Old 01-12-2004, 05:53 PM   #1
Alexander Turcic
Fully Converged
Posts: 18,163
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
Encrypting & Securing your data: Open- or Closed-Source?

For the past few days I've been keenly following a particular thread on alt.security.scramdisk, a newsgroup that was originally dedicated to the open-source virtual disk volume encryption Scramdisk. As of November 2001, Scramdisk has been superseded by a closed-source version, DriveCrypt.

The question that nowadays troubles most people in this newsgroup is: If you want security, can you trust a closed-source product such as DriveCrypt to securely protect your sensitive data? DriveCrypt includes dozens of enhancements to Scramdisk, but you no longer have access to the underlying source code. The programmer, Shaun Hollingworth, gives his word that there is no backdoor in his product; but would you trust anyone's word to feel secure in protecting your data? As someone at alt.security.scramdisk wisely expressed it: Collective mind is much more effective against programming screw-ups than a single, even very bright mind.

In the Microsoft Windows world, open-source security products such as Scramdisk are rare - this is especially the case if you are looking for products still being updated, which would also work under Windows XP.

My advice has always been to refuse to trust security programs that do not publish the source code.

My current preferred method to secure sensitive data is to:
  • use a dedicated workstation (an archaic Pentium 3 600 is enough)
  • install FreeBSD 5.x
  • create a GBDE-GEOM-encrypted partition
  • mount, if necessary, the encrypted partition via Samba to my local Windows network.
If you are interested, I can supply you with some more feedback.

Greets
Alex
Old 01-15-2004, 05:12 AM   #2
Unregistered
Nameless Being
 
Quote:
Originally Posted by Alexander
For the past few days I've been keenly following a particular thread on alt.security.scramdisk, a newsgroup ...
I also follow this newsgroup, and one user post seems to express exactly what most of us are thinking:
Quote:
> >Shaun Hollingworth wrote:
> >> Not making money, simply earning a living.... Though that seems to be
> >> a crime for some people nowadays..
> >> The source is still out there for Scramdisk. Install it on a Win98/ME
> >> machine and use that...
> >But if we're using 2000/XP that's not an option is it
> No, but the impression I get is that you think I should be obliged to
> provide an open source version of the software....

Not at all.

You can do whatever works best for you.

We're discussing OUR options with respect to available
encryption software.

Since none of the currently available WinXP software is open
source, that discussion is theoretical, at least until such
software becomes available. When and if it does, many of us
will apparently migrate to that.

In the meantime, DriveCrypt requires product activation;
BestCrypt, Steganos, Dekart, and PGPDisk do not.

In the meantime, DriveCrypt issues expiring keys to purchasers;
BestCrypt, Steganos, Dekart, and PGPDisk do not.

In the meantime, DriveCrypt is managed by an individual who's
been convicted of fraud; BestCrypt, Steganos, Dekart, and
PGPDisk (AFAIK) are not. I note a claim on the
SecurStar 'Reference' page that at least one government agency
with which I'm very familiar uses SecurStar products; that
agency, as do most government agencies, explicitly forbids the
use of unapproved, closed source encryption software. You may
have found individual employees of such agencies who use your
products for personal home use, but implying that the agency
involved endorses your software, without any supporting
evidence, is disingenuous at best.

Those aren't very good recommendations for a product that
depends on the "Trust me, I know what I'm doing" model.

http://www.interhack.net/people/cmcu...e-oil-faq.html

``Trust Us, We Know What We're Doing''

Perhaps the biggest warning sign of all is the ``trust us, we
know what we're doing'' message that's either stated directly or
implied by the vendor. If the vendor is concerned about the
security of their system after describing exactly how it works,
it is certainly worthless. Regardless of whether or not they
tell, smart people will be able to figure it out. The bad guys
after your secrets (especially if you are an especially
attractive target, such as a large company, bank, etc.) are not
stupid. They will figure out the flaws. If the vendor won't tell
you exactly and clearly what's going on inside, you can be sure
that they're hiding something, and that the only one to suffer
as a result will be you, the customer.
Old 02-03-2004, 07:22 AM   #3
Alexander Turcic
Great news ahead!

Two (!) open-source on-the-fly encryption products are heading towards Windows users

1.
Quote:
X-Abuse-Report: abuse@teranews.com
Message-ID: <2712cd2944b778683bedc30a7292889d@news.teranews.com>
Date: Mon, 02 Feb 2004 14:06:45 GMT
Lines: 18
Newsgroups: alt.security.scramdisk
Subject: New free open-source on-the-fly encryption system for Windows XP/2000/98 released
From: TrueCrypt Team <tmp0402@truecrypt.org>
Organization: truecrypt.org
User-Agent: Xnews/5.04.25


TrueCrypt 1.0 Released

February 2, 2004

We are proud to announce that TrueCrypt 1.0 has been released today.
To our best knowledge, it is currently the only free open-source
on-the-fly encryption software capable of encrypting partitions
larger than 2 GB under Windows XP/2000. On Windows XP/2000, it is
also the only open-source on-the-fly encryption system that offers
plausible deniability. It can either encrypt entire partitions or
devices, or it can create virtual encrypted disks within files.
TrueCrypt is based on (and might be considered a sequel to) a
discontinued product called Encryption for the Masses (E4M) by Paul
Le Roux. The differences between E4M and TrueCrypt include plausible
deniability, Windows XP support, significant increase in the volume
size limit, improved sector scrambling algorithm and many more.
For more information, please visit http://www.truecrypt.org
2.
Quote:
From: stefan scherrer <stefan.news@scherrer.cc>
Newsgroups: alt.security.scramdisk
Subject: NoName linux compatible gnu on the fly entcryption system
Date: Tue, 03 Feb 2004 00:25:37 +0100
Lines: 36
Message-ID: <bvmmc5$u0k12$1@ID-220741.news.uni-berlin.de>
NNTP-Posting-Host: 194-208-137-068.tele.net (194.208.137.68)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: news.uni-berlin.de 1075764421 31477794 194.208.137.68 ([220741])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7a) Gecko/20040128
X-Accept-Language: en-us, en


Features:

TwoFish (Suse) linux loop device compatible.

ContainerFiles. Fat / ntfs (Should work with containers on network shares.)

CD Format is supported. (This was my main goal so I can read CD's
encrypted under linux with windows). You can mount unencrypted iso
images as well (as IE DaemonTools replacement ).

if someone has an idea how to name this project or wants to testdrive it
please let me know..

mfg,
Stefan

PS: maybe I should join forces with the TrueCrypt team, But my goal is
to stay linux compatible. So i can go with ever OS I want without having
to worry.

PPS: It will have a GNU license.

Next Targets:
*) finding a name ...
*) finding some beta testers (please write a email simply remove .news
*) making a small website for faq and so on..
*) making a tool for creating encrypted iso images. ready to burn
*) maybe a gui.
*) implement loop-aes
Now I really wonder what SecurStar & Co are doing next. At least I don't care about them!
Old 02-03-2004, 11:45 AM   #4
sas
Enthusiast
Posts: 26
Karma: 42
Join Date: Mar 2003
Device: T650 & T/T3
Alexander, this is great news. I do miss ScramDisk, though the whole concept of storing really sensitive personal information on anything else than a PDA is nowadays strange for me. Still, one should be able to protect his data also on a PC, which brings me back to the original question. Most people /including myself/ are not programmers. Even if I see the code, I can't understand if it is secure or not. Some people, including us, believe that if it is open source, and no one found anything doubtful - it should be more reliable than some company's claim that 'everything is OK'. But most users want phone & customer support more than widely tested features. And from this point of view - a closed-source single-company product has advantages over an open-source, but not so user-friendly supported one. And the ideal combination is too rare....

BTW - the link to truecrypt does not work for me - is it only me?
Old 02-03-2004, 12:47 PM   #5
Alexander Turcic
Doesn't work for me either. Some people on the scramdisk newsgroup were able to download it before the site became unavailable - let's hope it comes back soon or that someone at least puts a mirror out.
Old 02-03-2004, 12:57 PM   #6
Alexander Turcic
Quote:
Originally Posted by sas
Most people /including myself/ are not programmers. Even if I see the code, I can't understand if it is secure or not. Some people, including us, believe that if it is open source, and no one found anything doubtful - it should be more reliable than some company's claim that 'everything is OK'. But most users want phone & customer support more than widely tested features. And from this point of view - a closed-source single-company product has advantages over an open-source, but not so user-friendly supported one.
This has been an ongoing discussion on the scramdisk newsgroup, and of course, Drivecrypt (closed-source) - fans have been arguing along these lines.

However, trust me, there are always people who actually review the code of open-source security applications (I am one of them).

Open-source itself might not be the guarantee for a backdoor-/bug-free application - but it is definitely the prerequisite!

In the case of DriveCrypt for example, you have no way of knowing
a) whether it is bug-free (if it contains a nasty bug compromising its security - how would you know?)
b) whether it contains a back-door (I don't give much for promises of a profit company)

Also, one example that open-source security code actually gets closely scrutinized:

GBDE-GEOM based encryption in FreeBSD 5.x (see my first post of this thread).

GBDE was reviewed by two very well respected cryptographers - Dr David Wagner from Berkeley U and Lucky Green.
Old 02-03-2004, 02:01 PM   #7
Colin Dunstan
Is papyrophobic!
Posts: 1,926
Karma: 1009999
Join Date: Aug 2003
Location: USA
Device: Dell Axim
There is a mirror for TrueCrypt V1.0.

Note that supposedly V1.0a is already out; the mirror also doesn't include the source code.

Let's see how long it takes for Truecrypt.org to come back!
Old 02-04-2004, 04:49 AM   #8
Alexander Turcic
OK, I know why http://www.truecrypt.org has been unreachable for the past 48 hours. Wilfried Hafner, CEO of SecurStar (Drivecrypt), has been threatening them by legal means! How much I despise SecurStar! Here is the official news:

Quote:
X-Abuse-Report: abuse@teranews.com
Message-ID: <a7b8b26d77f67aa7c5cc3f55b84c3975@news.teranews.com>
Date: Wed, 04 Feb 2004 00:17:40 GMT
Lines: 40
Newsgroups: alt.security.scramdisk
Subject: P. Le Roux (author of E4M) accused by W.Hafner (SecurStar)
From: TrueCrypt Team <tmp0402c@truecrypt.org>
Organization: TrueCrypt Team
User-Agent: Xnews/5.04.25



February 3, 2004

In the last two days, we have been receiving e-mails from Wilfried
Hafner, manager of SecurStar. In the e-mails he repeatedly accuses
Paul Le Roux, the author of Encryption for the Masses (E4M), of the
following:

1) Intellectual property theft, stealing the source code of E4M
from SecurStar (as an employee of SecurStar)

2) Writing an illegal license that permits anyone to base his/her
own work on E4M and distribute such modified work (while, according
to W. Hefner, P. Le Roux did not have any right to do so).

3) Distributing E4M illegally (according to W. Hefner, all versions
of E4M always belonged only to SecurStar)


These statements have been made to make us stop developing and
distributing TrueCrypt, which is based on E4M 2.02a.

As we have a strong suspicion that these statements are false, we
e-mailed Paul Le Roux and asked him to clear up this issue. Paul, we
would also appreciate if you could post a statement to this newsgroup
and sign it with the PGP key used to sign the archives containing
the original E4M 2.02a source code. The PGP key properties:


Name: Software Professionals <info@swprofessionals.com>
ID: 0xE7959B99
Fingerprint: B37D C864 9437 CD4D C313 9DC9 60E9 73E4
Type: RSA Legacy
Created: December 15, 1998


TrueCrypt distribution is suspended, until this issue is resolved.


Members of TrueCrypt Team
Old 02-04-2004, 04:51 AM   #9
Alexander Turcic
The license of E4M looks pretty clear to me, no idea how SecurStar could claim any ownership over it (any attorney here?)
Quote:
License agreement for Encryption for the Masses.

Copyright (C) 1998-2000 Paul Le Roux. All Rights Reserved.

This product can be copied and distributed free of charge, including
source code.

You may modify this product and source code, and distribute such
modifications,
and you may derive new works based on this product, provided that:

1. Any product which is simply derived from this product cannot be
called E4M, or Encryption for the Masses.

2. If you use any of the source code in your product, and your product
is distributed with source code, you must include this notice with
those portions of this source code that you use.

Or,

If your product is distributed in binary form only, you must display
on any packaging, and marketing materials which reference
your product, a notice which states:

"This product uses components written by Paul Le Roux
<pleroux@swprofessionals.com>"

3. If you use any of the source code originally by Eric Young, you must
in addition follow his terms and conditions.

4. Nothing requires that you accept this License, as you have not
signed it. However, nothing else grants you permission to modify or
distribute the product or its derivative works.

These actions are prohibited by law if you do not accept this License.

5. If any of these license terms is found to be to broad in scope, and
declared invalid by any court or legal process, you agree that all other
terms shall not be so affected, and shall remain valid and enforceable.

6. THIS PROGRAM IS DISTRIBUTED FREE OF CHARGE, THEREFORE THERE IS NO
WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. UNLESS OTHERWISE
STATED THE PROGRAM IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO
THE
QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.

7. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM, INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS, EVEN IF SUCH HOLDER OR OTHER PARTY HAD PREVIOUSLY BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES.
Old 02-04-2004, 05:05 AM   #10
Alexander Turcic
On http://www.e4m.net, which is now owned by SecurStar, SecurStar itself talks about E4M being public (see taken screenshot, in case SecurStar takes down the text in near future).
Attached thumbnail: SS.gif
Old 02-04-2004, 07:16 AM   #11
Colin Dunstan
I am not surprised by SecurStar's response. I think their days are numbered...

I found the download link for the other open source otf-encryption tool mentioned, CrossCrypt. You can download it here.
Old 02-04-2004, 08:09 AM   #12
Colin Dunstan
Here is what Peter Gutmann (!!) initially said about the case:

Quote:
TrueCrypt Team <tmp0402c@truecrypt.org> writes:

>2) Writing an illegal license that permits anyone to base his/her
>own work on E4M and distribute such modified work (while, according
>to W. Hefner, P. Le Roux did not have any right to do so).

>3) Distributing E4M illegally (according to W. Hefner, all versions
>of E4M always belonged only to SecurStar)

Disclaimer: IANAL, and it's been a long time since I talked to one about this
sort of thing, so count this as just an opinion:

This would depend on the terms of the license that Paul signed with SecurStar.
From discussions over this many years ago, it's not possible to unilaterally
retroactively change a license in this manner (this is why you'll occasionally
find open-source apps based on formerly freely-available work that's gone
commercial building on really old code that was distributed under a more
liberal license). If the license that Paul signed with SecurStar explicitly
says that it supersedes all previous ones then it'd be more tricky and you'd
need to get a lawyer to look at it. I assume it's also going to be governed
by European law, which may rule out getting a US lawyer to comment on it (for
example Europe has a stronger concept of moral rights than the US, which may
help in this case since it affects an artist's ability to control future use
of their work).

You could always submit it to slashdot and get the peanut gallery's opinion
:-).

Peter.
Old 02-04-2004, 08:19 AM   #13
Alexander Turcic
Btw, if you want to reach truecrypt.org (their nameserver is down), you can do the following:

You must add this line to your hostfile WINDOWS\system32\drivers\etc\hosts:

65.161.144.72 www.truecrypt.org

Then you can access the page. Unfortunately, the downloads are disabled right now since SecurStar's ridiculous claim.
Old 02-04-2004, 08:24 AM   #14
Alexander Turcic
Quote:
Originally Posted by Morpheus
There is a mirror for TrueCrypt V1.0.

Note that supposedly V1.0a is already out; the mirror also doesn't include the source code.

Let's see how long it takes for Truecrypt.org to come back!
V1.0a is essentially the same as V1.0, however without Windows 9x/ME support. They removed the portions of the Windows 9x/ME driver source code by Aman, at his request (Aman = Shaun Hollingworth, creator of Scramdisk and employed at SecurStar).

Also note that you should be careful when you download Truecrypt from a mirror (especially in the case of the binary distribution). It could always contain a worm or virus.
Old 02-04-2004, 10:22 AM   #15
sas
Quote:
Originally Posted by Alexander

Open-source itself might not be the guarantee for a backdoor-/bug-free application - but it is definitely the prerequisite!
Totally agree. This is what I was trying to say

Morpheus, thank you for the link.

Quote:
Originally Posted by Alexander
Also note that you should be careful when you download Truecrypt from a mirror (especially in the case of the binary distribution). It could always contain a worm or virus.
How can you stamp / verify it? PGP keys? Certificates?
sas is offline   Reply With Quote
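On the question above of how a mirror download can be verified with PGP keys: the following is an added example, not part of the thread or of any project mentioned in it. It reads the machine-readable status lines that `gpg --status-fd` emits and accepts a file only when a valid signature comes from a key whose fingerprint was pinned in advance from a channel other than the mirror. The fingerprints and status lines are constructed sample data, and `verify_download` assumes GnuPG is installed with the publisher's key already imported.

```python
import subprocess

# Status keywords that mean the signature must not be relied on.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr):
    """Remove spaces and upper-case, so 'AAAA BBBB ...' equals 'aaaabbbb...'."""
    return "".join(fpr.split()).upper()


def signature_trusted(status_output, pinned_fpr):
    """Return True only if gpg reported a valid signature made by the pinned key.

    A bare "good signature" is not enough: whoever controls a mirror can sign a
    modified binary with a key of their own. The fingerprint has to match one
    obtained independently of the download location.
    """
    pinned = normalize_fpr(pinned_fpr)
    matched = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and args:
            # First argument: fingerprint of the key that made the signature.
            # Last argument: primary key fingerprint (differs for subkeys).
            if pinned in (args[0].upper(), args[-1].upper()):
                matched = True
    return matched


def verify_download(file_path, sig_path, pinned_fpr):
    """Run gpg on a detached signature and apply the check above."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True,
        text=True,
    )
    return proc.returncode == 0 and signature_trusted(proc.stdout, pinned_fpr)


# --- Constructed sample data (not real keys or real gpg output) ---
PINNED = "AAAA BBBB CCCC DDDD EEEE FFFF 1122 3344 5566 7788"

STATUS_PINNED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF1122334455667788 2004-02-02 1075730805 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF1122334455667788
"""

# Cryptographically valid, but made by a key nobody vouched for.
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Mirror Operator <mirror@example.net>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2004-02-03 1075817205 0 4 0 1 2 00 0000111122223333444455556666777788889999
"""

# File contents do not match the signature.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1122334455667788 Example Release Key <release@example.org>
"""

if __name__ == "__main__":
    for name, status in [("pinned key", STATUS_PINNED_KEY),
                         ("other key", STATUS_OTHER_KEY),
                         ("bad signature", STATUS_BAD)]:
        print(name, "->", signature_trusted(status, PINNED))
```

A checksum published on the same mirror as the binary gives no comparable assurance, because both can be replaced together.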