
TrueCrypt Author Claims That Forking Is Impossible

timothy posted about 4 months ago | from the it's-forking-impossible-man dept.

Encryption 250

An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might be no good idea, because the code needs a rewrite, but he allows to use the existing code as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."


250 comments


He's a coward and a cunt (-1)

Anonymous Coward | about 4 months ago | (#47271683)

Plain and simple

Re:He's a coward and a cunt (3, Insightful)

Opportunist (166417) | about 4 months ago | (#47271851)

Easy to be brave when there's not a TLA breathing down your neck.

Re:He's a coward and a cunt (5, Insightful)

Anonymous Coward | about 4 months ago | (#47273009)

This.

Try blowing the whistle on something. Revel in satisfying your moral obligation and the feeling of righteousness. It will last until the first threatening letter from a lawyer arrives. Then you'll see what you're made of. Chances are good that it's not steel. Until you've experienced it, you won't know.

Just about any government organization or better than medium-sized private entity has the resources to crush an individual with very little threat of recourse. You really can't imagine the kinds of crap they can lob. If you are thinking of blowing a whistle, be very careful. Read up on the subject (Google for "how to whistleblower"). Absolutely DO NOT try to use internal channels. There are organizations that try to support whistle blowers, contact one (anonymously) and see what reading material they can give you. Make sure your nose is absolutely clean. Try to find cases of similar acts of whistle-blowing in your legal jurisdiction. How did they turn out for the whistle-blower? Probably not very good. Do everything right. Make sure you have enough evidence for an iron-clad case (without actually stealing anything). And wait until you have some distance. If you can keep the perpetrator(s) from figuring out your identity, absolutely do so. You will save yourself a lot of grief. This means you have to keep your mouth shut and trust nobody. (Note that I'm posting anonymously.) You won't be able to vent to anyone, especially co-workers. This is much harder than you might think. If you like to talk, you'd best just forget what you've seen. If you can time your actions so they hit while the perpetrator is under pressure for other problems, so much the better. Before you pull the trigger, think long and hard about the effect this will have on your loved ones. Consider supporting an anti-corruption organization to satisfy your need to do good rather than risking yourself.

Yes, it's really that bad. The sort of folk that deserve to be found out are more entrenched than you suspect. They are willing to go to extreme lengths to protect themselves. The problem almost definitely is more widespread than you think. The way it often works is that there is a web of wrong-doing, where one fellow's previous mistakes are used as leverage for silence/support by someone else. It makes for a kind of club. Many members of the club will have had one or more whistles blown on them before and have strategies for dodging and attacking the whistle-blower.

And that's just if you are whistle-blowing on a run of the mill organization. Going up against the likes of the NSA, the DOD, or the CIA... The TrueCrypt authors have all of my respect for shutting the project down. It was an act of bravery.

Can someone translate the summary into English? (1)

Anonymous Coward | about 4 months ago | (#47271685)

./ editors must not have had their coffee yet.

Re:Can someone translate the summary into English? (4, Interesting)

GoddersUK (1262110) | about 4 months ago | (#47271817)

So far as I can tell he claims that it would be impossible to re-license it under an OSS license and allow Matthew Green to use the trademark. This may be "impossible" because he doesn't control the IP or he may just be using it as a figure of speech to say that he won't comply with the request. The article title somewhat misleadingly takes the quote out of context. Of course it's just an anonymously posted email on Pastebin; I wouldn't put too much stock by it unless there's some independent confirmation of its validity.

Re:Can someone translate the summary into English? (1)

GoddersUK (1262110) | about 4 months ago | (#47271897)

Aha, so the Pastebin upload does seem to be from the real Matthew Green. That's a start. https://twitter.com/matthew_d_... [twitter.com]

Re:Can someone translate the summary into English? (3, Interesting)

Z00L00K (682162) | about 4 months ago | (#47272631)

Looking at the TrueCrypt License it sucks pretty bad, and it seems to be the major problem preventing a fork.

Re:Can someone translate the summary into English? (1)

Chrisq (894406) | about 4 months ago | (#47273253)

So far as I can tell he claims that it would be impossible to re-license it under an OSS license and allow Matthew Green to use the trademark.

Probably true - but why not just do what Fedora did with "RealCrypt" [rpmfind.net] - fork it and change the name?

Re:Can someone translate the summary into English? (1)

Anonymous Coward | about 4 months ago | (#47271901)

Maybe they're just working on forking English?

Re:Can someone translate the summary into English? (4, Funny)

pecosdave (536896) | about 4 months ago | (#47272865)

As someone from the Southern United States I assure you that the English language has forked.

Re:Can someone translate the summary into English? (1)

TangoMargarine (1617195) | about 4 months ago | (#47272213)

What do you think is wrong with the summary? It makes sense to me.

What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47271697)

Anyone know?

Re:What was the problem in the first place? (5, Insightful)

ObsessiveMathsFreak (773371) | about 4 months ago | (#47271863)

Reading between the lines here, it seems fairly probable that Truecrypt has either

a) Very serious security bugs, or
b) Had backdoors introduced by the NSA. (Does Truecrypt use elliptic curve cryptography?)

In either event the code is basically tainted and shouldn't be used for any future projects.

The vague and sometimes bizarre nature of the statements from the Truecrypt dev team, including this one, leads me to believe that they have been placed under a standard NSA gagging order and have decided to burn Truecrypt rather than see it be turned against its users. Comments like "Forking is Impossible" appear to be an open code for communicating that they are essentially unable to communicate, but that Truecrypt is no longer a trustworthy piece of software.

