On 05/30/2014 09:13 AM Arno Wagner wrote:
Hi,
On Fri, May 30, 2014 at 11:07:12 CEST, web1bastler@xxxxxxxxxxxxxx wrote:
....
I knew for quite a time that American agencies such as the NSA ask
developers to build in backdoors into their encryption programs or even HW
encryption chips.
I think it’s ridiculous that those agencies get so many rights that they
can even stomp on the freedom of a person in a different country which is
totally not democratic.
So I want to know if my sensitive data is still safe on a LUKS encrypted
volume.
It should be. But also note that it depends on more than cryptsetup.
cryptsetup is just a set-up front-end from dm-crypt and the kernel
encryption code. On the other hand, the only thing that could have
a relvant backdoor there is the crypto-RNG, and there is reson to
believe the kernel folks are taking that one pretty serious and
it likely is not compromised.
....
Julian reported <http://tinyurl.com/2know-src> that agency in question
has a budget of $350M to corrupt developers into introducing backdoors
into code. I read decades ago that this same agency had a "slush fund"
of $20B for whatever purpose they wanted and we would imagine that over
the years it's just gotten much larger, in effect, may well have become
unlimited funds to carry out whatever they believe their mission is.
How many developers could resist a large suitcase full of cash in
exchange for their principles? (A lot of them, I would hope. All of
them...? not so sure.)
For this reason there should be (1) archived records of who introduced
what code into software (both FOSS and proprietary), (2) *many* more
eyes reviewing code in order to find and eliminate vulnerabilities, and
(3) much more documentation within the code to make it less obscure and
more readable by those others' eyes.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
