He Always Had a Dark Side (atavist.com)
1304 points by pwnna on March 29, 2016 | 351 comments


Original author of the story here... Just to add that 1. yes, the reporting on Le Roux's childhood is more tentative based on a family source (well backed up by docs and images sent to me). But the fact that the same Le Roux created E4M which formed the basis of TrueCrypt is something I think I've established definitively, company and site registration trails show it very firmly (and PLR himself admits it in court, but that comes in a later part of my story). And 2. for the _very_ interested, TC is actually just a small part of Le Roux's story, of which we've released three of seven parts (weekly on Thursdays). I know, TL;DR, it's a lot.


Aren't you nervous about doxxing someone like that so thoroughly?


As tptacek says, I don't view reporting like this as "doxxing." As the series hopefully shows, Le Roux was a hugely newsworthy figure for many different reasons, so reporting his background and how he got there is part of understanding where he is now. As for being nervous, many of the major players in the story are in US custody, and perhaps somewhat counterintuitively a lot of people involved want to tell their part of the story. If they have beefs, they are typically with each other not with me. I do try to be careful, though.


I am completely out of the loop on this guy!!! I can't believe it, other than this article what's the best summary of him??


To me, it's just semantics. Let's say that someone published this much information about you. And let's say that they had whatever justifications. That there was widespread agreement that it was OK. Whatever. How would you feel?


Are you essentially positing that the only relevant consideration to whether publishing information about someone is ethically defensible is whether or not the subject feels good about having that information revealed? It seems to me there is a material difference -- and a vast one at that -- between "I have done serious investigative work and wish to present evidence that Joe Foobar is a criminal kingpin who can be linked with drug-running and murders" and "I am publishing personal information about Joe Foobar because he said something mean about a group I identify with and I wish to screw with his life."


The concept of "criminal kingpin" is entirely based on "a group I identify with". In this case, some nation or government or whatever. So, as I see it, there's arguably no fundamental distinction between your two examples. It's arguably all about power.


Dude, please. Laws are abstractions and relative and whatnot, but Really Bad People do exist and the public has a right to know. Otherwise, why have journalists or even laws at all?


I personally give up once a person gets so defensive that they start excusing murderers. That a person will so quickly sacrifice their morals for their face on an internet forum, is disheartening.


All too often, people confuse groupthink with morals. With a little dialog, I suspect that we could identify some accused murderers that you would excuse.


And you're conflating moral absolutism with groupthink. Not everyone subscribes to moral relativism, as much as you might want them to. Groupthink would be to eschew one's morality entirely, and merely subscribe to some sort of prevailing opinion on morality. Which is ironically what you're asking the parent poster to do.


But myerbergs_army's stated rationale was not that Le Roux is fair game for doxxing because he's so bad, it was that he was fair game because his activities are newsworthy.


Honestly, I don't have a clue. Who gets to decide? Some murderers are presidents, and others are on trial. There's really no point in arguing about it.



Ugh, American Exceptionalism rears its ugly head yet again.

Your constitution is not the epitome of justice or democratic ideals, and is in fact deeply flawed on a fundamental level.


> and is in fact deeply flawed on a fundamental level.

I can accept that it has flaws, but on the fundamental level? It seems pretty solid at that level. The creators thought through the problems and difficulties of government more deeply than most.


It's debatable whether this is a "fundamental" flaw, but the American Constitution is basically a set of procedural rules of the game. Civil rights are an afterthought.

Most modern constitutions also need all the procedures, of course, but they put certain "inalienable rights" square in the middle of it all. The procedures are merely there to support those rights.

Different times, different mindset.


The assumption of the time was that it was common-sense that the Constitution was a whitelist, not a blacklist. There was pushback against having an enumerated Bill of Rights because then there would be a whitelist of rights, and the Founders feared this would mean that they'd miss something and in the future their government would become oppressive.

Hilariously ironic how things turned out instead.


No it is not. There are many improvements that could be made to our system, but our reverence for the founding fathers makes that very difficult.


Yes, America is exceptional insofar as every other place is currently less exceptional.


Oh the irony.


I'm not a citizen of the United States nor do I have particular sympathy for their constitution.


What about those of us who aren't US citizens? SOOL?


Use the similar document for $COUNTRYOFCHOICE


OK, but there are lots of them, and they're all hard on foreigners.


I am not arguing that murder is OK. But I do suspect that Paul Le Roux is being railroaded. I also suspect that Barack Obama, who clearly has far more blood on his hands, will never face trial.


Thanks Obama!


Use the Bible. That's something a third of the world agrees on, and the whole west is founded upon it.

But seriously, murder being bad is pretty much a human moral universal. You'll find that basic idea wherever and whenever you look (+/- various caveats).


> Use the Bible. That's something a third of the world agrees on, and the whole west is founded upon it.

http://www.haaretz.com/grounds-for-disbelief-1.10757

Falsus in unum, falsus in omnibus. Sorry, that authority is impeached.


Are moral rules situationally dependent on the personal feelings of the person subject to those rules? I would hate to be in jail, but I think it's morally and ethically valid to put people in jail in certain circumstances. Similarly I think that politicians and public figures should be subject to a high degree of scrutiny and transparency about their personal lives, even though I personally wouldn't enjoy such treatment.


By "feel", I meant more what you might feel justified in doing about it. The key "moral rule" for me is to only mess with people who have messed with me. I don't get into third-party stuff, and I have little sympathy for those who do.


So what you're saying is, it would be moral for this guy's murder victims to dox him, but not a reporter? The funny thing with murderers is that they can only really be stopped by third parties.


I have little use for assessing morality.

Anybody can do whatever they want. And they get whatever they get.

My parent question was more about the reporter's OPSEC. That is, the risks that he's taken.


Wait, what? I was directly responding to your criteria for assessing morality.


Fair enough.

I have little use for assessing the moral opinions of others.

As I wrote recently, stuff that isn't testable isn't worth worrying about.


I can't tell if you're being serious or facetious.

A given moral rule doesn't change because it's held by you versus someone else. Just like it makes no sense to refuse to answer the question of whether a fruit is an apple because it is in my hand instead of yours.

In other words, by having a moral rule yourself, you implicitly have a moral metarule: a rule about how to choose your moral rules.

Your refusal to answer the question doesn't make sense.


People have all sorts of moral rules. It tends to vary by culture, religion, and so on. Maybe you can abstract them all into some overall set. But you lose some subtleties.

But I also don't judge the moral rules that others hold. That's one of my operating principles. You can't judge without knowing that you're right. And there's no canonical source for that. I do have opinions about how well some moral rules work vs others. But that's not about judging, only assessing workability.


Germany has the concept 'people of public interest' for which different rules concerning media appearance and photographs apply. Politicians are an example. You could argue that it applies in this case as well.

Wrong country of course, but the idea as an ethical code is out there, that the public has some right for information on some, and only some, people.


U.S. law has a similar concept; see https://en.wikipedia.org/wiki/Public_figure.


Don't you know it's only ok when a given journalist has the blessing of the status quo and doesn't use automatic means (google doesn't count anymore of course, but copypasta of random code to help one on one's search is a big no no) of releasing such information?

If such a "journalist" wanted to write (about potentially classified™ information) about people working for defense contractors who create products only a minority of people care to voice dissent but has the blessing of the status quo, it wouldn't be ok because it would put lives at danger™. There is also an exception to this for when a billionaire helps you write about such info, but only less than 1% of it will ever see the light of day, and one must consult with the thought leaders™ of the status quo in order to have a voice where all the token freedom loving organizations also supported by such billionaire will blogspam such carefully vetted position on one's behalf.


I might feel upset, I guess. If you don't want that to happen, don't do anything newsworthy.


> As the series hopefully shows, Le Roux was a hugely newsworthy figure for many different reasons, so reporting his background and how he got there is part of understanding where he is now.

Wasn't this Gawker's main argument in their defense against the Hulk?


I do not understand the comparison you are trying to make. Gawker was sued for releasing a clip of the actual sex tape. Everyone involved stipulated that a detailed story about the tape would have been fine.


No, not quite. Their main argument was that it was newsworthy and "it", in particular, was the video and not the article. The article itself could exist, but without the video. The video couldn't as there was a reasonable expectation of privacy.

They were sued because they refused to take down the video and their defense was absolutely terrible in every regard including joking in legally binding statements without going through and marking them as jokes/sarcasm: so they are taken at face value in the court of law.

Making jokes about child porn ("newsworthy if the actor is over the age of four") isn't how you win over jurors.


