TrueCrypt is a consumer-facing Open Source project. Those rarely have a large developer community and seldom get patches. Most successful ones are backed by corporate interests (Firefox, Eclipse, VirtualBox, ...).
Having no need of TrueCrypt himself, no other developer in the community to whom he could entrust the project, and faced with drudgery the like of which he probably also has at his job (except he gets paid there), he probably did not want to continue developing and improving TrueCrypt (e.g. EFI support).
At this point, since it is a critical security product, there is no other option than to warn all users. If there is a fork, it has to earn its reputation first.
I view truecrypt.ch as a bad development, since a) TrueCrypt is trademarked by the developer and b) the TrueCrypt license explicitly says that you cannot fork the project without renaming it to something other than TrueCrypt.
See https://www.grc.com/misc/truecrypt/truecrypt.htm "And then the TrueCrypt developers were heard from . . ."
In particular: many people on HN seem to think that Linux Truecrypt is the most important product of the Truecrypt project, but the developers don't see it that way; they started the project for Windows, and Windows has good FDE now.
Only for those running Ultimate or Enterprise edition. What's everyone else supposed to use?
At the risk of sounding snarky, Linux?
If you're not using Ultimate or Enterprise, you're probably not a business, so you probably don't have any business-critical applications that need to be run in Windows, so you can probably just use Linux for anything that needs to be kept encrypted.
FWIW, a non-negligible percentage of my not-computer-savvy friends have switched to Linux over the last few years because they mostly just need an internet machine after all, and were tired of dealing with Windows. Most of them seem to have no trouble after they figure out how to boot a live USB.
Yes, because I know people who fit that exact profile. Just Friday I was talking to a person who had found TrueCrypt a few years ago and used it ever since, who wanted my help with what the dramatic website shutdown meant for them. "Just switch to Linux" certainly would not have gone over well.
The set of all people who (a) cannot afford Windows Ultimate (b) rely on Windows-only software and (c) want encryption is non-negligible.
One of BitLocker's "features" is that you can recover your key! So can Microsoft, NSA, etc. See: https://twitter.com/TheBlogPirate/status/471759810644283392
That doesn't just apply to Microsoft. I wouldn't trust FileVault on Apple or Red Hat's implementation of LUKS either.
They may or may not be subverted, but why take the risk when you can use something that has a greatly reduced chance of that risk and works cross-platform?
Last I heard on Apple was that their system is perfect, as long as they don't add another key to your iMessages which you'd never know of. So not perfect, but only if you are chosen to be inspected. It can't be part of a dragnet collection unlike say https if the NSA have the private key.
For Red Hat the best I can find in your favour is that some of them have NDAs on their conversations with the NSA.
So, given their history, have they done anything to actually earn our trust?
If a company develops a kit that exploits the internal design of their own product, you are not a bystander. Bystanders do not sell exploit kits.
Do you think Wietse Venema and Dan Farmer are suspicious for having released The Coroner's Toolkit? Should we all stop running Postfix now?
The only relationship those two projects have is that they share the same developer. COFEE, however, exploits Microsoft's own products.
It seems you are arguing that trust is not affected if a company first sells a product, then sells exploits for that product in secret. It may be a small, or unimportant, or old product, but it doesn't really matter to me. Trust is not something that should be given out lightly.
Otherwise why bother with exploits? Just build good, solid C# backdoors and get it over with already.
However, you're still missing a fundamental aspect of security, which is that it's targeted, not universal. Your system is not 'secure', it's 'secure against x', where x is your adversary. If your set of adversaries includes, say, someone losing their laptop at the airport, but not Microsoft, then storing your keys on MS servers loses you nothing and gains you ease of use.
It seems like people are still somehow willing to believe that even if a spy agency had set its eyes on Truecrypt, they could not force them to make arbitrary statements to people sending them e-mails or members of the audit project.
The fact that the "warrant canary" scenario with Truecrypt is also silly weighs heavily against your argument. Try to game out the scenario where Truecrypt is actually compromised. Especially funny: it's compromised at exactly the moment when a third party crowdsources an expert review of Truecrypt. That's when they choose to backdoor it. Seems legit.
