such a program. (I emphasize "could" -
> I have absolutely no substantive evidence for this being true.)

How about Unix/Linux?
--
Meet Ari!
http://tr.im/1fa3

Posted by nemo_outis on November 28, 2008, 1:48 pm

> An interesting read. Scary too. Maybe I'll go back to OTP, using my
> caesium decay for the RN source. Tedious, but no back doors and no
> sneaky code. Unless god works for the NSA.

Even OTP won't save you if your computer OS has been compromised.

As for crypto guarantees, I wouldn't accept one from God Himself except
maybe if I also had a non-compete agreement signed by the Devil :-)

Regards,



Posted by anonymous on November 28, 2008, 4:15 pm
>
>> An interesting read. Scary too. Maybe I'll go back to OTP, using my
>> caesium decay for the RN source. Tedious, but no back doors and no
>> sneaky code. Unless god works for the NSA.
>
> Even OTP won't save you if your computer OS has been compromised.
>
> As for crypto guarantees, I wouldn't accept one from God Himself except
> maybe if I also had a non-compete agreement signed by the Devil :-)
>
> Regards,

Then you truly would have deceived yourself, making any agreement
with the devil.



Posted by nemo_outis on November 28, 2008, 5:02 pm

> Then you truly would have deceived yourself, making any agreement
> with the devil.


My transactions with the Devil have been eminently satisfactory, those with
God considerably more problematic :-)

Regards,