Reading through the Lavabit case, it's clear that those placed under NSA gagging orders have very, very little room for legal/media maneuver, but nevertheless still retain the freedom to walk away from their projects and tell others not to use them. Such actions appear to be the last defense of cryptographers in the US, and I think that is what we're seeing with Truecrypt.

Re:What was the problem in the first place? (5, Insightful)

kylemonger (686302) | about 4 months ago | (#47272019)

As far as we know so far, Truecrypt hasn't been compromised. So ending use of it might be a victory for the NSA and their kind. And all they had to do was sow some seeds of doubt.

Re:What was the problem in the first place? (5, Interesting)

Anonymous Coward | about 4 months ago | (#47272819)

I'm seeing a Streisand effect. There is so much suspicion about TC's abrupt ending, especially after the code reviews found that it is a clean product, that more people seem to be using it because they feel that it was killed by some powerful party.

TC is the only cross platform product out there that gives plausible deniability, is open source, and has been through an audit. The only thing against it are rumors about backdoors, none found.

wrong (4, Insightful)

tacokill (531275) | about 4 months ago | (#47272925)

When it comes to security, one must always err on the side of caution. There are very strong signs and signals that there is a problem with Truecrypt. Those that don't heed that warning are placing themselves at risk.

The default position of everything is: insecure until proven otherwise. If there's a good chance something is insecure, then we assume it is. We don't want to err in the other direction because the implications are too great if we are wrong. This is where we are with Truecrypt. Those throwing caution to the wind - at this point - are doing themselves a disservice.

Re:What was the problem in the first place? (2, Informative)

Kremmy (793693) | about 4 months ago | (#47273261)

As far as we know so far, Truecrypt hasn't been compromised.
No, you're wrong.
From the TrueCrypt website:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
WARNING: Using TrueCrypt is not secure
It may not use the explicit word 'compromised', but that says it clearly right there. TrueCrypt is compromised, whether a TLA did it or not.

Re:What was the problem in the first place? (0)

generatorek (3699929) | about 4 months ago | (#47272059)

Had backdoors introduced by the NSA - and I know it ....

Re:What was the problem in the first place? (3, Interesting)

a_nonamiss (743253) | about 4 months ago | (#47272061)

I don't think it's unreasonable to conclude that some vague, yet menacing government agency has compromised the code and the developers are unwilling to see what they worked for burned to the ground. I mean, 15 years ago, this would have sounded like the rantings of a paranoid schizophrenic, but with all that's come out about the U.S. government recently, I think it's perfectly rational. Given the level of security TrueCrypt has the potential to provide, and the level of oversight the U.S. Government wants over both foreigners and citizens alike, I would honestly be surprised if TrueCrypt wasn't compromised long ago.

Maybe the goals of this vague, yet menacing government agency are pure and wholesome. After all, TrueCrypt would absolutely benefit those organizations trying to keep their activities secret from authority. But we'll never know because of the veil of secrecy behind it.

Re:What was the problem in the first place? (0)

Bill, Shooter of Bul (629286) | about 4 months ago | (#47272115)

Man who says crazy things says he's perfectly rational. News at 11.

Re:What was the problem in the first place? (2)

TangoMargarine (1617195) | about 4 months ago | (#47272241)

A paranoid man is difficult to surprise.

Re:What was the problem in the first place? (0, Insightful)

Anonymous Coward | about 4 months ago | (#47272307)

You're only paranoid if you turn out to be wrong.

Re:What was the problem in the first place? (3, Insightful)

LordLimecat (1103839) | about 4 months ago | (#47272677)

It's not even remotely crazy at this point. TLAs are strongly suspected of having backdoored Windows 2000, OpenBSD's IPSec stack, and the PRNG used by RSA. There are some slides floating around on the internet indicating that there is already a backdoor in Bitlocker.

At this point you would have to be crazy NOT to expect a TLA to have an "answer" to Truecrypt-- that's exactly why there's a code audit being done.

Re:What was the problem in the first place? (1)

Bill, Shooter of Bul (629286) | about 4 months ago | (#47273059)

Whoosh!

Re:What was the problem in the first place? (5, Interesting)

AmiMoJo (196126) | about 4 months ago | (#47272087)

It's more likely that the author is the victim of a National Security Letter, and is obliged to say things like this to discourage people from using TrueCrypt or forking it. Whichever agency got to him must have known that this was likely to happen, and he is probably in it knee deep after putting lots of not-so-subtle hints on the revised homepage.

The 7.1a source code is being audited. There may be issues with the code base, but at least we will soon know with reasonable confidence if it is secure or not. Starting a new project would require a complete audit from scratch to get that level of confidence, and it is likely that at least one of the replacement projects is an NSA shill with backdoors installed from day one. The very fact that they went after TrueCrypt gives us some confidence that it is resilient to their attacks.

Re:What was the problem in the first place? (1)

LordLimecat (1103839) | about 4 months ago | (#47272687)

I don't think he has to "discourage" people from forking it. AFAIK the license it's under means it cannot be forked, especially not without his blessing.

Re:What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47272733)

The U.S. government is extremely corrupt.

Re:What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47273061)

And you are extremely stupid.

Re:What was the problem in the first place? (2, Interesting)

Anonymous Coward | about 4 months ago | (#47272143)

Lavabit, NSLs, etc are FBI, not NSA. The NSA may have found vulnerabilities, may have even hacked his computer and modified the source code, but they don't dick around with NSLs or gag orders.

Source: I'm a spook.

Re:What was the problem in the first place? (1)

Kremmy (793693) | about 4 months ago | (#47273303)

NSL is just as TLA as the rest of them. As a spook, you gotta understand that you're in with all the other spooks whether you like it or not.

