DM-Crypt Archive on lore.kernel.org
From: ken <gebser@mousecar.com>
To: dm-crypt <dm-crypt@saout.de>
Subject: Re: [dm-crypt] Question about backdoors and the NSL
Date: Fri, 30 May 2014 12:14:37 -0400
Message-ID: <5388AE6D.20406@mousecar.com>
In-Reply-To: <20140530131326.GA21263@tansi.org>

On 05/30/2014 09:13 AM Arno Wagner wrote:
> Hi,
>
> On Fri, May 30, 2014 at 11:07:12 CEST, web1bastler@googlemail.com wrote:
>> ....
>> I knew for quite a time that American agencies such as the NSA ask
>> developers to build in backdoors into their encryption programs or even HW
>> encryption chips.
>>
>> I think it’s ridiculous that those agencies get so many rights that they
>> can even stomp on the freedom of a person in a different country which is
>> totally not democratic.
>>
>> So I want to know if my sensitive data is still safe on a LUKS encrypted
>> volume.
>
> It should be. But also note that it depends on more than cryptsetup.
> cryptsetup is just a set-up front-end from dm-crypt and the kernel
> encryption code. On the other hand, the only thing that could have
> a relevant backdoor there is the crypto-RNG, and there is reason to
> believe the kernel folks are taking that one pretty seriously and
> it likely is not compromised.
> ....

Julian reported <http://tinyurl.com/2know-src> that the agency in question
has a budget of $350M to corrupt developers into introducing backdoors 
into code.  I read decades ago that this same agency had a "slush fund" 
of $20B for whatever purpose they wanted and we would imagine that over 
the years it's just gotten much larger, in effect, may well have become 
unlimited funds to carry out whatever they believe their mission is. 
How many developers could resist a large suitcase full of cash in 
exchange for their principles?  (A lot of them, I would hope.  All of 
them...? not so sure.)

For this reason there should be (1) archived records of who introduced 
what code into software (both FOSS and proprietary), (2) *many* more 
eyes reviewing code in order to find and eliminate vulnerabilities, and 
(3) much more documentation within the code to make it less obscure and 
more readable by those others' eyes.