Doxing is a targeted attack intended to harass and terrorize the victim as retribution for expressing dissenting opinions or beliefs. The ultimate goal is suppression of free speech.

Journalism is not doxing.


Isn't "doxxing people" the actual job of a journalist?


There's a difference between learning private information and disclosing it.

Publishing information on a particular private individual because the public's benefit is sufficiently great is a hard line to even vaguely pin down - a home address, all private contact methods, and enough personal data to forge their identity on a passport application is probably never warranted to publish, but you're going to acquire that information while researching private citizens for any reason, and then pare it down to the minimum required to establish whatever story you're reporting on.

One might distinguish "doxxing" as "publishing all the information you can retrieve", without any filter or goal other than making the information as public as possible.


Did I miss the place in these stories where the author published the subject's home address?


I was not attempting to insinuate that the author had done so; I was just thinking aloud on the distinction between "doxxing" someone and what journalists often do.


Does that make it okay? Do the reasons we find it socially unacceptable in other instances apply to journalists?


Who finds it socially unacceptable? Redditors?


Police officers, almost universally. Abortionists. Parents of little children, frequently. "This guy we pictured in front of a gay bar." Many people who find themselves targeted by one of the (numerous) Internet hate machines. Elected officials. Unelected officials. Anyone involved in a contract negotiation with the Teamsters. People who take substantial efforts so that ex-romantic partners do not discover where they live because of a well-founded fear that that ex-partner would attempt to murder them. Television personalities. People who recently won the lottery. People named Adolf Hitler (no, not that one).

There exist numerous reasons to not love the idea of one's personal information, particularly regarding one's work or home, put out there broadly, particularly when it is attached to information one does not control and/or in a circumstance which would tend to show it to people who do not respect standard middle class norms of detachment. Redditors did not invent concern over this issue. Many of the people with strong concerns about it are demographically dissimilar to the modal Redditor.

Edit to add: It occasionally happens that journalists will transgress upon society's norms in this area and persons sympathetic to the aggrieved parties will transgress back. I have not heard a journalist say, in response to that "OK, fair commentary, wot wot." This often comes up in the context "We have published gun owners' addresses because the public has a right to know who owns guns." "We have published your address because the public has a right to know who writes newspapers."

I feel like I've read that story ~5 times over the years. First Googleable citation: http://www.nytimes.com/2013/01/07/nyregion/after-pinpointing...


I'm a little confused. I agree that there is such a thing as maliciously or recklessly posting personally identifying information about people. Is that "doxxing"? If so, why are we pretending that this story constitutes "doxxing"?

Because that is what the comment to which I replied upthread claimed.


No relevance to this story; I've just seen you say "Doxxing is a thing that only Redditors care about" a time or three on HN, and believing that to be something that you believed generally rather than specific to this article, found it necessary to say "Actually, that's a bit more of a widely-held position than you seem to believe."


Yeah, what's triggering those responses is a Reddit-tinged reaction to nuts and bolts investigative journalism as if it were somehow contravening a new Internet norm.


There's a difference between outing details of someone's life with salacious or hostile intent and telling a story.

The fact that this guy on one hand built an incredibly high quality application that had and has a major positive impact on the world is a story that needs to be told.

The fact that he's a damaged, amoral man who is allegedly a career criminal and drug dealer is a story that demands to be told. He represents the Id of mankind -- and personifies the paradox that perfect security and privacy benefits society at large, and that society also includes the bad guys.


Maybe drug dealers are the unsung heroes of drug law liberalization. The Drug War was arguably driven by racist and authoritarian goals. So dealers are arguably freedom fighters, rather than criminals. Maybe he killed some people, but I suspect that was in self defense.


Reddit is hardly the only place. Off the top of my head, Twitter has rules against it, too.

NB: I'm not claiming these rules are good or bad. But it's not like only freaks that are members of The Other have concerns about doxxing.


Not everyone finds it socially unacceptable.


The same can be said about cannibalism.


Yes, it can. What's your point?


Personally, I interpreted the question as a shorthand for: "Aren't you afraid LeRoux could see that as doxxing, and of potential dangerous consequences to yourself?"


Yes, that's what I meant. But I do also consider the distinction between doxxing and journalism to be highly subjective. The judgment typically comes down to ingroup vs outgroup. Once someone is identified as "other", they're fair game.

This all occurs to me as a show trial. They're making an example of him, as authoritarian systems tend to do. And one aspect of that is being dragged through the mud. Being slandered. It's dog pack behavior, and I find it disgusting.


Some people who do that consider themselves journalists. But then, people who doxx people might also consider themselves journalists. It's a hard call.


Yeah, I'd like to know the answer to this as well.

Do you think there might be repercussions for this? If not, why? If so, how has this affected you?


Why should they be nervous about doing their job?

Also, one X, not two: https://stallman.org/doxing.html


> Thus, we usually have to write the name of the oil company as "Exxon", though its proper spelling is "e exx o n". (Don't make the mistake of pronouncing "Exxon" like "exon"; you will appear unsophisticated.)

The development of the Exxon exx is shown here:

http://www.logodesignlove.com/exxon-logo-raymond-loewy

It's clearly a double-x rather than any more exotic character, the styling is just that - styling.

The Wikipedia article has it as /ˈɛksɒn/ and that's the pronunciation used in their commercials:

https://www.youtube.com/watch?v=_s80Hbac2b8

So that's way off-topic. But what he says about "dox" vs. "doxx" is as much a preference as "focused" and "focussed", or "busing" and "bussing" - there's no "correct" way, not even if it is the original way.


The additional 'x' was added cosmetically, to disambiguate from (a person named) "Exon"

https://en.wikipedia.org/wiki/Exxon#History

There's no particular reason to believe they wanted to change the pronunciation as well.


>The development of the Exxon exx is shown here:

woosh


Is Stallman a new William Safire or Brian Garner? I never knew this was one of his areas of expertise. Oxford lists "doxx" as an alternate but accepted version. I don't have an OED license so I don't have access to the full etymology they use.

http://www.oxforddictionaries.com/definition/english/dox


The OED does not have listings for "dox", "doxing" or "doxxing". Well, one entry for "dox" that relates to orthodoxy but that does not apply here.


It's simple: Dox is short for "docs". Shortening a 4-letter word to a 3-letter word is sensible (albeit lazy). Shortening a 4-letter word to a 4-letter word ("doxx") is stupid.

I don't know why people spell it with two. Maybe they think it looks cooler? But really it's hacker slang for "I accessed and published sensitive information about an individual" and is in most cases horrible.


> Don't make the mistake of pronouncing "Exxon" like "exon"; you will appear unsophisticated.

This is some really advanced trolling, on the level of the emperor's new clothes.



Does he really think he can just imagine things, and then convince other people they are true?

Wikipedia says:

> The company initially planned to change its name to "Exon", in keeping with the four-letter format of Enco and Esso. However, during the planning process, it was noted that James Exon was the governor of Nebraska. Renaming the company after a sitting governor seemed ill-advised, and the second "x" was added to the new name and logo.

No mention of them wanting to name the company with a greek chi but not having that on their typewriters.

To be fair, the wikipedia claim isn't cited. Neither is rms's of course.


Convincing other people of things that are false is standard practice every April 1. I believe that whole Exxon article is an April Fool's joke.

...although looking at it more carefully, the doxing article is not dated April 1, and it has the same claim in it. Maybe he forgot what he was doing and successfully trolled himself. I don't know. But yes, the Exxon thing is obviously, demonstrably false.


Like I say, it's impressive. I might have to try it myself this Friday.


Also, if I understand him right, he insists that the oil company Exxon is mis-spelling as well as mis-pronouncing its own name, and he knows better. rms is an interesting guy.


That's an unorthodoxx opinino.


The birth certificate says, "Paul Calder Le Roux", but the diplomatic passport names him, "Paul SOLOTSHI Calder Le Roux".

What's with the SOLOTSHI? Was that a nickname, an additional real name, or just a false name he threw in to the mix?


Am I the only one who first read it as "Satoshi"?


There are some interesting circumstantial connections to Satoshi:

Considered to be a "brilliant" programmer with a strong C++ background - Most people would call you crazy if you attempted to put a 6 billion dollar prize behind an internet facing application without memory safety

Author of crypto/privacy software - E4M and possibly TrueCrypt written in C++

Experience hiding identity both online and off

Millionaire - Satoshi never converted any of his btc fortune

Anti-authoritarian

Understands the benefits of digital currency - Has millions of dollars stacked in boxes

Understands the payment problem - Illegal prescription drug marketplaces

Has an interest in internet gambling software - The first version of btc actually had some code for a marketplace and poker: http://imgur.com/a/NPiIs

Multifocal - Satoshi vanished around April 23 2011 to "move on to other things"

South African spelling/phrasing - analyse, colour, defence, bloody hard


> South African spelling/phrasing - analyse, colour, defence, bloody hard

That's common across all of the Commonwealth countries. Could easily be Australia or NZ. If he calls traffic lights 'robots' you could be certain.


I was analysing the robot and this zef prawn offered me a sweetie. Fook prawns.


Satoshi's original code wasn't considered brilliant, though. Not crap, but more in the style of an academic that understood programming than that of an experienced programmer.

The code was written as a basic proof of concept, not with long term maintainability in mind, and the code for the wallet client was not well separated from the code for parsing the blockchain, or from the networking code or from the mining code, etc...

No brilliant programmer would have been willing to publish such a rudimentary proof of concept when interoperability and network effects are such important parts of its main idea.


Brilliant code != beautiful code. Dan Kaminsky called Satoshi's programming alien technology with regard to security.

I haven't looked for similarities but I'm guessing someone has already compared the two using Aylin's CodeStylometry work: https://github.com/calaylin/CodeStylometry


This was a pretty amazing presentation on the above project if you're interested in stylometry: https://www.youtube.com/watch?v=YMa04HovKfs


You've never seen a genius half-ass something?


No - I read it like that too - before a double take. Now that would be a story :)


Satoshi Nakamoto: Arms Dealer

Coming to a theater near you, this Summer.


Also read it that way the first time and lost my mind for a second.


You are not.


Solotshi appears to be a very uncommon Congolese name. Le Roux's story starts in Africa, and the author alleges he was an arms dealer - maybe there's some connection there.

http://forebears.io/surnames/solotshi

Or maybe, as the above website shows, it's an alternative spelling for a similar Moldovan or Georgian name? I have no idea.


Fascinating story!

The funny thing is, if someone wrote a novel with this plot, I would probably dismiss it as too far-fetched. Sometimes truth is indeed stranger than fiction.


But E4M is not Truecrypt, see the post of jron citing Wikipedia here.

https://news.ycombinator.com/item?id=11382303

Paul Le Roux stole E4M source from SecurStar, and TrueCrypt programmers "forked" that source code. So Paul Le Roux surely didn't "write" TrueCrypt as such, isn't the current title here on HN inaccurate?

Mods can we please have the real article title

"He Always Had a Dark Side"

here instead of the current one?


Read the article before flaming. The author lays out a very well supported case for concluding that PLR wrote the E4M code then was hired by SecurStar to turn it into a commercial product. Also claims PLR was one of the TrueCrypt programmers, so yes, the title is accurate as far as what the author is claiming in the article.


Can you please quote the exact part where we can see that PLR was one of the TrueCrypt programmers? I somehow missed that what you claim while (admittedly) speed-reading, namely, I've got only this in the article:

"Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green".

And also as Mahn writes:

https://news.ycombinator.com/item?id=11383392

"The article is unclear as for whether he was still involved with TrueCrypt by the time they got him though. It sounds like he had quite a lot going on to even care for TrueCrypt at that point."

I surely don't dispute that PLR wrote E4M and that TrueCrypt was kind of "fork" of that (see again my older post). But the following product is not the same thing as the original source, just as Marc Andreessen didn't "wrote the Internet Explorer" even if the latter was once based on some Mosaic source.

And HN is generally against editorializing the titles to make them more linkbaity. And this one is surely such at the moment.


OP of this post here. Not sure why you're downvoted and tried to upvote it to rebalance.

I also realized after reading the article for the second time that it did not say that PLR is TC's author directly, but rather that it is unclear if he is.

I made a mistake while first posting as my reading made me believe he's the author of TC. I tried to point it out here: https://news.ycombinator.com/item?id=11382412

Additionally, Matthew Green's twitter also further reinforced that belief. However it is too late for me to change the title but I'm not sure what I would even change it to. After all, it seems his original work is the foundation of TC (which you can argue to be different, but the title question remains).

Edit: @matthew_d_green's twitter has also published corrections at this point. However when I first learned about the post I only saw his initial tweet. It's a shame that I didn't realize that PLR is actually not the author/maintainer, tho.


Thanks to you and lvs. At least I see the title was just changed to the original article's from the linkbaity one to which I've complained. Now it's finally

"He Always Had a Dark Side"


I'm not sure if that accurately reflects why this is relevant either. I think it is fairly significant that PLR is very much connected to TC (and it is suspected that he is involved with TC financially).

I do not have a better title suggestion at this point, however.



But this means absolutely nothing.


I'm not sure why you're getting downvoted. I agree. The article does not say what the HN title says. It's plain as day.


> Paul Le Roux stole E4M source from SecurStar...

> I surely don't dispute that PLR wrote E4M....


Writing something is not equal to owning. The topic here is the source in ownership of SecurStar which apparently PLR produced while working for SecurStar.

Just like if you'd work for Microsoft and then the code you produced while working there, under the contract that you've signed that the code belongs to them, you put into your own program. You wrote the program but the code you've put there is stolen.


Ahoy, moderators! Could we add a subtitle so that there's some context for the headline? He Always Had a Dark Side: How a multi-millionaire international arms dealer wrote the code for TrueCrypt


Please, turn this series into a podcast. If done well, it would be as compelling as Serial. It would be a compelling character study.


Why does everything have to end up in a podcast?


Because reading is such a drag.

No, but really, turning a long text into a podcast can really add to a work. Just look at something like Serial.


Serial works this way because it uses a lot of interviews from external folks. That would not work at all in writing. You have to design for reading or design for podcasting, there's rarely a case where something works well on both media.


Yes, but I think it's probably possible that interviews could be conducted. Maybe interviews were even already conducted and recorded for this approximately 50,000 word series...


Ok -- this is badly tripping me out. A former employee of mine in the Philippines is (was?) his wife. I'm pretty sure I met this guy while I lived in the Philippines. Even though I haven't seen her since 2008 (I think?) her family contacted me about 2 years ago wondering if I had spoken to her (I hadn't of course).


http://journal-neo.org/2015/06/12/paul-calder-le-roux-arch-v... reported the same last year, although without the evidence you mention.


Brilliant writing; some of the better long-form I've discovered..


You might like longform.org.


When do you think Le Roux first knew that you were working on this story?


Long form is awesome, but it's not for everyone. Have you considered also publishing a summary document? (Instead of letting random commenters do it.)


Absolutely excellent reporting and writing. I'll start reading the other 2 parts now.


It's light years away from the New Yorker, in style, facts, and content.

I would not be surprised if it's a false alarm, like the Satoshi "exposure".


The story is really, really captivating and really Bond-ian. Thanks for telling it so far.


Fantastic story! I'm really excited to read all 7 parts.


I really enjoyed reading all three parts. Many thanks!


Really well written. I have to read the other two yet.


Set up a Patreon. I'll throw in $20 per article for long-form journalism like this. Youtubers who make long-ish videos (i.e., EE's who tear down industrial gear narrating analysis[1]) have recently taken to this model and it's absolutely fantastic. My money goes to support the continued generation of new content, cutting out the middleman. "Pay because it's good" is the best content monetization model yet.

[1] Ben from Applied Science [https://www.youtube.com/user/bkraz333], Mikeselectricstuff [https://www.youtube.com/user/mikeselectricstuff] and AvE are all incredible. Some of the underappreciated but really educational channels are Shahriar from the Signal Path [https://www.youtube.com/channel/UCKxRARSpahF1Mt-2vbPug-g] and Paul from Mr Carlson's Lab [https://www.youtube.com/user/MrCarlsonsLab], along with HAM'er W2AEW [https://www.youtube.com/user/w2aew]. These guys don't even have Patreons - they just do it because they want to disseminate knowledge.


But Atavist actually sells content. Why don't you just pay Atavist Mag?


Are you me? I subscribe to Applied Science, AvE, Signal Path, and W2AEW. I'll have to check out Mikeselectricstuff and Mr Carlson's Lab. EEVblog is missing from the list, but arguably that one goes without saying :-)


Another addition to the above excellent list is "bigclivedotcom". Lots of teardowns of cheap Chinese electronics with an eye towards what exactly makes them dangerous. https://www.youtube.com/user/bigclivedotcom/videos


Clive is the best. Sometimes the cheap eBay gadgets get a little repetitive, but he does mix in a lot of different stuff. I really enjoy his videos on printing circuit boards and making his little 'nixie' lamps. He's just fun to listen to.


Clive is really awesome! Re-ignited my electronics flame :)


Are you I? :)


Get your grammar correct before trying to be a grammar pedant.


Have an upvote. Was just trying to joke around, but then again, this isn't Slashdot or Reddit.


The writer is one of the founders of the magazine that published this story, he'd be cutting himself out by setting up a Patreon.


"Pay because it's good" is the best content monetization model yet.

Glad to see this sentiment here.

If Patreon is too involved, content creators can also put a PayPal tip jar on their site:

http://micheleincalifornia.blogspot.com/2015/11/how-to-make-...


I think Patreon is a tough sell for 'long-format' journalism because there's such a large gap between stories.


There's an option to pay per content released instead of monthly.


Awesome, thank you. In fact I was already subscribed to all of those channels except AvE and MrCarlsonsLab, so given that I just subscribed immediately without even checking out the videos.


I don't read long content on LCD screens, I really wish for a (paid and proper) ebook release. Is it possible? How could I be notified?


You should edit the line that implies that everyone on Reddit is a troll.

That's basically trolling in itself: "a troll like the type of person you'd find on Reddit"

Reddit fucking rocks and an AMAZING amount of quality people/content comes from Reddit...


> Lulu told me that when Le Roux was 15 or 16, in the late 1980s, the local police raided the family home and arrested Paul for selling pornography online.

This seems a bit odd to me, having lived in South Africa at that time. There's almost no way a guy at home would have had that kind of access in Apartheid South Africa to the internet back then. There was access, but it was through big companies or academia and on a very controlled level.

Here's a quick rundown of internet access in South Africa during that time period from Wikipedia. From experience, it is accurate.

> The first South African IP address was granted to Rhodes University in 1988.[1] On 12 November 1991, the first IP connection was made between Rhodes' computing centre and the home of Randy Bush in Portland, Oregon.[2] By November 1991, South African universities were connected through UNINET to the Internet. Commercial Internet access for businesses and private use began in June 1992[3] with the registration of the first .co.za subdomain.

You might bring up stuff like BBS, but that was not around in South Africa until after 1990 also. You could technically have imported hardware and connected to a BBS in USA, but the costs involved and control of the only Telecoms operator allowed in Apartheid South Africa (Telkom) would have been unaffordable. Especially for Krugersdorp. I doubt you'd get some kind of USA led local police raid for pornography in Apartheid South Africa either. The whole thing would need some serious evidence.


There was a small community in South Africa that used to connect to the Internet around that time by dialing into X.25-connected modems. These seemed to be owned by banks or insurance companies, and would allow break-outs to US modems that allowed local calling to ISPs. The information about the numbers and credentials were shared on local BBSs.

Source: was personally involved


I agree. I used to do the same from France. Got me a HELL of a lot of trouble in fact, as I've racked up a huge X25 bill with one company, and accidentally registered under my real name to a Texan BBS that was later involved in the Hacker's Crackdown.

Also, on the note of 'porn online in the late 80's' is probably impossible, as there were no digital cameras, no scanners to speak of, and the only 'porn' you'd have found would have been rare, and very, very data intensive for the days. I know. :-)

And /most/ countries' police forces had absolutely no clue whatsoever about 'online', 'computers', 'modems', 'internet' and 'keyboards'. I know the French didn't!

Those were the days, etc etc :-)


He could have been selling actual magazines and tapes, rather than digital files. As I'm sure you remember, snail mail orders were part and parcel of the BBS world for all sorts of things.


To run a BBS you need nothing more than a C64, a 300 bps modem and a phone line. Also, I'm not sure if you know anything about phone phreaking but in the 80s it was pretty much the preferred method of connecting to BBSs internationally.


Yes but from a teenager in Krugersdorp? And South Africa did not have such easy access to the international telephone market. The country was in the middle of economic sanctions at the time - international calls had to be placed through a switchboard with the government run telecom monopoly provider - Telkom. They also cost a literal arm and a leg for a couple minutes and were heavily monitored by the Apartheid regime. An actual police state.


There were FidoNet systems as early as 1988: http://www.textfiles.com/fidonet-on-the-internet/n1988/nodel...

Look for "Region,49" and you'll see a small number of them, but they were in Port Elizabeth, Cape Town, and Johannesburg.

Whether they could actually dial out to the rest of the world is open to question, but they would have needed to at least be accessible from the outside world for them to even be on FidoNet in the first place.


Wealthy kids have access to toys others don't. I knew what a modem was and why I wanted one long before I actually got my hands on one, because I'd seen American teenagers using them in movies, eg War Games in 1983 (which I rewatched recently and was rather surprised to find it still holds up for what it is). Also, there may have been no need to call internationally. When I was into home and later business computers as a teen in the 1980s in Ireland (which was then as economically benighted as SA for quite different reasons) things like porn, bbs software, and lists of 'interesting' phone numbers were circulated on floppy disks; I ran a safe stash out of my school locker because the teachers thought I was too nerdy to be mixed up with the 'delinquent' kids. A single sided 5.25" floppy seemed like oodles of storage space back in those days XD

I don't find this claim so remarkable, though it's certainly possible that the details are fuzzily remembered nearly 30 years later.


As a teenager in the US, it was one of my main activities, so I can believe the age. I'm not sure about how it would go in SA.


> I'm not sure about how it would go in SA.

In Krugersdorp in the late 1980s? And the police were on the case - both in terms of being tech-savvy enough, and not having more pressing concerns? (1)

Let's say that it's an extra-ordinary claim and we'd like a little more weight behind it.

1) http://www.saha.org.za/ecc25/ecc_under_a_state_of_emergency....


The police likely intercepted material delivered via regular post, and worked their way up from there. No need to know how something was ordered, as long as selling it is illegal.


Teenager in the US at the same time.

Yep, this is exactly what we did with our 8-bit machines and modems at the time.

We were global even then.

EDIT- LOL. I guess the HN downvoters have proof this isn't what we were doing back then???


I didn't vote, but my guess would be that this is a me-too comment, which the community discourages. If you wish to echo a parent comment, it's expected that you add a significant contribution.


I'm not sure if there were additional barriers to blue-boxing out of SA, but I know people went through SA...

"In the Esquire article, Captain Crunch narrates excitedly to his interviewer Ron Rosenbaum the process by which he connected a single long-distance call via switching stations across Asia, Europe, South Africa, South America and the East coast until he reached a specific telephone in California."

Depends how much chance you have to lose yourself in an internal SA call to one or more SxS COs before the overseas hop, you could be pretty hard to catch. But, if there wasn't a lot of international traffic they could just snoop on the overseas hop and figure out who you were.


First time I saw a modem in SA was on a farm in the (late) 80's in the Karoo. I was from Jhb. Krugersdorp doesn't look that insane to me! I used to get Amiga stuff from an acquaintance who ran a BBS around '90 and regularly connected overseas. He had some trickery he used to get around phone bills, police state or not.


There probably weren't many such teenagers who did that. However, the likelihood that a particular such teenager did that, given that said teenager later wrote popular security software, seems pretty high.


I used to attend computer science classes in Vereeniging on Mondays after normal school. It was at another school, and I had to travel about 70km to get there. I did them from standard 8 to matric, 1986 to 1988, and in 1987 we dialled into something and connected to someone in New York, I think it was. I wasn't all that into it so probably missed a lot of the detail, but it was a big deal for the school. And clearly it was possible.


"They also cost a literal arm and a leg for a couple minutes"

Really ? Honestly, that's even more interesting than the truecrypt/arms dealer story ...

Pictures ?


When they say "arms" dealer...


"On-Line" might mean on a Bulletin Board System, some of which did do pornography.


It's more likely he was using the "internet" to sell VHS tapes. Most probably via the form of Internet known as Beltel (I worked on Beltel for a while) and that is quite plausible.


I also thought it was interesting to learn that South Africa did not introduce television until 1976 (assuming this article is correct).

https://en.wikipedia.org/wiki/Television_in_South_Africa


I can confirm. My gran still has (she's not using it) her original TV bought around the time. From the stories my parents tell the SABC (think BBC) initially broadcast a test signal and the early adopters would crowd around their TVs just to watch that.


I can confirm first hand - I was one of those watching that damn TV signal for hours :)


>> late 1980s [... ]arrested Paul for selling pornography online

> This seems a bit odd to me

Understatement of the week. As you say, it wouldn't have been on the Internet. I know nothing about the South African BBS scene of the time but it would have been very small. And selling pornography online? How would you even have gone about that? That would have been cash transactions down in the corner. For downloading porn at 1200 bits per second.


I didn't take that as actually transferring the porn online, but as using the BBS to facilitate sales of physical copies.


Back in the day, before video streaming or video downloading I used to buy anime fansubs online. I sent in a check to someone and they mailed me VHS tapes.


I'd have to agree. Most ZA BBSs only popped up after 1990.

http://bbs.hmvh.net/lists/the_list.htm

There were a few that were around during the late 80s, so it's plausible that there may have been BBS catering to porn. But to sell it via BBS during the late 80s? From Krugersdorp? No ways.

The people who were really in the know about stuff like this were guys like tKC from The Phrozen Crew, and in his own words, he only started catching onto BBS in 1991.

http://defacto2.net/wayback/the-life-and-legend-of-tkc-2000-...

Phrozen Crew were a very well-known cracking group during the 90s.

https://en.wikipedia.org/wiki/List_of_warez_groups#Phrozen_C...


I question the accuracy of the BBS list. There are some on there that are dated 1992 that I'm quite sure I was connecting to at 300 baud earlier than the dates given.


> Telecoms operator allowed in Apartheid South Africa (Telkom) would have been unaffordable.

Bluebeep dude! Where were you? https://twitter.com/kaihendry/status/714901743830700032


Any story featuring a character called "Randy Bush" should be taken with a pinch of salt...


Randy Bush is an awesome man who was key to getting South Africa connected to the Internet.


Why's that? Do you know who this particular Randy Bush is and his history with regard to the Internet?


https://www.youtube.com/watch?v=2K8_jgiNqUc&t=1m25s

"PILATE: What's so... funny about 'Biggus Dickus'?

CENTURION: Well, it's a joke name, sir.

PILATE: I have a vewy gweat fwiend in Wome called..."

(And he really did have this friend! Heh. Comedy, one way or another)


So he dropped TrueCrypt and told everybody it was insecure when he was picked up by the feds, fearing that they would try and force him to open a security hole? Wow.


This may be true. If you look at the timeline of his arrest and when TrueCrypt ceased development, they are around the same time.

Matthew Green also tweeted about this correlation on twitter: https://twitter.com/matthew_d_green/status/71481367667133644...


Or that someone else involved with TrueCrypt feared he would.


The article is unclear as for whether he was still involved with TrueCrypt by the time they got him though. It sounds like he had quite a lot going on to even care for TrueCrypt at that point.


Sure, but he can't assume that his captors are rational. They might very well blackbag him to some undisclosed dungeon and work him over until he convinces them that he doesn't have commit access. (Which duration might exceed his remaining lifespan, in such conditions.)


By "arms dealer" do they mean "kind of sketchy online pharmacy entrepreneur"? Because I didn't see anything about weapons in this article.

Perhaps that's still to come in part 2, but as of right now the title is extremely linkbaity.

EDIT: title has been unlinkbaitified (previously "Truecrypt was written by a international arms dealer")

EDIT2: title has been reverted to the linkbaity version (previously changed to the original title "He Always Had a Dark Side")


His name seems to be quite well known at this point, lots of stories about him cooperating with US feds in 2014-2015.

http://www.nytimes.com/2014/12/21/world/asia/in-real-life-ra...

http://www.nytimes.com/2015/02/02/nyregion/us-reveals-crimin...


He's pretty much a Bond villain from those articles, like the UN claiming he funded militias in Somalia to harvest hallucinogenic plants and shipping arms to Liberia.

Probably would've made the same amount of money charging for TC premium support instead of building a pancontinental empire of mercenaries and arms trafficking.


Lord of War taught us such people won't enter such businesses because the "margins are too small." I'd also guess it's not as exciting and brings in less attention from the ladies.


I think you underestimate how much can be made from arms trafficking!


Clearly the US makes a massive amount of cash selling weapons; yes, US is not an "arms dealer" - but likely comparable.


> US is not an "arms dealer"

> the US makes a massive amount of cash selling weapons

DOES NOT COMPUTE


It is semantics, illegal arms trafficking is a subset of the global market for arms.

https://en.m.wikipedia.org/wiki/Arms_trafficking


nxzero said nothing about legality.


Given he's called a "criminal kingpin" and compared to Viktor Bout, the merchant of death, pretty safe to assume he wasn't selling weapons legally.


I quoted you talking about the U.S.!


Then, I don't understand what your comment means. Happy to respond again if you'd clarify what you intended.


'Arms dealer': one who sells arms. The point he is making is that, regardless of what is considered legitimate, both this individual and the U.S. government are, by definition, arms dealers.

Or at least that the U.S. is an arms dealer.


No. 'Arms dealer' refers to illegal arms dealers.

https://en.wikipedia.org/wiki/Arms_trafficking#Notable_arms_...


Agree, US is not a "dealer" they're an "exporter" -- and no one selling weapons for a government would ever officially refer to themselves as an arms dealer.


'Arms dealer' = illegal arms trafficker


> Perhaps that's still to come in part 2

This article is actually part 3, the first two detail his arms dealing a little bit, but like someone else mentioned, he's a very well-known arms dealer with direct links to several murders.

Part 1: https://mastermind.atavist.com/an-arrogant-way-of-killing


Note, this is part 3 already - parts 1 and 2 lay out more of the story.


>>"He was particularly protective of Le Roux’s birth mother, making me promise not to reveal her name. “Sad and interesting story,” he said. “His real mom’s mom is married to a U.S. Senator.” When I asked him who the Senator was, he said, “That I can’t say, mate. That’ll get me shot.”"

This is probably a bigger story.


He was born in '72, it's reasonable to assume that his birth grandmother was born around 1930, and that either she was of Rhodesian citizenship or her daughter was a missionary.

If this part is legitimate, that is.


It took me five minutes on Wikipedia and NNDB to narrow the possibilities down to only four senators; the rest are women, too young, married too late, or only had sons.


Might not be a current sitting Senator.


Wow, I should take a crack at it.

Any hints? Hah.


This doesn't seem like it'd be incredibly hard to prove if true. Senators' wives are a pretty limited group of people to look into for a connection.


It'd be the daughter having the child in another country in the early 1970s.

I guess there is a good chance that there is no paper trail and a very small number of people that know any details and are still alive (because it happened 40 years ago, not because of anything nefarious).


If one were actually interested, maybe one could just look at all Senators' wives' daughters who traveled internationally in that timeframe?


Sure, I think that would be revealing. I think it would be a pretty large amount of work to make that list though, and it might not lead anywhere.

(like, did the daughter go there quietly for 4 months under an assumed name because the Senator was friends with a doctor...)


I suspect this information would actually be really hard if not impossible to track down. The actions of D-list celebrities, and I am not even sure a senator's daughter would qualify that high, in the 1970s is not reported like it is in today's 24/7 news cycle.

And, I can't imagine international flight passengers were tracked that closely either, much less stored for over 40 years.


This is starting to sound dangerously close to doxing (esp. if anything found is shared), even if it's out of pure curiosity.


There's a pretty big difference between speculating about what information to look for and actually tracking it down and publicizing it.


I don't think this really contradicts what 'digibo said. That comment seems to refer to the latter as doxxing.


That's how I read it too, I just don't think we are dangerously close to doing it.


But adoption records are probably hard to get.


The mother's name is redacted from the birth certificate shown in the story.

It's the link from that name to a Senator that is missing.


Maybe? Most of this story is just an account of 1-2 people. Who knows if any of it is really true. I'm intrigued but unmoved without more data.


US Senators generally are not powerful enough to have people shot.


You are assuming the violence would be carried out using senatorial powers. Senators are generally very wealthy people, and it doesn't take that much money to hire someone to kill another person[1].

1: https://en.wikipedia.org/wiki/Contract_killing#Statistics [2]

2: I have to say I was fairly hesitant to search for that data. It's not the kind of thing you want showing up in your search history...


I met all kinds of people living in one of the murder capitals of the U.S. from public events to parties to tattoo shops. Some we know just don't bullshit. All I'll say is that I was told the hits are cheaper than new cars with the kills themselves dirt cheap. Most of the money goes to people in positions that determine what the courtroom or media will see. Lots of missing persons, etc aren't what they appear. I didn't ask for more information.

Far as Senators, they have bulletproof PR, low likelihood of prosecution, and ties with LEO's. They'll just ignore someone's claims, have legal action taken in a legit-looking way, or have LEO's harass the person. The latter tends to cause mental wear that makes the source's writings and actions become more erratic over time. They are dismissed as having mental illness. People are only killed when it's a straight-up blackop that they're also a serious, persistent threat to. That's rare given the selection process, planning, and field experience of those involved in such work.

So, I'd say the numbers on contract killing aren't relevant here. It's possible but unlikely. The only exception is those like Feingold deep in defense-related matters. An overlap between dirty Senators, money, and black ops has risk or results I could only guess at. I won't bother.


> I have to say I was fairly hesitant to search for that data. It's not the kind of thing you want showing up in your search history...

That, in and of itself, is a very interesting phenomenon, don't you think?


Yes and no. My hesitation was twofold. On one side, there was the thought that if there was tracking, it could flag something, but I viewed that as mostly an irrational fear, since I doubt there's any other indicators I put out, and I doubt I'm worth following that closely.

On the other, it's just kind of embarrassing if I had to explain why that showed up in my search history if for some reason it was exposed. That's also an irrational fear, since there's no reason anyone I know would see it, but I generally try to err on the side of caution when it comes to privacy. Really, I was thinking "I hope I remember to look up this comment if this ever comes up for any reason, because that could be awkward..."


It's not an irrational fear.

Here's what happened when a husband and wife separately searched for information on pressure cookers and backpacks:

http://www.thewire.com/national/2013/08/government-knocking-...


> The study [by the Australian Institute of Criminology] also found that the average payment for a "hit" was $15,000

That's a surprisingly low amount. I'd've guessed $100k+ or more.


That is average. Since no one will investigate the death of some low level guy with criminal history (just gang warfare for redistributing the market) I guess you could find them on the low end. And that leaves some bigger sums for the high profile targets.


Lower still in places like Amsterdam. Really.


I'm not sure I'd take that assertion at face value. It seemed to read more on par with something like "I took my mom's car for a ride, if she finds out, she'll kill me" kind of hyperbole. Could be wrong, since there are arms dealers involved, but still, I don't think they rub people out like that and risk exposure.


Not openly, but let's say some powerful people have powerful friends in government, who both have troublesome enemies. If those troublesome enemies were no longer a part of the picture, things would work out so well for everyone, don'tcha think?


What a blanket statement with no backing. Do you mean in their official capacity? If so, state this. Do you mean they don't have the unofficial connections? If so, you're out of your mind.


Depends on which Sub Committee they are on, and what position they hold on it....


I wouldn't assume it was the US Senator who'd want to have him killed.


Sure they are, anyone with money is powerful enough and Senators generally have truck loads of money.


Having someone shot is pretty cheap.


They can do favors for such people.


They've had to resort to drowning people themselves on occasion.


"Shortly after TrueCrypt version 1.0 was released in February 2004, the TrueCrypt Team reported receiving emails from Wilfried Hafner, manager of SecurStar, claiming that Paul Le Roux had stolen the source code of E4M from SecurStar as an employee. According to the TrueCrypt Team, the emails stated that Le Roux illegally distributed E4M, and authored an illegal license permitting anyone to base derivative work on E4M and distribute it freely, which Hefner alleges Le Roux did not have any right to do, claiming that all versions of E4M always belonged only to SecurStar. For a time, this led the TrueCrypt Team to stop developing and distributing TrueCrypt" - https://en.wikipedia.org/wiki/E4M


What a fantastic piece of journalism, I'm totally hooked. Love these long-form pieces when they have something really and truly meaty to work with. Very grateful for the chance to read it, thank you for posting it over here.


Looking at the article again I realize the headline here may be incorrect. It is not proven that Le Roux wrote TrueCrypt, but he definitely built the foundation for it.

> Hafner and his SecurStar colleagues suspected that Le Roux was part of the TrueCrypt collective but couldn’t prove it. Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt who led a security audit of the software in 2014. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”

Interesting read, regardless.


On a slightly related question, what are you guys using instead of Truecrypt for virtual encrypted disks?

I use a bit of confidential data for research, and keep the identifiers on a TC container, but since it is no longer maintained I wonder when will it stop working and if VeraCrypt/CipherShed are good or not. I don't access the data that often, so speed is not that big of a deal, but the ability to cover my back is always good (e.g. say "I used XYZ which was deemed as the best free alternative at the time")


VeraCrypt is being very actively developed, including fixing a number of bugs that were found in TrueCrypt. Watch my interview with the main developer here, including some analysis of the code showing that perhaps different people worked on it over different time periods:

https://twit.tv/shows/floss-weekly/episodes/340


grugq made a nice list of alternatives to Truecrypt [1].

I also personally use Tomb [2] containers and dmcrypt/luks [3] for full-disk encryption on both Linux and Android.

[1] http://grugq.tumblr.com/post/60464139008/alternative-truecry...

[2] https://www.dyne.org/software/tomb/

[3] Setting up Archlinux with dmcrypt/luks only takes a few extra minutes during install: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_... and Android uses dmcrypt when encryption is enabled.


Can we please have a little less narrative and a little more information sources?

Has anyone confirmed any affirmation in the article?


This is what I'm wondering. Is this simply going to turn into another Satoshi hunt?


Paul LeRoux is probably Satoshi. Consider: his latest known posting is from Mar 2014. http://p2pfoundation.ning.com/forum/topics/bitcoin-open-sour..., two months before Truecrypt shut down.

(/sarcasm)


I did a bit more research, and found http://cypherpunks.venona.com/date/1997/02/msg01715.html citing Le Roux on digital cash.

(It's not him, by the way, found an active twitter account for that person. Just having some fun creating a conspiracy theory.)


Of course by some legal interpretations, distributing Truecrypt on the Internet would satisfy the very definition of international arms dealer.


Indeed. Google ITAR. I remember 90s web page protests.


First McAfee http://www.huffingtonpost.com/2012/11/19/john-mcafee-belize_.... Now Le Roux. What is up with the security software guys? Are they destined to be evil geniuses?


The curse of government looking over your shoulder constantly, the mental wear of being harassed. If you're unhinged it's easier to paint you the villain, especially if you do end up doing some questionable things.


Wow, that was quite the read. If all is true then hats off to the reporter. That was some seriously impressive reporting.


It reads like a good script for Hollywood blockbuster!


> On a website for the party, Cincinnatus posted an “after-action report.” “I’m making a note here,” he summarized, “huge success.”

It's hard to overstate my satisfaction!


>He was, in other words, a troll: the kind of person you might find on Reddit

I think it's funny that reddit is the go-to example of an internet shithole, instead of something like 4chan.


It's probably just that more people have heard of reddit and can easier relate to rather than 4chan. Although it's probably unfair - I am using reddit for a few years and they have tons of amazing communities and le reddit army (swatters, Boston bombers, etc) are amazingly easy to miss unless you're looking for them.


4chan is a shithole without a visible record... reddit on the other hand not only has a record it has meritocratic system aka karma that promotes harassment and internet trolling "just for the lulz and karma"


I think it's funny that both of those sites seem to get represented by a more vocal and publicly visible subset of their users, and in 4chan's case by a slightly unfair-seeming set of associations between anyone using the term "Anonymous" (despite the fact that Anonymous is simply a name that one can take up without it implying any real link to a group), the one board out of many that is apparently implicated in anything "Anonymous" does, and the site as a whole.


Simply being obnoxious is not being a very good troll.


What publication is this affiliated with (or: who is paying for this)? "The Atavist" seems like a platform for self-published journalism?

The writing style is weird; this looks more like someone's smash job. Why does www.atavist.com go to a sales page? And where's the nutgraf?


It's part of their magazine - https://magazine.atavist.com - based on their web app https://atavist.com/


The narrative is quite, eh.. tentative. Nevertheless an entertaining read, start at the beginning here: https://mastermind.atavist.com/an-arrogant-way-of-killing



In the cloak and dagger world the difference is not that clear.


tl;dr: the article describes the origin of one of the 'masterminds' of the truecrypt collective (the group that programmed truecrypt). It describes how his upbringing led to his viewpoints on privacy, hints at a conspiracy to eliminate public cryptography and talks about something called a 'cryptoparty', which I'm still scratching my head about. The article also hints he may have been involved in the illegal drug and arms business.

Entertaining but not meaty with the evidence.


Back in my youth, I recall a "cryptoparty" being a meatspace event in which people handed out and signed each other's keys in order to create a web of verified trust.


Yes. It was a thing people did for a while to attempt to bootstrap PGP/GPG's web of trust, as you say, but also as a PR sort of thing. Crypto was even more black-arts then than now, and with some of the demonization due to the war with the Clinton administration over ITAR, you heard some of the same stuff you hear now about having something to hide, enabling terrorism, etc. (At the time, the "Four Horsemen of the Infopocalypse" - drug dealers, pornographers, terrorists and kidnappers - were the boogie men; it seems kidnapping is less scary these days, so that one gets left out.) Showing how it worked was good PR, as far as it went; I saw a lot of people get that little kid with a decoder ring look.

It was mostly a cypherpunks thing, but I understand others sympathetic to the idea picked it up. There were quite a few in the Bay Area, ca. 1993-97-ish. Perhaps later.

I recall one entertaining party where proof of identity via government issued paper was forbidden.



If Le Roux was arrested in 2012, what was the mechanism of the May 2014 discontinuation of TrueCrypt?

In other words, who actually did that?


That could have been automatically triggered by some kind of dead man's switch.


The announcement contained information that you couldn't really set up in a dead man's switch payload years earlier:

> This page exists only to help migrate existing data encrypted by TrueCrypt.

>

> The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

http://truecrypt.sourceforge.net/


Well, the end of support for Windows XP in 2014 was announced in 2008. Windows Vista and 7 were available, and the Windows 8 launch was at hand before the date of his arrest. But the text omits to mention Windows 8.1 which was announced by Microsoft in 2013, after the arrest but well before the Truecrypt announcement was published in 2014.

This could be because Windows 8.1 was only considered a relatively minor upgrade to Windows 8 by the author, or because its existence was unknown at the time when the text was written.

This remains open to speculation, but it does not refute the possibility of a dead man's switch.


2014 is the time Le Roux is reported to be cooperating with US government, and TrueCrypt end of life "please migrate to BitLocker, it's double extra safe, promise!" message fits nicely into that.


Original author please provide a Bitcoin address for donations. Myself and other BTC enthusiasts would like to donate.


[flagged]


CHEATER ALERT!! (Note this is myrsbergs_army rather than myrbergs_army)


This is a good warning to anyone wanting to develop crypto tech anonymously. Eventually if the tech is popular it will be profitable for a well meaning journalist to investigate and reveal your identity and publish childhood photos of you.


Can I just pay for access to all 7 articles now? Having to wait another month for the last 4 makes me sad.


me too :(


Just wanted to say that it was not necessary to block out the last part on the birth certificate where it says A true copy of records kept at XXXXX. It's easy enough to find out where the records are. They can be found at Makombe building in Harare somewhere in the archives. Three copies of a birth certificate are made. One is kept at the local registry office, the other is stored at Makombe Harare and the third is issued to the holder. If your story is true you can easily bribe someone at Makombe building to show you the base copy.

In this case it even seems there are two copies to be found in Harare because there is a stamp that says Causeway Building which means the birth was most likely registered in Harare during the hyperinflation period hence the odd $200 dollar fee instead of the stamps that were used in the very old days. The birth also does not have a red streak line which means although it is typed instead of hand written it is not computerized.

It is even possible there is an even earlier copy of the record. BDH/1421/72 means the original birth was recorded way back in the Original Rhodesian days somewhere in Bulawayo (BDH).


Folks might be interested that the new episode has been posted: http://atav.st/1UWp09h

It follows the arrival of a mysterious arms shipment, and Paul Le Roux's shift toward violence, with a cameo from an animal trainer who worked with the whale in Free Willy, and also, Le Roux's private militia in Somalia.


Janet C. Phelan also wrote about him June 2015:

http://journal-neo.org/2015/06/12/paul-calder-le-roux-arch-v...


"Hafner told me that in the middle of the development work for DriveCrypt, he discovered that Le Roux was still working on E4M and had incorporated some of his work for SecurStar into his personal project. Hafner was furious. Because E4M was an open-source product, the source code that Hafner had personally funded, he claimed, could now be used by anyone to develop an encryption product of their own."

I've seen this a few times now (employer doesn't want employee to take knowledge out).


The author talks about the reporting on the ProPublica podcast: https://www.propublica.org/podcast/item/keeping-tabs-on-the-...


Please make movie with Gerard Depardieu


Cast a nutter to play a nuttier nut. Perfect.


Cryptography: not even once.

-- The US government


So Paul Le Roux's birth mother -- the one who's the wife of an unnamed U.S. Senator -- was she previously the wife of another Senator from a different state and political party?


holy shit.


more like holy fuck. This is so huge. It's huger than huge. This will surely rock the crypto scene for years to come.


It's interesting for sure, but what's so earth-shattering about it?


How so? It's an interesting story, for sure, highly interesting, but how does this affect the crypto scene? (Honest question! I am not exactly an expert in cryptography or the sociotope around it.)


Fantastic read, but... looping a video by reloading it off the server every time it's finished? You should be giving bandwidth to the poor!


I thought this was happening to me on another site, but it turned out I had developer tools on (disabling cache). Might be what you're seeing.


I suspect had this article had this title from the beginning it would've been down voted.

Why was it changed from 'TrueCrypt'?


I did not like TrueCrypt very much just because we could not choose the encryption encapsulation in any order we could choose (like something to remember like password) like in ANY order blowfish-blowfish-serpent-aes ...... etc in any length or combination. There were just hardcoded defaults to choose


> I can’t say how I’d figured out the connection between his anonymous email and the person I’d emailed previously. I can’t say what service we used to communicate, nor where Lulu lives, nor what he does.

Curious, then, that the author chooses to gender them. If the author used 'they' or rewrote sentences to be gender-neutral, it'd be one less bit of entropy.


Not really.

As much as it pains social justice warriors today, in English, the words 'he', 'his', and 'him' have a gender neutral usage.

And in any case, saying that a computer science security researcher is male is way less than a bit of entropy.


> As much as it pains social justice warriors today, in English, the words 'he', 'his', and 'him' have a gender neutral usage.

'He' is sometimes used in this fashion, but it is an uncommon use, and it's arguable that in some contexts the author actually means a man and has not considered the possibility of a woman. Certainly in this case, why would you assume that it is used in a gender-neutral sense?

> And in any case, saying that a computer science security researcher is male is way less than a bit of entropy.

Fair point.


It's just not true that it's an uncommon use, see [1] and [2]. So even with the profession left unspecified (which I believe it is, might have missed it) the entropy is less than 1 bit.

[1]: http://www.wsj.com/articles/can-they-be-accepted-as-a-singul...

[2]: https://en.wikipedia.org/wiki/Gender_neutrality_in_English#P...


> 'He' is sometimes used in this fashion, but it is an uncommon use

It may be partly due to my background (I studied law [in the UK], and it is law that all statutes referring to 'he' be read in a gender-neutral fashion unless it is clear that the opposite is intended[0]), but I never assume that 'he' refers to a man unless that is obvious from the context. The gender-neutral usage of 'he' is fairly widespread.

[0] FWIW, the updated Interpretation Act (from 1978) applied the same to 'she', though I don't recall ever reading a statute that used 'she' as the gender-neutral term.


> 'He' is sometimes used in this fashion, but it is an uncommon use

Says someone unfamiliar with Indo-European languages in general?


It seems to be cut off after "The only way out was to spill his secrets."?


>for the _very_ interested, TC is actually just a small part of Le Roux's story, of which we've released three of seven parts (weekly on Thursdays)

https://news.ycombinator.com/item?id=11382503


Interesting article.


On the off chance your account is real, what percentage of truth would you assign to the article?


the account is only 2 hours old so I doubt it is real.


Also considering he's probably in jail, I doubt he has internet access.


So, the senator(s) were Heinz and Kerry?


What a fascinating tale.


Awesome story


Could someone post a one or two paragraph TL;DR for people in here who don't have the time right now to read the entire piece? You can reasonably assume we do already a) know what tcrypt is, and b) know about the discontinuation announcement almost two years ago. May the upvotes then be with you.


Really the only "big" information presented is that Paul Le Roux, a man arrested recently by the DEA, is very very likely the same person who was the early leader of TrueCrypt. It discusses his background a lot - he was an extremely intelligent child and teenager, who started shady business practices as early as 16 when he was arrested for selling porn. He was rather poor and led a shaky life in his early twenties, and had a fairly strong anti-authoritarian belief, which is what led to his interest and development of TrueCrypt (and its predecessor projects that laid the foundation for TC).

He eventually started his pharmaceutical business and made hundreds of millions of dollars. According to sources, he became gradually "darker" as he got more money, including allegations he had people killed. And then recently he was arrested by the DEA.

The article got most of its information by a supposed relative - the reporter is convinced it's legitimate because of how much they know about Paul and their access to documents a non-family member is unlikely to have.

The other interesting new information is that his biological mother (edit: grandmother) is the wife of a US senator, but there's nothing to really collaborate that other than the word of the anonymous source.

There is no new information about the discontinuation of TC in this article. The article says that Paul disappeared from the crypto community (at least, under his own name) at about the time he started his pharma company (2004), but implied that he had worked on TC for the decade leading up to 2004. The anonymous source also said he "switched" to the pill selling, perhaps suggesting he left the TC project around that time in 2004.

If I had to guess, whoever was funding the TC developers stopped funding them. And the developers decided to move on with their lives, having worked on it for 15+ years, and possibly largely only doing so because they got paid. The "TrueCrypt is not secure" message was probably to imply that a lack of updates wasn't because they were confident they weren't needed, but rather because it was no longer maintained.


>The final "big" bombshell is that his biological mother is the wife of a US senator, but there's nothing to really collaborate that other than the word of the anonymous soruce.

His biological GRANDmother is supposedly married to a senator.


Given that this is part 3 of a series about a drug-lord, I suspect that the author is hinting/leading us to think that the "unknown financier" is Paul Le Roux, without blatantly stating it. (either as a teaser for part 4, or because there's not enough dots connected yet).


s/collaborate/corroborate/


Thank you


Not to be pedantic, but you wrote "cutting out the middleman." Doesn't patreon take a small cut? Aren't they a middleman? (Though undoubtedly one taking a much smaller share than previous ones.)


We detached this subthread from https://news.ycombinator.com/item?id=11382629 and marked it off-topic.


Visa would also be a middleman. Or even the post office if you only accepted mailed cash.


There's also gratipay, which doesn't take a cut. Still the credit card's cut, but gratipay offers bitcoin payments, which, if they implement it right, would eliminate the middleman (unless you count miners as middlemen) when the financee cashes out using bitcoin. If they implemented it wrong, then coinbase is the middleman.


> gratipay offers bitcoin payments, which, if they implement it right, would eliminate the middleman [...] when the financee cashes out using bitcoin

And tell me, how does one cut out the middleman when they convert their Bitcoin earnings to US dollars or whatever currency they prefer?


Jesus Christ why don't you people just start mowing the guy's lawn for Christ's sake


well then wouldn't the blades be the middleman


That can be taken more than one way


The second way wouldn't be done for Christ's sake...


A few people will donate bitcoin. A few things can be bought directly with bitcoin. On average, you'd expect that the fraction of your income paid in bitcoin would be similar to the fraction of goods and services that you can pay for with bitcoin.


> A few people will donate bitcoin. A few things can be bought directly with bitcoin. On average, you'd expect that the fraction of your income paid in bitcoin would be similar to the fraction of goods and services that you can pay for with bitcoin.

The point of donating money to the author of the piece is to encourage them to continue writing this epic story. Giving them Bitcoin is akin to leaving a tip to your server where the tip appears to be currency but rather instead is a Chick tract with the suggestion that you'll pray for their soul.


The difference being that others accept these "chick tracts" in exchange for goods and services.

I'm not in the mood to register with some service and hand out my CC data to give the author a buck. In contrast I'd scan a QR code in a heartbeat.


Nobody even noticed the middle-ma'am though.


Ah, arguing with nerds. :)

(maybe 'cutting out a middleman' is pedantically accurate in this case. We seem to have identified at least two middlemen in this process)


Arguing with middlenerds beats arguing with middlemen...


Well, one could just wire the money directly – in many countries that’s free for receiving and sending.


Payments-wise, yes. Patreon does remove the middleman of your publisher, though, in terms of how your audience connects with you.


Which is usually called another term, the "gatekeeper".


I suppose Patreon is technically in the middle but since their cut is small and transparent it's not like a 'man in the middle' attack where the intermediary is secretive about how much they're collecting and so on.


The submitted title was "Truecrypt was written by a international arms dealer named Paul LeRoux". That broke the HN guidelines by cherry-picking a single detail from the article, and it's also misleading enough that we're getting emails complaining about it. Rather than litigate what the article does or doesn't show, we've simply reverted the title.

It seems particularly bad to make the title say something that the article doesn't actually claim.


The old title was wrong, the new one is devoid of any meaning. I guess the TrueCrypt connection is what got most of us interested in the piece, so something along the lines of "Truecrypt predecessor was started by international drug dealer Paul LeRoux" might have been helpful.


The article is still near the top of HN, and no one who looks at the thread will have much trouble figuring out what it's about.

If the community agreed amongst itself, obviously we'd follow suit, but it doesn't, and people are going to complain no matter what we do.


Echoing the other sentiments here - the connection to Truecrypt is what made this story interesting. As rewritten, the title is basically meaningless.


This title is much worse. There's no clue what it's even about.


It's a real shame that a bunch of people were tricked into reading an excellent piece of long-form journalism because someone singled out why it might interest them.

The HN front page has a context, and the new title is completely incoherent there. Do better.


The previous title was factually incorrect: it did not match the claims of the article. Even the OP admits it was a mistake.

https://news.ycombinator.com/item?id=11382412

The new title may not be great (as it's copied from the article, where it exists in the context of a larger series), but it's at least an improvement over one that was simply wrong.


Are you joking? The new title would barely be an improvement over a blank line. At best, it's poorly written clickbait (who is "he"? Why do we care?), but really it doesn't even qualify as a "title" except for where it's placed on the page. It might seem like anything would be better than a title which exaggerates the claims of the article (no, the article does not prove that he was involved in the creation of TC -- it does, however, hypothesize it), but we've somehow arrived at one which if not worse, is certainly very bad in a different way.

If dang wants to mangle the titles of articles into incoherency after they've already been on the front page for hours, that's clearly his prerogative, but let's not pretend that it's any kind of improvement. It would be easy to rewrite this title to both keep it in context and remove the factual inaccuracy. Instead, we get this.


Thank you. It's amazing how some authors use thousands of words to deliver such little information.


That's a seriously unfair thing to say. It's also an artifact of the title having been changed to cherry-pick a single detail, which breaks the HN rules. Though in this case I'm not sure it's worth it to change it back.

We detached this subthread from https://news.ycombinator.com/item?id=11382381 and marked it off-topic.


Alright, alright then, I retract my unfair comment but still thank parent for providing a summary.


The article is overwhelmingly about the life and background of Paul. That's really the scoop here from the author's perspective, the fact that he happened to be the TrueCrypt founder is sort of an interesting aside (though also the reason anyone really cares to read about Paul's life).

edit: and the article author just posted on this comment thread saying the article(s) are more about Paul, not really specifically focusing on his connection to TrueCrypt.


Engaging storytelling is more than delivering information.


> It's amazing how some authors use thousands of words to deliver such little information.

Well how else are you going to make it look like you really worked hard on something if you just give people exactly what they want right up front? /s

Seriously this article is bloated as HELL.

Edit: did anyone who downvoted me to hell even read the article? It's about 5% information, 95% useless bloat to fill the page. I mean damn...


I haven't downvoted you, but there's always someone bitching about long-form journalism. It's a non-fiction STORY. Stories aren't technical documents or status reports - they set up atmosphere, build a character, and engage the reader.

Notice also that the title of the linked article is not "Paul LeRoux made Truecrypt" - it's not centered around that. It simply has that info in it, and as such is an interest to HN.


> there's always someone bitching about long-form journalism. It's a non-fiction STORY.

I'm fine for long-form journalism if it actually adds them. Reading through this just felt like the author tried to shove filler into it. I just didn't find it compelling or anything.

Give me a good story and I'm fine. Give me something it feels like you wrote explicitly because you get paid by the word and I'm not going to enjoy it as much.

Thanks for replying though. Maybe everyone else just feels differently about this story than me but it's frustrating to get downvoted without a reply saying why.


Fucking hell Welles, just tell us that was the sled's name!


>just tell us that was the sled's name!

It's literally the first word that's said in the movie. Of course at that point you have no idea that it's the sled's name ;-)


Rosebud....

On a total segue from the topic of this post; two of the earliest memories of movie scenes that are etched into my brain are: a) The snow globe falling down and breaking from Citizen Kane and b) Slim Pickens riding the bomb in Dr. Strangelove

I have no idea at what age I watched them but those two scenes seem to have captivated me and are forever with me.


That was one of the many brilliant things about it.


[flagged]


We banned this account and detached this subthread from https://news.ycombinator.com/item?id=11383195.


worth noting that this is not the same user as https://news.ycombinator.com/user?id=myrbergs_army



