DriveCrypt

Discussion in 'Computer Security' started by George Orwell, Nov 26, 2008.

  1. >
    > But it gets worse yet. Open source review has some chance (not nearly as
    > good as is commonly thought IMHO) of winkling out bugs, but it is much
    > less likely to be effective at outing backdoors that have been created
    > and carefully disguised by skilled opponents (I'll answer objections
    > about JAP, etc. if called upon). The proof of how hard it can be to find
    > carefully crafted flaws in code (rather than ordinary unintentional ones)
    > is illustrated brilliantly by the annual "Underhanded C" contest. You
    > can stare for an hour at 20 lines of code, knowing that there is a bug
    > there, and exactly what kind of bug it is, and still not see it. If the
    > NSA has tens of thousands of lines of source code to sneak in a flaw I
    > have little doubt that the chances of it being outed by less than man-
    > years of careful inspection is damned near zero. Open source may work
    > for outing bugs, but outing good backdoors is a whole different game!
    >
    > Ain't life a bitch?
    >
    > Regards,


    An interesting read. Scary too. Maybe I'll go back to OTP, using my
    caesium decay for the RN source. Tedious, but no back doors and no
    sneaky code. Unless god works for the NSA.
     
    George Orwell, Nov 28, 2008
    #21

  2. George Orwell

    nemo_outis Guest

    Re: nemo On Open Source

    Ari <> wrote in
    news:ggpatm$uau$:

    > Your position and mine are about the same.



    Not quite.

    I speak of how open source is not a panacea. Of how the *potential* of
    open source for thorough review and testing is almost never *realized* -
    especially for crypto programs. Of how bugs *may* be exploited and how
    backdoors *might* be inserted and remain undetected in open-source code.
    Of what the NSA and other adversaries *may* be doing.

    But for many of the same reasons that support the *possibility* of the NSA
    doing such things, I can draw no conclusion whether (and/or to what
    extent) they are *really* doing so. That would be speculation and
    surmise.

    However, depending on their threat model and risk and consequence
    analysis, some parties *may* choose to base their precautions on
    scenarios approaching such worst-case possibilities.

    Regards,

    PS The resources and capabilities of the NSA (and such), great as they
    are, are limited and finite. I suspect (but, for obvious reasons, do not
    know) that the NSA is very selective in which programs it compromises.
    For instance, Windows would be extremely attractive because of its
    ubiquity, and also because mechanisms like frequent updates provide
    attractive paths for ongoing compromise in the face of new
    opportunities/threats. Moreover Windows provides an avenue to compromise
    any program run under it, including completely "clean" crypto programs.

    Compromising all the many crypto programs out there individually would be
    very difficult, even for the NSA (unless, say, AES has a flaw). So many
    contacts with crypto companies/organizations would, for instance, carry a
    high risk of disclosure.

    However, putting out one "ostensibly very good" program cheap or free for
    subsequent widespread adoption could easily be done by the NSA.
    Truecrypt could, for example, be such a program. (I emphasize "could" -
    I have absolutely no substantive evidence for this being true.)
     
    nemo_outis, Nov 28, 2008
    #22

  3. George Orwell

    nemo_outis Guest

    George Orwell <> wrote in
    news::

    > An interesting read. Scary too. Maybe I'll go back to OTP, using my
    > caesium decay for the RN source. Tedious, but no back doors and no
    > sneaky code. Unless god works for the NSA.


    Even OTP won't save you if your computer OS has been compromised.

    As for crypto guarantees, I wouldn't accept one from God Himself except
    maybe if I also had a non-compete agreement signed by the Devil :)

    Regards,
     
    nemo_outis, Nov 28, 2008
    #23
  4. George Orwell

    nemo_outis Guest

    Nomen Nescio <> wrote in
    news::

    > Absolutely amazing. No wonder Usenet is such a toilet.


    Thanks for adding your incremental turd.
     
    nemo_outis, Nov 28, 2008
    #24
  5. George Orwell

    anonymous Guest

    > George Orwell <> wrote in
    > news::
    >
    >> An interesting read. Scary too. Maybe I'll go back to OTP, using my
    >> caesium decay for the RN source. Tedious, but no back doors and no
    >> sneaky code. Unless god works for the NSA.

    >
    > Even OTP won't save you if your computer OS has been compromised.
    >
    > As for crypto guarantees, I wouldn't accept one from God Himself except
    > maybe if I also had a non-compete agreement signed by the Devil :)
    >
    > Regards,


    Then you truly would have deceived yourself, making any agreement
    with the devil.
     
    anonymous, Nov 28, 2008
    #25
  6. George Orwell

    nemo_outis Guest

    anonymous <> wrote in news:ggpn1e$6p5$:

    > Then you truly would have deceived yourself, making any agreement
    > with the devil.



