
TrueCrypt must not die - joshcrews
http://truecrypt.ch/
======
buddylw
Also, it appears someone finally got a hold of a Truecrypt dev. The project
was just shut down from lack of interest. No drama about auditing or, crazy
NSA conspiracies after all:
[https://twitter.com/stevebarnhart/status/472203503478509568](https://twitter.com/stevebarnhart/status/472203503478509568)

Edit: That tweet was deleted for some reason, but the rest of the thread is
still there:
[https://twitter.com/stevebarnhart/status/472192457145597952](https://twitter.com/stevebarnhart/status/472192457145597952)

~~~
mschuster91
For me this tweet is 404, what is its content?

~~~
xcrunner529
Sorry, I didn't really want people trying to further bug the supposed dev.
Steve Gibson has a good enough roundup. I wish he didn't use my info though :)

~~~
el_duderino
You'll be alright.

------
tptacek
It would be nice if the people who pick up and run with the "reboot" of
Truecrypt's project management had a background in cryptography. Do these
people?

~~~
rsync
Did you not see the .ch domain name?

You can rest assured.

~~~
tptacek
Also what is it with the people who suddenly seem to believe Switzerland is a
cypherpunk haven? It _really_ isn't.

~~~
pbsd
It's _clearly_ a ploy to get everyone backdoored. Just look at Crypto AG.

~~~
tptacek
Hm. Is that Webster's definition of "clearly", meaning "easy to perceive,
understand, or interpret", or HN's definition, as in "it's clear someone or
some agency got to the developers and they just pulled the ejection seat for
their own legal protection"?

~~~
pbsd
I was hoping the italics spoke for themselves, but I'd better clarify it's the
latter. It seems to be an Internet-wide phenomenon to jump to the most
bombastic possible conclusion given a limited set of facts.

~~~
tptacek
Sorry, I was just trying to use you to riff.

------
callahad
I don't believe the TrueCrypt license allows this kind of redistribution, does
it?

Then again, with anonymous developers and unknown jurisdiction, it may be
moot.

~~~
Lagged2Death
It says derived programs shouldn't be called "TrueCrypt" and shouldn't be
ascribed to the original publishers, which honestly seem like pretty mild
requirements.

[https://github.com/warewolf/truecrypt/blob/33c0b8457051796fa...](https://github.com/warewolf/truecrypt/blob/33c0b8457051796faae1249950cb896dca027e49/Release/Setup%20Files/License.txt)

~~~
cornholio
So they are right off on the wrong foot, with that domain name.

I believe any TrueCrypt fork should require contributions to be dual licensed
under TrueCrypt's original license and BSD. In time, the project can shed
original files and re-implement them under BSD or any other GPL compatible
license.

~~~
Angostura
So far there isn't any derived code. The truecrypt.ch domain seems a
reasonable place for people to regroup. If/when a new release comes out, the
community can think about a new name and register a new domain.

------
bitJericho
My opinion, the fact that some security researcher was going to be getting
more money than the actual developer ever made off the project must have been
infuriating. I think that's good enough reason to burn the project to the
ground.

~~~
Andrew_Quentin
or not start it at all

~~~
bitJericho
The license issues surrounding TC are reason enough to not restart the
project.

------
voltagex_
The signatures and binaries are not served over HTTPS. It would be prudent to
compare them to other sources.

~~~
dendory
Actually it would be good if the webmaster behind this reboot got SSL set up.
Especially if this is going to be the new most authoritative download source.

~~~
zurn
SSL is better than no SSL, but for better assurance they should offline sign
the downloads.

------
nhayden
This looks like a bootstrap site that was thrown together in an hour by two
guys with twitter accounts and $10 for a domain name. I really doubt they're
going to be doing any dev work.

~~~
aliakbarkhan
Why does the amount of effort on the site matter? I don't understand how that
tells you anything about the project or its likely outcome.

~~~
thefreeman
well the fact that they are asking for a copy of the original site isn't a
good start.

The original devs made it clear they don't want people to continue with the
TrueCrypt name. If they were really interested in continuing the project for
the sake of security they would have chosen a different name.

~~~
TuxLyn
Original site archived here >
[http://archive.today/www.truecrypt.org](http://archive.today/www.truecrypt.org)

------
100rsa
Still have no idea what the "unfixed security issues" are, and few guys
mention it. I imagine the "security issues" would be (if they exist):

1\. because keys are easy to steal by cold boot or trojan.
2\. because it has a backdoor that will save the key to a hidden place.
3\. because it will leave some information in another place, like 2 but it's
an implementation problem.
4\. because it uses a vulnerable algorithm to generate keys.
5\. because pbkdf2 or aes256 is _broken_ but nobody knows it.

Excluding 2 and 3, changing to other software doesn't help at all, the
algorithms are almost the same.

