Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Silver]

Via Bruce Schneier:  TrueCrypt WTF

The official SourceForge page warns that "TrueCrypt is not secure."

Ars Technica has a summary; not much known at this time.

[Adventurer, Explorer, Inquiring Mind.]

The ARS piece set off the shit storm.

It is a solid piece, if you consider the comments.

Conspiracies or no conspiracies, TC hadn't been regularly updated in awhile.  Given the amount of ciphers it supported, more regular updates or patches would have been the norm.

Either TC's website or signing key were compromised, or the devs have decided to call it a day awhile back and they decided to make it public by saying "hey, we ain't developin' this no more, give us a break with the screaming flames on fora... we quit last year, here's our two week's notice... 52 weeks late."  That sort of thing.

Happens all the time.

[Silver]

GRC claims to have heard from the developers

And then the TrueCrypt developers were heard from . . .
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    * TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    * Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    * Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    * Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    * TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    * Quoting TrueCrypt Developer David: “There is no longer interest.”

If true, it suggests the developers acted like dicks.  It's fine if they didn't feel like working on this any more.  Ten years is a long time, it is thankless work, for no money.

But if this is really from the developers, then the 7.2 release is nothing more than a clumsy attempt to set fire to it.  They could have released it to the winds of the internet, and said goodbye.  Instead they tried to trash it.

If this communication is legit, I predict there will be an effort, perhaps multiple ones, to make the code truly open source.  Too many people rely on truecrypt.  Raising $70k in donations to do the code audit is powerful evidence that people want this product - inspectable code, audited strong crypto.  So the market will get that, despite any dog-in-the-manger antics by the original developers.

Peace,

Silver

[Adventurer, Explorer, Inquiring Mind.]

GRC claims to have heard from the developers

And then the TrueCrypt developers were heard from . . .
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used before and received several replies from “David.” The following snippets were taken from a twitter conversation which then took place between Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

    * TrueCrypt Developer “David”: “We were happy with the audit, it didn't spark anything. We worked hard on this for 10 years, nothing lasts forever.”
    * Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”
    * Steven Barnhart: “I asked and it was clear from the reply that "he" believes forking's harmful because only they are really familiar w/code.”
    * Steven Barnhart: “Also said no government contact except one time inquiring about a ‘support contract.’ ”
    * TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows was original ‘goal of the project.’ ”
    * Quoting TrueCrypt Developer David: “There is no longer interest.”

If true, it suggests the developers acted like dicks.  It's fine if they didn't feel like working on this any more.  Ten years is a long time, it is thankless work, for no money.

But if this is really from the developers, then the 7.2 release is nothing more than a clumsy attempt to set fire to it.  They could have released it to the winds of the internet, and said goodbye.  Instead they tried to trash it.

If this communication is legit, I predict there will be an effort, perhaps multiple ones, to make the code truly open source.  Too many people rely on truecrypt.  Raising $70k in donations to do the code audit is powerful evidence that people want this product - inspectable code, audited strong crypto.  So the market will get that, despite any dog-in-the-manger antics by the original developers.

Peace,

Silver

Yes, they had a remarkable project and got tired so they flushed it down the toilet.  They probably would have done better going commercial with it, and leaving the codebase auditable/open sourced.

Yeah, its funny how the only capitalists in America willing to pay for a good service (TC support, linux support, etc) is the government.  Private people want people to work for free and bitch when stuff doesn't work right rather than providing bug reports and helping out.  I can see why guys WOULD get pissed though.  Given the user base for TC, 70k isn't that much cash.  I am not much of a fan since I've run into interesting forks that make use of TC but permit it to boot from removable media, etc.  Guy didn't opensource his work and asks for money.  I'd pay, if the code were open.  For this sort of thing, auditability is king... given the beast with its nose under the tent flap.

[Silver]

I see no evidence in this case or elsewhere supporting the idea that only the government will pay for support.

The TrueCrypt developers never offered support.  I suspect there would have been a market for it, but they didn't care to do that task.  That is there choice, but their decision can't be used to tar the rest of the consumer marketplace with wanting only free support.

The $70k wasn't raised for the TrueCrypt developers; it was raised to fund an independent audit by genuine security experts.  The fact that $70k was raised for an audit suggests to me that there is intense market desire for a professionally reviewed, open source product.

I don't fault the TrueCrypt team for getting tired, but I do think the stunt with 7.2 was crass and stupid.  If they didn't want the code the didn't have to use FUD to make it harder for anyone who did feel like pitching in.

Peace,

Silver

[Adventurer, Explorer, Inquiring Mind.]

I see no evidence in this case or elsewhere supporting the idea that only the government will pay for support.

The TrueCrypt developers never offered support.  I suspect there would have been a market for it, but they didn't care to do that task.  That is there choice, but their decision can't be used to tar the rest of the consumer marketplace with wanting only free support.

The $70k wasn't raised for the TrueCrypt developers; it was raised to fund an independent audit by genuine security experts.  The fact that $70k was raised for an audit suggests to me that there is intense market desire for a professionally reviewed, open source product.

I don't fault the TrueCrypt team for getting tired, but I do think the stunt with 7.2 was crass and stupid.  If they didn't want the code the didn't have to use FUD to make it harder for anyone who did feel like pitching in.

Peace,

Silver

There's suggestions I've had for them for awhile for features which BELONG in a full medium/disk crypto product.  Maybe i should pick it up as a side project for my company and sell it to whoever's willing to pay for it and for support.  Course my devs are both flaky asshats too (and yes they know it, and call each other as such too... so its no secret, but I get what I can afford and what's willing to work), and I'm so swamped getting the bread and butter operations stable that I can't spend too much time on it.  Hell, I did all my posts in 10 min after lunch... or... 6... min?  Woah.  And now back to the road.