    My transactions with the Devil have been eminently satisfactory, those with
    God considerably more problematic :)

    Regards,
     
    nemo_outis, Nov 28, 2008
    #26
  7. George Orwell

    anonymous Guest

    > anonymous <> wrote in news:ggpn1e$6p5$:
    >
    >> Then you truly would have deceived yourself, making any agreement
    >> with the devil.

    >
    >
    > My transactions with the Devil have been eminently satisfactory, those with
    > God considerably more problematic :)
    >
    > Regards,


    OOH, but the payment that is coming due!
     
    anonymous, Nov 28, 2008
    #27
  8. George Orwell

    nemo_outis Guest

    anonymous <> wrote in
    news:ggpq3p$a9r$:


    >> My transactions with the Devil have been eminently satisfactory,
    >> those with God considerably more problematic :)
    >>
    >> Regards,

    >
    > OOH, but the payment that is coming due!


    Voltaire on his deathbed was urged by an attending priest to renounce the
    Devil. Voltaire replied, "Now is not a good time to be making new
    enemies."

    Regards,
     
    nemo_outis, Nov 28, 2008
    #28
  9. George Orwell

    Ari Guest

    Re: nemo On Open Source

    On Fri, 28 Nov 2008 18:37:32 GMT, nemo_outis wrote:

    > The resources and capabilities of the NSA (and such), great as they
    > are, are limited and finite. I suspect (but, for obvious reasons, do not
    > know) that the NSA is very selective in which programs it compromises.


    So you don't think my pink/baby blue tray icon "Your USB stick is
    deep inside my 2.0 slot" notification tool is compromised?

    > For instance, Windows would be extremely attractive because of its
    > ubiquity, and also because mechanisms like frequent updates provide
    > attractive paths for ongoing compromise in the face of new
    > opportunities/threats. Moreover Windows provides an avenue to compromise
    > any program run under it, including completely "clean" crypto programs.


    I assume it is.

    > Compromising all the many crypto programs out there individually would be
    > very difficult, even for the NSA (unless, say, AES has a flaw). So many
    > contacts with crypto companies/organizations would, for instance, carry a
    > high risk of disclosure.


    They could compromise four or five packages and get both wide
    international results or one package which dominates an important
    software/business sector. E.g. PROMIS

    http://tr.im/1m3v

    nemo, you know geographically that is my ole stompin' grounds.

    > However, putting out one "ostensibly very good" program cheap or free for
    > subsequent widespread adoption could easily be done by the NSA.
    > Truecrypt could, for example, be such a program. (I emphasize "could" -
    > I have absolutely no substantive evidence for this being true.)


    How about Unix/Linux?
    --
    Meet Ari!
    http://tr.im/1fa3
     
    Ari, Nov 29, 2008
    #29
  10. George Orwell

    Ari Guest

    Re: nemo On Open Source

    On Fri, 28 Nov 2008 18:10:25 GMT, Marty wrote:

    > On Fri, 28 Nov 2008 12:48:38 -0500, Ari
    > <> wrote:
    >
    >>>
    >>> Open source code is no panacea. [SNIP]

    >>
    >>> Hard work with little or no glory in it. [SNIP]
    >>>
    >>> Here the "many
    >>> eyes" concept of open-source code inspection breaks down badly, since so
    >>> few of those eyes are qualified. [SNIP]

    >
    >>> The black hats are
    >>> looking for exploitable flaws, and having the source code is a big help. [SNIP]

    >
    > In the meantime, Linux is growing and thriving. And for some reason
    > you don't need a new operating system to run new hardware - like
    > USB on Win9x because there is no driver available. Imagine that.
    >
    > Marty


    McFly, if you don't think that distros of Linux can be compromised,
    you're delusional.

    Imagine that.
    --
    Meet Ari!
    http://tr.im/1fa3
     
    Ari, Nov 29, 2008
    #30
  11. George Orwell

    grrrl germs Guest

    Re: nemo On Open Source

    "Ari" <> wrote in message
    news:ggq2ht$gut$...
    > On Fri, 28 Nov 2008 18:37:32 GMT, nemo_outis wrote:
    >
    >> The resources and capabilities of the NSA (and such), great as they
    >> are, are limited and finite. I suspect (but, for obvious reasons, do not
    >> know) that the NSA is very selective in which programs it compromises.

    >
    > So you don't think my pink/baby blue tray icon "Your USB stick is
    > deep inside my 2.0 slot" notification tool is compromised?
    >
    >> For instance, Windows would be extremely attractive because of its
    >> ubiquity, and also because mechanisms like frequent updates provide
    >> attractive paths for ongoing compromise in the face of new
    >> opportunities/threats. Moreover Windows provides an avenue to compromise
    >> any program run under it, including completely "clean" crypto programs.

