from the they-don't-seem-as-secretive-anymore dept.
Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now, Ars Technica reports about contact with a TrueCrypt developer on the subject:
In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:
"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.
I have no problem with the source code being used as reference."
So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.
[Ed'sNote: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]
Related Stories
The TrueCrypt website has been changed it now has a big red warning stating "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues". They recommend using BitLocker for Windows 7/8, FileVault for OS X, or (whatever) for Linux. So, what happened? The TrueCrypt site says:
This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.
Did the TrueCrypt devs (or SourceForge?) get a NSL? They are offering a "new" version (7.2), but apparently the signing key has changed and a source code diff seems to indicate a lot of the functionality has been stripped out. What's up?
(Score: 5, Insightful) by iwoloschin on Friday June 20 2014, @02:12PM
The developer specifically says it can be used as a "reference" for a future project, just not explicitly forked. That sounds almost like they're requesting someone do a cleanroom implementation of it, to force a full code audit. They don't want anyone using the exact code because, presumably, it is compromised, but it sounds like a clean implementation would catch maliciously placed "bugs" (features?) that a fork would propagate without check.
(Score: 0) by Anonymous Coward on Saturday June 21 2014, @03:44AM
But where's the proof that the person making those statements is really a truecrypt developer?
Maybe someone should fork it and see how they prove they are the developers, and it's not that their signing keys were compromised by the NSA.
(Score: 1) by NullPtr on Saturday June 21 2014, @05:47PM
It doesn't matter what "the developer" says now, only what they put in the licence under which the software you want to fork was released, and it's quite clear there are no legal reasons why one couldn't fork truecrypt.
(Score: 4, Informative) by Ken_g6 on Friday June 20 2014, @02:46PM
tc-play is pretty much a full TrueCrypt cleanroom implementation. Except it only works in Linux, using dm-crypt and it has no GUI.
FreeOTFE is a Windows dm-crypt implementation, with a GUI, but it has limited support at best for TrueCrypt.
But tc-play is BSD-licensed, and FreeOTFE has a BSD-like license. So if someone were to merge their codebases on Windows, in theory you could have a full TrueCrypt cleanroom implementation, on Windows, with a GUI. Then someone could probably backport the GUI to Linux. I don't see a path to Mac or other OSes, but Windows+Linux would be a good start.
(Score: 2) by Marand on Friday June 20 2014, @08:51PM
FreeOTFE is also a pain in the ass on Win7 and beyond thanks to Microsoft's idiotic driver signing requirements. I had hoped that would have been fixed by now, but apparently the project has been abandoned since 2010, so I guess the dev gave up instead.
I evaluated it with the idea that I would use dm-crypt on a dual-boot machine a while back, and eventually gave up on the entire idea because of Windows being actively hostile to unsigned drivers and the lack of a signed dm-crypt implementation.
(Score: 4, Insightful) by Blackmoore on Friday June 20 2014, @03:15PM
I'm pretty sure this means that True-Crypt has been compromised. I would expect NSA - but in anycase you will want to start over.
(Score: 5, Insightful) by MrNemesis on Friday June 20 2014, @03:35PM
...don't depend on software like this unless it's got a FOSS license. Else the $country $government_agency can just make it disappear.
I was always slightly suspicious of TrueCrypt due to its slightly hinky license, but had no problem using it myself and recommending it to people who wanted to do things like secure their USB sticks, and TBH I'm still pretty convinced that the source code for TC is perfectly fine. But this whole scenario just screams that $government_agency pounced on the backs of the authors and said horrible things would happen if they didn't do everything in their power to shut it down because $redacted.
I'm not even a crazy conspiracy theorist (at least I hope I'm not) and I'd be perfectly happy to accept stuff like bitlocker (I figure if $government_agency ever took an interest in me I would be hosed anyway) if it worked on anything approaching multiple platforms. As it is I'll be having to rely on cryptsetup for shunting data around for the time being. Hopefully some enterprising developers will be spurred on to create a twocrypt with a GPL or BSD license that won't be so easily shuttered.
"To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
(Score: 2) by Hairyfeet on Saturday June 21 2014, @02:02AM
I'm sorry but if you think FOSS will do jack shit to stop this I have some bridges you might be interested in. The simple fact is most FOSS projects are understaffed, overworked, and short of money...do you REALLY think they are gonna turn down a new volunteer that is a great coder and has plenty of free time? You are talking about state actors here, the kind that would have NO problem paying a guy for several years to infiltrate something they considered valuable and they have the ability to make any cover story the guy uses look 100% legit from the outside.
And if you are talking about the "many eyes" fallacy i would ask you to look up a little something called "Heartbleed" that was sitting there for years without any of those "many eyes" catching it, I would also ask you to go download the top 3 entries from the obfuscated C contest for the last three contests and WITHOUT looking up the answers look at the code and tell us 1.-where the malware is, 2.-what it is doing, and 3.-what programs if any it is accessing to make the exploit work. Remember with the of C contest you KNOW with 100% certainty that there is malware there and its still DAMN hard to answer those 3 questions and spot the bug...you think you are gonna have any better luck with a program that has hundreds of thousands of lines of code and may or may not have malware which may or may not be a smaller part of a larger payload that requires one or more other programs to execute?