Re:What was the problem in the first place? (1)

Rob the Bold (788862) | about 4 months ago | (#47272155)

Reading through the Lavabit case, it's clear that those placed under NSA gagging orders have very, very little room for legal/media maneuver, but nevertheless still retain the freedom to walk away from their projects and tell others not to use them. Such actions appear to be the last defense of cryptographers in the US, and I think that is what we're seeing with Truecrypt.

Just rhetorically speaking, and based on these situations, I'd really like to know just what kind of punishment can the NSA hand out, anyway. Is the guy under legitimate threat of being renditioned to some black hole never to be seen again? He can't be tried in a fully open court where the government has to essentially confirm his story in order to convict him. Even if the government convinces a judge that he's committed some secret offence of a nature that cannot be disclosed, that's still a form of confirmation. So does he get sent to a star chamber to be tried, convicted and never seen again? Can they go Manning on him -- he's not revealing government secrets he learned on the job, right? (Or did he?) When the government starts actually locking people up for dissent, it's game over, isn't it?

Re:What was the problem in the first place? (1)

Charliemopps (1157495) | about 4 months ago | (#47272375)

They say it is better to kick someone out of a plane than let these people have a day in court.

--Edward Snowden
http://www.theguardian.com/wor... [theguardian.com]

Re:What was the problem in the first place? (2)

Scot Seese (137975) | about 4 months ago | (#47272263)

You missed an explanation - the TrueCrypt devs determined that the community code audit of TrueCrypt would eventually turn up backdoors, or spotty code in places so bizarre it would have to be intentional - and, possibly combined with a National Security Letter, the devs decided to just burn the house to the ground instead of allowing the government to repeatedly burgle it.

Re:What was the problem in the first place? (2, Insightful)

Anonymous Coward | about 4 months ago | (#47272379)

I do not read that much into it.

I have many code bases out there. However, I would not recommend people build on them. The team that knows how it works no longer exists. In many cases even if you could get them back together they have not seen the code in years.

Sometimes it is better to throw it out and start over. Using the existing code as your test for features and build yourself a design you understand as you are the one who will be working on it.

Now you could also refactor. That in many cases takes as much work as rewriting it. As that is exactly what you are doing.

I have seen both ways done many times. Both work. But if the orig author says 'I wouldn't bother' it is usually worth at least listening to his advice.

Re:What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47272441)

It seems more likely they got tired of the project, especially since it didn't receive much support financially or otherwise.

The previous version of TrueCrypt (before this last hobbled one) is being currently security audited. We'll see how it holds up after the results are out. I'm curious.

Re:What was the problem in the first place? (1)

LordLimecat (1103839) | about 4 months ago | (#47272595)

Does Truecrypt use elliptic curve cryptography?

No.

In either event the code is basically tainted and shouldn't be used for any future projects.

Given that the author has sworn it off, that'd probably be wise.

Re:What was the problem in the first place? (3, Interesting)

Eravnrekaree (467752) | about 4 months ago | (#47272599)

The situation is probably what it was stated to be, that the developers do not understand the code and it's more trouble to try to unravel a poorly written software project than to do it over again. This is a common problem with open source. Software code is NOT self documenting, but open source people think it is. To really understand a big project in reasonable amount of time you really, really need good documentation and an overview of the system.

Re:What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47272673)

I find your statement interesting, and given that just TC is being audited they dump the project, before the results are final.

Given how many other companies have been forced to halt their attempts by the NSA's blackmailing, and or forced to give up its keys without being allowed to make any public statements of the NSA's activities. I can see statements like "forking is impossible" being another way of saying 'we quit the project, to protect people'. At the same time I go back to the project being dumped when they found out it was being audited, hinting they may have been working with the NSA and were about to get caught, given (if I remember right) the group auditing TC can't get the most recent version it would lead to one coming to a conclusion they are in bed with the NSA.

Definitely going to get interesting to see if the people involved with TC make any statements or interviews after they know in the clear from the NSA's gag orders. Or if they manage to clear the audit without suspicion.

Re: What was the problem in the first place? (0)

Anonymous Coward | about 4 months ago | (#47272785)

E4M code is still in truecrypt code base. SecurStar may have more to do with this than a TLA, especially if the audit showed the TC code was secure.

Re:What was the problem in the first place? (4, Funny)

Java Pimp (98454) | about 4 months ago | (#47272847)

They could have said something like "No Such Action should be taken with regard to our code and you Can't Implement Anything based on it. You might Feel Better If you rewrite everything from scratch."

Re:What was the problem in the first place? (4, Interesting)

DarthVain (724186) | about 4 months ago | (#47273267)

It very well could be "code speak" (pardon pun) for; "yes our code is compromised, no we are not allowed to talk about it, end communication".

Then again it could be less complicated than that, and taken at face value they could be saying; "Our code is a mess. Fixing it would take more effort than we are willing to expend for this project so we ended it. You are welcome to try, but we would recommend you just start from scratch as it contains many fundamental problems."

It is too bad, I've always considered it the de facto standard in encryption. I am not a huge fan of the idea of MS being my provider of encryption with bitlocker, though I have heard some good things about it. Then again it isn't exactly free either.

The Slashdot tinfoil hat part of me wants to believe the NSA story, however common sense tells me it is just another open project that was led by a dedicated few with little resources that became too much to maintain over time. That said, they were rather elusive about it in the end, so who knows. Then again that could be a professional record thing, liability, or legal... plausible deniability limiting personal liability sort of thing.