    >
    > I assume it is.
    >
    >> Compromising all the many crypto programs out there individually would be
    >> very difficult, even for the NSA (unless, say, AES has a flaw). So many
    >> contacts with crypto companies/organizations would, for instance, carry a
    >> high risk of disclosure.

    >
    > They could compromise four or five packages and get both wide
    > international results or one package which dominates an important
    > software/business sector. E.g. PROMIS
    >
    > http://tr.im/1m3v
    >
    > nemo, you know geographically that is my ole stompin' grounds.
    >



    wot ARE u talkin' about, mister? i bet its complicated. it looks
    complicatred. today's gud news IS one bully in heer got OWNED and the
    other got warned about Nic. did U kno that? i'm going to put it on my
    blog. donald says U might have a crush on me ! R U nice? if U hav a
    crush U can test it at DR LOVE's LOVECALCULATOR
    http://www.lovecalculator.com/

    U got 24 http://www.lovecalculator.com/love.php?name1=ari&name2=grrrlgerms
    so U dont have a crush that means U can't be a PERV on me then. UR ok.
    but a bit boring.
    i checked out Alric Knebel (cos hes been STALKING me). we got 71
    http://www.lovecalculator.com/love.php?name1=Alric Knebel &name2=grrrlgerms .
    I think he's a PERV. i mean 71 is high. how high does it HAVE to be
    before a perv attaks? U and Nic can protect me if U like.

    i checked out BULLY bear bottoms and he got 11. maybe its becuase hes not
    normal and wants to FLAGILATE me (that means whip) or bully me. is he
    GAY? i mean theres nothing rong about someone being GAY as long as theyre
    not homosexual.

    im going to try that calculator on other people.



    --

    no invitations for the moment
     
    grrrl germs, Nov 29, 2008
    #31
  12. nemo_outis wrote:

    > anonymous <> wrote in
    > news:ggpq3p$a9r$:
    >
    >
    > >> My transactions with the Devil have been eminently satisfactory,
    > >> those with God considerably more problematic :)
    > >>
    > >> Regards,

    > >
    > > OOH, but the payment that is coming due!

    >
    > Voltaire on his deathbed was urged by an attending priest to renounce the
    > Devil. Voltaire replied, "Now is not a good time to be making new
    > enemies."


    It seems only fitting that one of the historical entities you
    "connect" with enough to cite in defense of your asininity,
    would happen to be one that rotted away, and eventually died, of
    syphilis.
     
    Anonymous Remailer, Dec 1, 2008
    #32
  13. nemo_outis wrote:

    > Nomen Nescio <> wrote in
    > news::
    >
    > > Absolutely amazing. No wonder Usenet is such a toilet.

    >
    > Thanks for adding your incremental turd.


    I notice you don't have the balls to refute the fact that you're a
    congenital liar regarding the openness of Truecrypt source code, and
    your idiot-savant is a congenital dimwit who actually thinks
    there's a crumb of credibility to anything you say. No, you had to
    snip and run from all that and make one of your failed attempts to
    be cute, as cover. Didn't you kiddo.

    That makes you an exposed coward, and me the Tidy Bowl Man.

    That's right. Gotcha *again*, bitch. :p

    Gonna crumble into your usual pile of quivering "blither" spew for
    us this time?
    ~~~~~~~~~~~~~~~~~~~~~
    This message was posted via one or more anonymous remailing services.
    The original sender is unknown. Any address shown in the From header
    is unverified. Please report spam or misuse to the remailer-operator:
    <>
     
    Nightmix-Remailer, Dec 1, 2008
    #33
  14. George Orwell

    nemo_outis Guest

    Anonymous Remailer <> wrote in
    news::

    >> Voltaire on his deathbed was urged by an attending priest to renounce
    >> the Devil. Voltaire replied, "Now is not a good time to be making
    >> new enemies."

    >
    > It seems only fitting that one of the historical entities you
    > "connect" with enough to cite in defense of your asininity,
    > would happen to be one that rotted away, and eventually died, of
    > syphilis.


    You're a feckin' moron, and with this gem you've won the non-sequitur of
    the week award!

    Voltaire lived to 84 (a ripe old age for those days) and the cause of his
    death was unspecified - there's not a hint of him having syphilis. Perhaps
    in the muddled porridge of your brain you confused Voltaire with his
    fictional character, Dr. Pangloss?

    Regards,
     
    nemo_outis, Dec 1, 2008
    #34
  15. George Orwell

    nemo_outis Guest

    Nightmix-Remailer <> wrote in
    news::

    It's nice you have access to a computer down there at the home for the
    feeble-minded.
     
    nemo_outis, Dec 1, 2008
    #35
  16. George Orwell

    Ari Guest

    On 1 Dec 2008 01:22:01 -0000, Nightmix-Remailer wrote:

    > nemo_outis wrote:
    >
    >> Nomen Nescio <> wrote in
    >> news::
    >>
    >>> Absolutely amazing. No wonder Usenet is such a toilet.

