Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption Open Source Security Software

TrueCrypt Gets a New Life, New Name 270

storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.
This discussion has been archived. No new comments can be posted.

TrueCrypt Gets a New Life, New Name

Comments Filter:
  • by supertall ( 1163993 ) on Friday September 19, 2014 @01:11PM (#47947243)
    Suddenly I think of banjos.
    • by pushing-robot ( 1037830 ) on Friday September 19, 2014 @01:16PM (#47947297)

      They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

      • by westlake ( 615356 ) on Friday September 19, 2014 @01:37PM (#47947573)

        They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

        Nothing inspires more confidence in a complex cryptographic system than a name like "CipherShed.'

        Is the geek born with this impulse to shoot himself in the foot?

      • by Kjella ( 173770 ) on Friday September 19, 2014 @02:34PM (#47948215) Homepage

        They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

        Clearly you didn't use it for your own project, I suppose you had to write it first or it would have suggested HorribleUniqueNameGenerator. Because like the developers of the GNU Image Manipulator Program knows, a catchy acronym never hurt anyone.

        • To make things worse, GIMP is an acronym that includes a backronym.

          The ATA guys really like their silly nested acronyms like nobody else, though. Seriously, whose brilliant idea was "eSATAp".
          eSATA powered
          external SATA powered
          external Serial ATA powered
          external Serial AT Attachment powered
          external Serial AT-sounds-like-a-cool-name Attachment powered

        • It's not as if their excellent communication skills or competitiveness with professional programs has anything to do with it. They even got a reference in a Tarantino movie which I am sure was to honor their excellent contact with the graphics design professionals.
  • by Anonymous Coward

    Here's hoping the audit is a success.

    • by Anonymous Coward on Friday September 19, 2014 @01:27PM (#47947425)

      For anyone that doesn't have time to read the article, here's the audit part:

      Organizations are loathe to walk away from TrueCrypt because it is free, it is cross platform and, perhaps most importantly, the code is available for inspection. Critically, the code is not just available, but a security audit of the code is underway. The eyeballs on the code are not just theoretical, but are also there in practice -- and they are professional eyeballs at that.

      The first part of the code audit was completed in April - a source code assisted security assessment of the TrueCrypt bootloader and Windows kernel driver. No serious problems were found, although many issues were highlighted, including a lack of comments, use of insecure or deprecated functions and inconsistent variable types. The product is also nearly impossible to compile from the source code, which means the majority of users download pre-compiled binaries, with all the attendant security risks.

      The next part of the audit, a formal cryptanalysis, is underway.

      I would keep my eye on the project that the remaining parts of the audit actually get completed properly.

  • by I'm New Around Here ( 1154723 ) on Friday September 19, 2014 @01:13PM (#47947265)

    allow a fork to be released under a standard open source license?

    Because I can take software with a standard open source license and put TrueCrypt's name back into it.

    Not that I intend to do so, but it just seems off, somehow.

    • by Anonymous Coward on Friday September 19, 2014 @01:18PM (#47947337)

      Having RTFA (I know, I know), I can answer your question.
      The first CipherShed version will be under the TrueCrypt license. They hope to rewrite and replace code until they have something new they can release under a standard OSI-approved license.

      • They hope to rewrite and replace code until they have something new they can release under a standard OSI-approved license.

        LAME was developed in the same way, by replacing pieces of the ISO's reference MP3 encoder until it was finished in May 2000 [slashdot.org]. Is there a better name for this "ship of Theseus" method?

        • "Clean Room Design"
          "Chinese Wall Implementation"
          "Brewer and Nash Model"

          The key isn't replacing the code...it's replacing the code in such a way that it does not infringe on the copyright of the original code. Usually this means new code created by someone with no knowledge of the original code, therefore it cannot be a derivative work, therefore it does not infringe on the original copyright.

          • Since they are working with the original source code and simply implementing new code with a different license, I don't think those three terms you gave apply. When I think of "Clean Room Design", I think of programmers who program a different implementation knowing only the API and the expected results of the subroutine, method, or entire Application.

            This is probably more of a "wink... wink.. Clean Room Design... cough... cough."

        • Is there a better name for this "ship of Theseus" method?

          How about Neurath's boat?

    • I think you're onto something. Perhaps *that's* why the secret formula for Coke has never been open-sourced, but remains locked in a vault in Atlanta to this very day. Likewise for the secret Krabby-patty formuler. Just think what havoc Pepsi and Plankton could wreak with the TrueCrypt code...

  • FOSS names (Score:5, Interesting)

    by asmkm22 ( 1902712 ) on Friday September 19, 2014 @01:20PM (#47947357)

    Just curious. Is there some kind of unwritten rule that FOSS project names have to as crappy as possible? Is it just a translation thing, where maybe the name makes more sense or sounds better in the dev's native tongue? Has anyone been part of a FOSS project and was involved in the naming of it?

    • Re:FOSS names (Score:5, Insightful)

      by gigaherz ( 2653757 ) on Friday September 19, 2014 @01:38PM (#47947589)
      The sillier the name the lower the chances someone will abuse that name for commercial reasons. Saves a lot of money on trademarks.
      • by sexconker ( 1179573 ) on Friday September 19, 2014 @02:34PM (#47948219)

        The sillier the name the lower the chances someone will abuse that name for commercial reasons. Saves a lot of money on trademarks.