Re:What was the problem in the first place? (1)

DarthVain (724186) | about 4 months ago | (#47273363)

Also if they find a big flaw, the reason for burning the project, announcing that it exists and what it is, opens it up for exploitation.

Knowing it is there, large enough that it is not fixable within the current state of the code or at least not easily (say without starting from scratch), might make them abandon the project, yet be quiet about the actual details as to why. If they say how it is broken, and expose people's data to exploitation, are they going to get sued? Likely there is wording that indemnifies them, but that might not keep people from trying. Just defending yourself can cost money. Also I have seen plenty of situations, where people know they are in the right legally, but choose a non-confrontation path, as it is best to avoid it altogether if at all possible, taking the lowest possible risk as they can, and if possible I am pretty sure lawyers would suggest this course of action if it is an option.

Re:What was the problem in the first place? (1)

Agares (1890982) | about 4 months ago | (#47273367)

My thoughts exactly, well said.

You keep using that word... (5, Informative)

fuzzyfuzzyfungus (1223518) | about 4 months ago | (#47271703)

It would appear that the intended meaning is 'impractical'. The code is available, and the original project declared itself dead, so forking is totally possible; but the author believes that it would probably be a better use of time to use the existing project as a reference for building a new one, rather than get sufficiently familiar with the old one that you can (safely) start modifying it.

I don't know if it's true or not; but it's a much less radical assertion.

Re:You keep using that word... (0)

Anonymous Coward | about 4 months ago | (#47271879)

Context added:

Of course some will fork the reject regardless of the legal issues, but this doesn’t seem appropriate without clear guidance. What we would like is permission to take at least portions of the current codebase and fork it under a standard open source license (e.g., GPL/MIT/BSD). We would also like permission to use the Truecrypt trademark as part of this effort. If that’s not possible, we would accept a clear statement that you would prefer the software not be renamed.

The initial email mentions possibility in regards to their acquisition of the trademark (or maybe everything in the above quote, but the rest of the sentence implies that they're significantly concerned with getting the name), which probably means that is what the original developer is countering with "impossible."

So, just start up GNUCrypt, follow the old dev's advice, and see how that one forks wildly.

Re:You keep using that word... (2, Insightful)

Anonymous Coward | about 4 months ago | (#47272163)

Just RTF-original, not the usual Slashdot-bastardized summary... oh yeah sorry I frogrot, not Slashdot practice. In any case, reading the linked original, it's re-licensing and trademarks, or failing that, just a statement that they want the Truecrypt name to go on that he's calling "impossible".

It's certainly a curious turn of words though. If taken at face value, it would either imply the person doesn't actually own those rights, or that they're under orders specifically prohibiting them from doing those. Of course, it might just be as they go on to say, that the codebase has become too unwieldy to support, but I must agree that their communications do seem far too strange and contrived for the "obvious, benign" explanation. I also doubt there's anyone at all familiar with what's going on who would even doubt that that project and its authors are very high on the feds' "hit list".

Re:You keep using that word... (1)

TangoMargarine (1617195) | about 4 months ago | (#47272257)

If forking is against the license, it is impossible to fork...without violating the license.

But yes, computers are just bits and we can do whatever we have the power to do.

Re:You keep using that word... (2)

melchoir55 (218842) | about 4 months ago | (#47273273)

Let's toss a few axioms:
1. In order to fork TrueCrypt it must be practically possible to create a fork which is secure (free of backdoors etc.).
2. A fork of TrueCrypt must take less time to create and certify than writing an entirely new product from scratch. Otherwise, there is no point.
3. The algorithms used by TrueCrypt must be fundamentally sound. If you change them you are no longer forking TrueCrypt, you are really just writing a new product.

And a totally reasonable assumption:
The authors of TrueCrypt believe the project is compromised in a manner so subtle that the effort required to detect it would be as great or greater than creating a new project from scratch and/or the algorithms TrueCrypt is using are not secure against attacks known to TLAs (or whoever).

In this case the term "impossible" is reasonably applied, if maybe a bit looser than you might like.

First post (-1)

Anonymous Coward | about 4 months ago | (#47271705)

First forking post!

Fork or no fork, as long as they're not spooning (0)

Anonymous Coward | about 4 months ago | (#47271765)

Hey, this isn't news anymore, we already had a couple of rants about this....
so just let it be, and let those who have to redevelop do their thing... fork or no fork, that's the question, as long as they're not spooning... (uhh... ok I know, stupid joke....)

Rewrites Suck (0)

swillden (191260) | about 4 months ago | (#47271785)

With few exceptions, rewrites are a bad idea. They only make sense when you need to fundamentally change the architecture, and even then it's often better to refactor heavily. Almost without exception, whenever someone says "Oh, it'll be easier to start from scratch", they're wrong. I understand that the TrueCrypt codebase is something of a mess, but I'm still skeptical that a rewrite is actually a better choice.

However, if the copyright owner and the licenses already issued, don't allow it, then it is impossible. The question is, is he doing this because he really believes it, or because he's trying to throw up obstacles? It's hard to see how it could be the former, since even if he believes a rewrite is easier, others are offering to do the work.

This whole situation is bizarre.

Re:Rewrites Suck (1)

manu144x (3377615) | about 4 months ago | (#47271865)

Maybe some government agency inserted some code there, and the author knows it. That's why he recommends rewriting from scratch, because even he doesn't remember where the code is injected, and it's probably very hard to trace.

Re:Rewrites Suck (1)

L4t3r4lu5 (1216702) | about 4 months ago | (#47271869)

If we're going to re-write it, do we continue with the ongoing audit? Do we hold back on paying for more testing so we can audit the re-write?

