On Wed, 17 Jan 2007, Saqib Ali wrote:
[[addressed to Steven Bellovin, but copied to the whole list]]
> I would like to invite you to try out a Free FDE product called
> Compusec < http://www.ce-infosys.com/ >

If I have data that's valuable enough to need encryption, I'm going
to be nervous trusting it to closed-source software.  How do I know
that Compusec's cryto is done properly?  As Bruce Schneier has
famously said, to the user snake-oil crypto looks just like good
crypto -- both scramble the bits enough to look "random" to the eye.

In contrast, even though I haven't personally read the {linux,bsd}
crypto source code, lots of serious crypto geeks have, so I can be
a lot more confident that it's of at least reasonable quality.

Another issue is that closed-source crypto hardware/software has had
back doors planted in it in the past, either for "key recovery when
customers loose their keys", or after pressure by assorted government
agencies.  I'm sure the NSA could bribe someone to backdoor the Linux
kernel, but it would be really hard to keep this a secret when many
"uncontrolled" people get to browse the source code.


> After trying, please let me know if the distinction between "disk
> encryption" (e.g. TrueCrypt) and "full disk encryption" (e.g.
> Compusec) is insufficient.

For the above reasons, I wouldn't trust either of these.
I keep _my_ confidential files under Matt Blaze's CFS; any of the
other open-source {linux,bsd} cryptographic file systems would be
reasonable alternatives.

--
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html      
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to