And if you use an encrypted device on a machine which someone else
can read the hard drive of, then over time, as you modify the
drive, if the IV you use for encrypting each block depends only
on the block number, you are creating messages (each subsequent
version of the block) which are encrypted with the same key and IV.
Lots of them.
Now, OFB and counter mode are *particularly* bad, as you can XOR
two versions of a block together and recover the XOR of the
plaintexts. Generally a bad idea. CFB mode has problems,
but even CFB mode reveals the location of an alteration.
The hack used in Peter Gutmann's MS-DOS SFS device driver of
using a checksum of the plaintext (and the block offset, and
some per-volume unique information) is advisable.
--
-Colin
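The two situations the post describes, worked through as an added example (this is not code from the post, from Colin, or from Gutmann's SFS driver). The keystream generator below is a hash-based stand-in for a block cipher in CTR or OFB mode: it has the one property that matters here, namely that the same key and IV always produce the same keystream. The "Gutmann-style" IV derivation is my own model of the scheme the post sketches (block offset, per-volume unique data, checksum of the plaintext); it is not the actual SFS construction, and it assumes the derived IV is stored next to the ciphertext so the block can still be decrypted. All keys, secrets and sector contents are constructed for the demo.

```python
import hashlib
import hmac

SECTOR = 64  # constructed small "disk block" for the demo

# Constructed demo material: a volume key and per-volume unique data.
KEY = hashlib.sha256(b"constructed demo volume key").digest()
VOLUME_SECRET = b"constructed per-volume unique id"

# Two successive versions of the same block: the second edit touches bytes 10..13.
P1 = bytes(range(SECTOR))
P2 = P1[:10] + b"ZZZZ" + P1[14:]


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for CTR/OFB mode: a keystream determined entirely by (key, iv).

    Same key and IV => identical keystream, which is the reuse the post warns about.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def block_iv_naive(block_number: int) -> bytes:
    # IV derived only from the block offset: every version of this block gets the same IV.
    return block_number.to_bytes(16, "big")


def block_iv_gutmann_style(volume_secret: bytes, block_number: int, plaintext: bytes) -> bytes:
    # Assumed model of the post's scheme: IV bound to the block offset, per-volume
    # unique data, and a checksum of the plaintext, so a changed block gets a new IV.
    checksum = hashlib.sha256(plaintext).digest()
    msg = block_number.to_bytes(8, "big") + checksum
    return hmac.new(volume_secret, msg, hashlib.sha256).digest()[:16]


def compare_snapshots(key: bytes, volume_secret: bytes, block_number: int,
                      p1: bytes, p2: bytes, use_derived_iv: bool) -> dict:
    """What someone holding two snapshots of the encrypted block can observe."""
    if use_derived_iv:
        iv1 = block_iv_gutmann_style(volume_secret, block_number, p1)
        iv2 = block_iv_gutmann_style(volume_secret, block_number, p2)
    else:
        iv1 = iv2 = block_iv_naive(block_number)
    c1 = encrypt_block(key, iv1, p1)
    c2 = encrypt_block(key, iv2, p2)
    changed = [i for i, (x, y) in enumerate(zip(c1, c2)) if x != y]
    return {
        "same_iv": iv1 == iv2,
        # With a reused keystream, c1 ^ c2 == p1 ^ p2: the XOR of the plaintexts leaks.
        "ct_xor_is_pt_xor": xor(c1, c2) == xor(p1, p2),
        # Positions where the ciphertext changed; with a reused keystream these are
        # exactly the positions where the plaintext changed.
        "changed_ct_positions": changed,
    }


if __name__ == "__main__":
    for derived in (False, True):
        r = compare_snapshots(KEY, VOLUME_SECRET, 7, P1, P2, derived)
        print("derived IV" if derived else "naive IV", r["same_iv"],
              r["ct_xor_is_pt_xor"], len(r["changed_ct_positions"]))
```

With the block-number-only IV, the two ciphertexts differ in exactly the four bytes that were edited and their XOR equals the XOR of the two plaintexts, so anyone who knows one version of the block knows the other. With the derived IV, the second version is encrypted under a fresh keystream: the XOR relation disappears and the whole ciphertext block changes, so the observer learns only that the block was rewritten.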