Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now, Ars Technica reports on an exchange with a TrueCrypt developer on the subject:
In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:
"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea; a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.
I have no problem with the source code being used as reference."
So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.
[Ed's Note: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for Linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @06:57PM
Perhaps the "problem" is so well hidden (or entrenched) in the code that the developers decided to kill it rather than hope someone would eventually find it. I think the actions by the developers indicate a weakness even if the audit doesn't find it. The NSA (or other TLAs) will have worked very, very diligently to ensure their code wouldn't be found. I don't expect anyone to find "/* shhh, NSA backdoor. Don't forget to remove this comment */". Perhaps it's been in for a while and that's why the developers are urging people to stop using it.
The actions by the developers are extreme. I am assuming that there is a reason behind it besides "my ball, going home, fuck y'all".
(Score: 0) by Anonymous Coward on Friday June 20 2014, @09:10PM
What's to stop any developer in the know from anonymously leaking the tainted code, should it exist?
(Score: 4, Insightful) by Horse With Stripes on Friday June 20 2014, @09:46PM
These devs are probably under strict surveillance 24/7. Plus, if the TLA arrests them for leaking it, even if they weren't the ones to do it, they are stuck in jail (no bail, possible solitary confinement to keep them from talking, limited access to a lawyer, etc.). The government just needs to say "national security, terrorists, think of the children" and these guys won't even see a trial date for a few years.
Due process stops as soon as one of these TLAs gets their magic security letter and/or do-what-you-want secret warrants. Our Bill of Rights has become a checklist of rights to be violated.