[dm-crypt] Question about backdoors and the NSL

[dm-crypt] Question about backdoors and the NSL

[web1bastler]

[-- Attachment #1: Type: text/plain, Size: 866 bytes --]

Hello dear cryptsetup team,


I want to ask if you received a national security letter because I want to know if my LUKS encrypted volumes are still safe.


I heard about what happened to True Crypt just recently and there has been some speculation whether the developer has gotten a nsl or something else.

I knew for quite a time that American agencies such as the NSA ask developers to build in backdoors into their encryption programs or even HW encryption chips.

I think it’s ridiculous that those agencies get so many rights that they can even stomp on the freedom of a person in a different country which is totally not democratic.

So I want to know if my sensitive data is still safe on a LUKS encrypted volume.


I’m thanking you in advance and it would be nice if you could reply in about 1-2 weeks


Yours sincerely,

web1bastler

[-- Attachment #2: Type: text/html, Size: 1996 bytes --]

Re: [dm-crypt] Question about backdoors and the NSL

[Arno Wagner]

Hi,

On Fri, May 30, 2014 at 11:07:12 CEST, web1bastler@googlemail.com wrote:
> Hello dear cryptsetup team,
>  
> I want to ask if you received a national security letter because I want to
> know if my LUKS encrypted volumes are still safe. 

First, you should know that your question is not very bright.
Recipients of valid NSLs are not allowed to talk about them or 
admit they have gotten one. Hence what do you expect as answer if
there were an NSL?

But second, Milan and I are not located in the US, so I doubt
that they could legally give either of us an NSL and even if
they did, I doubt it would have any effect. But please notice
that I am not answering your question, to be sure you have to 
verify what I just said yourself.
 
> I heard about what happened to True Crypt just recently and there has been
> some speculation whether the developer has gotten a nsl or something else.
>
> I knew for quite a time that American agencies such as the NSA ask
> developers to build in backdoors into their encryption programs or even HW
> encryption chips.
> 
> I think it’s ridiculous that those agencies get so many rights that they
> can even stomp on the freedom of a person in a different country which is
> totally not democratic.
> 
> So I want to know if my sensitive data is still safe on a LUKS encrypted
> volume.

It should be. But also note that it depends on more than cryptsetup.
cryptsetup is just a set-up front-end from dm-crypt and the kernel
encryption code. On the other hand, the only thing that could have
a relvant backdoor there is the crypto-RNG, and there is reson to
believe the kernel folks are taking that one pretty serious and
it likely is not compromised.

Arno
  
> I’m thanking you in advance and it would be nice if you could reply in
> about 1-2 weeks
> 
> 
> Yours sincerely,
> 
> web1bastler

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato

Re: [dm-crypt] Question about backdoors and the NSL

[Milan Broz]

On 05/30/2014 03:13 PM, Arno Wagner wrote:
> On Fri, May 30, 2014 at 11:07:12 CEST, web1bastler@googlemail.com wrote:
>> Hello dear cryptsetup team,
>>  
>> I want to ask if you received a national security letter because I want to
>> know if my LUKS encrypted volumes are still safe. 
> 
> First, you should know that your question is not very bright.
> Recipients of valid NSLs are not allowed to talk about them or 
> admit they have gotten one. Hence what do you expect as answer if
> there were an NSL?
> 
> But second, Milan and I are not located in the US, so I doubt
> that they could legally give either of us an NSL and even if
> they did, I doubt it would have any effect. But please notice
> that I am not answering your question, to be sure you have to 
> verify what I just said yourself.

Exactly.

Cryptsetup is opensource under clear license, every meaningful
and independent audit is welcome of course.

...

>> So I want to know if my sensitive data is still safe on a LUKS encrypted
>> volume.
> 
> It should be. But also note that it depends on more than cryptsetup.
> cryptsetup is just a set-up front-end from dm-crypt and the kernel
> encryption code. On the other hand, the only thing that could have
> a relvant backdoor there is the crypto-RNG, and there is reson to
> believe the kernel folks are taking that one pretty serious and
> it likely is not compromised.

Also I am releasing and signing source code only, so you have to trust
distro maintainers as well which are compiling the code.

Milan

Re: [dm-crypt] Question about backdoors and the NSL

[ken]

On 05/30/2014 09:13 AM Arno Wagner wrote:
> Hi,
>
> On Fri, May 30, 2014 at 11:07:12 CEST, web1bastler@googlemail.com wrote:
>> ....
>> I knew for quite a time that American agencies such as the NSA ask
>> developers to build in backdoors into their encryption programs or even HW
>> encryption chips.
>>
>> I think it’s ridiculous that those agencies get so many rights that they
>> can even stomp on the freedom of a person in a different country which is
>> totally not democratic.
>>
>> So I want to know if my sensitive data is still safe on a LUKS encrypted
>> volume.
>
> It should be. But also note that it depends on more than cryptsetup.
> cryptsetup is just a set-up front-end from dm-crypt and the kernel
> encryption code. On the other hand, the only thing that could have
> a relvant backdoor there is the crypto-RNG, and there is reson to
> believe the kernel folks are taking that one pretty serious and
> it likely is not compromised.
> ....

Julian reported <http://tinyurl.com/2know-src> that agency in question 
has a budget of $350M to corrupt developers into introducing backdoors 
into code.  I read decades ago that this same agency had a "slush fund" 
of $20B for whatever purpose they wanted and we would imagine that over 
the years it's just gotten much larger, in effect, may well have become 
unlimited funds to carry out whatever they believe their mission is. 
How many developers could resist a large suitcase full of cash in 
exchange for their principles?  (A lot of them, I would hope.  All of 
them...? not so sure.)

For this reason there should be (1) archived records of who introduced 
what code into software (both FOSS and proprietary), (2) *many* more 
eyes reviewing code in order to find and eliminate vulnerabilities, and 
(3) much more documentation within the code to make it less obscure and 
more readable by those others' eyes.