Forgot your password?
typodupeerror
Encryption Open Source Privacy Software

TrueCrypt Author Claims That Forking Is Impossible 250

Posted by timothy
from the it's-forking-impossible-man dept.
An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might be no good idea, because the code needs a rewrite, but he allows to use the existing code as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."
This discussion has been archived. No new comments can be posted.

TrueCrypt Author Claims That Forking Is Impossible

Comments Filter:
  • by fuzzyfuzzyfungus (1223518) on Thursday June 19, 2014 @10:13AM (#47271703) Journal
    It would appear that the intended meaning is 'impractical'. The code is available, and the original project declared itself dead, so forking is totally possible; but the author believes that it would probably be a better use of time to use the existing project as a reference for building a new one, rather than get sufficiently familiar with the old one that you can (safely) start modifying it.

    I don't know if it's true or not; but it's a much less radical assertion.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Just RTF-original, not the usual Slashdot-bastardized summary... oh yeah sorry I frogrot, not Slashdot practice. In any case, reading the linked original, it's re-licensing and trademarks, or failing that, just a statement that they want the Truecrypt name to go on that he's calling "impossible".

      It's certainly a curious turn of words though. If taken at face value, it would either imply the person doesn't actually own those rights, or that they're under orders specifically prohibiting them from doing those.

    • If forking is against the license, it is impossible to fork...without violating the license.

      But yes, computers are just bits and we can do whatever we have the power to do.

      • If forking is against the license, it is impossible to fork...without violating the license.

        Yet, the authors are unlikely to decloak to enforce their copyright.

    • Let's toss a few axioms:
      1.In order to fork TrueCrypt it must be practically possible to create a fork which is secure (free of backdoors etc.).
      2.A fork of TrueCypt must take less time to create and certify than writing an entirely new product from scratch. Otherwise, there is no point.
      3. The algorithms used by TrueCrypt must be fundamentally sound. If you change them you are no longer forking TrueCrypt, you are really just writing a new product.

      And a totally reasonable assumption:
      The authors of TrueCrypt be

  • His answer seems to mean it wouldn't be his preference, rather than being impossible.

  • What has happened with Truecrypt, I mean from a psychological perspective. It would appear as though the team had a nervous breakdown going pear shaped rather quickly. Certainly since the source is available it can be forked, screw that just rewrite it. There's not that much there.

    • by Aaden42 (198257)

      Government spooks knocking at your door (virtual or physical) does tend to result in symptoms similar to having a nervous breakdown.

      It’s technologically possible to fork the code base, but if the license as provided with the last (useable) version is an impediment to that (and my reading of said license (IANAL) suggests it would indeed be problem), then you can’t fork the code legally. A fork that nobody can legally use isn’t of much value outside certain small circles.

      TrueCrypt was sourc

    • by AHuxley (892839)
      recall the '"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues""
      "TrueCrypt probably didn't leave a Latin message alerting users to NSA spying"
      http://www.theguardian.com/tec... [theguardian.com] (17 June 2014)
      "Using TrueCrypt is not secure as it may contain unfixed security issues"
  • The article source is from pastebin. Are we really supposed to give this any merit? It's pretty obvious that the authors won't sanction anything related to the project (or did we forget the final cripple commit?)
  • Translation (Score:5, Insightful)

    by Opportunist (166417) on Thursday June 19, 2014 @10:26AM (#47271913)

    Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.

    And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.

    • Re:Translation (Score:5, Interesting)

      by Pi1grim (1956208) on Thursday June 19, 2014 @10:29AM (#47271959)

      Unless the deveopment is done outside of US. Because in that case you can use the letter to wipe your, let's say tears of joy and carry on writing the project. Unless, ofcourse you are planning to visit US any time in the future.

      • Re:Translation (Score:5, Insightful)

        by Anonymous Coward on Thursday June 19, 2014 @10:46AM (#47272185)

        > Unless the deveopment is done outside of US.

        At this point this is the way it has to be. Any piece of software developed by US citizens, companies, foundations, etc. is no longer trustworthy. The US is dead as far as secure software is concerned.

        • Re:Translation (Score:4, Interesting)

          by darkmeridian (119044) <william.chuang@g ... com minus distro> on Thursday June 19, 2014 @11:30AM (#47272713) Homepage

          That's what the NSA wants you to think: that the rest of the world is not within its grasps. Note that CryptoAG was a Swiss company that was allegedly compromised by the NSA back in the 1950s. God knows what other foreign companies have been hacked by the NSA. Samsung (South Korean) and Huawei (Chinese) hardware have been reportedly compromised by the NSA. If hard drives made by the goddamned Communist Chinese are being shipped with NSA-compromised firmware, then how the hell is stuff coming from Taiwan (nominally a US ally) and Europe going to be any better?