I have said it before and I'll say it again, there is only ONE definite advantage you can claim with FOSS over proprietary and even that is conditional and that is this...no FOSS software can be EOLed by the devs. this is of course ONLY true if and ONLY IF there are skilled coders willing to donate their time to keep the project going or there is enough users willing to invest money to hire the coders to keep the project going...that's it, that's all. you can't guarantee there isn't a plant in the project, you can't guarantee that there isn't a hole being exploited like Heartbleed, the only thing you can guarantee is that nobody can pull the plug if enough users are willing to keep the old version going.
I'm sure this will piss off the die hard FOSS advocates but I'm sorry to burst your bubble, source code isn't magic. You can have the code to every bit of the stack, from the kernel to the clock app, but if you don't have enough highly skilled volunteers willing to invest an insane amount of time doing code audits? Then the code could be filled with ASCII Goatse pics for all you know. hell look at Truecrypt, look at how many large and small corps used it...and it is only NOW getting a major code audit, and you believe the code for all the little pissling ass bits of your distro has been vetted and audited...really? I bet if you went and looked up every bit of code that goes into your average distro there is probably a good 30%-40% that isn't fucked with by anybody but the project guys, much less ever had a real code auditing. Show of hands, how many here have done a code audit on the clock in ubuntu? Network manager? Hell how many here have done a serious code audit on the big ones like FF,LO,and Gimp? Thought so and even if somebody here managed to do an audit of one of the above before the audit would be finished at least two new versions would be out,negating the entire audit in the first place!
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 0) by Anonymous Coward on Sunday June 22 2014, @06:13PM
I'm an IOCCC winner and I can't get Gimp or OpenOffice to compile. Every time I run the binaries, I take it on faith that they vaguely resemble the published code.
In theory, once a good known state had been reached, it would be possible to audit diffs. However, you'd have to be really fucking careful. With enough diffs, it would be possible sneak through a deliberately amateur-looking Lisp interpreter.
(Score: 4, Insightful) by HiThere on Saturday June 21 2014, @04:52AM
You learned the wrong lesson. The right lesson is that one shouldn't depend on software that uses a proprietary data format to store the data. It's almost the same idea, but not quite. A text editor can be as closed as it wants to be, because the files that it creates are open. A word processor that uses a proprietary format can leave you unable to access your data. It isn't only fancy disk encryption schemes that present this kind of danger, all applications do. And the code doesn't really NEED to be open, as long as the file formats are. (That said, I *much* prefer FOSS, after having some applications I trusted an paid good money for suddenly stop working, but that's just a preference. The file formats are the necessity.)
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Lagg on Friday June 20 2014, @05:02PM
I know people are trying hard to give them benefit of the doubt and that this is some kind of canary but I just don't buy it. There so many less ambiguous ways of going about it that won't just result in an equally secretive developer giving them the middle finger and forking it anyway. It also shows why PGP keys are worthless without a valid identity tied to them. For all we know these aren't even the right developers. Did they sign their refusal with a valid key that was also signed by people who have a known identity? How does one know that this refusal has merit? As I've said before I don't use truecrypt and never will but people who do and those conducting the audit are well within their right to be mighty pissed off right about now. The evidence of their asshattery is really piling up [soylentnews.org].
Again, I know that people are trying to give those who are prone to being harassed (e.g. cryptographers) benefit of the doubt right now. But don't give your sympathy to those who don't deserve it. At the very least they should have and could have chosen a license that doesn't give them the ability to be obstacles like this. It's kind of the obvious thing to do if you're maintaining a high risk project, so even if they are being threatened and need to shut it down they brought it entirely on themselves. But again I'm not buying this, it's the arrogant "Only *I* know this code. Everyone else is too dumb" shit we've seen many times before.
Worst part is, I'm of the philosophy that someone's code is their own thing and their baby that they deserve to be able to be compassionate and protective of. I gave up on Stallman's "your code is everyone's the moment you write it" entitled nonsense years ago. So I'm not trying to make it seem like we have some sort of inherent right to fork. But do understand that they got people using the project and people spent a whole lot of money giving them a free audit. Personally, I'd be honored if people did that for me. But they're throwing all that away for a panicky "use Windows!" alert.
http://lagg.me [lagg.me] 🗿
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:18PM
I'm not sure they made the wrong choice regarding their license. If TC has been compromised - and I assume that it has - by guaranteeing that the source code isn't forked they are protecting anyone who would use the forked version going forward.
