Proprietary vs open-source encryption/security software

1








I just had an argument with colleagues about the usefulness of Microsoft BitLocker drive encryption for keeping representatives of the state (FBI etc.) out of data. They were convinced that vendors of proprietary software have backdoors in their algorithms which can be used in severe cases, i.e. suspicion of terrorism etc.



The alternative is of course TrueCrypt, because in theory, the code is open and can be reviewed by the public. In practice, even though I know the programming language, I do not have enough knowledge of the algorithm to be able to spot a possible backdoor or a feature which might give an advantage to a deliberate cryptographic attack. Does anyone know if the code has been reviewed by a trustworthy 3rd party? And if so, how is their trustworthiness established?



So, to come to the general questions:




  1. How would a company which really, really wants to keep their files completely secret decide upon their cryptographic solution? They cannot be 100% sure that BitLocker is safe, can they? However, would they in practice be able to make sure that TrueCrypt is?


  2. How would you estimate the chance that Microsoft and similar companies work with government agencies and give them an advantage to breaking their security so that it doesn't take 1000s of years to break (is that how long BitLocker should take)?











security open-source truecrypt bitlocker proprietary






edited Feb 15 '11 at 18:23
– Felix Dombek

asked Feb 15 '11 at 11:44
– Felix Dombek








  • 3





    "I know the programming language, I do not have enough knowledge of the algorithm to be able to spot a possible backdoor or a feature which might give an advantage to a deliberate cryptographic attack." Not a problem because there are probably hundreds of people around the world with that knowledge who are doing this for you.

    – Linker3000
    Feb 15 '11 at 12:01






  • 3





    Have you heard of the "Underhanded C contest"? If there was a deliberate falsification in it, there is no guarantee that anyone would spot it.

    – Felix Dombek
    Feb 15 '11 at 12:10
























4 Answers
      5







Microsoft have pretty much stated that there is no backdoor in BitLocker, and I don't think it is in their best interest to, as the backlash would be huge.

The leak of the Microsoft COFFEE tools basically packages a lot of methods already known to the security industry in an easy-to-use product for law enforcement, but nowhere is a hack/backdoor for BitLocker.

I am not saying it doesn't exist, but I find it highly unlikely.

There is nothing stopping you from using a BitLocker drive and then having a TrueCrypt encrypted file inside it!

I think the most likely way encryption like this will be broken is through pure brute force through supercomputer power.






answered Feb 15 '11 at 12:41
– William Hilsum

  • This is the correct answer. If Microsoft stated that there is no backdoor, how should there be one? Impossible.

    – Jonas Stein
    31 mins ago



















          4







To answer your first question, the company could:

  • Create their own encryption system (very difficult)
  • Hire a consultant or trusted/legally liable 3rd party to review publicly available code
  • Sign up for Microsoft's SharedSource program and review Microsoft's code
  • Use multiple layers of encryption (e.g. BitLocker and TrueCrypt together)

I leave answering the second question to someone more knowledgeable about BitLocker.






answered Feb 15 '11 at 12:16
– LawrenceC























              1







I find it highly unlikely that there is a backdoor to BitLocker. Considering how much scrutiny Microsoft is always under, there are plenty of great programmers out there that are capable of sniffing out Microsoft's attempts at a backdoor. On top of that, there are plenty of high-profile clients that would leave Microsoft.

It just sounds like an overall bad business plan.






answered Feb 15 '11 at 13:10
– surfasb

  • 4

    Microsoft is also a US corporation with a lot of government contracts - it would find it very difficult to turn down a request for special access.

    – Martin Beckett
    Feb 15 '11 at 23:30

  • Your answer assumes that "high profile clients" buy good products. Is this always true?

    – Jonas Stein
    27 mins ago














                  0







1) If someone wants cryptography, he does not look for a closed-source tool with unknown code. What is the reason to trust a company selling you a program without code?

2) You should not blame Microsoft for it. You can simplify the question: If the company x is forced by law, or by the secret service, to implement backdoors, will it implement them, or not?

You may be interested in the literature by Bruce Schneier on this topic for further reading. Yes, there were audits on TrueCrypt. However, trusted software does not help a lot if you cannot trust your hardware.






edited 21 mins ago
answered 36 mins ago
– Jonas Stein





























