

CipherShed, the Truecrypt fork - JoachimS
https://ciphershed.org

======
jbackus
How close is this fork to the original source? The folks behind the Open
Crypto Audit Project[1] have done a fantastic job auditing the security of
Truecrypt and they're now doing the cryptanalysis. While an actively
maintained fork is desirable, changes to the core dependencies will eliminate
the benefits of the audit.

[1]: [https://opencryptoaudit.org/](https://opencryptoaudit.org/)

~~~
david_shaw
That's very true, but if the Open Crypto Audit Project finds any TrueCrypt
vulnerabilities, there will be no one around to fix them.

------
D4AHNGM
Interestingly the FUSE element is going to get much more difficult come
Yosemite. Apple has implemented a strict unsigned kext ban on Yosemite, and
obviously FUSE relies on those kernel extensions, so effectively, building
things like FUSE from source is going to get a lot more difficult for end-
users.

The FUSE element will still work fine if you take a signed OSXFUSE binary for
example, because those binaries & the kexts within them are signed, but
distributing source packages to OS X at least is going to become more painful.

------
RexRollman
I was under the impression it couldn't be forked. Incorrect?

~~~
mholt
Shouldn't, but could:

> On 16 June 2014, the only alleged TrueCrypt developer still answering
> emails, replied to an email by Matthew Green about the licensing situation.
> He is not willing to change the license to an open source one, believes that
> Truecrypt should not be forked, and that if someone wants to create a new
> version they should start from scratch.[1]

(Copy of the email on pastebin[2])

[1]:
[http://en.wikipedia.org/wiki/TrueCrypt#End_of_life_and_licen...](http://en.wikipedia.org/wiki/TrueCrypt#End_of_life_and_license_version_3.1)
[2]: [http://pastebin.com/RS0f8gwn](http://pastebin.com/RS0f8gwn)

~~~
harshreality
The letter of copyright law might allow a prohibition of forking and
relicensing (to reiterate, the TC author would have to reveal him or herself
in order to enforce that prohibition), but philosophically...

 _" I don't feel that forking truecrypt would be a good idea..."_

This is a straight-up abuse of copyright law. Author has no intent of
profiting from the project, no intent of continuing to work on the project,
and still waves around the hammer of copyright as if it's a fundamental right
absent any connection to the constitutional qualification of _promoting
progress in the sciences and useful arts_.

To say there's a moral imperative against forking and relicensing in this
scenario is stretching the rationale for the copyright monopoly quite far.

~~~
tptacek
Interesting. To who else's work can you write a nerd message board post
explaining your intrinsic entitlement?

It's not at all shocking that the creator and maintainer of a free encrypted
filesystem would eventually abandon the effort, given that comments like these
are how the effort is ultimately repaid.

Is there a name for the hammer you swing, the hammer not of abusing copyright
but instead of not writing simulated hardware disk encryption and donating it
for free? It seems to me that's a far mightier hammer than the one you
described.

~~~
SamReidHughes
Uh oh, it looks like @tptacek's calling people message board nerds again.

~~~
tptacek
I'm @tqbf, not @tptacek. @tptacek is some other person on Twitter.

------
pliu
I used Truecrypt heavily for years, but since all the kerfuffle happened I've
switched to other stuff. I like Truecypt and would like to move back, but I'm
not sure when I'll be able to trust a fork. I can't audit the code myself so I
have to rely, I guess, just on mind share and the opinions of security people
who are smarter than me.

I'm curious about what other users are doing in this situation. What are your
criteria for trusting a fork? How will you know when something (not
necessarily CipherShed) is mature and safe enough to use?

~~~
Zikes
What alternatives have you used?

~~~
pliu
For disk encryption on Windows, I switched to Bitlocker for my personal use.
At my workplace we use Symantec Encryption and Sophos Safeguard, my
understanding is they are both pretty okay.

For file encryption, now I just do everything on my Ubuntu workstation and use
GPG + tarballs. This is sort of a pain in the ass though, and it's not as
secure as a TC container of course. It's kind of just a stop gap until I can
think of something better.

~~~
tux
You think BitLocker closed-source from Micrsofot is more secure and trust
worthy then open-source fork CipherShed ? I would take open-source project
over closed-source any day. Linux Action Show recently talked about "Tomb", it
looks like a nice alternative.
[https://www.dyne.org/software/tomb/](https://www.dyne.org/software/tomb/)

~~~
pyre
It's possible for a closed-source product to be written by experts, while the
open-source competitor is only written by hobbyists. When it comes to crypto,
you probably want the experts.

Also, someone needs to actually audit the source code for the 'open-source'
part to really come into play (other than from the discontinuation of support
angle). Even with open source code, it's only really been recently that
TrueCrypt itself ever got any sort of in-depth audit.

~~~
Tomte
In the case of Bitlocker we know that Niels Ferguson is behind it. The name
might ring a bell.

~~~
guiambros
[http://en.m.wikipedia.org/wiki/Niels_Ferguson](http://en.m.wikipedia.org/wiki/Niels_Ferguson)

 _Niels T. Ferguson (born 10 December 1965, Eindhoven) is a Dutch
cryptographer and consultant who currently works for Microsoft. He has worked
with others, including Bruce Schneier, designing cryptographic algorithms,
testing algorithms and protocols, and writing papers and books. Among the
designs Ferguson has contributed to is the AES finalist block cipher algorithm
Twofish as well as the stream cipher Helix and the Skein hash function.

...

In 2001, he claimed to have broken the HDCP system that is incorporated into
HD DVD and Blu-ray Discs players, similar to the DVDs Content Scramble System,
but has not published his research, citing the Digital Millennium Copyright
Act of 1998, which would make such publication illegal.

At the CRYPTO 2007 conference ... Niels Ferguson and Dan Shumow presented an
informal paper describing a potential backdoor in the NIST specified
Dual_EC_DRBG cryptographically secure pseudorandom number generator. The
backdoor was confirmed to be real in 2013 as part of the Edward Snowden
leaks._

------
hmhrex
Anybody use this yet? What's the legitimacy of this compared to Truecrypt's
fallen domain?

I see that actually list the developers which is nice. But unfortunately I'm
not too familiar with the big name's in cryptography software.

~~~
acqq
Reading the "news" section, they actually still haven't made any changes, they
just managed to compile it!

Some other place that forked the TrueCrypt sources to some repo (VeraCrypt)
managed to change a few constants and make the containers incompatible. At
least they addressed a known TC weakness: the low number of PBKDF2 passes.

Finally, the contribution of the TruCrypt.ch (TCNext) is that they put the
original sources and binaries behind a new domain name and wrote "TrueCrypt
must not die."

In short, it's easy to put other's work behind a new domain or in another
repo, it's hard and costly to do the real development.

------
geuis
From what I understand the author(s) explicitly do not want this forked. The
license has not been changed, and whatever fork this is will be from an older
Linux repo.

------
higherpurpose
Is this the same or different project from the TrueCryptNext one?

