TrueCrypt Author Claims That Forking Is Impossible

An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might be no good idea, because the code needs a rewrite, but he allows to use the existing code as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."

Re:Can someone translate the summary into English?

[GoddersUK]

So far as I can tell he claims that it would be impossible to re-license it under an OSS license and allow Matthew Green to use the trademark. This may be "impossible" because he doesn't control the IP or he may just be using it as a figure of speech to say that he won't comply with the request. The article title somewhat misleadingly takes the quote out of context. Of course it's just an anonymously posted email on Pastbin, I wouldn't put too much stock by it unless there's some independent confirmation of its validity.

Re:Translation

[Pi1grim]

Unless the deveopment is done outside of US. Because in that case you can use the letter to wipe your, let's say tears of joy and carry on writing the project. Unless, ofcourse you are planning to visit US any time in the future.

Re:What whas the problem in the first place?

[a_nonamiss]

I don't think it's unreasonable to conclude that some vague, yet menacing government agency has compromised the code and the developers are unwilling to see what they worked for burned to the ground. I mean, 15 years ago, this would have sounded like the rantings of a paranoid schizophrenic, but with all that's come out about the U.S. government recently, I think it's perfectly rational. Given the level of security TrueCrypt has the potential to provide, and the level of oversight the U.S. Government wants over both foreigners and citizens alike, I would honestly be surprised if TrueCrypt wasn't compromised long ago.

Maybe the goals of this vague, yet menacing government agency are pure and wholesome. After all, TrueCrypt would absolutely benefit those organizations trying to keep their activities secret from authority. But we'll never know because of the veil of secrecy behind it.

Re:What whas the problem in the first place?

[AmiMoJo]

It's more likely that the author is the victim of a National Security Letter, and is obliged to say things like this to discourage people from using TrueCrypt or forking it. Which ever agency got to him must have known that this was likely to happen, and he is probably in it knee deep after putting lots of not-so-subtle hints on the revised homepage.

The 7.1a source code is being audited. There may be issues with the code base, but at least we will soon know with reasonable confidence if it is secure or not. Starting a new project would require a complete audit from scratch to get that level of confidence, and it is likely that at least one of the replacement projects is an NSA shill with backdoors installed from day one. The very fact that they went after TrueCrypt gives us some confidence that it is resilient to their attacks.

Re:What whas the problem in the first place?

[Anonymous Coward]

Lavabit, NSLs, etc are FBI, not NSA. The NSA may have found vulnerabilities, may have even hacked his computer and modified the source code, but they don't dick around with NSLs or gag orders.

Source: I'm a spook.

What's hardest, the crypto or the OS integration?

[swb]

One thing about Truecrypt that always impressed me was how well it worked with Windows -- containers with drive letters, whole disk encryption, etc.

If you were to recreate it, what would be the hardest part -- doing the encryption or doing the OS integration bits? I assume doing encryption securely (ie, not leaving keys or passphrases hanging around in memory or written to swap files) is non-trivial, but I also assume that integrating well with Windows is, too.

Re:What whas the problem in the first place?

[Eravnrekaree]

The situation is probably what it was stated to be, that the developers do not understand the code and its more trouble to try to unravel a poorly written software project than to do it over again. THis is a common problem with open source. Software code is NOT self documenting, but open source people think it is. To really understand a big project in reasonable amount of time you really, really need good documentation and an overview of the system

Re:Can someone translate the summary into English?

[Z00L00K]

Looking at the TrueCrypt License it sucks pretty bad, and it seems to be the major problem preventing a fork.

Re:Translation

[darkmeridian]

That's what the NSA wants you to think: that the rest of the world is not within its grasps. Note that CryptoAG was a Swiss company that was allegedly compromised by the NSA back in the 1950s. God knows what other foreign companies have been hacked by the NSA. Samsung (South Korean) and Huawei (Chinese) hardware have been reportedly compromised by the NSA. If hard drives made by the goddamned Communist Chinese are being shipped with NSA-compromised firmware, then how the hell is stuff coming from Taiwan (nominally a US ally) and Europe going to be any better?

Re:What whas the problem in the first place?

[Anonymous Coward]

I'm seeing a Streisand effect. There is so much suspicion about TC's abrupt ending, especially after the code reviews found that it is a clean product, that more people seem to be using because they feel that it was killed by some powerful party.

TC is the only cross platform product out there that gives plausible deniability, is open source, and has been through an audit. The only thing against it are rumors about backdoors, none found.

Re:What's hardest, the crypto or the OS integratio

[bhoar]

--- Redefining "OS integration" to include "OS and boot integration", the short answer is: the boot process, hands down. You can model a new app based on TC's approach for OS-level (container/partition/disk) encryption, and you can do the same for MBR boot/system disk encryption, but now that everything is moving to TCG-TCM/UEFI/GPT/etc. it's a lot more complicated. -- Some history: IIRC from the TC forum, the TC's developer had issues finding a public API/method in the MS docs that could be used to pass keys and boot control from the MBR/bootloader to the OS and tc driver shim. There were third party apps out there doing it, but there didn't seem to be a documented way to do it, and the tc devs wanted to avoid fragile hacks to get it done. -- Microsoft actually responded to the TC devs by either publicizing a private API or by creating an official one. Again, this was back in the MBR days. -- With UEFI/GPT, trusted boot, etc., this part has become a lot more complex. I'm not sure what Microsoft's responsiveness would be on pursuing an official UEFI/GPT API, but I wouldn't be surprised if it's something along the lines of "Just use Bitlocker, it does this already."

Re:What whas the problem in the first place?

[DarthVain]

It very well could be "code speak" (pardon pun) for; "yes our code is compromised, no we are not allowed to talk about it, end communication".

Then again it could me less complicated than that, and taken at face value they could be saying; "Our code is a mess. Fixing it would take more effort than we are willing to expend for this project so we ended it. You are welcome to try, but we would recommend you just start from scratch as it contains many fundamental problems."

It is too bad, I've always considered it the defacto standard in encryption. I am not a huge fan of the idea of MS being my provider of encryption with bitlocker, though I have heard some good things about it. Then again it isn't exactly free either.

The Slashdot tinfoil hat part of me wants to believe the NSA story, however common sense tells me it is just another open project that was led by a dedicated few with little resources that became too much to maintain over time. That said, they were rather elusive about it in the end, so who knows. Then again that could be a professional record thing, liability, or legal... plausible deniability limiting personal liability sort of thing.

Re:What whas the problem in the first place?

[bill_mcgonigle]

I'd really like to know just what kind of punishment can the NSA hand out, anyway. Is the guy under legitimate threat of being renditioned to some black hole never to be seen again?

The CIA rendition plane was waiitng for Snowden. When Joseph Nacchio (Qwest CEO) refused to play ball with NSA, they set the SEC on him with some bogus charges and then refused to allow him to defend himself in court by classifying the evidence.

When the government starts actually locking people up for dissent, it's game over, isn't it?

Only if people do nothing to stop them. So far, Americans seem as willing to fight as the 30's Germans.

Re:What whas the problem in the first place?

[AmiMoJo]

How could he stop people forking it? If he were to sue them is identity would be revealed.

Re:What whas the problem in the first place?

[Belial6]

This is a common problem with software.