Slashdot Mirror


TrueCrypt Gets a New Life, New Name

storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.

41 of 270 comments

  1. "CipherShed" by supertall · · Score: 5, Funny

    Suddenly I think of banjos.

    1. Re:"CipherShed" by pushing-robot · · Score: 5, Funny

      They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

      --
      How can I believe you when you tell me what I don't want to hear?
    2. Re:"CipherShed" by Kjella · · Score: 5, Funny

      They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

      Clearly you didn't use it for your own project, I suppose you had to write it first or it would have suggested HorribleUniqueNameGenerator. Because like the developers of the GNU Image Manipulator Program know, a catchy acronym never hurt anyone.

      --
      Live today, because you never know what tomorrow brings
    3. Re: "CipherShed" by aix+tom · · Score: 5, Insightful

      It worked pretty OK for centuries. You could buy a "Plow from John Smith over in Blurn Hollows", or you could buy a "Plow from George Smith over in Redneck Fields", and nobody would be confused that they were called the same.

      These days, if you buy a "FuxMatic3000XP from XentTeck" one day, you have to make sure if you want to buy one a year later that neither the FuxMatic3000XP nor the XentTeck Trademark have been sold in the meantime and are completely different things and/or products, or if the company itself did a product switcheroo in the meantime.

    4. Re:"CipherShed" by Spy+Handler · · Score: 4, Funny

      Nah, it wouldn't be cool to go against the wishes of the original authors. They put a lot of work into it. If you're gonna leech off their code then naming your project something other than Truecrypt is the least you can do.

      I suggest RealCrypt.

    5. Re:"CipherShed" by Anonymous Coward · · Score: 3, Funny

      Well it's better than the NSA fork - DeCrypt. ;-)

    6. Re:"CipherShed" by WaywardGeek · · Score: 4, Informative

      So, I'm involved in the CipherShed project. In fact, I bought the domain originally when Niklas suggested it. I also bought FalseCrypt :-)

      This thread is actually very helpful. I've been very concerned that we need to pick a better name. The unfortunate truth is that we geeks totally suck at picking names!

      RealCrypt is excellent, IMO. That's why the RealCrypt fork of TrueCrypt exists :-) It's a Fedora-packaged fork that drops all the Windows stuff. There's also a VeraCrypt fork. OpenCrypt.net was offered to us by the owner, which is very generous, but there is an OpenCrypt already, which oddly enough has to do with encryption rather than vampires.

      Please keep picking on the name, and suggesting alternatives! If someone here provides one, I'll try to have it adopted. We *barely* still have time to make a name change.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
    7. Re:"CipherShed" by Snotnose · · Score: 2

      I suggest TrooKrypt.

    8. Re:"CipherShed" by WaywardGeek · · Score: 2

      IronCrypt is a good suggestion. It is fucking squatted. God I hate squatters. Worse than lice or ticks.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
    9. Re: "CipherShed" by bill_mcgonigle · · Score: 2

      but in this case the authors were anonymous - they are NOT going to de-cloak to enforce a trademark.

      It's probably better for the security of the community at large to carry on calling it TrueCrypt (3.0, clear who the new team is, etc.). Trademarks exist to prevent confusion - in this case, using the same name is the minimally confusing option. The license is unenforceable and securing people's communications is more important to society than the wishes of the retired authors.

      Imaginary property ain't real but the risks of electronic adversaries certainly are.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Maybe it'll actually be trustworthy this time by Anonymous Coward · · Score: 2, Interesting

    Here's hoping the audit is a success.

    1. Re:Maybe it'll actually be trustworthy this time by Anonymous Coward · · Score: 5, Informative

      For anyone that doesn't have time to read the article, here's the audit part:

      Organizations are loath to walk away from TrueCrypt because it is free, it is cross platform and, perhaps most importantly, the code is available for inspection. Critically, the code is not just available, but a security audit of the code is underway. The eyeballs on the code are not just theoretical, but are also there in practice -- and they are professional eyeballs at that.

      The first part of the code audit was completed in April - a source code assisted security assessment of the TrueCrypt bootloader and Windows kernel driver. No serious problems were found, although many issues were highlighted, including a lack of comments, use of insecure or deprecated functions and inconsistent variable types. The product is also nearly impossible to compile from the source code, which means the majority of users download pre-compiled binaries, with all the attendant security risks.

      The next part of the audit, a formal cryptanalysis, is underway.

      I would keep my eye on the project that the remaining parts of the audit actually get completed properly.

  3. Does the TrueCrypt License by I'm+New+Around+Here · · Score: 4, Insightful

    allow a fork to be released under a standard open source license?

    Because I can take software with a standard open source license and put TrueCrypt's name back into it.

    Not that I intend to do so, but it just seems off, somehow.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    1. Re:Does the TrueCrypt License by Anonymous Coward · · Score: 5, Informative

      Having RTFA (I know, I know), I can answer your question.
      The first CipherShed version will be under the TrueCrypt license. They hope to rewrite and replace code until they have something new they can release under a standard OSI-approved license.

