TrueCrypt Author Claims That Forking Is Impossible 250

Posted by timothy
from the it's-forking-impossible-man dept.
An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might not be a good idea, because the code needs a rewrite, but he allows the existing code to be used as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of TrueCrypt's current codebase. I have no problem with the source code being used as reference."
  • by Opportunist (166417) on Thursday June 19, 2014 @10:21AM (#47271851)

    Easy to be brave when there's not a TLA breathing down your neck.

  • Reading between the lines here, it seems fairly probable that Truecrypt has either

    a) Very serious security bugs, or
    b) Had backdoors introduced by the NSA.(Does Truecrypt use elliptic curve cryptography?)

    In either event the code is basically tainted and shouldn't be used for any future projects.

    The vague and sometimes bizarre nature of the statements from the TrueCrypt dev team, including this one, lead me to believe that they have been placed under a standard NSA gagging order and have decided to burn TrueCrypt rather than see it be turned against its users. Comments like "Forking is Impossible" appear to be an open code for communicating that they are essentially unable to communicate, but that TrueCrypt is no longer a trustworthy piece of software.

    Reading through the Lavabit case, it's clear that those placed under NSA gagging orders have very, very little room for legal/media maneuver, but nevertheless still retain the freedom to walk away from their projects and tell others not to use them. Such actions appear to be the last defense of cryptographers in the US, and I think that is what we're seeing with TrueCrypt.

  • Translation (Score:5, Insightful)

    by Opportunist (166417) on Thursday June 19, 2014 @10:26AM (#47271913)

    Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.

    And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.

  • Pissing war (Score:3, Insightful)

    by Zontar_Thing_From_Ve (949321) on Thursday June 19, 2014 @10:28AM (#47271941)
    This is a pissing war. Both sides may be sincere and well intentioned, but it's still a pissing war. Here's a manager type summary. I'll use TC to represent the TC developer who responded and Forkers for the person representing the people who want to fork it.

    Forkers: We'd like your permission to fork your code and get the rights to it. We could just fork it without your permission and others no doubt will if you refuse to comply. We want your trademarks and your OK to put the forked code into a different license than you used. We've started looking at your code and while we do agree that there are problems there that desperately need to be fixed, we feel strongly that fixing your broken code is a million times easier than writing this from scratch. So will you play ball with us?
    TC: Our code is so broken that you need to start from scratch. That's why we abandoned it - didn't think it was possible to fix without doing a complete re-write. So no, we're not going to "play ball".
  • by kylemonger (686302) on Thursday June 19, 2014 @10:34AM (#47272019)
    As far as we know so far, Truecrypt hasn't been compromised. So ending use of it might be a victory for the NSA and their kind. And all they had to do was sow some seeds of doubt.
  • by Anonymous Coward on Thursday June 19, 2014 @10:44AM (#47272163)

    Just RTF-original, not the usual Slashdot-bastardized summary... oh yeah sorry I forgot, not Slashdot practice. In any case, reading the linked original, it's re-licensing and trademarks, or failing that, just a statement that they want the TrueCrypt name to go on that he's calling "impossible".

    It's certainly a curious turn of words though. If taken at face value, it would either imply the person doesn't actually own those rights, or that they're under orders specifically prohibiting them from doing those. Of course, it might just be as they go on to say, that the codebase has become too unwieldy to support, but I must agree that their communications do seem far too strange and contrived for the "obvious, benign" explanation. I also doubt there's anyone at all familiar with what's going on who would even doubt that that project and its authors are very high on the feds' "hit list".

  • Re:Translation (Score:5, Insightful)

    by Anonymous Coward on Thursday June 19, 2014 @10:46AM (#47272185)

    > Unless the development is done outside of US.

    At this point this is the way it has to be. Any piece of software developed by US citizens, companies, foundations, etc. is no longer trustworthy. The US is dead as far as secure software is concerned.

  • by Anonymous Coward on Thursday June 19, 2014 @10:57AM (#47272307)

    You're only paranoid if you turn out to be wrong.

  • by Anonymous Coward on Thursday June 19, 2014 @11:01AM (#47272379)

    I do not read that much into it.

    I have many code bases out there. However, I would not recommend people build on them. The team that knows how it works no longer exists. In many cases even if you could get them back together they have not seen the code in years.

    Sometimes it is better to throw it out and start over. Using the existing code as your test for features and build yourself a design you understand as you are the one who will be working on it.

    Now you could also refactor. That in many cases takes as much work as rewriting it. As that is exactly what you are doing.

    I have seen both ways done many times. Both work. But if the orig author says 'i wouldnt bother' it is usually worth at least listening to his advice.

  • by L4t3r4lu5 (1216702) on Thursday June 19, 2014 @11:01AM (#47272385)
    How would you know it was genuine without consulting a legal professional? I can download the NSA logo from Google Images, find their address from Wikipedia, and write "You should stop doing this thing or we'll invite you to stay at Guantanamo Bay Care Home for the Politically Undesirable. Oh, and where I said 'invite you to stay at' replace it with 'put you in a 4' x 2' x 2' hold-all and ship you freight to'."

    Someone should start sending fakes to random US addresses, just to see what happens.
  • by LordLimecat (1103839) on Thursday June 19, 2014 @11:26AM (#47272677)

    It's not even remotely crazy at this point. TLAs are strongly suspected of having backdoored Windows 2000, OpenBSD's IPSec stack, and the PRNG used by RSA. There are some slides floating around on the internet indicating that there is already a backdoor in Bitlocker.

    At this point you would have to be crazy NOT to expect a TLA to have an "answer" to TrueCrypt-- that's exactly why there's a code audit being done.

  • wrong (Score:5, Insightful)

    by tacokill (531275) on Thursday June 19, 2014 @11:47AM (#47272925)
    When it comes to security, one must always err on the side of caution. There are very strong signs and signals that there is a problem with TrueCrypt. Those that don't heed that warning are placing themselves at risk.

    The default position of everything is: insecure until proven otherwise. If there's a good chance something is insecure, then we assume it is. We don't want to err in the other direction because the implications are too great if we are wrong. This is where we are with TrueCrypt. Those throwing caution to the wind - at this point - are doing themselves a disservice.
  • by Anonymous Coward on Thursday June 19, 2014 @11:53AM (#47273009)

    This.

    Try blowing the whistle on something. Revel in satisfying your moral obligation and the feeling of righteousness. It will last until the first threatening letter from a lawyer arrives. Then you'll see what you're made of. Chances are good that it's not steel. Until you've experienced it, you won't know.

    Just about any government organization or better than medium-sized private entity has the resources to crush an individual with very little threat of recourse. You really can't imagine the kinds of crap they can lob. If you are thinking of blowing a whistle, be very careful. Read up on the subject (Google for "how to whistleblower"). Absolutely DO NOT try to use internal channels. There are organizations that try to support whistle blowers, contact one (anonymously) and see what reading material they can give you. Make sure your nose is absolutely clean. Try to find cases of similar acts of whistle-blowing in your legal jurisdiction. How did they turn out for the whistle-blower? Probably not very good. Do everything right. Make sure you have enough evidence for an iron-clad case (without actually stealing anything). And wait until you have some distance. If you can keep the perpetrator(s) from figuring out your identity, absolutely do so. You will save yourself a lot of grief. This means you have to keep your mouth shut and trust nobody. (Note that I'm posting anonymously.) You won't be able to vent to anyone, especially co-workers. This is much harder than you might think. If you like to talk, you'd best just forget what you've seen. If you can time your actions so they hit while the perpetrator is under pressure for other problems, so much the better. Before you pull the trigger, think long and hard about the effect this will have on your loved ones. Consider supporting an anti-corruption organization to satisfy your need to do good rather than risking yourself.

    Yes, it's really that bad. The sort of folk that deserve to be found out are more entrenched than you suspect. They are willing to go to extreme lengths to protect themselves. The problem almost definitely is more widespread than you think. The way it often works is that there is a web of wrong-doing, where one fellow's previous mistakes are used as leverage for silence/support by someone else. It makes for a kind of club. Many members of the club will have had one or more whistles blown on them before and have strategies for dodging and attacking the whistle-blower.

    And that's just if you are whistle-blowing on a run of the mill organization. Going up against the likes of the NSA, the DOD, or the CIA... The TrueCrypt authors have all of my respect for shutting the project down. It was an act of bravery.

  • by Anonymous Coward on Thursday June 19, 2014 @12:15PM (#47273233)

    The Guardian reported on a hidden Latin message: TrueCrypt probably didn't leave a Latin message alerting users to NSA spying [theguardian.com]. I'm not so sure about their in-headline conclusion, though.

    They quote this comment on Wikipedia by 'Bardon' [mediawiki.org]:

    There is a hidden message on the new sourceforge TrueCrypt site [sourceforge.net]. The first line of the site is this: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    If you take just the first letter of each word, except the word "WARNING":

    Using TrueCrypt is not secure as it may contain unfixed security issues

    you get this:
    uti nsa im cu si

    It's Latin that roughly means:
    Unless I want to use the NSA

    So, the full message seems to be this:
    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues, unless I want to use the NSA

    Which is English that roughly means:
    Don't use TrueCrypt because it is under the control of the NSA

    The Guardian article rebuffs this with: "In fact, "uti nsa im cu si" is meaningless in Latin - except to Google translate, (mis)translates it to the message Badon discovered."

    But isn't that enough? It's a hidden message; it doesn't need to be correct Latin as long as the point gets across. If you put it into Google Translate [google.com] right now, you get "If I wish to use the NSA". Unusual that it's been changed slightly, but still expresses the same message: The NSA has compromised TrueCrypt.

    I'm not one for conspiracy theories, but this entire TrueCrypt saga has been bizarre. Obviously something happened beyond "the task of maintaining a widely used cryptography program just became too much work" or else why not just say that?

  • by kylemonger (686302) on Thursday June 19, 2014 @01:49PM (#47274263)
    The first statement is a tautology and the second is unconfirmed and could just be FUD-mongering to discourage us from using a product the TLAs haven't cracked. If you give up a privacy tool every time someone merely claims to have subverted it, soon you will have no tools left. By the way, your home is not secure; I've subverted it. Good luck.
  • by Anonymous Coward on Thursday June 19, 2014 @02:16PM (#47274521)

    The license doesn't really matter. They can't sue if they want to remain anonymous.
