Enjoy your secrecy.
US and UK spy agencies defeat privacy and security on the internet | World news | theguardian.com
Doesn’t surprise me in the slightest.
I have nothing worth encrypting on my machine other than bank details and family photo albums (only encrypt them because family members would be less than pleased if they appeared on the internet).
The program I use is TrueCrypt, I don’t trust it, never have and I’m 100% certain that “insert vulnerabilities into commercial encryption systems” includes TrueCrypt (even though it’s not commercial).
On Fri, 13 Sep 2013 17:16:02 +0000, DaveMB wrote:
> The program I use is TrueCrypt, I don’t trust it, never have and I’m
> 100% certain that “insert vulnerabilities into commercial encryption
> systems” includes TrueCrypt (even though it’s not commercial).
The code is /completely/ open for TrueCrypt - you don’t think that there
would be someone out there who detected some sort of backdoor in it if
there were one?
Jim
–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
Of course the source code is completely open for inspection, but I suspect that a lot of people (likely the majority) would just download the binary and install that.
I can’t find it now, but I have read reports that the TrueCrypt source code, when compiled, does not match the pre-compiled binaries. I can’t remember the exact phrase used, but it was something along the lines of: there was sufficient evidence to suggest that the readily available binaries are ‘not’ the same as those you compile yourself from the source code!
Maybe ‘somebody’ is banking on the fact that most people will just download and install and not stop to think that maybe -just maybe- the pre-compiled binaries have a little ‘something extra’ in the code.
On 2013-09-13 19:31, Jim Henderson wrote:
> On Fri, 13 Sep 2013 17:16:02 +0000, DaveMB wrote:
>
>> The program I use is TrueCrypt, I don’t trust it, never have and I’m
>> 100% certain that “insert vulnerabilities into commercial encryption
>> systems” includes TrueCrypt (even though it’s not commercial).
>
> The code is /completely/ open for TrueCrypt - you don’t think that there
> would be someone out there who detected some sort of backdoor in it if
> there were one?
Those agencies insert their own people on the boards designing
encrypting protocols, who insert subtle weakness in the protocols
themselves, so that when implemented the software is faulty at the very
root.
Sorry, no source for this, save radio news archive in Spanish.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On Fri, 13 Sep 2013 18:03:07 +0000, Carlos E. R. wrote:
> Those agencies insert their own people on the boards designing
> encrypting protocols, who insert subtle weakness in the protocols
> themselves, so that when implemented the software is faulty at the very
> root.
That sounds very “tinfoil hat” oriented.
Software like this is scrutinized by the public pretty closely. I would
have to see evidence (yes, actual evidence) that this is happening rather
than conspiracy theories and supposition.
But you already knew that.
Jim
–
Jim Henderson
openSUSE Forums Administrator
On Fri, 13 Sep 2013 17:56:02 +0000, DaveMB wrote:
> of course the source code is completely open for inspection, But I
> suspect that a lot of people (likely the majority) would just download
> the binary and install that.
Sure, but if 10,000 people download it, more than 1% have probably spent
time looking at the code. It’s not just “normal” end users who have
concerns about weaknesses in crypto algorithms.
> I can’t find it now but have read reports that the TrueCrypt source code
> when compiled does not match the pre-compiled binarys,
That’s hardly surprising, given that different compiler optimizations
yield different outputs. Different compilers even can yield different
outputs. That doesn’t mean there’s anything nefarious going on.
> Maybe ‘somebody’ is banking on the fact that most people will just
> download and install and not stop to think maybe -just maybe- the
> pre-compiled binarys have a little ‘something extra’ in the code.
And maybe it’s all just a conspiracy theory, like the moon landings
didn’t happen, and UFOs are real (they are, really!).
Evidence is what counts. Not supposition, not rumors. Facts.
Jim
–
Jim Henderson
openSUSE Forums Administrator
Totally agree but supposition and rumours together with the ‘facts’ about what the NSA and GCHQ are doing secretly behind our backs is enough to make me wonder.
Though I’m not reaching for the tin foil just yet
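Jim’s point that a self-compiled build will not byte-match the vendor download, and his preference for claims you can confirm on your own system, as an added example that is not part of the thread: a small Python check that first verifies a download against the publisher’s digest and then compares two builds only after stripping the build metadata that legitimately varies. The two “binaries” and the published digest are constructed stand-ins, not real TrueCrypt artifacts.

```python
"""Added example (not from the thread): a hash mismatch between a vendor
binary and a self-compiled one proves little on its own, because toolchains
embed build stamps, paths and compiler versions.  Two checks are useful:
  1. verify the download against the digest the publisher shipped with it;
  2. compare vendor and local builds after stripping known-variable metadata.
"""
import hashlib
import hmac
import re

# Constructed stand-ins for two builds of the same source.  Only the BUILD
# line (timestamp and path) differs; the code section is identical.
VENDOR_BUILD = b"CODE:mov eax,1;ret\nBUILD:2013-09-13T17:16:02 /home/vendor/tc\n"
LOCAL_BUILD = b"CODE:mov eax,1;ret\nBUILD:2013-09-14T02:22:00 /home/dave/src\n"

# Constructed "published" digest, standing in for the checksum a vendor
# would publish next to the download (ideally over a signed channel).
PUBLISHED_SHA256 = hashlib.sha256(VENDOR_BUILD).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_digest: str) -> bool:
    """Check 1: does the file we downloaded match what the publisher says it
    shipped?  Constant-time comparison avoids leaking match position."""
    return hmac.compare_digest(sha256_hex(data), published_digest)


def normalize(build: bytes) -> bytes:
    """Replace metadata that legitimately differs between builds (here the
    BUILD line) with a fixed token so that only code differences remain."""
    return re.sub(rb"^BUILD:.*$", b"BUILD:<stripped>", build, flags=re.M)


def builds_equivalent(vendor: bytes, local: bytes) -> bool:
    """Check 2: are the two builds identical once variable metadata is gone?
    A mismatch here, unlike a raw hash mismatch, is worth investigating."""
    return sha256_hex(normalize(vendor)) == sha256_hex(normalize(local))


if __name__ == "__main__":
    print("download matches published digest:", verify_download(VENDOR_BUILD, PUBLISHED_SHA256))
    print("raw hashes equal:", sha256_hex(VENDOR_BUILD) == sha256_hex(LOCAL_BUILD))
    print("equivalent after stripping build stamp:", builds_equivalent(VENDOR_BUILD, LOCAL_BUILD))
```

In a real reproducible-build check the normalization step is replaced by building with fixed timestamps and paths so that no stripping is needed at all.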
On 2013-09-13 22:32, Jim Henderson wrote:
> On Fri, 13 Sep 2013 18:03:07 +0000, Carlos E. R. wrote:
>
>> Those agencies insert their own people on the boards designing
>> encrypting protocols, who insert subtle weakness in the protocols
>> themselves, so that when implemented the software is faulty at the very
>> root.
>
> That sounds very “tinfoil hat” oriented.
>
> Software like this is scrutinized by the public pretty closely. I would
> have to see evidence (yes, actual evidence) that this is happening rather
> than conspiracy theories and supposition.
>
> But you already knew that.
The article in the 3 big newspapers is kind of evidence to me
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-09-13 22:56, DaveMB wrote:
> Though I’m not reaching for the tin foil just yet
It would not protect you, anyway
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On Fri, 13 Sep 2013 20:56:02 +0000, DaveMB wrote:
> Totally agree but supposition and rumours together with the ‘facts’
> about what the NSA and GCHQ are doing secretly behind our backs is
> enough to make me wonder.
Given the amount of misdirection common in the intelligence community,
I’m not convinced that anything that’s claimed is actually true.
> Though I’m not reaching for the tin foil just yet
That’s good. We need sane people to be evaluating what information is
out there.
Jim Henderson
openSUSE Forums Administrator
On Fri, 13 Sep 2013 22:13:24 +0000, Carlos E. R. wrote:
> On 2013-09-13 22:32, Jim Henderson wrote:
>> On Fri, 13 Sep 2013 18:03:07 +0000, Carlos E. R. wrote:
>>
>>> Those agencies insert their own people on the boards designing
>>> encrypting protocols, who insert subtle weakness in the protocols
>>> themselves, so that when implemented the software is faulty at the
>>> very root.
>>
>> That sounds very “tinfoil hat” oriented.
>>
>> Software like this is scrutinized by the public pretty closely. I
>> would have to see evidence (yes, actual evidence) that this is
>> happening rather than conspiracy theories and supposition.
>>
>> But you already knew that.
>
> The article in the 3 big newspaper is kind of evidence to me
Because newspapers never have a bias, do they?
Jim Henderson
openSUSE Forums Administrator
On 2013-09-14 01:38, Jim Henderson wrote:
>> > The article in the 3 big newspaper is kind of evidence to me
> Because newspapers never have a bias, do they?
So do we all
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On Fri, 13 Sep 2013 23:58:07 +0000, Carlos E. R. wrote:
> On 2013-09-14 01:38, Jim Henderson wrote:
>>> > The article in the 3 big newspaper is kind of evidence to me
>> Because newspapers never have a bias, do they?
>
> So do we all
And seeking out sources that confirm what you already think has a name:
“confirmation bias”.
That’s why I prefer to find out on my own - a source that not only says
“this is true” but also says “and here’s how you can confirm it on your
own system” is going to carry far more weight than an article written in
a “big newspaper” by someone who maybe has no idea what they’re talking
about when it comes to technology.
Jim Henderson
openSUSE Forums Administrator
Articles in 3 big newspapers are evidence? Really? So some reporter is a cryptology expert? That’s not how I define an “expert”, but OK, if that’s how you want to define it.
Jim is right when he said that compiling it versus a binary are very different. Compiling it depends on which compiler is used, the options passed during compiling, and so on.
Code auditing is really one of the better ways to find a flaw with the code. There are other ways, but I don’t really want to get into all that, and Jim would be better versed on that anyway.
On 2013-09-14 02:22, Jim Henderson wrote:
> On Fri, 13 Sep 2013 23:58:07 +0000, Carlos E. R. wrote:
> And seeking out sources that confirm what you already think has a name:
> “confirmation bias”.
>
> That’s why I prefer to find out on my own - a source that not only says
> “this is true” but also says “and here’s how you can confirm it on your
> own system” is going to carry far more weight than an article written in
> a “big newspaper” by someone who maybe has no idea what they’re talking
> about when it comes to technology.
In the “intelligence” world, there is no confirmation available to
outsiders - that is, to us. We do not need to know. >:-)
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-09-14 02:56, Jonathan R wrote:
> Code auditing is really one of the better ways to find a flaw with the
> code. There are other ways, but I don’t really want to get into all
> that, and Jim would be better versed on that anyway.
I can read code. But I can not audit encryption code, because I’m not
the mathematical genius that can really understand encryption algorithms.
That narrows very much what auditing is available to us.
And of those experts that are there, many are probably hired by
“someone”, and restricted from speaking out what they know.
Not very long ago, they wanted to prosecute the inventor of PGP…
Encryption technology for everyone is something the intelligence
agencies worldwide hate. A forbidden technology, if they could have their way.
Don’t you remember that some years ago Netscape had to have its
encryption capabilities crippled for export from the USA, in the number
of bits used for keys (for https)?
Don’t you remember that there were two different versions of the SuSE
distribution, one served from ftp.suse.de, and a different one from
ftp.suse.com? The second one came from the USA and had lower grade
encryption software. The first one came from Germany and had no such
restriction.
I do not need sources for this - I was there, SuSE published this
information. I still have some memory left.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
From what I gather, the algorithms were not compromised. They might be exploiting weak implementations, perhaps inserting back doors or key loggers.
On Sat, 14 Sep 2013 01:03:17 +0000, Carlos E. R. wrote:
> In the “intelligence” world, there is no confirmation available to
> outsiders - that is, to us. We do not need to know. >:-)
Except that we always seem to find out in the end…
Jim
–
Jim Henderson
openSUSE Forums Administrator
On Sat, 14 Sep 2013 01:13:15 +0000, Carlos E. R. wrote:
> I can read code. But I can not audit encryption code, because I’m not
> the mathematical genius that can really understand encryption
> algorithms.
>
> That narrows very much what auditing is available to us.
To you, maybe, but there are plenty of people who are versed in crypto
who audit the code. Phil Zimmermann comes to mind - somehow it seems
pretty hard to believe that he’d be speaking out for privacy rights while
at the same time subverting the very crypto algorithms his business
depends on.
Jim Henderson
openSUSE Forums Administrator