    2. Re:Does the TrueCrypt License by Marginal+Coward · · Score: 2

      I think you're onto something. Perhaps *that's* why the secret formula for Coke has never been open-sourced, but remains locked in a vault in Atlanta to this very day. Likewise for the secret Krabby-patty formuler. Just think what havoc Pepsi and Plankton could wreak with the TrueCrypt code...

    3. Re:Does the TrueCrypt License by Anonymous Coward · · Score: 5, Informative

      Section III.1.4 of the license (https://tldrlegal.com/license/truecrypt-license-version-3.0#fulltext) says that any code that you provide that is not part of the original TrueCrypt can be licensed under completely different terms, as long as the terms satisfy certain conditions listed in that section.

  4. FOSS names by asmkm22 · · Score: 4, Interesting

    Just curious. Is there some kind of unwritten rule that FOSS project names have to be as crappy as possible? Is it just a translation thing, where maybe the name makes more sense or sounds better in the dev's native tongue? Has anyone been part of a FOSS project and was involved in the naming of it?

    1. Re:FOSS names by gigaherz · · Score: 4, Insightful

      The sillier the name the lower the chances someone will abuse that name for commercial reasons. Saves a lot of money on trademarks.

    2. Re:FOSS names by jones_supa · · Score: 4, Insightful

      Good ones: Inkscape, Thunderbird, Blender, VirtualBox, Linux...

      Crappy ones: GIMP, Tahoe-LAFS, Ubuntu, Kdenlive, XFCE...

      I personally think that you hit the sweet spot when you have a name which sounds cool and professional, is easy to remember, and at least tries to vaguely describe the function of the program.

    3. Re:FOSS names by sexconker · · Score: 5, Funny

      The sillier the name the lower the chances someone will abuse that name for commercial reasons. Saves a lot of money on trademarks.

      I'm happy to announce my new FOSS project: CUNTT. It's a universal network tracing tool.
      It stands for "CUNTT isn't a Universal Network Tracing Tool".

    4. Re:FOSS names by Dragonslicer · · Score: 2

      Good ones: Inkscape, Thunderbird, Blender, VirtualBox, Linux...

      Crappy ones: GIMP, Tahoe-LAFS, Ubuntu, Kdenlive, XFCE...

      I personally think that you hit the sweet spot when you have a name which sounds cool and professional, is easy to remember, and at least tries to vaguely describe the function of the program.

      A lot of software fails your last requirement (Thunderbird, Blender, Linux for a lot of people), but that isn't limited to open source software. While Microsoft has the reasonably-named Windows and Word, they also have Outlook, Excel, and PowerPoint.

    5. Re:FOSS names by WaywardGeek · · Score: 2

      I find EncryptAll not bad. The bar here is not that high... just has to be an improvement. The guys on the CipherShed team would kill me for suggesting Pure-Crypt, but I think that's available and also aligns us well with Pure-Privacy, the new foundation promoting online privacy.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
  5. Expect a FISA or PRISM notice in... by Bomarc · · Score: 3, Interesting

    How long before they get a FISA or PRISM notice?
    Wonder if they will have a "Warrant Canary" posting.

    1. Re:Expect a FISA or PRISM notice in... by WaywardGeek · · Score: 3, Informative

      Some people post warrant canaries, but I stopped. Our current defense strategy is having developers around the world. Also, we have weekly voice meetings that are hard to fake, and enable us to know we're dealing with the same person each week.

      Personally, I've been boning up on skills for finding weaknesses in crypto code. I just did a 2-week marathon of being a huge a-hole over at the Password Hashing Competition. Telling people why you think their algorithms are not secure does not make you popular, but I have to admit it was fun. Applying the same sort of analysis to TrueCrypt makes me want to set my hair on fire.

      TrueCrypt's saving grace is that it is not an on-line app. Even in the first "rebranding" release, we're removing its tendency to ping the Internet whenever you click on a help button. If an attacker could hack the volume data, for example, he'd totally pwn TrueCrypt. But... in that case, he already owns you most likely.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
  6. Why does this always happen? by westlake · · Score: 3, Funny

    They're obviously using my HorribleNameGenerator library. I'm proud to have contributed to so many FOSS projects.

    Nothing inspires more confidence in a complex cryptographic system than a name like "CipherShed."

    Is the geek born with this impulse to shoot himself in the foot?

    1. Re:Why does this always happen? by ihtoit · · Score: 2

      Dammit, I was going to go with "Popplers" or "Tastecicles".

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Why does this always happen? by CreatureComfort · · Score: 4, Funny

      Howbout...MaybeCrypt? Wouldn't want to use FalseCrypt...

      I've got it! SchrödingersCrypt!

