TrueCrypt Author Claims That Forking Is Impossible
An anonymous reader writes: On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might not be a good idea, because the code needs a rewrite, but he allows the existing code to be used as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea; a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of TrueCrypt's current codebase. I have no problem with the source code being used as reference."
Re:Can someone translate the summary into English? (Score:4, Interesting)
Re:Translation (Score:5, Interesting)
Unless the development is done outside of the US. Because in that case you can use the letter to wipe your, let's say, tears of joy and carry on writing the project. Unless, of course, you are planning to visit the US any time in the future.
Re:What was the problem in the first place? (Score:4, Interesting)
Maybe the goals of this vague, yet menacing government agency are pure and wholesome. After all, TrueCrypt would absolutely benefit those organizations trying to keep their activities secret from authority. But we'll never know because of the veil of secrecy behind it.
Re:What was the problem in the first place? (Score:5, Interesting)
It's more likely that the author is the victim of a National Security Letter, and is obliged to say things like this to discourage people from using TrueCrypt or forking it. Whichever agency got to him must have known that this was likely to happen, and he is probably in it knee deep after putting lots of not-so-subtle hints on the revised homepage.
The 7.1a source code is being audited. There may be issues with the code base, but at least we will soon know with reasonable confidence if it is secure or not. Starting a new project would require a complete audit from scratch to get that level of confidence, and it is likely that at least one of the replacement projects is an NSA shill with backdoors installed from day one. The very fact that they went after TrueCrypt gives us some confidence that it is resilient to their attacks.
Re:What was the problem in the first place? (Score:2, Interesting)
Lavabit, NSLs, etc. are FBI, not NSA. The NSA may have found vulnerabilities, may have even hacked his computer and modified the source code, but they don't dick around with NSLs or gag orders.
Source: I'm a spook.
What's hardest, the crypto or the OS integration? (Score:4, Interesting)
One thing about Truecrypt that always impressed me was how well it worked with Windows -- containers with drive letters, whole disk encryption, etc.
If you were to recreate it, what would be the hardest part -- doing the encryption or doing the OS integration bits? I assume doing encryption securely (i.e., not leaving keys or passphrases hanging around in memory or written to swap files) is non-trivial, but I also assume that integrating well with Windows is, too.
Re:What was the problem in the first place? (Score:4, Interesting)
The situation is probably what it was stated to be, that the developers do not understand the code and it's more trouble to try to unravel a poorly written software project than to do it over again. This is a common problem with open source. Software code is NOT self documenting, but open source people think it is. To really understand a big project in a reasonable amount of time you really, really need good documentation and an overview of the system.
Re:Can someone translate the summary into English? (Score:4, Interesting)
Looking at the TrueCrypt License it sucks pretty bad, and it seems to be the major problem preventing a fork.
Re:Translation (Score:4, Interesting)
That's what the NSA wants you to think: that the rest of the world is not within its grasp. Note that CryptoAG was a Swiss company that was allegedly compromised by the NSA back in the 1950s. God knows what other foreign companies have been hacked by the NSA. Samsung (South Korean) and Huawei (Chinese) hardware have been reportedly compromised by the NSA. If hard drives made by the goddamned Communist Chinese are being shipped with NSA-compromised firmware, then how the hell is stuff coming from Taiwan (nominally a US ally) and Europe going to be any better?
Re:What was the problem in the first place? (Score:5, Interesting)
I'm seeing a Streisand effect. There is so much suspicion about TC's abrupt ending, especially after the code reviews found that it is a clean product, that more people seem to be using it because they feel that it was killed by some powerful party.
TC is the only cross platform product out there that gives plausible deniability, is open source, and has been through an audit. The only things against it are rumors about backdoors, none found.
Re:What's hardest, the crypto or the OS integratio (Score:5, Interesting)
Re:What was the problem in the first place? (Score:5, Interesting)
It very well could be "code speak" (pardon pun) for: "yes our code is compromised, no we are not allowed to talk about it, end communication".
Then again it could be less complicated than that, and taken at face value they could be saying: "Our code is a mess. Fixing it would take more effort than we are willing to expend for this project so we ended it. You are welcome to try, but we would recommend you just start from scratch as it contains many fundamental problems."
It is too bad, I've always considered it the de facto standard in encryption. I am not a huge fan of the idea of MS being my provider of encryption with BitLocker, though I have heard some good things about it. Then again it isn't exactly free either.
The Slashdot tinfoil hat part of me wants to believe the NSA story, however common sense tells me it is just another open project that was led by a dedicated few with little resources that became too much to maintain over time. That said, they were rather elusive about it in the end, so who knows. Then again that could be a professional record thing, liability, or legal... plausible deniability limiting personal liability sort of thing.
Re:What was the problem in the first place? (Score:4, Interesting)
I'd really like to know just what kind of punishment can the NSA hand out, anyway. Is the guy under legitimate threat of being renditioned to some black hole never to be seen again?
The CIA rendition plane was waiting for Snowden. When Joseph Nacchio (Qwest CEO) refused to play ball with NSA, they set the SEC on him with some bogus charges and then refused to allow him to defend himself in court by classifying the evidence.
When the government starts actually locking people up for dissent, it's game over, isn't it?
Only if people do nothing to stop them. So far, Americans seem as willing to fight as the 30's Germans.
Re:What was the problem in the first place? (Score:4, Interesting)
How could he stop people forking it? If he were to sue them his identity would be revealed.
Re:What was the problem in the first place? (Score:5, Interesting)