Re:Rewrites Suck (4, Informative)

Megol (3135005) | about 4 months ago | (#47272209)

With few exceptions, rewrites are a bad idea. They only make sense when you need to fundamentally change the architecture, and even then it's often better to refactor heavily. Almost without exception, whenever someone says "Oh, it'll be easier to start from scratch", they're wrong. I understand that the TrueCrypt codebase is something of a mess, but I'm still skeptical that a rewrite is actually a better choice.

My opinion is the exact opposite: rewrites are often better when reaching a certain codebase size. The main reason is that existing functionality can often be put into a better shape by taking the big picture and adjusting everything according from the experience of the existing code.

The idea that rewrites are bad (that is often taught in programming classes) is mostly economical: it is less economical to do a rewrite rather than patch another level of indirection somewhere in the code tree. It requires more effort, a thorough understanding of the existing codebase (which often doesn't exist at all when code reaches some size, depending on _what_ the code does) and it requires a time gap between the releases.
But all these problems are fundamentally economical. But doing a rewrite can often be more economical, it's just that doing a patch is easier to quantify in money than a rewrite that will simplify patching/upgrades in the future and avoid fragile bug promoting messes.

Refactoring is essentially a "running rewrite" where parts of the code are changed while keeping most/all other parts intact or slightly changed. It decreases the time gap problem but in most cases requires more effort than a rewrite while making many types of improvements hard or impossible.

Re:Rewrites Suck (1)

swillden (191260) | about 4 months ago | (#47272297)

I used to feel the same way, but over the decades experience has taught me otherwise.

Re:Rewrites Suck (0)

Anonymous Coward | about 4 months ago | (#47272637)

that's an anecdote, not an argument. perhaps you're just not good at starting from scratch.

Re:Rewrites Suck (1)

rjstanford (69735) | about 4 months ago | (#47273203)

Rewrites often work well if the original goal for the software has morphed over time, so that its overall structure just no longer makes sense. In other cases codebase does contain a ton of good tribal knowledge that's often lost and has to be relearned during a rewrite process. Confusing things is the fact that in many areas the tools available to developers now (libraries, etc) are far more powerful than they were even 4-5 years ago, so removing code that isn't necessary to meet a business need can really help.

tl;dr: it's complicated, and it all depends.

Why impossible? (1)

js3 (319268) | about 4 months ago | (#47271799)

His answer seems to mean it wouldn't be his preference, rather than being impossible.

I'm confused (1)

Virtucon (127420) | about 4 months ago | (#47271815)

What has happened with Truecrypt, I mean from a psychological perspective. It would appear as though the team had a nervous breakdown going pear shaped rather quickly. Certainly since the source is available it can be forked, screw that just rewrite it. There's not that much there.

Source (2)

Bobberly (1677220) | about 4 months ago | (#47271829)

The article source is from pastebin. Are we really supposed to give this any merit? It's pretty obvious that the authors won't sanction anything related to the project (or did we forget the final cripple commit?)

No Good Editor (1)

Anonymous Coward | about 4 months ago | (#47271837)

He says that this might be no good idea ... but he allows to use the existing code...

Holy crap...

Seriously, Slashdot has "no good" editors...

Come on guys. Seriously. Invest two seconds into reading and fixing the sentences. I don't think we're expecting rock solid perfect grammar but this is embarrassing...

Re:No Good Editor (1)

jones_supa (887896) | about 4 months ago | (#47272277)

It should actually be "He says that this it ain't no cool beanz".

Common concern, always wrong (1)

Anonymous Coward | about 4 months ago | (#47271859)

If you look at just about any abandoned code base you will find that the original authors claimed it could not be maintained or should be rewritten from scratch. They are always wrong and there are usually (better) developers who come along and prove that. Remember when the GNOME desktop developers said GNOME 2 could not be maintained and they had to scrap everything to make way for GNOME 3? Now the MATE developers have not only carried on the original GNOME 2 code, but they have also cleaned it up a little and modernized it. Next year they plan to port GNOME 2 to the GTK 3 toolkit, proving the GNOME developers were wrong.

The same issue comes up with many big open source projects. The original devs walk off and claim their code cannot be salvaged or maintained. It's always too big or confusing or complex, they claim. But someone almost always comes along and proves the code still works, can be updated and the fork usually does well.

The TrueCrypt author is obviously incorrect, the code can be forked and maintained. And it likely will be, probably by people who have more time/energy than the original team.

Read between the lines (1)

Anonymous Coward | about 4 months ago | (#47271889)

If he suspects the code has a vulnerability, he doesn't want it copied.

Translation (4, Insightful)

Opportunist (166417) | about 4 months ago | (#47271913)

Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.

And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.

Re:Translation (5, Interesting)

Pi1grim (1956208) | about 4 months ago | (#47271959)

Unless the development is done outside of US. Because in that case you can use the letter to wipe your, let's say tears of joy and carry on writing the project. Unless, of course, you are planning to visit US any time in the future.

Re:Translation (5, Insightful)

Anonymous Coward | about 4 months ago | (#47272185)

> Unless the development is done outside of US.

At this point this is the way it has to be. Any piece of software developed by US citizens, companies, foundations, etc. is no longer trustworthy. The US is dead as far as secure software is concerned.

Re:Translation (3, Interesting)

darkmeridian (119044) | about 4 months ago | (#47272713)

That's what the NSA wants you to think: that the rest of the world is not within its grasp. Note that CryptoAG was a Swiss company that was allegedly compromised by the NSA back in the 1950s. God knows what other foreign companies have been hacked by the NSA. Samsung (South Korean) and Huawei (Chinese) hardware have been reportedly compromised by the NSA. If hard drives made by the goddamned Communist Chinese are being shipped with NSA-compromised firmware, then how the hell is stuff coming from Taiwan (nominally a US ally) and Europe going to be any better?

Re:Translation (4, Informative)

melchoir55 (218842) | about 4 months ago | (#47273307)

Foreign software isn't immune. No one thinks it is. The point is that US software is vulnerable *by law*. It is legally impossible to create secure software if you are a US entity. At least if the software is created in another country it is possible that it is secure. Even if the chance is 1/100, that chance is greater than 0.

Re:Translation (0)

Anonymous Coward | about 4 months ago | (#47272287)

Unless the development is done outside of US

Of course, then developers have to worry about getting a letter from their own country's government requiring them to intentionally put in a weakness, or even a backdoor into the code. But more likely what'll happen is some nation's intelligence service will simply pay a developer, one that may even be well regarded in the security community, to put in subtly exploitative code. It happened to BSD, it's very likely happening to the Linux kernel and any number of other FOSS projects that can be used to remotely compromise machines.

Re:Translation (0)

Charliemopps (1157495) | about 4 months ago | (#47272413)

Unless the development is done outside of US. Because in that case you can use the letter to wipe your, let's say tears of joy and carry on writing the project. Unless, of course, you are planning to visit US any time in the future.

Keep in mind, the NSA has no problem sending a missile into your living room. Anything short of that is them being nice. For example, beating you with a hammer until you agree to install the backdoor.

Agencies with unlimited resources and the attitude of "The ends justify the means" are very dangerous.

Re:Translation (1)

Anonymous Coward | about 4 months ago | (#47272575)

Keep in mind, the NSA has no problem sending a missile into your living room.

NSA doesn't do that. NSA does not issue NSLs or court orders either. They gather information.

CIA may send a missile into your living room. The FBI may get court orders, etc. But not the NSA.

This is all rather sad that no one seems to know which parts of the government actually are doing something. And no, I'm not even American and I know these things.

Re:Translation (1)

naughtynaughty (1154069) | about 4 months ago | (#47272455)

So the TC developers, who are outside the US, receive a letter from the NSA that says include a backdoor or else. 1) So they include the backdoor and the code change is immediately apparent to everyone. How is that an effective technique to backdoor code? It merely exposes a backdooring technique that is easily removed from the source code or prompts a fork. 2) They ignore the letter because a letter from the NSA to someone outside the US has no legal significance. I am skeptical that this is anything but a group of developers who lost interest in a project a long time ago and finally pulled the plug. It's a shame, TC could have been turned into a financially viable project with the right leadership. I look forward to a fork doing exactly that.

Re:Translation (1)

Opportunist (166417) | about 4 months ago | (#47272679)

No, for them it's a hint more complicated. For them, the local authorities get a letter and THEIR intelligence service then sends the letter. Of course it would be turned into a CSS project as well, which would for sure create a bit of an outcry by the OSS purists but not really much backlash from anywhere else as long as it stays free. To cover the tracks a bit better, they could make it free for noncommercial use only, just never enforce it and thus ensure it stays popular.

Want to take a bet that this will happen should someone pick it up?

Re:Translation (1)

Mr. Slippery (47854) | about 4 months ago | (#47273117)

They ignore the letter because a letter from the NSA to someone outside the US has no legal significance.

A letter from the NSA to someone inside the US has no legal significance either. That doesn't stop the U.S. government from acting illegally.

Re:Translation (0)

Anonymous Coward | about 4 months ago | (#47272723)

Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.

And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.

Please provide evidence that the NSA had anything to do with TrueCrypt ending development.

Secret government pressure? (0)

Anonymous Coward | about 4 months ago | (#47271923)

Recall when the announcement was made there was speculation that some USG agencies might have been involved. If the authors got a subpoena (with silencing order), they might feel they cannot take specific action such as putting their sources under LGPL or some such. The response is totally consistent with this, where the authors may (justly) be glad they published sources but are now barred from doing any more with them. Their most recent mods, to enable hidden filesystems, may have just been one too many tweaks of the Beast's tail.
Of course there was the long period where the website asked for money, so the facts may be more benign. We outsiders just can't know.

Re:Secret government pressure? (2)

naughtynaughty (1154069) | about 4 months ago | (#47272521)

A security letter could ask for a lot of things but it would be a bit strange for it to demand that the source code license not be modified. To make that of any value the security letter would also have to demand that the group of developers enforce their copyright. That is easily tested. Fork the code, create NewTrueCrypt and put it up on a website. If a cease and desist letter appears then you are, perhaps, correct. If not, you are likely incorrect.

Pissing war (2, Insightful)

Zontar_Thing_From_Ve (949321) | about 4 months ago | (#47271941)

This is a pissing war. Both sides may be sincere and well intentioned, but it's still a pissing war. Here's a manager type summary. I'll use TC to represent the TC developer who responded and Forkers for the person representing the people who want to fork it.

Forkers: We'd like your permission to fork your code and get the rights to it. We could just fork it without your permission and others no doubt will if you refuse to comply. We want your trademarks and your OK to put the forked code into a different license than you used. We've started looking at your code and while we do agree that there are problems there that desperately need to be fixed, we feel strongly that fixing your broken code is a million times easier than writing this from scratch. So will you play ball with us?
TC: Our code is so broken that you need to start from scratch. That's why we abandoned it - didn't think it was possible to fix without doing a complete re-write. So no, we're not going to "play ball".