        I'm happy to announce my new FOSS project: CUNTT. It's a universal network tracing tool.
        It stands for "CUNTT isn't a Universal Network Tracing Tool".

  • by Bomarc ( 306716 ) on Friday September 19, 2014 @01:37PM (#47947567) Homepage
    How long before they get a FISA or PRISM notice?
    Wonder if they will have a "Warrant Canary" posting.
    • by WaywardGeek ( 1480513 ) on Friday September 19, 2014 @06:47PM (#47950583) Journal

      Some people post warrat canaries, but I stopped. Our current defense strategy is having developers around the world. Also, we have weekly voice meetings that are hard to fake, and enable us to know we're dealing with the same person each week.

      Personally, I've boning up on skills for finding weaknesses in crypto code. I just did a 2-week marathon of being a huge a-hole over at the Password Hashing Competition. Telling people why you think their algorithms are not secure does not make you popular, but I have to admit it was fun. Applying the same sort of analysis to TrueCrypt makes me want to set my hair on fire.

      TrueCrypt's saving grace is that it is not an on-line app. Even in the first "rebranding" release, we're removing it's tendency to ping the Internet whenever you click on a help button. If an attacker could hack the volume data, for example, he'd totally pwn TrueCrypt. But... in that case, he already owns you most likely.

    • Since it's an open sourced project, the only ways they could maintain a back door would be:
      1) find a pre-existing flaw, and either hope it isn't fixed or threaten each developer to keep them from fixing or mentioning that flaw.. Perhaps they could monitor the developers and catch them as soon as they talk about a flaw privately
      2) threaten a developer and REQUIRE him to add a flaw and not reveal that he's doing it.

      1) is a harder case, but it can partially be prevented by making all communication through a pu

  • by tlambert ( 566799 ) on Friday September 19, 2014 @01:40PM (#47947609)

    They've already screwed the pooch.

    They've published the source archive under the original TrueCrypt license. As a result, unless there's a legal entity (person or company) to which all contributors make an assignment of rights, or they keep the commit rights down to a "select group" that has agreed already to relicense the code, they will not be able to later release the code under an alternate license, since all contributions will be derivative works and subject to the TrueCrypt license (as the TrueCrypt license still in the source tree makes clear).

    The way you do these things is: sanitize, relicense, THEN announce. Anyone who wants to contribute as a result of the announcement can't, without addressing the relicensing issue without having already picked a new license.

    • by Kjella ( 173770 )

      First of all, there's very little in a rebranding effort that will be of any significance if they're looking to relicense. The tricky part is that they must replicate the functionality from scratch, without getting derivative - typing it up again or changing the function or variable names won't be enough. That's a job they have to do in parallel, in the background until they're ready to ditch CipherShed 1.x (based on TrueCrypt) and release CipherShed 2.0 based entirely on non-TrueCrypt source code under the

    • This is not correct. Each individual file in TrueCrypt has a clear copyright notice at the top. Every file with any E4M license will be replaced from scratch. After that, we'll do the files that have TrueCrypt license, though mainly so we can migrate to a better FOSS license.

    • Apparently any new code they write can co-exist with a different license. So they intend to slowly replace it all.
  • by gatkinso ( 15975 ) on Friday September 19, 2014 @02:47PM (#47948321)

    CipherShed indeed.

    • by NReitzel ( 77941 )

      Strange that you should mention this. In point of fact, they released the source code.

      Let's read that again:

      They Released The Source Code

      Dude, that genie is -out- of the bottle. The source builds easily on several platforms, and produces a nice functional FakeCrypt wherever you might want it. Now, let us examine the implications of litigation against people who have brought up their own version.

      First, ostensibly honest people who just want some security will be the targets. And wha

  • I like the doxbox [github.io] project - it works with linux crypto containers as well. Its a fork of freeotfe [wikipedia.org] that was always better than truecrypt because its easier to use and has a license that encourages people to contribute.
  • Secure? Wordpress? (Score:3, Insightful)

    by X10 ( 186866 ) on Friday September 19, 2014 @03:45PM (#47948971) Homepage

    Their site says "proudly powered by wordpress". Err, "security", "wordpress", isn't that mutually exclusive?

    • You beat me to it. You can't write security software and have a Wordpress based website. It's just insane. My trust level went from 70% to 0% as soon as I noticed Wordpress in the footer.
      Go use Nikola (or similar). You can easily maintain the website publicly within a Git repo!
  • This is great news and honestly, its the best news I've had today.
  • by qw(name) ( 718245 ) on Friday September 19, 2014 @06:49PM (#47950593) Journal
    But then he sold one.
  • by hodet ( 620484 ) on Friday September 19, 2014 @10:38PM (#47951681)

    Well we only had one Beer story today, so I nominate BeerCrypt. Because we all love beer and crypto. It's a no brainer and the quicker you bring Cipher-Shed behind the wood shed the better. Let Mcafee have Endpoint and Microsoft have BitLocker. Nice catchy names to make the most hard assed CEO blush and gush. BeerCrypt. You know you want it.

  • by cellocgw ( 617879 ) <cellocgw@g[ ]l.com ['mai' in gap]> on Saturday September 20, 2014 @09:16AM (#47953233) Journal

    That's easy to pronounce, and since part of the intent of the encryption software is to present a disk with no evidence of there being an encrypted file, the 'invisibility' part may make sense to the nontechies.

    I was going to suggest Data-B-Gone but that's probably trademarked by QVC :-)

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!