Also, it appears someone finally got a hold of a Truecrypt dev. The project was just shut down from lack of interest. No drama about auditing or, crazy NSA conspiracies after all:
https://twitter.com/stevebarnhart/status/472203503478509568
The developer(s?) who made TrueCrypt did it for their own reasons.
They didn't necessarily do it because they wanted to "stop teh NSA." A lot of people who wanted to "stop teh NSA" started using TrueCrypt, and so they assumed that their goals lined up with TrueCrypt's. But maybe they didn't.
Maybe the developer using TrueCrypt was perfectly happy with "defend against anyone short of the NSA, especially since the NSA would need to expose their ability to break into this in order to do anything bad to me." There are millions of people who legitimately share that threat model.
We can parse out each comment in the source code like lawyers fighting about a comma before SCOTUS or biblical scholars debating on the definition of a word in Hebrew. We will never know. But there is a really big possibility that the developer(s) consider BitLocker acceptable, even if it's closed-source by Microsoft.
EDIT replaced an instance of "BitLocker" with "TrueCrypt" in second paragraph, whooops!
Exactly, and it's amazing what a sudden lack of motivation (for a FREE project after 10 years) will do to someone compared to how you feel when you first are building and all giddy and have high aspirations. They're probably worn out and tired and so suddenly they don't feel as strict need to adhere to their previous guidelines.
However, I personally find that interesting since I'd think in today's climate it's even more important and they were getting lots of exposure.
At what point did you answer that simple question of - well why didn't they just say they are not motivated to continue the project any longer, but instead say Truecrypt is not secure.
I'm not sure you can apply Occam's Razor here. You will only break your blades as you search for a simple answer.
Maybe he was pissed.
Maybe he really didn't want to support it any more, and would feel really bad if people's stuff got compromised on his watch, so he wanted everyone to stop using his stuff as hard as possible.
Sorry, I didn't really want people trying to further bug the supposed dev. Steve Gibson has a good enough roundup. I wish he didn't use my info though :)
It looks like it was deleted because they were concerned about accidentally outing the developer. Which seems like a legitimate thing to be concerned about.
It would be nice if the people who pick up and run with the "reboot" of Truecrypt's project management had a background in cryptography. Do these people?
Hm. Is that Websters definition of "clearly", meaning "easy to perceive, understand, or interpret", or HN's definition, as in "it's clear someone or some agency got to the developers and they just pulled the ejection seat for their own legal protection"?
I was hoping the italics spoke for themselves, but I'd better clarify it's the latter. It seems to be an Internet-wide phenomenon to jump to the most bombastic possible conclusion given a limited set of facts.
The domain is registered to Joseph Doekbrijder [1] who does seem to be working in the area. You might be much more knowledgeable about were to look for his crypto background than I am.
It says derived programs shouldn't be called "TrueCrypt" and shouldn't be ascribed to the original publishers, which honestly seem like pretty mild requirements.
So they are right off on the wrong foot, with that domain name.
I belive any TrueCrypt fork should require contributions to be dual licensed under TrueCrypt's original license and BSD. In time, the project can shed original files and re-implement them under BSD or any other GPL compatible license.
So far there isn't any derived code. The truecrypt.ch domain seems a reasonable place for people to regroup. If/when a new release comes out, the community can think about a new name and register a new domain.
The Truecrypt licenses also say that it cannot be sold, which makes it non-free and non open source. The OSI even said, "it is not at all appropriate for [TrueCrypt] to describe itself as 'open source.'"
The big issue was the clause that didn't protect those who forked from copyright infringement or being sued and the devs said that was intentional. Although, i doubt they'd really want to come out and make themselves public to pursue that.
From a practical view the original authors were anonymous, would they really shed that to sue somebody forking their code against the license? Probably not.
Upon skimming, it looks like it still retains some clauses like: "The name of Your Product (or of Your modified version of This Product) must not contain the name TrueCrypt [...] nor any other names confusingly similar to the name TrueCrypt" and "All graphics contained in This Product (logos, icons, etc.) must be removed from Your Product (or from Your modified version of This Product) and from any associated materials."
...but that actually doesn't seem all that insurmountable. Hm...
TrueCrypt 7.1a - the one with the actual functionality - wasn't released under this license. It was released under the earlier one. And I don't think it allows for this version or later ala GPL. I'm not sure of this, though.
My opinion, the fact that some security researcher was going to be getting more money than the actual developer ever made off the project must have been infuriating. I think that's good enough reason to burn the project to the ground.
Actually it would be good if the webmaster behind this reboot got SSL set up. Especially if this is going to be the new most authoritative download source.
That would be prudent regardless. If you trust HTTPS, why verify the PGP signatures? And if you don't, verifying the PGP signatures does not get you anything if you have no reason to trust the key.
This looks like a bootstrap site that was thrown together in an hour by two guys with twitter accounts and $10 for a domain name. I really doubt they're going to be doing any dev work.
well the fact that they are asking for a copy of the original site isn't a good start.
The original dev's made it clear they don't want people to continue with the TrueCrypt name. If they were really interested in continuing the project for the sake of security they would have chosen a different name.
Still have no idea what's the "unfixed security issues", and few guys mention about it.
I image there the "security issues" will be (if it exist):
1. because key are easy to stolen by coolboot or trojan.
2. because it has backdoor, will save key to a hidden place.
3. because it will leave some information in other place, like 2 but it's implantation problem.
4. because it use a vulnerable algorithm to generate key.
5. because pbkdf2 or aes256 is broken but nobody known it.
exclude 2 and 3, change to other software it's not help at all, algorithm almost same.
If we believe the person I was in contact with (big IF, I know), there are no current issues, but it is by definition "harmful" to continue use because it is no longer being maintained. In fact, the person requested I tell Steve Gibson to not distribute or include a notice telling people not to use it.
if the developers of Truecrypt are anonymous and the license doesn't allow something like this, would this allow us to find out who the developers are if they sue?
This means that if you have a large set of random-looking data, they can already lock you up. Hidden containers (encryption hidden within encryption), as possible with Truecrypt, do not help either. They will just assume the hidden container is there and unless you hand over the key, you will stay locked up. Don't have a hidden container? Though luck. Anybody could claim that.
It assumes there are only two possibilities, either you live in a "free country" where you can refuse to hand over the key, or you live in a totalitarian state where the police will decide to beat you if they suspect you have crypto software, and will keep doing so no matter what you say.
There is a lot of middle ground there. For example in the UK, I believe you are legally required to provide the decryption password. But I don't think the police there would be likely to beat you if they think you may have a hidden container. They could argue that they believe you do, and you would respond with "prove it!", and I doubt it would go any further (unless they had some evidence that you specifically were using hidden containers).
There is value in hidden containers in some circumstances. It's disappointing to see the cryptsetup maintainers take this position.
Hidden containers perhaps won't be enough to protect you from being locked up, but that is not always their purpose. One purpose of hidden containers is to make the presence of information hidden from the attacker. They may lock you up, but they will never really know if you had encrypted information or not. That means you win something.
This is a bad idea. TrueCrypt should be put to bed for good. An event of this magnitude is easy justification for dropping TrueCrypt. It serves an extremely delicate purpose and this raises far too many red flags to ignore.
Place your energy in the alternatives. I wish you could downvote things on HN, if only because this is downright dangerous and needs to be read by as few people as possible.
I disagree. TrueCrypt (for better or for worse) made encryption available to the masses in an easy to use application. Without it, similar level of encryption requires knowledge of unix command line or expensive commercial products. The events that have unfolded do certainly raise the stakes for the TrueCrypt audit, but at present, I am still better off using TrueCrypt, than nothing at all.
It was, however, easy enough to use for anybody capable of administering their own Windows PC, a situation which most of us on this site have been in at some point in our lives.
Hmm, I think the YC News people are not the average users :)
The problem really came in Africa and the Middle East were overall IT literacy is low. People could often use a computer but were not familiar enough with it/scared to break something that they were afraid to really problem solve - esp human rights defenders in their late 40/50s in these places.
So for example, if taught A then B = C, TC was fine. The problem often came when A then B = Z, then TC became a problem. It's UI/UX and use of language (why call something "Mount"? Just use the word "Decrypt" for gods sake! - yes its not perfectly accurate but its easier for people to understand.) was pretty intimidating for many of the people who's lives really depend on it.
I'm speaking to developers who would work on something like maintaining a TrueCrypt fork. Instead, improve the usability of the alternatives to solve the problems you've raised.
Who says they aren't going to fork and continue development?
It's just a landing page that a couple of guys put up while they try to figure out what direction to take. Since there's an audit going on right now, when it's done they'll probably start fixing the problems and releasing new versions. Have a bit of patience.
There is a $30,000 audit currently underway. There will be no security problems un-turned when they are through. That's assuming there are any to begin with (Personally, I think not).
I see no issue picking up the codebase and running with it.
Of all the subsets of the software development world, crypto is the one to be taken most seriously. TrueCrypt was always developed in the shadows, and the recent controversy takes the nails they've set and hammers them firmly into the coffin.
Problems come up when nobody reads the code. Right now, there's an awful lot of people reading this code (Given the strange warning's posted on the TC site).
That's a fine attitude for normal code, but crypto is a whole different ball game. Linux security was significantly reduced at one point because somebody changed int i to int i=0, something most developers would thing is a positive. Side channel attacks are extremely easy to create and extremely hard to find. And, unfortunately, the "many eyes" thing doesn't work here because it requires experienced, knowledgable eyes, and there aren't enough of those, and they are usually busy getting paid, researching how to break software or building their own stuff.
[fridge brilliance]
Maybe, after the OpenSSL debacle, they realised that the only way to make a truly secure product was to get a lot of eyeballs on the code, hence the dramatic diva flounce to grab attention...
[/fridge brilliance]
You are correct. These options are not very portable. My point here is not that the alternatives are ready for non-technical users, but that developers should focus on realizing that future instead of maintaining and advocating a fork of dangerous software.
> instead of maintaining and advocating a fork of dangerous software.
This smells of hyperbole. Why do you consider TC to be _dangerous_ software? Lack of maintenance? Speculative possibilities regarding recent events?
If the rumors are true that the TrueCrypt devs are throwing in the towel, that discounts a couple of dangerous scenarios I can think of leaving only lax maintenance.
I would love to see it live on with no new unneeded features, no changes made unless they are to fix bugs. Keep a stable long-term product and get as many people as possible looking over that code for flaws.
Search off the phrase "TrueCrypt Developers Association. All rights reserved." and you will find many other projects that include embedded TrueCrypt code. Food for thought...
Anonymity is out and I'd say that being an "independent" crypto person that has to defend themself will not get you very far once you have come to the attention of the wrong people.
So what options remain for the person that starts the "next Truecrypt"? The only true safe haven I can think of is employment at a public university. In many countries here in Europe the security researchers working at universities can operate under what is called "academic freedom".
Edit: That tweet was deleted for some reason, but the rest of the thread is still there: https://twitter.com/stevebarnhart/status/472192457145597952