    >>
    >> Thanks for adding your incremental turd.

    >
    > I notice you don't have the balls to refute the fact that you're a
    > congenital liar


    My God! nemo lied as a fetus! Nemo, you never told me! lol
    --
    Meet Ari!
    http://tr.im/1fa3
     
    Ari, Dec 1, 2008
    #36
  17. George Orwell

    Ari Guest

    On Mon, 01 Dec 2008 01:47:11 +0100, Anonymous Remailer wrote:

    > nemo_outis wrote:
    >
    >> anonymous <> wrote in
    >> news:ggpq3p$a9r$:
    >>
    >>>> My transactions with the Devil have been eminently satisfactory,
    >>>> those with God considerably more problematic :)
    >>>>
    >>>> Regards,
    >>>
    >>> OOH, but the payment that is coming due!

    >>
    >> Voltaire on his deathbed was urged by an attending priest to renounce the
    >> Devil. Voltaire replied, "Now is not a good time to be making new
    >> enemies."

    >
    > It seems only fitting that one of the historical entities you
    > "connect" with enough to cite in defense of your asininity,
    > would happen to be one that rotted away, and eventually died, of
    > syphilis.


    BWAHAHAHAAAA. Your anonymous Google fucked your history lesson up.
    --
    Meet Ari!
    http://tr.im/1fa3
     
    Ari, Dec 1, 2008
    #37
  18. George Orwell

    Nomen Nescio Guest

    nemo_outis wrote:

    > Ari <> wrote in
    > news:ggorap$nqi$:
    >
    > ...
    > >> In short, there is NO substantive public evidence that Truecrypt's
    > >> source code has been the subject of thorough review, nor is there any
    > >> reason to rely on the credentials of the developers (since they
    > >> remain anonymous). In that absence, using Truecrypt is an act of
    > >> blind faith every bit as much (or more!) than using a closed-source
    > >> encryption program.

    >
    > > "You can't trust code that you did not totally create yourself"
    > > Ken Thompson "Reflections on Trusting Trust"

    >
    > Yes, the above paper - which everyone here should read! - makes a very
    > powerful point.


    If you're a moron. There's nothing wrong with trusting code someone
    else wrote. Individuals, businesses, and even governments do it
    every day with no ill effects. The key is learning enough to know
    WHICH code to trust and definitely not listening to idiots like you.

    >
    > But it gets worse, much worse.
    >
    > Open source code is no panacea.


    Nobody ever said it was. It makes you feel like a grownup to lie
    and try to make it sound like someone did, but it never happened.

    Once again, open source is an additional barrier for bad or evil
    code to overcome. The ideal would be both public and private review.

    > First of all, I don't believe most open
    > source code gets anything more than very cursory review


    Yeah, that's why the last two flaws in GnuPG were discovered by an
    independent reviewer. And why the last SSL bug was discovered the
    same way.

    Never mind the fact that reality PROVES it works or anything, just
    go ahead on and blither.

    > Good thorough code review and testing is hard, tedious, painstaking work.


    Why do you suppose it is you have to pretend it's an either/or world
    just to try and make a point?

    Do you suppose you've had your ass handed to you over this before
    and now your ego just won't let you sleep unless you spread this
    sort of nonsense?

    Of course that's it.

    <rest snipped unread>
     
    Nomen Nescio, Dec 1, 2008
    #38
  19. nemo_outis wrote:

    > Anonymous Remailer <> wrote in
    > news::
    >
    > >> Voltaire on his deathbed was urged by an attending priest to renounce
    > >> the Devil. Voltaire replied, "Now is not a good time to be making
    > >> new enemies."

    > >
    > > It seems only fitting that one of the historical entities you
    > > "connect" with enough to cite in defense of your asininity,
    > > would happen to be one that rotted away, and eventually died, of
    > > syphilis.

    >
    > You're a feckin' moron, and with this gem you've won the non-sequitur of
    > the week award!
    >
    > Voltaire lived to 84 (a ripe old age for those days) and the cause of his
    > death was unspecified


    I see you're still having a fling with Wikipedia.

    What an idiot you've become.
     
    Non scrivetemi, Dec 1, 2008
    #39
  20. nemo_outis wrote:

    > Ari <> wrote in
    > news:ggorap$nqi$:
    >
    > > "You can't trust code that you did not totally create yourself"
    > > Ken Thompson "Reflections on Trusting Trust"

    >
    > I don't even trust code that I wrote :)


    Join the club.
     
    Dave U. Random, Dec 1, 2008
    #40
