Hardware board - TrueCrypt has fallen; an era is over
i***l
Posts: 9994
1
Damn, there's no reliable encryption software left now. TrueCrypt looks like it was ordered to shut down, the project terminated and disbanded, and even the old versions are gone. Fuck, the N3A's greed is really ugly.
c****i
Posts: 7933
2
There's a lot of chatter online, with every theory imaginable.
Is 7.1a safe?
i***l
Posts: 9994
3
I'm using the 7.1a I downloaded in 2012; it should still be safe.
A lot of people have gone back to 7.0a from early 2012, but I don't think that's necessary.
As for the 7.2 that's on its website now, though, who knows whether it's safe.

[Quoting c****i's post]
: There's a lot of chatter online, with every theory imaginable.
: Is 7.1a safe?

a*o
Posts: 19981
4
I've got 6.3 from 2009, heh.

[Quoting i***l's post]
: I'm using the 7.1a I downloaded in 2012; it should still be safe.
: A lot of people have gone back to 7.0a from early 2012, but I don't think that's necessary.
: As for the 7.2 that's on its website now, though, who knows whether it's safe.

n****1
Posts: 1136
5
If they'd known this would happen, why not open-source it early? If it were already open source, an NSL couldn't have done anything to it.
Contrary to popular belief, TrueCrypt was not free open source. Different
parts of the program were licensed under different conditions by different
authors. Many parts of the code base are under source-available license
terms which means that the code is public for review, but modifications and
redistribution are not permitted. This means that a fork of the TrueCrypt
project isn't legally possible without the permission of the authors of the
non-free sections.
x***4
Posts: 1815
6
Can I just write my own RSA code for my own use?

[Quoting n****1's post]
: If they'd known this would happen, why not open-source it early? If it were already open source, an NSL couldn't have done anything to it.
: Contrary to popular belief, TrueCrypt was not free open source. Different
: parts of the program were licensed under different conditions by different
: authors. Many parts of the code base are under source-available license
: terms which means that the code is public for review, but modifications and
: redistribution are not permitted. This means that a fork of the TrueCrypt
: project isn't legally possible without the permission of the authors of the
: non-free sections.

n****1
Posts: 1136
7
Why write your own? You can use gpg/openpgp/openssl directly to encrypt individual files, and they're all easy to use cross-platform; there are even versions on Android.
Where TrueCrypt shines is block-level encryption, which is very hard to do on Windows.

[Quoting x***4's post]
: Can I just write my own RSA code for my own use?

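As an added example (not code from the thread), here is the kind of per-file encryption post 7 has in mind, done with the openssl CLI. It assumes `openssl` 1.1.1 or newer is on PATH; the file names, passphrase and MAC key are constructed. Because `openssl enc` gives confidentiality only, the example stores an HMAC beside the ciphertext and refuses to decrypt anything that fails the check.

```shell
#!/bin/sh
# Added example, not code from the thread: encrypting one file with the
# openssl CLI, the kind of alternative post 7 points at. Assumes `openssl`
# (1.1.1 or newer, for -pbkdf2) is on PATH; file names, passphrase and MAC
# key below are constructed. The passphrase is read from the environment
# (-pass env:) so it never appears on the command line.

# AES-256-CBC with a PBKDF2-derived key. `openssl enc` provides
# confidentiality only, so an HMAC over the ciphertext is stored beside it
# for integrity. openssl dgst only takes the MAC key as an argument, which is
# visible in the process list while it runs; keep it separate from the
# passphrase, and on shared hosts prefer a tool with built-in authentication.
encrypt_file() {  # $1 = plaintext path, $2 = ciphertext path
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE || return 1
    openssl dgst -sha256 -r -hmac "$FILE_MAC_KEY" "$2" | cut -d' ' -f1 > "$2.hmac"
}

# Verify the tag before decrypting; a modified ciphertext is refused (exit 2)
# instead of being decrypted into garbage.
decrypt_file() {  # $1 = ciphertext path, $2 = output path
    want=$(cat "$1.hmac") || return 2
    got=$(openssl dgst -sha256 -r -hmac "$FILE_MAC_KEY" "$1" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || { echo "integrity check failed: $1" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# Self-check: returns 0 when a constructed file survives the round trip and
# a ciphertext with one byte appended is rejected by the integrity check.
selfcheck() {
    dir=$(mktemp -d) || return 1
    FILE_PASSPHRASE='constructed-example-passphrase'; export FILE_PASSPHRASE
    FILE_MAC_KEY='constructed-example-mac-key'
    printf 'constructed secret line\n' > "$dir/plain.txt"
    encrypt_file "$dir/plain.txt" "$dir/plain.enc" || return 1
    decrypt_file "$dir/plain.enc" "$dir/back.txt" || return 1
    cmp -s "$dir/plain.txt" "$dir/back.txt" || return 1
    # The ciphertext must not leak the plaintext marker.
    if grep -q 'constructed secret' "$dir/plain.enc"; then return 1; fi
    printf 'X' >> "$dir/plain.enc"            # tamper with the ciphertext
    rc=0; decrypt_file "$dir/plain.enc" "$dir/back2.txt" 2>/dev/null || rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 2 ]
}

selfcheck && echo "round trip ok, tampered ciphertext rejected"
```

This is file-level protection only: file names, sizes and the existence of the encrypted files remain visible, which is exactly what the block-level encryption the post attributes to TrueCrypt hides.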
l*******b
Posts: 2586
8
Who knows how many bugs the NSA has planted in open source software, heh...

[Quoting n****1's post]
: Why write your own? You can use gpg/openpgp/openssl directly to encrypt individual files, and they're all easy to use cross-platform; there are even versions on Android.
: Where TrueCrypt shines is block-level encryption, which is very hard to do on Windows.

i***l
Posts: 9994
9
Surely not. Everybody is watching.

[Quoting l*******b's post]
: Who knows how many bugs the NSA has planted in open source software, heh...
k**o
Posts: 15334
10
TrueCrypt was never that great anyway, all secretive about who knows what, not open source, and with plenty of bugs. I don't know why it became the most famous one. Maybe because it's the most full-featured: it can do both disk and file encryption, whereas the other software I've seen splits those two functions into separate products.
n****1
Posts: 1136
11
Which programs can do disk encryption?

[Quoting k**o's post]
: TrueCrypt was never that great anyway, all secretive about who knows what, not open source, and with plenty of bugs. I don't know why it became the most famous one. Maybe because it's the most full-featured: it can do both disk and file encryption, whereas the other software I've seen splits those two functions into separate products.

i***l
Posts: 9994
12
It is open source; it's just that others aren't allowed to modify the source code, so it isn't open source software in the usual sense, because normally open source allows modification. Its source code is visible to everyone, so there's no problem there.
The only place something could be off is whether there's any funny business during compilation. Wasn't there an audit a while back? Apparently the first phase found no problems.

[Quoting k**o's post]
: TrueCrypt was never that great anyway, all secretive about who knows what, not open source, and with plenty of bugs. I don't know why it became the most famous one. Maybe because it's the most full-featured: it can do both disk and file encryption, whereas the other software I've seen splits those two functions into separate products.

k**o
Posts: 15334
13
diskcryptor

[Quoting n****1's post]
: Which programs can do disk encryption?
f****p
Posts: 18483
i***l
Posts: 9994
15
http://truecrypt.ch
The old versions are still safe in themselves. Hopefully a new version gets forked from it later.
Bitlocker almost certainly has a backdoor; I never use it anyway. Just look at what people say about it online.

[Quoting f****p's post]
: http://truecrypt.sourceforge.net/
: Just use bitlocker

l*******b
Posts: 2586
16
It's sitting right there, but the question is how many people actually have a reason to go read tens of thousands or hundreds of thousands of lines of code. And if they did, could they make sense of it? The key parts aren't commented, so you can't understand them at all. For something like cryptography, once you add a bit of algorithm, it's basically like reading scripture. Probably hardly anyone can actually figure it out, and those who can have mostly been recruited by agencies like the NSA. Heh heh heh.
Whether you can plant a bug really depends on whether you can get past the author. The simplest way is to buy the author off. If you can't buy them, you play hardball; that's the real nature of this incident.
The internet age is a giant brainwashing campaign under the banner of freedom. Whether you get brainwashed is up to you. Freedom is not for free.

[Quoting i***l's post]
: Surely not. Everybody is watching.
i***l
Posts: 9994
17
A lot of people think the way you do, which is exactly why someone set out to audit TrueCrypt's code. I think a Johns Hopkins professor led it. The first phase is finished and no backdoor was found. They're now working on the second phase, the analysis of the algorithms.
I think TrueCrypt got shut down this time because the authors refused to bow to N3A pressure to add a backdoor, and so decided to destroy their own work.
It's all speculation at this point; wait for the final audit result. If you think TrueCrypt is insecure, go use an alternative. By your logic, all open source software very likely has backdoors. I think that's basically impossible. There are still plenty of software authors in the US and Europe with a spirit of giving.

[Quoting l*******b's post]
: It's sitting right there, but the question is how many people actually have a reason to go read tens of thousands or hundreds of thousands of lines of code. And if they did, could they make sense of it? The key parts aren't commented, so you can't understand them at all. For something like cryptography, once you add a bit of algorithm, it's basically like reading scripture. Probably hardly anyone can actually figure it out, and those who can have mostly been recruited by agencies like the NSA. Heh heh heh.
: Whether you can plant a bug really depends on whether you can get past the author. The simplest way is to buy the author off. If you can't buy them, you play hardball; that's the real nature of this incident.
: The internet age is a giant brainwashing campaign under the banner of freedom. Whether you get brainwashed is up to you. Freedom is not for free.

l*******b
Posts: 2586
18
Having a backdoor doesn't stop you from using it. A system runs so much software that one backdoor is enough. If the NSA wants to look, fine, let them look.
Isn't using Google search the same? Google not only knows what you know, it also knows what you don't know, which is clearly a level up. So are you going to stop using Google?...

[Quoting i***l's post]
: A lot of people think the way you do, which is exactly why someone set out to audit TrueCrypt's code. I think a Johns Hopkins professor led it. The first phase is finished and no backdoor was found. They're now working on the second phase, the analysis of the algorithms.
: I think TrueCrypt got shut down this time because the authors refused to bow to N3A pressure to add a backdoor, and so decided to destroy their own work.
: It's all speculation at this point; wait for the final audit result. If you think TrueCrypt is insecure, go use an alternative. By your logic, all open source software very likely has backdoors. I think that's basically impossible. There are still plenty of software authors in the US and Europe with a spirit of giving.

i***l
Posts: 9994
l*******b
Posts: 2586
20
Can't be trusted. Has a software security audit ever been reliable?

[Quoting i***l's post]
: https://www.grc.com/misc/truecrypt/truecrypt.htm
i***l
Posts: 9994
21
You have the source code, you audit it line by line, and you still don't trust it. What would it take for you to trust it?

[Quoting l*******b's post]
: Can't be trusted. Has a software security audit ever been reliable?
l*******b
Posts: 2586
22
Something you wrote yourself, no more than a few hundred lines, actively maintained for a year or two, gone over five or six times, with no vulnerabilities ever found...
Is this obsessive-compulsive or what...

[Quoting i***l's post]
: You have the source code, you audit it line by line, and you still don't trust it. What would it take for you to trust it?
D*******r
Posts: 7
23
All this hassle just to hide a few porn videos?

[Quoting l*******b's post]
: Something you wrote yourself, no more than a few hundred lines, actively maintained for a year or two, gone over five or six times, with no vulnerabilities ever found...
: Is this obsessive-compulsive or what...

l*******b
Posts: 2586
24
Who needs to hide porn...

[Quoting D*******r's post]
: All this hassle just to hide a few porn videos?
L***s
Posts: 1148
25
The compiler could have a backdoor too, so the released binaries could be unreliable as well.
Unless you audit the source yourself and then compile it yourself with a compiler you trust.

[Quoting i***l's post]
: You have the source code, you audit it line by line, and you still don't trust it. What would it take for you to trust it?
L***s
Posts: 1148
26
http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_d
This theory seems the most plausible:
Would be almost too obvious, right?
Here's a fun scenario:
1. Audit shows there are no vulnerabilities
2. NSA pressures the developers into halting the project and putting up a
website with detailed instructions on how to switch to software with
approved backdoors
3. Developers follow the instructions as closely as possible but make
absolutely no effort to make it seem believable, knowing that everyone with
so much as a passing interest in cryptography isn't going to buy it
Edit: I'm torn between that and a hack. Many people would need to be
silenced in order to make this crap believable at all.
L***s
Posts: 1148
27
Nobody has posted this yet?
http://lavabit.com/
May 20th, 2014
My Fellow Citizens,
My legal saga started last summer with a knock at the door, behind which
stood two federal agents ready to serve me with a court order requiring the
installation of surveillance equipment on my company’s network.
My company, Lavabit, provided email services to 410,000 people, and thrived
by offering features specifically designed to protect the privacy and
security of its customers. I had no choice but to consent to the
installation of their device, which would have provided the government with
access to all of the messages, for all of my customers, as they travelled to
and from other providers on the Internet.
But that wasn’t enough. The federal agents also said their court order
required me to surrender the company’s private encryption keys, and I
balked. What they claimed to need were customer passwords, which were sent
securely, so they could access the plain-text of messages for users taking
advantage of my company’s encrypted storage feature. (The government would
later claim they only demanded the encryption keys because of my "noncompliance".)
I didn’t realize until I retained an attorney that what
the agents proposed would have exceeded their authority.
Bothered by what the agents were saying, I informed them I would first need
to read the order they had just delivered and then consult with an attorney.
The feds seemed surprised by my hesitation.
What ensued was a flurry of legal proceedings that would last 38 days. When
the dust settled I found myself the owner of a $10,000 civil contempt fine,
my business shut down, and bit by bit, the very principle upon which I
founded it – that we all have a right to personal privacy, slipping quickly
away. (To appreciate just how fast the case moved, consider the median
timeframe for a similar proceeding was 9.7 months in 2012.)
The government lawyers tried to overwhelm me. In the first two weeks, I was
served court orders a total of seven times – leading to contact with the
FBI every other day. (This was the stretch a prosecutor would later
characterize as the "long period of silence".) It took a week for me to
identify an attorney who could adequately represent me given the complex
issues involved – and we were in contact for less than a day when agents
served me with a summons ordering me to appear in a Virginia courtroom (over
1,000 miles from home). Two days later, after admitting their demand to my
lawyer, I was served a subpoena for the encryption keys – also marking the
first time they put their demand in writing.
With such short notice, my first attorney was unable to appear alongside me
in court. Because the whole case was under seal, I couldn't admit to anyone
who wasn't a lawyer that I needed help, let alone why. In the days before my
appearance I would spend hours repeating the facts of the case to a dozen
attorneys, as I sought someone else that was qualified to represent me. I
also discovered that as a third party in a federal criminal indictment, I
had no right to counsel. Thus my pleas for more time were denied. After all,
only my property was in jeopardy – not my liberty. My right to a “fair
hearing” was treated as a nuisance, easily trampled by a team of determined
prosecutors. In the end, I was forced to choose between appearing alone, or
face a bench warrant for my arrest.
When I appeared in Virginia, the government replaced their subpoena for the
encryption key with a search warrant and a new court date. I retained a
small local law firm before returning home, and they took on the task of
assembling a legal strategy and filing briefs in the few short days
available. The court barred them from consulting outside experts, making it
difficult to understand the complex legal and technological issues involved.
Even a request to discuss the case with members of Congress was denied. To
make matters worse, the court wouldn’t deliver transcripts for my first
appearance for another two months. My legal team was forced to proceed
without access to information they needed.
Then, a federal judge entered an order of contempt against me – without
even a hearing. Let me be clear. I did not devote 10 years of my life to
building Lavabit, with its focus on privacy, only to become complicit in a
plan which would have meant the wholesale violation of my customers’ right
to privacy. Thus with my options in court exhausted, the decision was easy.
I had to shut down my service. Placing my faith in the integrity of the
appeals process.
When the judge granted the contempt charge unopposed – ignoring my
attorney’s request to dispute the government’s claims – he created a loophole. I
was never given an opportunity to object, let alone provide a meaningful
defense. An important point, since the contempt charge endorsed new legal
claims – reversing what the court had previously indicated. Without an
objection on the record, the appellate court would rule that my right to an
appeal had been waived – since the charges hadn’t been disputed in
district court. Given the Supreme Court’s tradition of declining to review
cases decided on procedural grounds, I will likely be denied justice,
forever.
The most important question raised by my appeal was what constitutes a
"search," i.e., whether law enforcement may demand the encryption keys of a
business and use those keys to inspect the private communications of every
customer, when they are only authorized to access information belonging to a
select few.
The problem here is technological: until a communication has been decrypted
and the contents parsed, it is impossible for a surveillance device to
determine which network connections belong to the targeted accounts. The
government argued that since the "inspection" would be carried out by a
machine, they were exempt from the normal search-and-seizure protections of
the fourth amendment.
More importantly, the prosecution argued the exemption was because my users
had no expectation of privacy, even though the encryption they were trying
to break was created specifically to ensure a user's privacy.
If my experience serves any purpose, it is to illustrate what most already
know: our courts must not be allowed to consider matters of great importance
in secret, lest we find ourselves summarily deprived of meaningful due
process. If we allow our government to continue operating in secret, it is
only a matter of time before you or a loved one find yourself in a position
like I was – standing in a secret courtroom, alone, and without any of the
unalienable rights that are supposed to protect us from an abuse of the
state’s authority.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC
With my fight in court all but lost, I am focusing my attention on a
technical fix. Help me put control over who reads your email back into your
hands. Donate to the Lavabit Dark Mail Development Initiative today. Because
keeping your business your business is our business.
N*****m
Posts: 42603
28
Just curious: if a programmer develops on a site abroad, can the NSA still reach them?

[Quoting L***s's post]
: Nobody has posted this yet?
: http://lavabit.com/
: May 20th, 2014
: My Fellow Citizens,
: My legal saga started last summer with a knock at the door, behind which
: stood two federal agents ready to serve me with a court order requiring the
: installation of surveillance equipment on my company’s network.
: My company, Lavabit, provided email services to 410,000 people, and thrived
: by offering features specifically designed to protect the privacy and
: security of its customers. I had no choice but to consent to the

J*********n
Posts: 6974
29
The government is shameless. Heaven will destroy the CCP.
B*D
Posts: 5016
30
If it's an allied country, then it goes through official channels.
If it's a hostile country, it's a bit more trouble: for a small country, when buying people off or buying the company doesn't work, they just send someone to install a backdoor on the company's internal servers; for a peer country like China, all the DOJ can do is talk tough.

[Quoting N*****m's post]
: Just curious: if a programmer develops on a site abroad, can the NSA still reach them?
