
Does TrueCrypt, the best encryption tool around, have a CIA backdoor?

July 27, 2010

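When I heard this news I got a little nervous. TrueCrypt has always been my favorite encryption software; I use it to store everything from my security cards to my keys. But it is said to contain a backdoor reserved for the CIA. The original post reads as follows:

Original post: http://bbs.kafan.cn/thread-739842-1-1.html

There is a rumor online that TrueCrypt has a backdoor; I don't know whether it is true!!!
Suppose a widely used free encryption program were eventually found to be a backdoor program. How repugnant!
Rumor has it that the developers compiled the source code a second time...
PS: a rumor is only a rumor; what matters is your attitude.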
~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·~·
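I came back to look at everyone's posts and did not expect so many friends to have replied.
Here I want to correct some forum members' understanding: the TrueCrypt backdoor discussed here does not mean that it makes trojan-like network connections and secretly uploads data. It refers to a backdoor in the TrueCrypt software itself, similar to a Windows vulnerability, and TrueCrypt's "vulnerability" backdoor may have been left in deliberately by the developers for some purpose.
PS: in a while I will see whether I can find some material online about software backdoors to share with everyone.

I was a little alarmed: open-source software brazenly shipping a built-in backdoor! That would be outrageous, so I looked into it further and found:

This person has also taken an interest in the matter: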

http://huaidan.org/archives/2751.html

No one knows who wrote TrueCrypt. No one knows who maintains TC. Moderators on the TC forum ban users who ask questions. TC claims to be based on Encryption for the Masses (E4M). They also claim to be open source, but do not maintain public CVS/SVN repositories and do not issue change logs. They ban folks from the forums who ask for change logs or old source code. They also silently change binaries (md5 hashes change) with no explanation… zero. The Trademark is held by a man in the Czech Republic ((REGISTRANT) Tesarik, David INDIVIDUAL CZECH REPUBLIC Taussigova 1170/5 Praha CZECH REPUBLIC 18200.) Domains are registered private by proxy. Some folks claim it has a backdoor. Who Knows? These guys say they can find TC volumes:
http://16systems.com/TCHunt/index.html
For these reasons, I won’t use it. Encryption is important and TC looks great and makes great claims, but TC should be more transparent.

Let me tell you a little story. In 1983, during his Turing Award lecture, Ken Thompson admitted to a back door in the UNIX kernel which enabled him to log in. Because UNIX was distributed as source, he was concerned about being discovered. So instead he wrote the C compiler to recognize that it was compiling the kernel, and to insert the relevant code into the binary during compilation. But because the C compiler was also distributed as source, he wrote the compiler so that it would recognize it was compiling a copy of itself, and then insert the relevant recognition code into the new C compiler. The result: a back door installed in an operating system distributed entirely as source code (without the back door).
So I don’t think your claim is valid.
http://cm.bell-labs.com/who/ken/trust.html

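The conclusion he finally reached was:

Although TrueCrypt is open-source software, strangely no CVS/SVN/Git/Hg source hosting or version control can be found for it. A source package can be downloaded, but it is an old version, and if you compile it yourself, then because of subtle differences in system version, kernel version and build tools, there is a 99% chance that what you build will differ from the officially released binary.

That was back on 2009/01/15 21:08.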

 

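So is TC really the rumored CIA backdoor?

To my embarrassment, I found that this really is just a rumor. What raised their doubts was that the binary built from source differs from the official build, and that the source package offered officially was very old. So today, x years later, I went through the TrueCrypt source package once more and found that the hosted source code matches the released version completely. Anyone interested is encouraged to compile it and see for themselves: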

Source download: http://www.truecrypt.org/downloads2

 

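Furthermore,

Although TC has not issued a direct statement on this suspicion, it has in fact already given an explanation of its security:

http://www.truecrypt.org/faq – see issue 2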

I forgot my password – is there any way ("backdoor") to recover the files from my TrueCrypt volume?

TrueCrypt does not contain any mechanism or facility that would allow partial or complete recovery of your encrypted data without knowing the correct password or the key used to encrypt the data. The only way to recover your files is to try to "crack" the password or the key, but it could take thousands or millions of years depending on the length and quality of the password/keyfiles, on software/hardware efficiency, and other factors. If you find this hard to believe, consider the fact that even the FBI was not able to decrypt a TrueCrypt volume after a year of trying.

So I personally think the claim that TC is a CIA backdoor is a misunderstanding.