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    3. Re:Why does this always happen? by flyingfsck · · Score: 2

      There is nothing wrong with the word gimp in most of the civilized world. It is only a slightly derogatory teenager slang word in some US high schools.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. They've already screwed the pooch. by tlambert · · Score: 2, Informative

    They've already screwed the pooch.

    They've published the source archive under the original TrueCrypt license. As a result, unless there's a legal entity (person or company) to which all contributors make an assignment of rights, or they keep the commit rights down to a "select group" that has agreed already to relicense the code, they will not be able to later release the code under an alternate license, since all contributions will be derivative works and subject to the TrueCrypt license (as the TrueCrypt license still in the source tree makes clear).

    The way you do these things is: sanitize, relicense, THEN announce. Anyone who wants to contribute as a result of the announcement can't, without addressing the relicensing issue without having already picked a new license.

  8. Re:Shed?? by CaptSlaq · · Score: 3, Funny

    Like TVR.

  9. I guess FalseCrypt was taken by gatkinso · · Score: 2

    CipherShed indeed.

    --
    I am very small, utmostly microscopic.
    1. Re:I guess FalseCrypt was taken by NReitzel · · Score: 2

      Strange that you should mention this. In point of fact, they released the source code.

      Let's read that again:

            They Released The Source Code

      Dude, that genie is -out- of the bottle. The source builds easily on several platforms, and produces a nice functional FakeCrypt wherever you might want it. Now, let us examine the implications of litigation against people who have brought up their own version.

      First, ostensibly honest people who just want some security will be the targets. And what will happen to fundamental terrorist groups? Why, nothing of course. They will have strong crypto and being sued for copyright infringement is the very least of their worries, since they intend on doing rather nastily illegal acts in any case. Law abiding people get harassed, the bad guys don't give a crap.

      Are you listening, NSA? What you've done, so you can intercept Aunt Mabel's sex texts, is force the use of this strong package underground. Your only recourse is going to be making any use of crypto illegal, which may in fact have been where you were going in the first place.

      You guys are -supposed- to defend the Constitution of the United States. I've actually listened to the oath. The idea is not, and never has been, that the people are entitled to Life, Liberty, and the Pursuit of Happiness as long as it is under strict government supervision.

      --

      Don't take life too seriously; it isn't permanent.

  10. Re:Veracrypt by xeio87 · · Score: 2

    It's interesting though, if the authors of TrueCrypt really do want to stay anonymous... how will they ever exercise their copyright? Or for that matter prove that they ever owned the project in the first place?

  11. Re:Like LAME by Orestesx · · Score: 2

    "Clean Room Design"
    "Chinese Wall Implementation"
    "Brewer and Nash Model"

    The key isn't replacing the code...it's replacing the code in such a way that it does not infringe on the copyright of the original code. Usually this means new code created by someone with no knowledge of the original code, therefore it cannot be a derivative work, therefore it does not infringe on the original copyright.

  12. Re:Like LAME by Bill_the_Engineer · · Score: 2

    Since they are working with the original source code and simply implementing new code with a different license, I don't think those three terms you gave apply. When I think of "Clean Room Design", I think of programmers who program a different implementation knowing only the API and the expected results of the subroutine, method, or entire Application.

    This is probably more of a "wink... wink.. Clean Room Design... cough... cough."

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
  13. I prefer doxbox by monkey999 · · Score: 2

    I like the doxbox project - it works with linux crypto containers as well. It's a fork of freeotfe that was always better than truecrypt because it's easier to use and has a license that encourages people to contribute.

  14. Secure? Wordpress? by X10 · · Score: 2, Insightful

    Their site says "proudly powered by wordpress". Err, "security", "wordpress", isn't that mutually exclusive?

    --
    no, I don't have a sig
  15. Re:Like LAME by WaywardGeek · · Score: 2

    Infringement has a lot to do with who you're pissing off. In this case, I am not so worried about the original TrueCrypt team. These guys did a ton of work for years, almost for free, because they thought the world needed it. Well, the world still needs it, and we have some new volunteers (but need more!). The E4M owner has some gripes about use of E4M licensed code in the tool. I think we need to focus on the E4M code and get it out of there ASAP. We can then take some more time to redo the whole GUI and everything else.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell
  16. Used to be Cipher-Two-Sheds... by qw(name) · · Score: 2

    But then he sold one.

  17. BeerCrypt by hodet · · Score: 2

    Well we only had one Beer story today, so I nominate BeerCrypt. Because we all love beer and crypto. It's a no brainer and the quicker you bring Cipher-Shed behind the wood shed the better. Let McAfee have Endpoint and Microsoft have BitLocker. Nice catchy names to make the most hard assed CEO blush and gush. BeerCrypt. You know you want it.

  18. how about "InvisiFile"? by cellocgw · · Score: 2

    That's easy to pronounce, and since part of the intent of the encryption software is to present a disk with no evidence of there being an encrypted file, the 'invisibility' part may make sense to the nontechies.

    I was going to suggest Data-B-Gone but that's probably trademarked by QVC :-)

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw