TrueCrypt Author Claims That Forking Is Impossible
An anonymous reader writes: On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might not be a good idea, because the code needs a rewrite, but he allows the existing code to be used as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."
./ editors must not have had their coffee yet.
Anyone knows?
It would appear that the intended meaning is 'impractical'. The code is available, and the original project declared itself dead, so forking is totally possible; but the author believes that it would probably be a better use of time to use the existing project as a reference for building a new one, rather than get sufficiently familiar with the old one that you can (safely) start modifying it.
I don't know if it's true or not; but it's a much less radical assertion.
Hey, this isn't news anymore, we already had a couple of rants about this....
so just let it be, and let those who have to redevelop do their thing... fork or no fork, that's the question, as long as they're not spooning... (uhh... ok I know, stupid joke....)
With few exceptions, rewrites are a bad idea. They only make sense when you need to fundamentally change the architecture, and even then it's often better to refactor heavily. Almost without exception, whenever someone says "Oh, it'll be easier to start from scratch", they're wrong. I understand that the TrueCrypt codebase is something of a mess, but I'm still skeptical that a rewrite is actually a better choice.
However, if the copyright owner and the licenses already issued don't allow it, then it is impossible. The question is, is he doing this because he really believes it, or because he's trying to throw up obstacles? It's hard to see how it could be the former, since even if he believes a rewrite is easier, others are offering to do the work.
This whole situation is bizarre.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
His answer seems to mean it wouldn't be his preference, rather than being impossible.
did you forget to take your meds?
What has happened with Truecrypt, I mean from a psychological perspective. It would appear as though the team had a nervous breakdown going pear shaped rather quickly. Certainly since the source is available it can be forked, screw that just rewrite it. There's not that much there.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
The article source is from pastebin. Are we really supposed to give this any merit? It's pretty obvious that the authors won't sanction anything related to the project (or did we forget the final cripple commit?)
He says that this might be no good idea ... but he allows to use the existing code...
Holy crap...
Seriously, Slashdot has "no good" editors...
Come on guys. Seriously. Invest two seconds into reading and fixing the sentences. I don't think we're expecting rock solid perfect grammar but this is embarrassing...
Easy to be brave when there's not a TLA breathing down your neck.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If you look at just about any abandoned code base you will find that the original authors claimed it could not be maintained or should be rewritten from scratch. They're always wrong, and there are usually (better) developers who come along and prove that. Remember when the GNOME desktop devs said GNOME 2 could not be maintained and they had to scrap everything to make way for GNOME 3. Now the MATE developers have not only carried on the original GNOME 2 code, but they have also cleaned it up a little and modernized it. Next year they plan to port GNOME 2 to the GTK 3 toolkit, proving the GNOME developers were wrong.
The same issue comes up with many big open source projects. The original devs walk off and claim their code cannot be salvaged or maintained. It's always too big or confusing or complex, they claim. But someone almost always comes along and proves the code still works, can be updated and the fork usually does well.
The TrueCrypt author is obviously incorrect, the code can be forked and maintained. And it likely will be, probably by people who have more time/energy than the original team.
If he suspects the code has a vulnerability, he doesn't want it copied.
Seriously, people, save yourself the time. You'll just also get a letter from the NSA and either have to include their backdoor or drop the project.
And I sure as hell don't want to be the one who did the right thing only to see it going to waste because someone else didn't.
Recall when the announcement was made there was speculation that some USG agencies might have been involved. If the authors got a subpoena (with silencing order), they might feel they cannot take specific action such as putting their sources under LGPL or some such. The response is totally consistent with this, where the authors may (justly) be glad they published sources but are now barred from doing any more with them. Their most recent mods, to enable hidden filesystems, may have just been one too many tweaks of the Beast's tail.
Of course there was the long period where the website asked for money, so the facts may be more benign. We outsiders just can't know.
This is a pissing war. Both sides may be sincere and well intentioned, but it's still a pissing war. Here's a manager type summary. I'll use TC to represent the TC developer who responded and Forkers for the person representing the people who want to fork it.
Forkers: We'd like your permission to fork your code and get the rights to it. We could just fork it without your permission and others no doubt will if you refuse to comply. We want your trademarks and your OK to put the forked code into a different license than you used. We've started looking at your code and while we do agree that there are problems there that desperately need to be fixed, we feel strongly that fixing your broken code is a million times easier than writing this from scratch. So will you play ball with us?
TC: Our code is so broken that you need to start from scratch. That's why we abandoned it - didn't think it was possible to fix without doing a complete re-write. So no, we're not going to "play ball".
What!!?? I thought the developers of TrueCrypt were anonymous and no one knew who they are. When was this mystery solved? And between whom is the email communication? How do we even know it is genuine?
Am I missing something?
I suggest going and rereading the license. It does not (very specifically) allow a product developed from truecrypt to be called truecrypt, to refer to ancestry as coming from truecrypt, or any similar name. It does allow derivative versions to be created, but under a different name and without connection to the truecrypt original.
Now admittedly this makes more sense where the original developers are still active, but it is pretty permissive. Ditch the name and don't in the program claim you derive from Truecrypt, and you can copy code, alter it, add to it, distribute it far as I can see pretty much as you like. What you are not allowed to do is say it is a truecrypt derivative (at least not directly). You could say (far as I can see, on a quick read) "derived from a popular and high quality cryptodisk implementation whose authors have dropped development of it", or some such thing (seeing that giving credit where credit is due is desirable).
There are some other bits of code with separate licenses that require they be acknowledged, but those do not look too hard to deal with.
If one just wanted to make a new name up (virtual disk, VD) maybe you could have the fun again of saying "I gave my system VD"...
Hi folks, I have wondered about this.... If you have a product like TrueCrypt and get a National Security Letter telling you that you can't talk about it, does that include your attorney? I seem to remember that someone decided to sue NSA over this... Just curious...
He says:
"I am sorry, but I think what you're asking for here is impossible."
As a developer, he uses the term "impossible". Nobody says "impossible" in a development framework. You could say "difficult" or "expensive" but not "impossible".
He says "impossible" because he is telling us in specific terms:
It is "impossible" to use the current code base because it has been compromised. He can't talk about it. He is under court order or some fucking thing.
Since he can't tell us where the compromise is he says fuck it all and start from scratch.
He is very specific.
Look, if the developer of an encryption product says the product is not secure and it is impossible to fix, I take that as:
"Stay the fuck away from this thing".
To be forewarned...
How would you know it was genuine without consulting a legal professional? I can download the NSA logo from Google Images, find their address from Wikipedia, and write "You should stop doing this thing or we'll invite you to stay at Guantanamo Bay Care Home for the Politically Undesirable. Oh, and where I said 'invite you to stay at' replace it with 'put you in a 4' x 2' x 2' hold-all and ship you freight to'."
Someone should start sending fakes to random US addresses, just to see what happens.
Finally had enough. Come see us over at https://soylentnews.org/
I don't see the problem, the codebase is old, in some parts flawed, use it for reference and build new, clean, stronger software....end of story....
One thing about Truecrypt that always impressed me was how well it worked with Windows -- containers with drive letters, whole disk encryption, etc.
If you were to recreate it, what would be the hardest part -- doing the encryption or doing the OS integration bits? I assume doing encryption securely (i.e., not leaving keys or passphrases hanging around in memory or written to swap files) is non-trivial, but I also assume that integrating well with Windows is, too.
1. Evidence seems to point that the main developer is in Europe. So, an NSA NSL doesn't seem (to me) to be a likely factor. 2. Evidence points to the history of the code perhaps being legally murky. But from what I recall of the forum discussion nearly a decade ago, most of the murk wasn't due to the code origins, which appeared to be on the up and up, but due to the legal threats/actions of a company that thought it could prevent a fork from *before* buying code/hiring the developer. That's IIRC, of course, I've seen reporting all over the map on this issue. Also, supposition: there may have also been verbal promises between the dev(s) and outside entities about what might trigger more legal issues. 3. Evidence points to English being the main developer's second language, so the conspiracy theories based on awkward sentence construction are probably just that, theories. 4. Evidence (now gone, due to the tc forums being removed) also seems to point to the main developer having strong feelings about control over the main code line and trademarks for a long time. Some of this seemed rational (wanting to block a plethora of backdoored versions being deployed) but some of this seemed personal. Most devs have been there, some have matured and learned to let it go. Conclusion: the simplest explanation, to me, is that the main dev wants the code dead and buried so that he is entirely free of any future legal, ethical or emotional consequences of it continuing.
When it comes to security, one must always err on the side of caution. There are very strong signs and signals that there is a problem with Truecrypt. Those that don't heed that warning are placing themselves at risk.
The default position of everything is: insecure until proven otherwise. If there's a good chance something is insecure, then we assume it is. We don't want to err in the other direction because the implications are too great if we are wrong. This is where we are with Truecrypt. Those throwing caution to the wind - at this point - are doing themselves a disservice.
Redefining "OS integration" to include "OS and boot integration", the short answer is: the boot process, hands down. You can model a new app based on TC's approach for OS-level (container/partition/disk) encryption, and you can do the same for MBR boot/system disk encryption, but now that everything is moving to TCG-TCM/UEFI/GPT/etc. it's a lot more complicated.
Some history: IIRC from the TC forum, the TC's developer had issues finding a public API/method in the MS docs that could be used to pass keys and boot control from the MBR/bootloader to the OS and tc driver shim. There were third party apps out there doing it, but there didn't seem to be a documented way to do it, and the tc devs wanted to avoid fragile hacks to get it done.
Microsoft actually responded to the TC devs by either publicizing a private API or by creating an official one. Again, this was back in the MBR days.
With UEFI/GPT, trusted boot, etc., this part has become a lot more complex. I'm not sure what Microsoft's responsiveness would be on pursuing an official UEFI/GPT API, but I wouldn't be surprised if it's something along the lines of "Just use Bitlocker, it does this already."
This.
Try blowing the whistle on something. Revel in satisfying your moral obligation and the feeling of righteousness. It will last until the first threatening letter from a lawyer arrives. Then you'll see what you're made of. Chances are good that it's not steel. Until you've experienced it, you won't know.
Just about any government organization or better than medium-sized private entity has the resources to crush an individual with very little threat of recourse. You really can't imagine the kinds of crap they can lob. If you are thinking of blowing a whistle, be very careful. Read up on the subject (Google for "how to whistleblower"). Absolutely DO NOT try to use internal channels. There are organizations that try to support whistle blowers, contact one (anonymously) and see what reading material they can give you. Make sure your nose is absolutely clean. Try to find cases of similar acts of whistle-blowing in your legal jurisdiction. How did they turn out for the whistle-blower? Probably not very well. Do everything right. Make sure you have enough evidence for an iron-clad case (without actually stealing anything). And wait until you have some distance. If you can keep the perpetrator(s) from figuring out your identity, absolutely do so. You will save yourself a lot of grief. This means you have to keep your mouth shut and trust nobody. (Note that I'm posting anonymously.) You won't be able to vent to anyone, especially co-workers. This is much harder than you might think. If you like to talk, you'd best just forget what you've seen. If you can time your actions so they hit while the perpetrator is under pressure for other problems, so much the better. Before you pull the trigger, think long and hard about the effect this will have on your loved ones. Consider supporting an anti-corruption organization to satisfy your need to do good rather than risking yourself.
Yes, it's really that bad. The sort of folk that deserve to be found out are more entrenched than you suspect. They are willing to go to extreme lengths to protect themselves. The problem almost definitely is more widespread than you think. The way it often works is that there is a web of wrong-doing, where one fellow's previous mistakes are used as leverage for silence/support by someone else. It makes for a kind of club. Many members of the club will have had one or more whistles blown on them before and have strategies for dodging and attacking the whistle-blower.
And that's just if you are whistle-blowing on a run of the mill organization. Going up against the likes of the NSA, the DOD, or the CIA... The TrueCrypt authors have all of my respect for shutting the project down. It was an act of bravery.
How are we to know that this is a legitimate letter from a TC developer, and not some random bullshit posted by some lamer (or TLA agent) trying to persuade people from discontinuing work on TC?
The Guardian reported on a hidden Latin message: TrueCrypt probably didn't leave a Latin message alerting users to NSA spying. I'm not so sure about their in-headline conclusion, though.
They quote this comment on Wikipedia by 'Bardon':
The Guardian article rebuffs this with: "In fact, "uti nsa im cu si" is meaningless in Latin - except to Google translate, (mis)translates it to the message Badon discovered."
But isn't that enough? It's a hidden message; it doesn't need to be correct Latin as long as the point gets across. If you put it into Google Translate right now, you get "If I wish to use the NSA". Unusual that it's been changed slightly, but it still expresses the same message: The NSA has compromised TrueCrypt.
I'm not one for conspiracy theories, but this entire TrueCrypt saga has been bizarre. Obviously something happened beyond "the task of maintaining a widely used cryptography program just became too much work" or else why not just say that?
Truecrypt was forced to shut down and anyone forking it would face the same secret threats and gag orders.
Yeah, there was an article a few years back over this where attorneys weren't even allowed to talk about the laws the client "officially" broke because it was against the law to acknowledge those laws even existed in the first place! WTF?!
I'll be darned if I can remember the link ...
Yeah, sounds fun. Why don't you try it and let us know how it goes?...
Peter predicted that you would "deliberately forget" creation 2000 years ago...
"I am sorry, but I think what you're asking for here is impossible. I don't feel that forking truecrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase.
I have no problem with the source code being used as reference."
Ascalante: Your bride is over 3,000 years old.
Kull: She told me she was 19!
The hardest part is getting people to trust it.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
No, in fact, you may not consult an attorney about an NSL. You must comply with the NSL forthwith and without delay, and without disclosing it to any person, even an attorney.
You only have a right to consult with an attorney when you are being investigated or accused of a criminal offense. Otherwise your interactions with an attorney are voluntary and subject to regulation or prohibition by government as it sees fit, including the standard prohibition included with an NSL.
Come on, folks. Read the message between the lines. Isn't it obvious that the authors have been ordered and gagged by a Nation-State?
The authors are saying it is not secure. The authors are saying it may contain unfixed security problems.
They are saying everything they can say to get the point across - TRUECRYPT IS NOT SAFE. It will not protect your data from a Nation-State.
The way I see it, Truecrypt is safe to use for everything but the most extreme national security or corporate espionage sensitivities until we hear about someone whose truecrypt data was compromised by a government agency without having provided the key. If the NSA or anyone else has a way to do this, it won't be a secret forever. Chances are, you will have ample warning before your own data is compromised. It's a sensitive time for those with a legitimate reason to worry that they will be the first to have their data compromised, though... No doubt about that.
Impersonating the government worked out great for that guy in Peoria.
Tangentially related: If you Google "peoria mayor" it shows a picture of Jim Ardis with a hitler mustache.
Frankly, nothing could concern me less than making it work well with Windows. I am only interested in using it with an open source OS. I don't care in the least whether a hypothetical recreation of TrueCrypt works with Windows at all. Mod me down if it makes you feel good. It's only a personal preference.
In the very near future 'coming out' won't be the declaration of your sexual orientation, but the refusal to knuckle under to the fascist pricks of the Spook-Industrial complex via an NSL.
Yes, it will be hard, yes, it may even be prison time but this is the whole point of repressive intimidation tactics: the hope of the power-mad that individuals stay cowed and powerless, not unified and unbowed in the face of true oppression - that actual freedom isn't free.
Can you imagine if a project of TrueCrypt's successor got an NSL and _every_ person even remotely connected to the project all appeared together in the live-streamed press conference exposing and denouncing FedGov... they're gonna prosecute all of them? All together? In a show trial, perhaps? Cockroaches hate exposure to the light.
Any piece of software developed by US citizens, companies, foundations, etc. is no longer trustworthy. The US is dead as far as secure software is concerned.
The geek's insistence that the US is hopelessly corrupt and salvation is to be found elsewhere is ridiculous.
Every country keeps watch over its neighbors, friends and enemies alike. Alliances are never permanent, only interests.
I'm a huge fan of forking, it's too bad my old lady will not do it until our kid is born, I mean she still lets me oral fork her but I need some poon. :(
http://vault.fbi.gov/National%...
Right. If there is such a market demand for it, why not make a new version? Ohh, that would require work and risk. Nm.
Half Life 3 confirmed!
Hail Eris, full of mischief...
E pluribus sanguinem
No one outside the NSA knows what the NSA does. NO ONE. The U.S. government is the primary killer of other humans in the entire world. If the NSA wants to kill someone, what would stop that? The killing would be done with "deniability", of course.
Don't think you know what a secret agency does.
Mod parent up - I'm replying here, so can't use mod points :-)
Passing the decryption keys around in BIOS-style boot is somewhat dirty - haven't perused the TC source, so I don't know how they specifically do it, but it'd probably be along the lines of leaving the key at some fixed memory location, and let the Windows boot-time driver read it from there. UEFI drivers have a whole new way of booting the system, so you'd need to adapt to that. It's probably doable, and probably doesn't even need big voodoo - but if you've been working on a codebase for ~10 years, don't need UEFI support yourself, and probably have a family to look after now... it'd be a darn big task implementing. While UEFI stuff can be programmed in C rather than assembly and has SDK and documentation, it's quite a different world.
If we ignore (or postpone) encrypted boot volumes, however, I'm pretty sure that very large parts of the TrueCrypt codebase could be re-used - and at the same time, the really archaic build environment requirements could be dropped.
Coffee-driven development.
I thought /. editors were supposed to...you know...edit posts before they were put on the front page.
Frankly, nothing could concern me less than making it work well with Windows. I am only interested in using it with an open source OS.
How awesome for you.
Some people believe that privacy is a right and work to ensure that as many people as possible have means of protecting that right. I say thank you to those people.
But I just got this from the truecrypt authors:
http://pastebin.com/TSLR4ig9
I wonder if it's legalese, though. The author might claim that a fork can't be done, to cover himself from the legal argument of still being responsible for the work if it's criminally abused. Possibly he is pressured to cease the work, and possibly on the basis that it is used criminally, or in a way that compromises "national security". It wouldn't make sense to craft a cryptic message that puts him under further suspicion. I am assuming the odd statements are a move to protect the devs, not some sort of "warning".
It's equal to the Guardian destroying those laptops and hard drives under pressure in the Snowden case.
You absolutely have the right to consult with an attorney before you are investigated or accused of a crime. A big part of an attorney's job is showing people how to accomplish something without breaking the law. Your notion that the government can prohibit me from consulting with an attorney about a lease I am about to sign because I haven't been accused of a crime has no basis in reality. You are simply making up your "fact" that "you may not consult with an attorney about an NSL". NSLs have been the subject of multiple court cases and in each of those court cases attorneys have been involved.
Damn, and I had no mod points to mod the parent up as funny!
Too busy playing games to notice what your government is doing?
"Librarians' NSL Challenge" (May 26, 2006)
https://www.aclu.org/national-...
https://www.aclu.org/blog/cont...
The US legal system has faced the unconstitutional NSL issue.
Once in the light of the press and in open court, the gov just "withdrew its demand".
Domestic spying is now "Benign Information Gathering"
With the number of tame-brand hardware and software layers "helping" between your keyboard and your secure crypto software? :)
You almost want your own file system and OS
http://www.theguardian.com/wor... (7 June 2013)
Experts have had a while to think about what is under and around their secure crypto projects on the big consumer, prosumer and 'free' OS.
More like you're too busy chasing conspiracy theories to know when you're being mocked for it.
Here you go:
46:06 Even More Tamagotchis Were Harmed in the Making of this Presentation [30c3]
Wait till you get a load of us Aussies, cobber!
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.