~~~
xcrunner529
If we believe the person I was in contact with (big IF, I know), there are no
current issues, but it is by definition "harmful" to continue use because it
is no longer being maintained. In fact, the person requested I tell Steve
Gibson to not distribute or include a notice telling people not to use it.

------
Istof
If the developers of Truecrypt are anonymous and the license doesn't allow
something like this, would this allow us to find out who the developers are if
they sue?

~~~
missblit
To what end? Just because one can steal someone's code or force them to reveal
their identity doesn't mean it's a good or nice idea.

Apologies if I missed anything, I don't follow this truecrypt stuff too
closely.

------
throwaway7767
Honestly, I was hoping this drama would result in the implementation of hidden
containers for other crypto solutions (dm-crypt, etc).

Hopefully that may still happen.

~~~
romseb
The FAQ for cryptsetup states:
[https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQue...](https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#5._Security_Aspects)

_This means that if you have a large set of random-looking data, they can
already lock you up. Hidden containers (encryption hidden within encryption),
as possible with Truecrypt, do not help either. They will just assume the
hidden container is there and unless you hand over the key, you will stay
locked up. Don't have a hidden container? Tough luck. Anybody could claim
that._

~~~
throwaway7767
I think that's a very narrow view.

It assumes there are only two possibilities, either you live in a "free
country" where you can refuse to hand over the key, or you live in a
totalitarian state where the police will decide to beat you if they suspect
you have crypto software, and will keep doing so no matter what you say.

There is a lot of middle ground there. For example in the UK, I believe you
are legally required to provide the decryption password. But I don't think the
police there would be likely to beat you if they think you may have a hidden
container. They could argue that they believe you do, and you would respond
with "prove it!", and I doubt it would go any further (unless they had some
evidence that you specifically were using hidden containers).

There is value in hidden containers in some circumstances. It's disappointing
to see the cryptsetup maintainers take this position.

------
Sir_Cmpwn
This is a bad idea. TrueCrypt should be put to bed for good. An event of this
magnitude is easy justification for dropping TrueCrypt. It serves an extremely
delicate purpose and this raises far too many red flags to ignore.

Place your energy in the alternatives. I wish you could downvote things on HN,
if only because this is downright dangerous and needs to be read by as few
people as possible.

~~~
Alupis
There is a $30,000 audit currently underway. There will be no security
problems un-turned when they are through. That's assuming there are any to
begin with (Personally, I think not).

I see no issue picking up the codebase and running with it.

~~~
Sir_Cmpwn
Of all the subsets of the software development world, crypto is the one to be
taken most seriously. TrueCrypt was always developed in the shadows, and the
recent controversy takes the nails they've set and hammers them firmly into
the coffin.

Audits aren't perfect.

~~~
Alupis
It's code. There are no secrets.

Problems come up when nobody reads the code. Right now, there's an awful lot
of people reading this code (given the strange warnings posted on the TC
site).

~~~
SoftwareMaven
That's a fine attitude for normal code, but crypto is a whole different ball
game. Linux security was significantly reduced at one point because somebody
changed _int i_ to _int i=0_, something most developers would think is a
positive. Side channel attacks are extremely easy to create and extremely hard
to find. And, unfortunately, the "many eyes" thing doesn't work here because
it requires experienced, knowledgeable eyes, and there aren't enough of those,
and they are usually busy getting paid, researching how to break software or
building their own stuff.

~~~
quasque
> Linux security was significantly reduced at one point because somebody
> changed _int i_ to _int i=0_

Could you please elaborate on this one?

~~~
nikbackm
Seems to me they relied on the uninitialized memory of a stack variable as a
partial source of randomness for key generation.

Initializing the variable with 0 removed that part.

~~~
quasque
Your explanation makes sense. Though I'm still curious as to when this
happened and what the impact was.

------
Paul12345534
I would love to see it live on with no new unneeded features, no changes made
unless they are to fix bugs. Keep a stable long-term product and get as many
people as possible looking over that code for flaws.

------
christianbryant
Search off the phrase "TrueCrypt Developers Association. All rights reserved."
and you will find many other projects that include embedded TrueCrypt code.
Food for thought...

------
read
_Anonymous development on a security relevant Project is no longer an option._

Why not?

~~~
jaibot
Because trust is an important commodity on a project like this. Higher trust
means fewer horrible things slipping past the review process.

~~~
sentenza
Anonymity is out and I'd say that being an "independent" crypto person who
has to defend themselves will not get you very far once you have come to the
attention of the wrong people.

So what options remain for the person that starts the "next Truecrypt"? The
only true safe haven I can think of is employment at a public university. In
many countries here in Europe the security researchers working at universities
can operate under what is called "academic freedom".

I wonder how that will be destroyed.

------
thought_alarm
Why don't you send TrueCrypt.org a few dollars then?

~~~
wyager
The developers have already decided to call it quits. More money probably
won't help.