
posted by janrinok on Friday June 20 2014, @02:03PM
from the they-don't-seem-as-secretive-anymore dept.

Last month, SoylentNews reported that TrueCrypt was discontinued. Many have speculated that a fork would happen, but the TrueCrypt license makes that complicated. Now, Ars Technica reports on contact with a TrueCrypt developer on the subject:

In the days immediately following last month's TrueCrypt retirement, Johns Hopkins University professor Matt Green asked one of the secretive developers if it would be OK for other software engineers to use the existing source code to start an independent version. The developer responded:

"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypt's current codebase.

I have no problem with the source code being used as reference."

So, it looks like a fork won't happen after all. But a commenter there noted the existence of FreeOTFE, and I had previously noted tc-play. So even without a TrueCrypt fork, maybe developers won't have to start completely from scratch.

[Ed's Note: At the time of posting, the Wikipedia entry for FreeOTFE notes that the domain has been dormant for some time. Whether work continues on FreeOTFE is uncertain. The concept sounds very much like the full disk encryption that has been available for Linux for quite some time, but which does not provide plausible deniability. If I am wrong in these assumptions, I would welcome being corrected!]

    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Saturday June 21 2014, @02:02AM (#58267) Journal

    I'm sorry but if you think FOSS will do jack shit to stop this I have some bridges you might be interested in. The simple fact is most FOSS projects are understaffed, overworked, and short of money...do you REALLY think they are gonna turn down a new volunteer that is a great coder and has plenty of free time? You are talking about state actors here, the kind that would have NO problem paying a guy for several years to infiltrate something they considered valuable and they have the ability to make any cover story the guy uses look 100% legit from the outside.

    And if you are talking about the "many eyes" fallacy I would ask you to look up a little something called "Heartbleed" that was sitting there for years without any of those "many eyes" catching it. I would also ask you to go download the top 3 entries from the obfuscated C contest for the last three contests and WITHOUT looking up the answers look at the code and tell us 1. where the malware is, 2. what it is doing, and 3. what programs, if any, it is accessing to make the exploit work. Remember, with the obfuscated C contest you KNOW with 100% certainty that there is malware there and it's still DAMN hard to answer those 3 questions and spot the bug...you think you are gonna have any better luck with a program that has hundreds of thousands of lines of code and may or may not have malware which may or may not be a smaller part of a larger payload that requires one or more other programs to execute?

    I have said it before and I'll say it again, there is only ONE definite advantage you can claim with FOSS over proprietary and even that is conditional and that is this...no FOSS software can be EOLed by the devs. This is of course ONLY true if and ONLY IF there are skilled coders willing to donate their time to keep the project going or there are enough users willing to invest money to hire the coders to keep the project going...that's it, that's all. You can't guarantee there isn't a plant in the project, you can't guarantee that there isn't a hole being exploited like Heartbleed, the only thing you can guarantee is that nobody can pull the plug if enough users are willing to keep the old version going.

    I'm sure this will piss off the die hard FOSS advocates but I'm sorry to burst your bubble, source code isn't magic. You can have the code to every bit of the stack, from the kernel to the clock app, but if you don't have enough highly skilled volunteers willing to invest an insane amount of time doing code audits? Then the code could be filled with ASCII Goatse pics for all you know. Hell, look at TrueCrypt, look at how many large and small corps used it...and it is only NOW getting a major code audit, and you believe the code for all the little pissling ass bits of your distro has been vetted and audited...really? I bet if you went and looked up every bit of code that goes into your average distro there is probably a good 30%-40% that isn't fucked with by anybody but the project guys, much less ever had a real code auditing. Show of hands, how many here have done a code audit on the clock in Ubuntu? Network Manager? Hell, how many here have done a serious code audit on the big ones like FF, LO, and Gimp? Thought so, and even if somebody here managed to do an audit of one of the above, before the audit would be finished at least two new versions would be out, negating the entire audit in the first place!

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    by Anonymous Coward on Sunday June 22 2014, @06:13PM (#58758)

    "how many here have done a serious code audit on the big ones like FF, LO, and Gimp?"

    I'm an IOCCC winner and I can't get Gimp or OpenOffice to compile. Every time I run the binaries, I take it on faith that they vaguely resemble the published code.

    "even if somebody here managed to do an audit of one of the above before the audit would be finished at least two new versions would be out, negating the entire audit in the first place!"

    In theory, once a good known state had been reached, it would be possible to audit diffs. However, you'd have to be really fucking careful. With enough diffs, it would be possible to sneak through a deliberately amateur-looking Lisp interpreter.