Slashdot Mirror


TrueCrypt Gets a New Life, New Name

storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.

7 of 270 comments

  1. Re:Does the TrueCrypt License by Anonymous Coward · · Score: 5, Informative

    Having RTFA (I know, I know), I can answer your question.
    The first CipherShed version will be under the TrueCrypt license. They hope to rewrite and replace code until they have something new they can release under a standard OSI-approved license.

  2. Re:Maybe it'll actually be trustworthy this time by Anonymous Coward · · Score: 5, Informative

    For anyone that doesn't have time to read the article, here's the audit part:

    Organizations are loath to walk away from TrueCrypt because it is free, it is cross platform and, perhaps most importantly, the code is available for inspection. Critically, the code is not just available, but a security audit of the code is underway. The eyeballs on the code are not just theoretical, but are also there in practice -- and they are professional eyeballs at that.

    The first part of the code audit was completed in April - a source code assisted security assessment of the TrueCrypt bootloader and Windows kernel driver. No serious problems were found, although many issues were highlighted, including a lack of comments, use of insecure or deprecated functions and inconsistent variable types. The product is also nearly impossible to compile from the source code, which means the majority of users download pre-compiled binaries, with all the attendant security risks.

    The next part of the audit, a formal cryptanalysis, is underway.

    I would keep my eye on the project to see that the remaining parts of the audit actually get completed properly.

  3. They've already screwed the pooch. by tlambert · · Score: 2, Informative

    They've already screwed the pooch.

    They've published the source archive under the original TrueCrypt license. As a result, unless there's a legal entity (person or company) to which all contributors make an assignment of rights, or they keep the commit rights down to a "select group" that has agreed already to relicense the code, they will not be able to later release the code under an alternate license, since all contributions will be derivative works and subject to the TrueCrypt license (as the TrueCrypt license still in the source tree makes clear).

    The way you do these things is: sanitize, relicense, THEN announce. Anyone who wants to contribute as a result of the announcement can't, without addressing the relicensing issue without having already picked a new license.

  4. Re:Does the TrueCrypt License by Anonymous Coward · · Score: 5, Informative

    Section III.1.4 of the license (https://tldrlegal.com/license/truecrypt-license-version-3.0#fulltext) says that any code that you provide that is not part of the original TrueCrypt can be licensed under completely different terms, as long as the terms satisfy certain conditions listed in that section.

  5. Re:FOSS names by sexconker · · Score: 1, Informative

    "Citation needed" is the internet equivalent of "Nuh-uh! PROVE IT!" and "LALALALA I CAN'T HEAR YOU!".
    Go look at the Wikipedia page, the kind of drivel morons like you slurp up.

    The name Wine initially was an acronym for Windows emulator.[5] Its meaning later shifted to the recursive backronym, Wine is not an emulator in order to differentiate the software from CPU emulators.[6] While the name sometimes appears in the forms WINE and wine, the project developers have agreed to standardize on the form Wine.[7]

    You lose.

    The phrase "wine is not an emulator" is a reference to the fact that no processor code execution emulation occurs when running a Windows application under Wine. "Emulation" usually refers to the execution of compiled code intended for one processor (such as x86) by interpreting/recompiling software running on a different processor (such as PowerPC). Such emulation is almost always much slower than execution of the same code by the processor for which the code was compiled. In Wine, the Windows application's compiled x86 code runs at full native speed on the computer's x86 processor, just as it does when running under Windows. Windows system services are also supplied by Wine, in the form of wineserver.

    Emulate (verb)
    1 - To match or surpass (a person or achievement), typically by imitation.
    2 - To imitate.

    WINE is an emulator. It is not emulating hardware or an instruction set, it is emulating pieces of Windows. They initially claimed it was an emulator because it was. They later claimed it wasn't an emulator because they didn't want idiots (like yourself) to think that meant they were emulating hardware or an instruction set, and thus incurring a severe performance penalty. Emulation is absolutely not restricted to hardware or instruction sets, using recompilers, interpreters, or anything else.

  6. Re:"CipherShed" by WaywardGeek · · Score: 4, Informative

    So, I'm involved in the CipherShed project. In fact, I bought the domain originally when Niklas suggested it. I also bought FalseCrypt :-)

    This thread is actually very helpful. I've been very concerned that we need to pick a better name. The unfortunate truth is that we geeks totally suck at picking names!

    RealCrypt is excellent, IMO. That's why the RealCrypt fork of TrueCrypt exists :-) It's a Fedora-packaged fork that drops all the Windows stuff. There's also a VeraCrypt fork. OpenCrypt.net was offered to us by the owner, which is very generous, but there is an OpenCrypt already, which oddly enough has to do with encryption rather than vampires.

    Please keep picking on the name, and suggesting alternatives! If someone here provides one, I'll try to have it adopted. We *barely* still have time to make a name change.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell

  7. Re:Expect a FISA or PRISM notice in... by WaywardGeek · · Score: 3, Informative

    Some people post warrant canaries, but I stopped. Our current defense strategy is having developers around the world. Also, we have weekly voice meetings that are hard to fake, and enable us to know we're dealing with the same person each week.

    Personally, I've been boning up on skills for finding weaknesses in crypto code. I just did a 2-week marathon of being a huge a-hole over at the Password Hashing Competition. Telling people why you think their algorithms are not secure does not make you popular, but I have to admit it was fun. Applying the same sort of analysis to TrueCrypt makes me want to set my hair on fire.

    TrueCrypt's saving grace is that it is not an on-line app. Even in the first "rebranding" release, we're removing its tendency to ping the Internet whenever you click on a help button. If an attacker could hack the volume data, for example, he'd totally pwn TrueCrypt. But... in that case, he already owns you most likely.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell