See the link I posted: http://www.pcworld.com/article/2454...-weak-crypto-standard-nist-advisers-find.html (which is just a random Google hit btw)I choose the lessor of the two evils, in this case the government. If i'm doing something illegal, then yes I should go to jail and be caught. 3rd party auditors are much more supportable to bribery than government agents.
In computer security there is nothing you can trust 100%, you opinion is the government is out to get you... If you are a criminal they should be.
BTW, Please prove the government malice due to Full Disk Encryption failures. (Good luck finding that)
The controversy around https://en.wikipedia.org/wiki/Dual_EC_DRBG was not a small one.
By government malice I meant that they are actively weakening crypto standards, let alone what they mandate to corporations that they do in their closet. At this point you have to assume that every closed source cryptosystem by a US company is outfitted with mandatory backdoors.[1] The evidence is clear.
This is plain wrong. If you obscure the code itself, you _have_ no secure layer that you're adding an obscure layer to. The obscure layer becomes the only one. This is the most basic crypto knowledge there is.As for security though obscurity, your right in the security field it's generally not accepted. Especially if it's your ONLY protection, in this case it's not. It's an extra layer to help protect the total security of the software.
See above.What proof to your claim that hardware encryption questionable? Can you prove it?
At this point in history, any government certification should be a reason to look at the code even closer, not to trust a complete lack of code visibility more.If the only claim is that it's not FIPS validated then?
The most critical part is not using a certain algorithm, it's using it _correctly_. Most trouble comes from botched _implementations_, not from using completely self-rolled crypto algorithms, which would be even more negligent.Is it that you do not trust AES256?
Implementation and key management is crucial. Slapping on a "uses AES256" sticker doesn't magically make it secure. You have to get the implementation right.Even your worshiped solution truecrypt uses defacto encryption standards such as AES256. So I don't see why you believe truecrypt is any better than hardware encryption.
The point is, you cannot know.Unless of course you are saying virtually every tech company is malicious. As the OPAL standard for hardware encryption is supported by all these the TCG members.
Of course, use whatever fits your threat model. But to correctly assess that, you need correct information and not FUD and "trust the government" hogwash. If someone is interested in using crypto, it's best they err on the side of caution.
Edit:
[1] Not in the sense that the product phones home or is accessible from the outside, but mainly that it uses weak/not-random/predetermined/... keys.
Last edited: