posted by janrinok on Friday June 20 2014, @02:03PM
from the they-don't-seem-as-secretive-anymore dept.

Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now Ars Technica reports on contact with a TrueCrypt developer on the subject:

In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference."

So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.

[Ed's Note: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for Linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]

 
  • (Score: 2) by Lagg (105) on Friday June 20 2014, @05:02PM (#58071) Homepage Journal

    I know people are trying hard to give them the benefit of the doubt and that this is some kind of canary, but I just don't buy it. There are so many less ambiguous ways of going about it that won't just result in an equally secretive developer giving them the middle finger and forking it anyway. It also shows why PGP keys are worthless without a valid identity tied to them. For all we know these aren't even the right developers. Did they sign their refusal with a valid key that was also signed by people who have a known identity? How does one know that this refusal has merit? As I've said before, I don't use TrueCrypt and never will, but people who do and those conducting the audit are well within their right to be mighty pissed off right about now. The evidence of their asshattery is really piling up [soylentnews.org].

    Again, I know that people are trying to give those who are prone to being harassed (e.g. cryptographers) benefit of the doubt right now. But don't give your sympathy to those who don't deserve it. At the very least they should have and could have chosen a license that doesn't give them the ability to be obstacles like this. It's kind of the obvious thing to do if you're maintaining a high risk project, so even if they are being threatened and need to shut it down they brought it entirely on themselves. But again I'm not buying this, it's the arrogant "Only *I* know this code. Everyone else is too dumb" shit we've seen many times before.

    Worst part is, I'm of the philosophy that someone's code is their own thing and their baby that they deserve to be able to be compassionate and protective of. I gave up on Stallman's "your code is everyone's the moment you write it" entitled nonsense years ago. So I'm not trying to make it seem like we have some sort of inherent right to fork. But do understand that they got people using the project and people spent a whole lot of money giving them a free audit. Personally, I'd be honored if people did that for me. But they're throwing all that away for a panicky "use Windows!" alert.

    --
    http://lagg.me [lagg.me] 🗿
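The point Lagg raises above, that a signature means little unless the signing key is valid and certified by people whose identity is known, can be made concrete with a small web-of-trust check. The following Python is an added example written for this page; it is not code from the thread, from TrueCrypt or from any of the projects mentioned. All key ids, user ids and certifications are constructed sample data, and `build_keyring`, `trust_path` and `assess` are hypothetical helper names. The cryptographic verification of the signature itself is assumed to have already passed; the example only answers the second question, whether that signature tells the reader anything about who signed.

```python
"""Added example (not from the SoylentNews page, TrueCrypt or any commenter):
a minimal web-of-trust check. Given a signing key, walk back through the
certifications on that key until a key is reached whose holder's identity was
verified out of band. Revoked or expired keys neither count as a trusted
endpoint nor as a link in the chain. All data below is constructed."""

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Key:
    key_id: str            # constructed id, stands in for a fingerprint
    uid: str               # the user id the key claims
    revoked: bool = False
    expired: bool = False
    certified_by: set = field(default_factory=set)  # ids of keys that signed this uid


def build_keyring(keys, certifications):
    """Index keys by id and record each certification as (signer -> signee)."""
    ring = {k.key_id: k for k in keys}
    for signer, signee in certifications:
        if signer in ring and signee in ring:
            ring[signee].certified_by.add(signer)
    return ring


def usable(key):
    """A key only counts if it exists and is neither revoked nor expired."""
    return key is not None and not key.revoked and not key.expired


def trust_path(ring, key_id, known_identities, max_hops=2):
    """Breadth-first search from the signing key back through certifications
    to a key whose holder is personally known. Returns the chain of key ids
    (signing key first) or None if no chain of at most max_hops certifications
    reaches a known identity."""
    if not usable(ring.get(key_id)):
        return None
    queue = deque([[key_id]])
    seen = {key_id}
    while queue:
        path = queue.popleft()
        head = path[-1]
        if head in known_identities:
            return path
        if len(path) - 1 >= max_hops:
            continue                      # chain already at the hop limit
        for signer in sorted(ring[head].certified_by):
            if signer in seen or not usable(ring.get(signer)):
                continue                  # skip revoked/expired certifiers
            seen.add(signer)
            queue.append(path + [signer])
    return None


def assess(ring, signing_key_id, known_identities):
    """State what a cryptographically valid signature from this key actually
    establishes about the signer."""
    key = ring.get(signing_key_id)
    if key is None:
        return "unknown key: signature carries no information about the signer"
    if key.revoked or key.expired:
        return "key revoked or expired: treat the signature as unverified"
    path = trust_path(ring, signing_key_id, known_identities)
    if path is None:
        return "valid signature, but no certification chain to a known identity"
    return "signed by %s, certified via %s" % (key.uid, " -> ".join(path))


# Constructed keyring: an auditor whose fingerprint was verified in person,
# a colleague the auditor certified, a key claiming to be a developer that is
# certified only by a revoked key, and the revoked key itself.
KEYS = [
    Key("AUD1", "auditor@example.test"),
    Key("COL1", "colleague@example.test"),
    Key("DEV1", "developer@example.test"),
    Key("OLD1", "retired@example.test", revoked=True),
]
CERTS = [("AUD1", "COL1"), ("OLD1", "DEV1")]   # hypothetical certifications
KNOWN = {"AUD1"}                               # identity verified out of band
RING = build_keyring(KEYS, CERTS)

if __name__ == "__main__":
    for kid in ("AUD1", "COL1", "DEV1", "OLD1", "NOPE"):
        print(kid, "->", assess(RING, kid, KNOWN))
```

The design choice worth noticing is that `DEV1` fails even though a certification on it exists: the only certifier is revoked, so the chain is broken and the statement is reported as "valid signature, but no certification chain to a known identity", which is exactly the state the comment describes.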
  • (Score: 4, Insightful) by Horse With Stripes (577) on Friday June 20 2014, @06:18PM (#58103)

    I'm not sure they made the wrong choice regarding their license. If TC has been compromised - and I assume that it has - by guaranteeing that the source code isn't forked they are protecting anyone who would use the forked version going forward.

    If they are under the weight of a National Security Letter, or some other secret gag order (TLAs have multiple options here), then they can't come out and tell anyone. By being blatantly uncooperative and disruptive with the non-TLA segment of the population they have created enough awareness and suspicion that they have done right by us all. They've pretty much ruined their goodwill and reputations amongst the coding community. I doubt they did that lightly or for no good reason.

    This isn't about being dicks or restricting OSS. This is about keeping their asses out of jail while keeping us from using a poisoned product.

    • (Score: 2) by Lagg (105) on Friday June 20 2014, @06:46PM (#58112) Homepage Journal

      I get that, but up until the moment that this audit (again successful in its first pass) turns up actual bugs indicating a weakness, there is nothing whatsoever showing that it's poisoned. The only thing poisoned here are the developers. Hell, is there even any indication that a TLA is involved here besides some somewhat farfetched Latin?

      --
      http://lagg.me [lagg.me] 🗿
      • (Score: 4, Insightful) by Horse With Stripes (577) on Friday June 20 2014, @06:57PM (#58115)

        Perhaps the "problem" is so well hidden (or entrenched) in the code that the developers decided to kill it rather than hope someone would eventually find it. I think the actions by the developers indicate a weakness even if the audit doesn't find it. The NSA (or other TLAs) will have worked very, very diligently to ensure their code wouldn't be found. I don't expect anyone to find "/* shhh, NSA backdoor. Don't forget to remove this comment */". Perhaps it's been in for a while and that's why the developers are urging people to stop using it.

        The actions by the developers are extreme. I am assuming that there is a reason behind it besides "my ball, going home, fuck y'all".

        • (Score: 0) by Anonymous Coward on Friday June 20 2014, @09:10PM (#58158)

          What's to stop any developer in the know from anonymously leaking the tainted code - should it exist?

          • (Score: 4, Insightful) by Horse With Stripes (577) on Friday June 20 2014, @09:46PM (#58175)

            These devs are probably under strict surveillance 24/7. Plus, if the TLA arrests them for leaking it, even if they weren't the ones to do it, they are stuck in jail (no bail, possible solitary confinement to keep them from talking, limited access to a lawyer, etc). The government just needs to say "national security, terrorists, think of the children" and these guys won't even see a trial date for a few years.

            Due process stops as soon as one of these TLAs gets their magic security letter and/or do-what-you-want secret warrants. Our Bill of Rights has become a checklist of rights to be violated.