Re:Pissing war (1)

Anonymous Coward | about 4 months ago | (#47272195)

They abandoned it because the NSA was going to force them to backdoor it, or found a vulnerability and told them not to fix it. So in that sense they're actually trying to protect the new devs from inheriting NSA problems, which I agree with. Rewrite from scratch, in a non-US country, and include a canary system to let users know if they are ever compromised by a security agency.

Re:Pissing war (2)

naughtynaughty (1154069) | about 4 months ago | (#47272553)

The NSA can't force a backdoor without it being instantly obvious. There haven't been any code changes in a very long time and the source code is currently being audited. Any change would be heavily scrutinized. If the NSA found a vulnerability they wouldn't tell the TC developers. Given their lack of interest in the project it seems unlikely the developers spotted a vulnerability recently and discussed, privately, fixing it, with the NSA intercepting their discussion and demanding they not fix it. But we'll know that soon enough, the code audit has been underway and they are the canary for exposing this possibility. If they abandon the audit or come out with their own cryptic remarks about the code then you would be correct. If they don't, you are likely incorrect.

Re:Pissing war (1)

Z00L00K (682162) | about 4 months ago | (#47272591)

In addition to that the license for TrueCrypt sucks pretty badly, and that license is what may prevent a fork.

So essentially what is stated is - you can fork, but make sure that the fork is rewritten so much that it's no longer possible to trace it back to TrueCrypt.

The product is contaminated, mostly by a bad license from start, but also from suspicion that there may be other crap injected - like NSA.

Is this really genuine? (0)

Anonymous Coward | about 4 months ago | (#47272053)

What!!?? I thought the developers of TrueCrypt were anonymous and no one knew who they are. When was this mystery solved? And between whom is the email communication? How do we even know it is genuine?

Am I missing something?

Re:Is this really genuine? (1)

Smerta (1855348) | about 4 months ago | (#47273207)

Matt Green, the cryptographer leading the TC audit effort, had established contact with one or more developers (somehow) over the last year or so.

So, to most of us, the TC developers are still anonymous, but not to everyone...

The license does not allow fork as truecrypt (0)

Anonymous Coward | about 4 months ago | (#47272113)

I suggest going and rereading the license. It does not (very specifically) allow a product developed from truecrypt to be called truecrypt, to refer to ancestry as coming from truecrypt, or any similar name. It does allow derivative versions to be created, but under a different name and without connection to the truecrypt original.

Now admittedly this makes more sense where the original developers are still active, but it is pretty permissive. Ditch the name and don't in the program claim you derive from Truecrypt, and you can copy code, alter it, add to it, distribute it far as I can see pretty much as you like. What you are not allowed to do is say it is a truecrypt derivative (at least not directly). You could say (far as I can see, on a quick read) "derived from a popular and high quality cryptodisk implementation whose authors have dropped development of it", or some such thing (seeing that giving credit where credit is due is desirable).

There are some other bits of code with separate licenses that require they be acknowledged, but those do not look too hard to deal with.

If one just wanted to make a new name up (virtual disk, VD) maybe you could have the fun again of saying "I gave my system VD"...

If you get the NSL, can you consult your attorney? (1)

i_want_you_to_throw_ (559379) | about 4 months ago | (#47272167)

Hi folks, I have wondered about this.... If you have a product like TrueCrypt and get a National Security Letter telling you that you can't talk about it, does that include your attorney? I seem to remember that someone decided to sue NSA over this... Just curious...

Re:If you get the NSL, can you consult your attorn (3, Insightful)

L4t3r4lu5 (1216702) | about 4 months ago | (#47272385)

How would you know it was genuine without consulting a legal professional? I can download the NSA logo from Google Images, find their address from Wikipedia, and write "You should stop doing this thing or we'll invite you to stay at Guantanamo Bay Care Home for the Politically Undesirable. Oh, and where I said 'invite you to stay at' replace it with 'put you in a 4' x 2' x 2' hold-all and ship you freight to'."

Someone should start sending fakes to random US addresses, just to see what happens.

Re:If you get the NSL, can you consult your attorn (1)

UnknownSoldier (67820) | about 4 months ago | (#47273289)

Yeah, there was an article a few years back over this where attorneys weren't even allowed to talk about the laws the client "officially" broke because it was against the law to acknowledge those laws even existed in the first place! WTF?!

I'll be darned if I can remember the link ...

Let me attempt to translate for you guys (5, Informative)

satan666 (398241) | about 4 months ago | (#47272201)

He says:
"I am sorry, but I think what you're asking for here is impossible."

As a developer, he uses the term "impossible". Nobody says
"impossible" in a development framework. You could
say "difficult" or "expensive" but not "impossible".
He says "impossible" because he is telling us in
specific terms:

It is "impossible" to use the current code base because
it has been compromised. He can't talk about it. He is
under court order or some fucking thing.

Since he can't tell us where the compromise is
he says fuck it all and start from scratch.
He is very specific.

Look, if the developer of an encryption product
says the product is not secure and it is impossible
to fix, I take that as:

"Stay the fuck away from this thing".

To be forewarned...

Re:Let me attempt to translate for you guys (0)

Anonymous Coward | about 4 months ago | (#47272851)

I would concur. There must be some fundamental flaw in TrueCrypt that probably is tied to TrueCrypt's tight integration with the Windows OS. It must be such that the author can't fix it and for some other reason isn't going to write another program. What makes TrueCrypt so easy to use most likely makes it vulnerable and I imagine the author has been made aware of this in some manner.

Re:Let me attempt to translate for you guys (0)

Anonymous Coward | about 4 months ago | (#47273017)

As a developer, he uses the term "impossible". Nobody says
"impossible" in a development framework.

