TrueCrypt must not die | Better HN

TrueCrypt must not die | Better HN

98 comments

buddylw11y ago

Also, it appears someone finally got a hold of a Truecrypt dev. The project was just shut down from lack of interest. No drama about auditing or, crazy NSA conspiracies after all: https://twitter.com/stevebarnhart/status/472203503478509568

Edit: That tweet was deleted for some reason, but the rest of the thread is still there: https://twitter.com/stevebarnhart/status/472192457145597952

isxek11y ago

Yeah, this comment appears to be spot on as well:

http://krebsonsecurity.com/2014/05/true-goodbye-using-truecr...

tptacek11y ago

The funniest part about that comment is the response that says "I really was leaning toward NSL, till I read this post."

Head-desk-head-desk.

eps11y ago

It doesn't mean anything. That's the exact same reply someone under a gag order would give too.

tptacek11y ago

Bob: [practising] As you know, sir, we have several loans with your institutions, all "past due". But what does "past due" even mean, you know?

Gene: It's brilliant! There's no such thing as time!

nikcub11y ago

topsy still has the tweets cached:

http://topsy.com/trackback?url=http%3A%2F%2Ftwitter.com%2Fst...

and for the user:

http://topsy.com/s?q=from%3Astevebarnhart&window=w&type=twee...

thejdude11y ago

No it doesn't.

At least from here it looks like they took the posts down as well.

throwaway12983711y ago

@stevebarnhart: ask him if he would continue for $70000...

chmars11y ago

I have much doubt about that since BitLocker is certainly not good enough:

https://twitter.com/stevebarnhart/status/472195239005147136

And why not just writing that you no longer feel motivated to continue the further development of your software? It is very common after all …

danielweber11y ago

The developer(s?) who made TrueCrypt did it for their own reasons.

They didn't necessarily do it because they wanted to "stop teh NSA." A lot of people who wanted to "stop teh NSA" started using TrueCrypt, and so they assumed that their goals lined up with TrueCrypt's. But maybe they didn't.

Maybe the developer using TrueCrypt was perfectly happy with "defend against anyone short of the NSA, especially since the NSA would need to expose their ability to break into this in order to do anything bad to me." There are millions of people who legitimately share that threat model.

We can parse out each comment in the source code like lawyers fighting about a comma before SCOTUS or biblical scholars debating on the definition of a word in Hebrew. We will never know. But there is a really big possibility that the developer(s) consider BitLocker acceptable, even if it's closed-source by Microsoft.

EDIT replaced an instance of "BitLocker" with "TrueCrypt" in second paragraph, whooops!

mschuster9111y ago

For me this tweet is 404, what is its content?

xcrunner52911y ago

Sorry, I didn't really want people trying to further bug the supposed dev. Steve Gibson has a good enough roundup. I wish he didn't use my info though :)

tptacek11y ago

He'd tell you, but he's been NSL'd.

buddylw11y ago

tweet was deleted for some reason. Here's another from the thread: https://twitter.com/stevebarnhart/status/472192457145597952

tptacek11y ago

I'm shocked, shocked: https://news.ycombinator.com/item?id=7812476

100rsa11y ago

Hope they can give a gpg signed mail content.

tptacek11y ago

It would be nice if the people who pick up and run with the "reboot" of Truecrypt's project management had a background in cryptography. Do these people?

rsync11y ago

Did you not see the .ch domain name ?

You can rest assured.

tptacek11y ago

Also what is it with the people who suddenly seem to believe Switzerland is a cypherpunk haven? It _really_ isn't.

mkuhn11y ago

The domain is registered to Joseph Doekbrijder [1] who does seem to be working in the area. You might be much more knowledgeable about were to look for his crypto background than I am.

[1] http://www.linkedin.com/pub/joseph-doekbrijder/2b/384/43a

callahad11y ago

I don't believe the TrueCrypt license allows this kind of redistribution, does it?

Then again, with anonymous developers and unknown jurisdiction, it may be moot.

Lagged2Death11y ago

It says derived programs shouldn't be called "TrueCrypt" and shouldn't be ascribed to the original publishers, which honestly seem like pretty mild requirements.

https://github.com/warewolf/truecrypt/blob/33c0b8457051796fa...

cornholio11y ago

So they are right off on the wrong foot, with that domain name.

I belive any TrueCrypt fork should require contributions to be dual licensed under TrueCrypt's original license and BSD. In time, the project can shed original files and re-implement them under BSD or any other GPL compatible license.

jordigh11y ago

The Truecrypt licenses also say that it cannot be sold, which makes it non-free and non open source. The OSI even said, "it is not at all appropriate for [TrueCrypt] to describe itself as 'open source.'"

http://www.infoworld.com/d/open-source-software/truecrypt-or...

xcrunner52911y ago

The big issue was the clause that didn't protect those who forked from copyright infringement or being sued and the devs said that was intentional. Although, i doubt they'd really want to come out and make themselves public to pursue that.

nwh11y ago

From a practical view the original authors were anonymous, would they really shed that to sue somebody forking their code against the license? Probably not.

dendory11y ago

They are redistributing the original unmodified source, so it shouldn't go against the 'derivation' requirement..

ronjouch11y ago

Looking at the license simplifications part of TrueCrypt 7.2 [1], it may be allowed.

[1] https://github.com/warewolf/truecrypt/compare/master...7.2#d...

callahad11y ago

Upon skimming, it looks like it still retains some clauses like: "The name of Your Product (or of Your modified version of This Product) must not contain the name TrueCrypt [...] nor any other names confusingly similar to the name TrueCrypt" and "All graphics contained in This Product (logos, icons, etc.) must be removed from Your Product (or from Your modified version of This Product) and from any associated materials."

...but that actually doesn't seem all that insurmountable. Hm...

JohnTHaller11y ago

TrueCrypt 7.1a - the one with the actual functionality - wasn't released under this license. It was released under the earlier one. And I don't think it allows for this version or later ala GPL. I'm not sure of this, though.

bitJericho11y ago

My opinion, the fact that some security researcher was going to be getting more money than the actual developer ever made off the project must have been infuriating. I think that's good enough reason to burn the project to the ground.

Andrew_Quentin11y ago

or not start it at all

bitJericho11y ago

The license issues surrounding TC are reason enough to not restart the project.

voltagex_11y ago

The signatures and binaries are not served over HTTPS. It would be prudent to compare them to other sources.

voltagex_11y ago

Just for reference, SHA1s posted from an independent source yesterday: https://news.ycombinator.com/item?id=7816109

dendory11y ago

Actually it would be good if the webmaster behind this reboot got SSL set up. Especially if this is going to be the new most authoritative download source.

zurn11y ago

SSL is better than no SSL, but for better assurance they should offline sign the downloads.

throwaway776711y ago

That would be prudent regardless. If you trust HTTPS, why verify the PGP signatures? And if you don't, verifying the PGP signatures does not get you anything if you have no reason to trust the key.

nhayden11y ago

This looks like a bootstrap site that was thrown together in an hour by two guys with twitter accounts and $10 for a domain name. I really doubt they're going to be doing any dev work.

aliakbarkhan11y ago

Why does the amount of effort on the site matter? I don't understand how that tells you anything about the project or its likely outcome.

thefreeman11y ago

well the fact that they are asking for a copy of the original site isn't a good start.

The original dev's made it clear they don't want people to continue with the TrueCrypt name. If they were really interested in continuing the project for the sake of security they would have chosen a different name.

gaadd3311y ago

Would you trust it more if they used Comic Sans instead of bootstrap?

100rsa11y ago

Still have no idea what's the "unfixed security issues", and few guys mention about it. I image there the "security issues" will be (if it exist): 1. because key are easy to stolen by coolboot or trojan. 2. because it has backdoor, will save key to a hidden place. 3. because it will leave some information in other place, like 2 but it's implantation problem. 4. because it use a vulnerable algorithm to generate key. 5. because pbkdf2 or aes256 is broken but nobody known it. exclude 2 and 3, change to other software it's not help at all, algorithm almost same.

xcrunner52911y ago

If we believe the person I was in contact with (big IF, I know), there are no current issues, but it is by definition "harmful" to continue use because it is no longer being maintained. In fact, the person requested I tell Steve Gibson to not distribute or include a notice telling people not to use it.

Istof11y ago

if the developers of Truecrypt are anonymous and the license doesn't allow something like this, would this allow us to find out who the developers are if they sue?

missblit11y ago

To what end? Just because one can steal someones code or force them to reveal their identity doesn't mean it's a good or nice idea.

Apologies if I missed anything, I don't follow this truecrypt stuff too closely.

fyrabanks11y ago

If they sued, yes, they would have to reveal themselves. One of the developers got dox'd recently, which may have something to do with shutting the project down. (https://translate.google.com/translate?sl=ru&tl=en&js=y&prev...)

throwaway776711y ago

Honestly, I was hoping this drama would result in the implementation of hidden containers for other crypto solutions (dm-crypt, etc).

Hopefully that may still happen.

romseb11y ago

The FAQ for cryptsetup states: https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQue...

This means that if you have a large set of random-looking data, they can already lock you up. Hidden containers (encryption hidden within encryption), as possible with Truecrypt, do not help either. They will just assume the hidden container is there and unless you hand over the key, you will stay locked up. Don't have a hidden container? Though luck. Anybody could claim that.

throwaway776711y ago

I think that's a very narrow view.

It assumes there are only two possibilities, either you live in a "free country" where you can refuse to hand over the key, or you live in a totalitarian state where the police will decide to beat you if they suspect you have crypto software, and will keep doing so no matter what you say.

There is a lot of middle ground there. For example in the UK, I believe you are legally required to provide the decryption password. But I don't think the police there would be likely to beat you if they think you may have a hidden container. They could argue that they believe you do, and you would respond with "prove it!", and I doubt it would go any further (unless they had some evidence that you specifically were using hidden containers).

There is value in hidden containers in some circumstances. It's disappointing to see the cryptsetup maintainers take this position.

draugadrotten11y ago

Hidden containers perhaps won't be enough to protect you from being locked up, but that is not always their purpose. One purpose of hidden containers is to make the presence of information hidden from the attacker. They may lock you up, but they will never really know if you had encrypted information or not. That means you win something.

Sir_Cmpwn11y ago

This is a bad idea. TrueCrypt should be put to bed for good. An event of this magnitude is easy justification for dropping TrueCrypt. It serves an extremely delicate purpose and this raises far too many red flags to ignore.

Place your energy in the alternatives. I wish you could downvote things on HN, if only because this is downright dangerous and needs to be read by as few people as possible.

Afforess11y ago

I disagree. TrueCrypt (for better or for worse) made encryption available to the masses in an easy to use application. Without it, similar level of encryption requires knowledge of unix command line or expensive commercial products. The events that have unfolded do certainly raise the stakes for the TrueCrypt audit, but at present, I am still better off using TrueCrypt, than nothing at all.

secfirstmd11y ago

Having taught hundreds of people how to use True crypt over the years, I would certainly say that it was hardly easy for the average person to use.

Sir_Cmpwn11y ago

I'm speaking to developers who would work on something like maintaining a TrueCrypt fork. Instead, improve the usability of the alternatives to solve the problems you've raised.

Alupis11y ago

There is a $30,000 audit currently underway. There will be no security problems un-turned when they are through. That's assuming there are any to begin with (Personally, I think not).

I see no issue picking up the codebase and running with it.

hamburglar11y ago

> There will be no security problems un-turned when they are through.

I really really doubt this is a claim the folks doing the audit would make.

zurn11y ago

If you can make that happen with $30k, you can get very rich!

fpgaminer11y ago

> That's assuming there are any to begin with (Personally, I think not)

They already found a few flaws. Nothing major though: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_A...

Sir_Cmpwn11y ago

Of all the subsets of the software development world, crypto is the one to be taken most seriously. TrueCrypt was always developed in the shadows, and the recent controversy takes the nails they've set and hammers them firmly into the coffin.

Audits aren't perfect.

sirsar11y ago

Would you mind pointing me in the direction of a good alternative? Thanks.

Sir_Cmpwn11y ago

The Arch Linux wiki page has an excellent overview: https://wiki.archlinux.org/index.php/Encryption

Paul1234553411y ago

I would love to see it live on with no new unneeded features, no changes made unless they are to fix bugs. Keep a stable long-term product and get as many people as possible looking over that code for flaws.

christianbryant11y ago

Search off the phrase "TrueCrypt Developers Association. All rights reserved." and you will find many other projects that include embedded TrueCrypt code. Food for thought...

read11y ago

Anonymous development on a security relevant Project is no longer an option.

Why not?

jaibot11y ago

Because trust is an important commodity on a project like this. Higher trust means fewer horrible things slipping past the review process.

sentenza11y ago

Anonymity is out and I'd say that being an "independent" crypto person that has to defend themself will not get you very far once you have come to the attention of the wrong people.

So what options remain for the person that starts the "next Truecrypt"? The only true safe haven I can think of is employment at a public university. In many countries here in Europe the security researchers working at universities can operate under what is called "academic freedom".

I wonder how that will be destroyed.

npongratz11y ago

Trust is indeed important, but is connecting a name (or a number of names) to a project the only way to establish trust?

thought_alarm11y ago

Why don't you send TrueCrypt.org a few dollars then?

wyager11y ago

The developers have already decided to call it quits. More money probably won't help.

j / k navigate · click thread line to collapse