I would be interested in seeing the argument of someone who is not part of "HN, Reddit, and Slashdot" against the proposition that cryptographic software that only few people have access to the source of is not trustworthy. I do not claim being involved particularly deeply in either the academic or the industrial security community, but my impression from the occasional academic discussion group I have managed to find the time to drop in on always was that this and/or some related proposition was part of what is commonly held to be true beyond the need for argument.
Regardless, there are two separate questions here - firstly, whether some sort of foul play actually was involved with the Truecrypt project closing up shop, and secondly, whether the recommendation to switch to Bitlocker should be considered sound or not. I believe that the recommendation is dangerous regardless of what happened with Truecrypt - at the very least, making no recommendation at all or telling people to stay with Truecrypt (7.1) for the time being and giving the OSS community some time to try and fill the vacuum is not worse than making said recommendation under any circumstances. In that light, even if your scenario is more compelling, I would argue that simply to err on the side of caution, one ought to refrain from pushing a narrative to the effect of "nothing fishy here; these perfectly trustworthy people just told you to use Bitlocker, make of that what you will" at this point in time.
Open Source: You can analyze the source code and build it yourself - which is great if you don't trust anyone to give you binaries from what you analyzed. Usually at least free as in "free beer".
Free Software: Open source software which gives you lots of permissions via its license, while making sure you get to keep these permissions. Usually free as in "free speech" (in addition to "free beer").
TrueCrypt not being free as in speech is a bummer, but being able to inspect the code and build it yourself is a critical advantage, especially when it comes to cryptography. I have a hard time imagining BitLocker not having any backdoors built in. At the very least it'll have some kind of weak random number generator or whatever, making sure that with the right algorithm you get to crack it within a few minutes or so.
"In production and development, open source as a development model promotes a) universal access via free license to a product's design or blueprint, and b) universal redistribution of that design or blueprint, including subsequent improvements to it by anyone"
So no, "open source" doesn't just mean being able to read the source code; it also means being able to modify and redistribute it, just like "free software". The difference between the two terms isn't very meaningful in practical terms, IMHO.
Free (as in freedom) Software guarantees that the end user can always get, modify, and redistribute the source, by requiring any use of the source code to be under the same license. In short, copyleft.
For example, since Linksys modified and extended GPL'd code (the Linux kernel) in creating the WRT54G wireless router, they had to release their work under the GPL too, which is how the OpenWrt project was created.
The term Open Source applies to projects with more permissive licenses, such as the MIT license, where there is no obligation to release your modified version of the source to the end user.
No, they're the same set.
Edit: before you knee-jerk downvote, please read my link. Open source is a term coined by OSI as a replacement synonym for free software. We have somehow culturally forgotten this. We keep repeating some other version of the facts for some reason and have forgotten what "open source" really means.
There is an unrelated "open source intelligence" older term, about how to spy on people using publicly-available sources, but nobody called software "open source" before OSI. Eric Raymond confirms as much:
>"By mid-1996 I thought I was beginning to understand. Chance handed me a perfect way to test my theory, in the form of an open-source project that I could consciously try to run in the bazaar style. So I did—and it was a significant success." //
OSI started in 1998, yet here is Raymond saying he did an open-source project in 1996. Not only that, but he was copying an established style of software authorship which was already open source. Whilst the wording may not have been widely used, perhaps not at all, until 1998, open source was already a thing. OSI tried to create a tightly defined word, but they created usage of the term to cover what was - as we see above - already a thing. The thing that existed didn't and doesn't fit neatly into the OSD, and nor should it. Usages change as well, but here I think those who [it seems] coined the term and set it free used it in a different way to some of the community from the start.
It would be interesting to do a survey of the HN crowd to see what they consider the term "open source" to mean.
ESR edits his texts a lot, and CATB came out before 1998. I don't know if I can track down a first edition of CATB and see what term ESR used here, but I bet it wasn't "open source". Note how he hyphenates it, according to his recommendation in the thing I linked.
That aside, it doesn't matter if he wrote the line last week about making an open source project in 1996; it's recognition that open source per se (as opposed to the name) started prior to OSI and their OSD. It was an established thing that they tried to straitjacket into a particular definition.