          • Re:Translation (Score:5, Informative)

            by melchoir55 (218842) on Thursday June 19, 2014 @12:21PM (#47273307)

            Foreign software isn't immune. No one thinks it is. The point is that US software is vulnerable *by law*. It is legally impossible to create secure software if you are a US entity. At least if the software is created in another country it is possible that it is secure. Even if the chance is 1/100, that chance is greater than 0.

        • Any piece of software developed by US citizens, companies, foundations, etc. is no longer trustworthy. The US is dead as far as secure software is concerned.

          The geek's insistence that the US is hopelessly corrupt and salvation is to found elsewhere is ridiculous.

          Every country keeps watch over its, neighbors, friends and enemies alike. Alliances are never permanent, only interests.

  • Pissing war (Score:3, Insightful)

    by Zontar_Thing_From_Ve (949321) on Thursday June 19, 2014 @10:28AM (#47271941)
    This is a pissing war. Both sides may be sincere and well intentioned, but it's still a pissing war. Here's a manager type summary. I'll use TC to represent the TC developer who responder and Forkers for the person representing the people who want to fork it.

    Forkers: We'd like your permission to fork your code and get the rights to it. We could just fork it without your permission and others no doubt will if you refuse to comply. We want your trademarks and your OK to put the forked code into a different license then you used. We've started looking at your code and while we do agree that there are problems there that desperately need to be fixed, we feel strongly that fixing your broken code is a million times easier than writing this from scratch. So will you play ball with us?
    TC: Our code is so broken that you need to start from scratch. That's why we abandoned it - didn't think it was possible to fix without doing a complete re-write. So no, we're not going to "play ball".
    • by Z00L00K (682162)

      In addition to that the license for TrueCrypt sucks pretty badly, and that license is what may prevent a fork.

      So essentially what is stated is - you can fork, but make sure that the fork is rewritten so much that it's no longer possible to trace it back to TrueCrypt.

      The product is contaminated, mostly by a bad license from start, but also from suspicion that there may be other crap injected - like NSA.

      • by fnj (64210)

        I'm afraid a fork by definition can't be cleansed so it can't be traced back. What you're looking for is either a clean-room rewrite or a fork plus a middle finger. Yeah, you can do a rewrite without a clean-room, the implication being that you are referring to the original source for reference but not copying any of it, in which case you might have to go to a lot of trouble defending it.

        BTW, for a long time now there has been what amounts to a fork. It is called RealCrypt. The sole purpose of it was to rem

  • Hi folks, I have wondered about this.... If you have a product like TrueCrypt and get a National Security Letter telling you that you can't talk about it, does that include your attorney? I seem to remember that someone decided to sue NSA over this... Just curious...
    • by L4t3r4lu5 (1216702) on Thursday June 19, 2014 @11:01AM (#47272385)
      How would you know it was genuine without consulting a legal professional? I can download the NSA logo from Google Images, find their address from Wikipedia, and write "You should stop doing this thing or we'll invite you to stay at Guantanamo Bay Care Home for the Politically Undesirable. Oh, and where I said 'invite you to stay at' replace it with 'put you in a 4' x 2' x 2' hold-all and ship you freight to'."

      Someone should start sending fakes to random US addresses, just to see what happens.
    • Yeah, there was an article a few years back over this where attorneys was even't allowed to talk about the laws the client "officially" broke because it was against the law to acknowledge those laws even existed in the first place! WTF?!

      I'll be darned if I can remember the link ...

    • by AHuxley (892839)
      "Librarians' NSL Challenge" (May 26, 2006)
      https://www.aclu.org/national-... [aclu.org]
      https://www.aclu.org/blog/cont... [aclu.org]
      The US legal system has faced the unconstitutional NSL issue.
      Once in light the press and in open court the gov just "withdrew its demand".
  • by satan666 (398241) on Thursday June 19, 2014 @10:47AM (#47272201) Homepage

    He says:
    "I am sorry, but I think what you're asking for here is impossible."

    As a developer, he uses the term "impossible". Nobody says
    "impossible" in a development framework. You could
    say "difficult" or "expensive" but not "impossible".
    He says "impossible" because he is telling us in
    specific terms:

    It is "impossible" to use the current code base because
    it has been compromised. He can't talk about it. He is
    under court order or some fucking thing.

    Since he cant tell us where the compromise is
    he says fuck it all and start from scratch.
    He is very specific.