If they are under the weight of a National Security Letter, or some other secret gag order (TLAs have multiple options here), then they can't come out and tell anyone. By being blatantly uncooperative and disruptive with the non-TLA segment of the population they have created enough awareness and suspicion that they have done right by us all. They've pretty much ruined their goodwill and reputations amongst the coding community. I doubt they did that lightly or for no good reason.
This isn't about being dicks or restricting OSS. This is about keeping their asses out of jail while keep us from using a poisoned product.
(Score: 2) by Lagg on Friday June 20 2014, @06:46PM
I get that, but up until the moment that this audit (again successful in its first pass) turns up actual bugs indicating a weakness there is nothing whatsoever showing that it's poisoned. The only thing poisoned here are the developers. Hell, is there even any indication that a TLA is involved here besides some somewhat farfetched latin?
http://lagg.me [lagg.me] 🗿
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:57PM
Perhaps the "problem" is so well hidden (or entrenched) in the code that the developers decided to kill it rather than hope someone would eventually find it. I think the actions by the developers indicate a weakness even if the audit doesn't find it. The NSA (or other TLAs) will have worked very, very diligently to ensure their code wouldn't be found. I don't expect anyone to find "/* shhh, NSA backdoor. Don't forget to remove this comment */". Perhaps it's been in for a while and that's why the developers are urging people to stop using it.
The actions by the developers are extreme. I am assuming that there is a reason behind it besides "my ball, going home, fuck y'all".
(Score: 0) by Anonymous Coward on Friday June 20 2014, @09:10PM
What't to stop any developer in the know from anonymously leaking the tainted code - should it exist?
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @09:46PM
These dev are probably under strict surveillance 24/7. Plus, if the TLA arrests them for leaking it, even if they weren't the ones to do it, they are stuck in jail (no bail, possible solitary confinement to keep them from talking, limited access to a lawyer, etc). The government just needs to say "national security, terrorists, think of the children" and these guy won't even see a trial date for a few years.
Due process stops as soon as one of these TLAs gets their magic security letter and/or do-what-you-want secret warrants. Our Bill of Rights has become a checklist of rights to be violated.
(Score: 5, Interesting) by bucc5062 on Friday June 20 2014, @05:18PM
The true Crypt (TC) story is certainly as confounding as the missing MH370 news piece. Will we ever know the "real" story? I doubt it for like our mysterious pilots, the developers are hidden, anonymous, and not about to crawl out from whatever rock they are hiding under.
Then in regards to either the licensing and/or the code. Why all this fuss about forking the code. Hell, even before these guys went more underground people could have just said "Screw it, we're forking the code and doing what we want" and there would be only two outcomes. The first and most likely, the developers remain sotto voce since they have not wanted themselves revealed thus they cannot enforce their own license, or the other option is "someone" comes out from the closest and says "I'm the real TC developer, stop what you are doing". Yeah right, prove it.
The current code is being audited and I would figure by some very smart security guys. I would like to think they know what to look for in back doors and be able to say "yep, see right thar, now that thar is some nasty NSA bug, but we'in gots some bug spray to makes it all bette". Our experts certify the code as clean; then I'd say Fork Away. Anyone who comes out of closest to say you can't do that should be either denounced as a liar (prove it), called out to answer for what they did and said, or/and told to fuck off, because they gave up that right the moment an announcement was made to go elsewhere. You can't say "Get off my lawn" if you basically gave up those rights (or can't prove them).
I have no capability to fork and understand code like TC. I am but a simple mature programmer, but if I had any talent, just to shove their smug attitude back into their unknown, anonymous faces I would fork it, clean it up, and change the license to completely open use. I would like to think that if the NSA came knocking and said shut it down with an NSL I'd tell them sure, then post the letter, tell everyone what they did and fight the damn thing to the Supreme Court. There is a difference between national security when it comes to investigating a person and national security when it comes to stepping on my rights to speak and create a product. if one person says "but think of the terrorists who may use it to hide plans to kill people" I would ask why we then not shut down gun manufacturers or stop them selling weapons to regular people for clearly terrorists are using guns to kill other people right now
Fork it, call it "RealCrypt" and let them stay in their closet like little cowards.
The more things change, the more they look the same
(Score: 2) by HiThere on Saturday June 21 2014, @05:00AM
And if you do fork it, they have no reasonable way to stop you. They can't prove who they are and go to court on it. But on your head be the results...and, of course, on the head of everyone who trusts you.
OTOH, it's quite likely that only one small group of people knows how to get through the encryption, so probably for most users it won't matter. Probably.
OTOH, this is just a guess at what's going on. You guess the other way, and you might be right. Perhaps.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by cafebabe on Sunday June 22 2014, @06:27PM
Don't be so certain. See http://www.bash.org/?507269 [bash.org] for an example.
1702845791×2
(Score: 0) by Anonymous Coward on Friday June 20 2014, @09:32PM
Fork you. That is all.
(Score: 0) by Anonymous Coward on Sunday June 22 2014, @10:13AM
A hilarious contradiction...