SoylentNews is people

posted by janrinok on Friday June 20 2014, @02:03PM
from the they-don't-seem-as-secretive-anymore dept.

Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now, Ars Technica reports about contact with a TrueCrypt developer on the subject:

In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference."

So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.

[Ed's Note: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for Linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]

 
This discussion has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:18PM

    by Horse With Stripes (577) on Friday June 20 2014, @06:18PM (#58103)

    I'm not sure they made the wrong choice regarding their license. If TC has been compromised - and I assume that it has - by guaranteeing that the source code isn't forked they are protecting anyone who would use the forked version going forward.

    If they are under the weight of a National Security Letter, or some other secret gag order (TLAs have multiple options here), then they can't come out and tell anyone. By being blatantly uncooperative and disruptive with the non-TLA segment of the population they have created enough awareness and suspicion that they have done right by us all. They've pretty much ruined their goodwill and reputations amongst the coding community. I doubt they did that lightly or for no good reason.

    This isn't about being dicks or restricting OSS. This is about keeping their asses out of jail while keeping us from using a poisoned product.

  • (Score: 2) by Lagg on Friday June 20 2014, @06:46PM

    by Lagg (105) on Friday June 20 2014, @06:46PM (#58112) Homepage Journal

    I get that, but up until the moment that this audit (again successful in its first pass) turns up actual bugs indicating a weakness there is nothing whatsoever showing that it's poisoned. The only thing poisoned here are the developers. Hell, is there even any indication that a TLA is involved here besides some somewhat far-fetched Latin?

    --
    http://lagg.me [lagg.me] 🗿
    • (Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:57PM

      by Horse With Stripes (577) on Friday June 20 2014, @06:57PM (#58115)

      Perhaps the "problem" is so well hidden (or entrenched) in the code that the developers decided to kill it rather than hope someone would eventually find it. I think the actions by the developers indicate a weakness even if the audit doesn't find it. The NSA (or other TLAs) will have worked very, very diligently to ensure their code wouldn't be found. I don't expect anyone to find "/* shhh, NSA backdoor. Don't forget to remove this comment */". Perhaps it's been in for a while and that's why the developers are urging people to stop using it.

      The actions by the developers are extreme. I am assuming that there is a reason behind it besides "my ball, going home, fuck y'all".

      • (Score: 0) by Anonymous Coward on Friday June 20 2014, @09:10PM

        by Anonymous Coward on Friday June 20 2014, @09:10PM (#58158)

        What's to stop any developer in the know from anonymously leaking the tainted code - should it exist?

        • (Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @09:46PM

          by Horse With Stripes (577) on Friday June 20 2014, @09:46PM (#58175)

          These devs are probably under strict surveillance 24/7. Plus, if the TLA arrests them for leaking it, even if they weren't the ones to do it, they are stuck in jail (no bail, possible solitary confinement to keep them from talking, limited access to a lawyer, etc). The government just needs to say "national security, terrorists, think of the children" and these guys won't even see a trial date for a few years.

          Due process stops as soon as one of these TLAs gets their magic security letter and/or do-what-you-want secret warrants. Our Bill of Rights has become a checklist of rights to be violated.