看看reddit上最近掀起了对TrueCrypt的一些质疑。
No one knows who wrote TrueCrypt. No one knows who maintains TC. Moderators on the TC forum ban users who ask questions. TC claims to be based on Encryption for the Masses (E4M). They also claim to be open source, but do not maintain public CVS/SVN repositories and do not issue change logs. They ban folks from the forums who ask for change logs or old source code. They also silently change binaries (md5 hashes change) with no explanation... zero. The Trademark is held by a man in the Czech Republic ((REGISTRANT) Tesarik, David INDIVIDUAL CZECH REPUBLIC Taussigova 1170/5 Praha CZECH REPUBLIC 18200.) Domains are registered private by proxy. Some folks claim it has a backdoor. Who Knows? These guys say they can find TC volumes:
http://16systems.com/TCHunt/index.html
For these reasons, I won't use it. Encryption is important and TC looks great and makes great claims, but TC should be more transparent.
TrueCrypt的虽然是开源软件,但是很奇怪的找不到任何CVS/SVN/GIT/Hg源码托管和版本控制。虽然可以下载到源码包,但是版本很旧,你自个儿编译的话,由于系统版本、内核版本、编译工具的细微差别,99%的可能性你编译出来的和官方发布的二进制版本不一样。而且有这样一个故事
Let me tell you a little story. In 1983, during his Turing Award lecture, Ken Thompson admitted to a back door in the UNIX kernel which enabled him to log in. Because UNIX was distributed as source, he was concerned about being discovered. So instead he wrote the C compiler to recognize that it was compiling the kernel, and to insert the relevant code into the binary during compilation. But because the C compiler was also distributes as source, he wrote the compiler so that it would recognize it was compiling a copy of itself, and then insert the relevant recognition code into the new C compiler. The result: a back door installed in an operating system distributed entirely as source code (without the back door).
So I don't think your claim is valid.
http://cm.bell-labs.com/who/ken/trust.html
有人给出了替代方案:FreeOTFE
假如,仅仅是假如TrueCrypt是CIA的邪恶 后门程序,不得不说这帮淫太smart ass了。在Windows里留后门?风险太大被曝光了肯定轰动全世界。但是做一个李鬼式的开源的、免费软件,恰恰能够收集很多绝密资料。开源软件有几个 hidden的属性,首先是不适用反垄断法。微软的浏览器真的很烂吗?真的很烂。为什么不做一个很好的呢?因为要反垄断。你真的认为微软没有实力去把XP默认的画图做成photoshop吗?Ubuntu就不同。开源,所以一切bad ass的好软件都可以统统集成到系统里,而且司法部没话说。其次,开源是免责的。顾客买了你的软件,你就得为软件负责吧。免费的软件呢?FLOSS软件有一句很著名的话
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND
就算是CIA的后门,你也没得话说。你自己情愿去用这个软件的。因为这个东西恰好利用了人们的心理学缺陷,逻辑非常精明:见不得人的东西才会加密,加密的东西肯定都是有一定情报价值的。其次,普通大众对开源有一种近乎愚昧的迷信,认为开源就是阳光透明的,开源等于安全吗?
至于中国,情况就更加特殊了。软件传到中国,一般都是在天空、华军甚至多特这样的地方下载的汉化版,“开源”只不过又是一个金光闪闪的牙防组标志罢了。跟普通二进制闭源发行的软件包没有任何区别。企业内部、个人对TrueCrypt这样的软件的盲目信任,对开源软件默认开绿灯white list,不得不说有一定风险那。。。 |
发表于 2010-7-5 14:47:25
发表于 2010-7-5 14:49:09
发表于 2010-7-5 15:57:42