    Look, if the developer of an encryption product
    says the product is not secure and it is impossible
    to fix, I take that as:

    "Stay the fuck away from this thing".

    To be forewarned...

    • by Kjella (173770)

      I think something got lost in translation. If it was compromised 2+ years ago, why didn't the developer pull this stunt back then? If he knew, he sure waited a very long time and NSLs don't expire. If he didn't know, how did he find it since development was essentially dead and how did the NSA know their backdoor was about to get exposed? The more logical explanation is that he's being forced now in 2014 to burn the 2012 version which was too good for NSA to let live. I think the people abandoning TrueCrypt

    • by fnj (64210)

      If that is indeed the rationale behind his phrasing, then he appears to be crazy. He could just shut the fuck up rather spouting nonsense. Let the forker worry about making sure there are no compromises in the code. The code is not an enigma, for heaven's sake. It is written in a widely used computer language and subject to analysis.

      I admit to finding it far-fetched that the feds could ORDER somebody to spout nonsense, rather than muzzling them, but I suppose in the end nothing is impossible.

  • by swb (14022) on Thursday June 19, 2014 @11:18AM (#47272567)

    One thing about Truecrypt that always impressed me was how well it worked with Windows -- containers with drive letters, whole disk encryption, etc.

    If you were to recreate it, what would be the hardest part -- doing the encryption or doing the OS integration bits? I assume doing encryption securely (ie, not leaving keys or passphrases hanging around in memory or written to swap files) is non-trivial, but I also assume that integrating well with Windows is, too.

    • by bhoar (1226184) on Thursday June 19, 2014 @11:49AM (#47272943)
      --- Redefining "OS integration" to include "OS and boot integration", the short answer is: the boot process, hands down. You can model a new app based on TC's approach for OS-level (container/partition/disk) encryption, and you can do the same for MBR boot/system disk encryption, but now that everything is moving to TCG-TCM/UEFI/GPT/etc. it's a lot more complicated. -- Some history: IIRC from the TC forum, the TC's developer had issues finding a public API/method in the MS docs that could be used to pass keys and boot control from the MBR/bootloader to the OS and tc driver shim. There were third party apps out there doing it, but there didn't seem to be a documented way to do it, and the tc devs wanted to avoid fragile hacks to get it done. -- Microsoft actually responded to the TC devs by either publicizing a private API or by creating an official one. Again, this was back in the MBR days. -- With UEFI/GPT, trusted boot, etc., this part has become a lot more complex. I'm not sure what Microsoft's responsiveness would be on pursuing an official UEFI/GPT API, but I wouldn't be surprised if it's something along the lines of "Just use Bitlocker, it does this already."
    • by AmiMoJo (196126) *

      The hardest part is getting people to trust it.

    • by fnj (64210)

      Frankly, nothing could concern me less than making it work well with Windows. I am only interested in using it with an open source OS. I don't care in the least whether a hypothetical recreation of TrueCrypt works with Windows at all. Mod me down if it makes you feel good. It's only an personal preference.

  • by Anonymous Coward on Thursday June 19, 2014 @12:15PM (#47273233)

    The Guardian reported on a hidden Latin message: TrueCrypt probably didn't leave a Latin message alerting users to NSA spying [theguardian.com]. I'm not so sure about their in-headline conclusion, though.

    They quote this comment on Wikipedia by 'Bardon' [mediawiki.org]:

    There is a hidden message on the new sourceforge TrueCrypt site [sourceforge.net]. The first line of the site is this: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    If you take just the first letter of each word, except the word "WARNING":

    Using TrueCrypt is not secure as it may contain unfixed security issues

    you get this:
    uti nsa im cu si

    It's Latin that roughly means:
    Unless I want to use the NSA

    So, the full message seems to be this:
    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues, unless I want to use the NSA

    Which is English that roughly means:
    Don't use TrueCrypt because it is under the control of the NSA

    The Guardian article rebuffs this with: "In fact, "uti nsa im cu si" is meaningless in Latin - except to Google translate, (mis)translates it to the message Badon discovered."

    But isn't that enough? It's a hidden message; it doesn't need to be correct Latin as long as the point gets across. If you put into Google Translate [google.com] right now, you get "If I wish to use the NSA". Unusual that it's been changed slightly, but still expresses the same message: The NSA has compromised TrueCrypt.

    I'm not one for conspiracy theories, but this entire TrueCrypt saga has been bizarre. Obviously something happened beyond "the task of maintaining a widely used cryptography program just became too much work" or else why not just say that?

  • "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase.

    I have no problem with the source code being used as reference."

Scientists will study your brain to learn more about your distant cousin, Man.

Working...