Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now, Ars Technica reports about contact with a TrueCrypt developer on the subject:
In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:
"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.
I have no problem with the source code being used as reference."
So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.
[Ed's Note: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for Linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:18PM
I'm not sure they made the wrong choice regarding their license. If TC has been compromised - and I assume that it has - by guaranteeing that the source code isn't forked they are protecting anyone who would use the forked version going forward.
If they are under the weight of a National Security Letter, or some other secret gag order (TLAs have multiple options here), then they can't come out and tell anyone. By being blatantly uncooperative and disruptive with the non-TLA segment of the population they have created enough awareness and suspicion that they have done right by us all. They've pretty much ruined their goodwill and reputations amongst the coding community. I doubt they did that lightly or for no good reason.
This isn't about being dicks or restricting OSS. This is about keeping their asses out of jail while keeping us from using a poisoned product.
(Score: 2) by Lagg on Friday June 20 2014, @06:46PM
I get that, but up until the moment that this audit (again successful in its first pass) turns up actual bugs indicating a weakness there is nothing whatsoever showing that it's poisoned. The only thing poisoned here are the developers. Hell, is there even any indication that a TLA is involved here besides some somewhat far-fetched Latin?
http://lagg.me 🗿
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:57PM
Perhaps the "problem" is so well hidden (or entrenched) in the code that the developers decided to kill it rather than hope someone would eventually find it. I think the actions by the developers indicate a weakness even if the audit doesn't find it. The NSA (or other TLAs) will have worked very, very diligently to ensure their code wouldn't be found. I don't expect anyone to find "/* shhh, NSA backdoor. Don't forget to remove this comment */". Perhaps it's been in for a while and that's why the developers are urging people to stop using it.
The actions by the developers are extreme. I am assuming that there is a reason behind it besides "my ball, going home, fuck y'all".
(Score: 0) by Anonymous Coward on Friday June 20 2014, @09:10PM
What's to stop any developer in the know from anonymously leaking the tainted code - should it exist?
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @09:46PM
These devs are probably under strict surveillance 24/7. Plus, if the TLA arrests them for leaking it, even if they weren't the ones to do it, they are stuck in jail (no bail, possible solitary confinement to keep them from talking, limited access to a lawyer, etc). The government just needs to say "national security, terrorists, think of the children" and these guys won't even see a trial date for a few years.
Due process stops as soon as one of these TLAs gets their magic security letter and/or do-what-you-want secret warrants. Our Bill of Rights has become a checklist of rights to be violated.