And what if his/her English isn't very good? I think you're reading too much into the word choice.

Re:Let me attempt to translate for you guys (2)

satan666 (398241) | about 4 months ago | (#47273223)

Maybe. In view of recent NSA developments and discoveries, do you think I'm unjustified in being VERY careful about what I read and how I read it? If Snowden did nothing else, he made us aware just how deep and dark the NSA chest of secrets is.

Just sayin'

Re:Let me attempt to translate for you guys (1)

Anonymous Coward | about 4 months ago | (#47273073)

Nobody says "impossible" in a development framework.

Agreed: http://www.collegehumor.com/em... [collegehumor.com]

quite fair (1)

Mr_Nitro (1174707) | about 4 months ago | (#47272459)

I don't see the problem, codebase is old, in some part flawed, use it for reference and build a new clean stronger software....end of story....

What's hardest, the crypto or the OS integration? (3, Interesting)

swb (14022) | about 4 months ago | (#47272567)

One thing about Truecrypt that always impressed me was how well it worked with Windows -- containers with drive letters, whole disk encryption, etc.

If you were to recreate it, what would be the hardest part -- doing the encryption or doing the OS integration bits? I assume doing encryption securely (ie, not leaving keys or passphrases hanging around in memory or written to swap files) is non-trivial, but I also assume that integrating well with Windows is, too.

Re:What's hardest, the crypto or the OS integratio (5, Interesting)

bhoar (1226184) | about 4 months ago | (#47272943)

Redefining "OS integration" to include "OS and boot integration", the short answer is: the boot process, hands down. You can model a new app based on TC's approach for OS-level (container/partition/disk) encryption, and you can do the same for MBR boot/system disk encryption, but now that everything is moving to TCG-TCM/UEFI/GPT/etc. it's a lot more complicated.

Some history: IIRC from the TC forum, the TC's developer had issues finding a public API/method in the MS docs that could be used to pass keys and boot control from the MBR/bootloader to the OS and tc driver shim. There were third party apps out there doing it, but there didn't seem to be a documented way to do it, and the tc devs wanted to avoid fragile hacks to get it done.

Microsoft actually responded to the TC devs by either publicizing a private API or by creating an official one. Again, this was back in the MBR days.

With UEFI/GPT, trusted boot, etc., this part has become a lot more complex. I'm not sure what Microsoft's responsiveness would be on pursuing an official UEFI/GPT API, but I wouldn't be surprised if it's something along the lines of "Just use Bitlocker, it does this already."

Occam's Razor (1)

bhoar (1226184) | about 4 months ago | (#47272777)

1. Evidence seems to point that the main developer is in Europe. So, an NSA NSL doesn't seem (to me) to be a likely factor.

2. Evidence points to the history of the code perhaps being legally murky. But from what I recall of the forum discussion nearly a decade ago, most of the murk wasn't due to the code origins, which appeared to be on the up and up, but due to the legal threats/actions of a company that thought it could prevent a fork from *before* buying code/hiring the developer. That's IIRC, of course, I've seen reporting all over the map on this issue. Also, supposition: there may have also been verbal promises between the dev(s) and outside entities about what might trigger more legal issues.

3. Evidence points to English being the main developer's second language, so the conspiracy theories based on awkward sentence construction are probably just that, theories.

4. Evidence (now gone, due to the tc forums being removed) also seems to point to the main developer having strong feelings about control over the main code line and trademarks for a long time. Some of this seemed rational (wanting to block a plethora of backdoored versions being deployed) but some of this seemed personal. Most devs have been there, some have matured and learned to let it go.

Conclusion: the simplest explanation, to me, is that the main dev wants the code dead and buried so that he is entirely free of any future legal, ethical or emotional consequences of it continuing.

Please don't use pastebin as a news source (0)

Anonymous Coward | about 4 months ago | (#47273231)

How are we to know that this is a legitimate letter from a TC developer, and not some random bullshit posted by some lamer (or TLA agent) trying to persuade people from discontinuing work on TC?

I'm more worried about the hidden Latin message. (5, Insightful)

Anonymous Coward | about 4 months ago | (#47273233)

The Guardian reported on a hidden Latin message: TrueCrypt probably didn't leave a Latin message alerting users to NSA spying [theguardian.com] . I'm not so sure about their in-headline conclusion, though.

They quote this comment on Wikipedia by 'Bardon' [mediawiki.org] :

There is a hidden message on the new sourceforge TrueCrypt site [sourceforge.net] . The first line of the site is this: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

If you take just the first letter of each word, except the word "WARNING":

Using TrueCrypt is not secure as it may contain unfixed security issues

you get this:
uti nsa im cu si

It's Latin that roughly means:
Unless I want to use the NSA

So, the full message seems to be this:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues, unless I want to use the NSA

Which is English that roughly means:
Don't use TrueCrypt because it is under the control of the NSA

The Guardian article rebuffs this with: "In fact, "uti nsa im cu si" is meaningless in Latin - except to Google translate, (mis)translates it to the message Badon discovered."

But isn't that enough? It's a hidden message; it doesn't need to be correct Latin as long as the point gets across. If you put it into Google Translate [google.com] right now, you get "If I wish to use the NSA". Unusual that it's been changed slightly, but still expresses the same message: The NSA has compromised TrueCrypt.

I'm not one for conspiracy theories, but this entire TrueCrypt saga has been bizarre. Obviously something happened beyond "the task of maintaining a widely used cryptography program just became too much work" or else why not just say that?

id est (0)

Anonymous Coward | about 4 months ago | (#47273257)

Truecrypt was forced to shut down and anyone forking it would face the same secret threats and gag orders.