And yes, I agree again with you, open source existed for a long time before OSI. It was and is called free software. All that OSI attempted to do was provide a more business-friendly synonym for free software, but their message seems to have gotten distorted, and people seem to think that open source is something different from free software. It was never meant to be different.
No, there is no difference:
TrueCrypt IS Open-Source. You can read the source.
It is not, however, free software. It's free to use, but not free as in GPL.
Depending on whose definition you accept, simply being able to "read the source" does not make something "open source". While not accepted by everyone, the Open Source Initiative's "Open Source Definition" is a very widely accepted definition of what it means to be "Open Source".
I would posit that "Shared Source" is a more accurate term for a project where the source is available, but the license doesn't permit all of the things required by the OSD.
If my understanding is correct, the TrueCrypt developers were attempting to make an "OpenSource(tm)" license, but the OSI folks had some technical objections. So the software falls into a gray area where it's not quite officially OpenSource, but it still could be modified and distributed by third parties.
No, it was not. OSI coined it. Specifically, Christine Peterson coined it.
It appears to be such a natural term now that we have become convinced that we were using it before OSI, but we weren't. The earliest OED citation for "open source" is from 1998, around the time when OSI coined it. If you have an earlier citation, please submit it to the OED. I don't believe one exists.
There is an unrelated term "open source intelligence" which is indeed older, but nobody called software "open source" before OSI.
Open source means the source is available under an open source license, as recognized by the OSI. This gives you the freedom to modify and reuse it.
I've been part of the [F]OSS community (mainly on the receiving side!) for ~15 years but have never seen it specified that OSS has to comply with an OSI definition.
"open source" [de-capitalisation is purposeful to distinguish from "Open Source [OSD]"] has always simply meant that the source was available to view for those the program was distributed to. For example - IIRC - Star Office was a paid application initially but was open source, as those who purchased it could request the source code. Way back in the day people/companies would even make nominal charges to cover media and distribution of the source and still be "open source". Of course not all open source is free-gratis; clearly one can charge for open source. But, moreover, not all open source is free-libre either; just being open source doesn't mean that you have to have a GPL/LGPL/Berkeley/CC or whatever compatible license.
I'm pretty sure I recall the OSI starting; we had open source software before that. The OSI's "Open Source" is not coterminous with "open source". For example, someone distributing a Linux distro that specified that no proprietary software could be bundled as part of the distro would be excluded by the OSI's definition from terming the distro "Open Source", whilst it could very clearly be completely open source. Similarly, if you say "may not be used for development or activation or control of weapons designed to cause harm" as part of your license, you can allow any type of source manipulation you like, but the OSI's definition would say your software is not "Open Source".
FOSS (Free [-libre] Open Source Software) gives you the freedom to modify and reuse it, though there still might be relicensing controls. That's why we have FOSS and OSS definitions in the first place, the Free-libre bit wouldn't be necessary otherwise. No need to try and overload the language to push an ideological position like OSI appear to have done.
No, open source means a lot more than "the source is visible".
If you look around, there are a lot of licenses built around this point. Not all open-sourced software is free. Some allow the owner to restrict its use, e.g. not allowing it to be used commercially.
If I had to sum it up these two would be orthogonal:
1. Closed-source vs open-source
2. Proprietary vs free.
> "it is not all appropriate for [TrueCrypt] to describe itself as "open source." This use of the term "open source" to describe something under a license that's not only unapproved by OSI but known to be subject to issues is unacceptable."
It is not naturally described as such, because nobody described it naturally as such before OSI came along. The dictionary definitions in this case lead you to the wrong conclusion about the meaning, just like at least one dictionary definition of "free" can lead to the wrong conclusion about what free software means.
I am being pedantic about this because I want people to value the principles that open source is supposed to be about. I don't want people to forget what open source really means.
I think the term "visible source" is quite unambiguous, but perhaps I'm wrong. Microsoft prefers the term "shared source" for what you describe.
However, an anonymous person could not do anything about enforcing their copyright without losing their anonymity. You can't sue someone anonymously (you as the plaintiff), you can't DMCA anonymously, etc. etc.
A trademark is a registered mark, unlike copyright (copyright is automatic in almost every state in the world according to a few treaties). Broadly, provided you pay your fees, then you retain a granted trademark. There are trademarks that are unregistered, acquired by use in trade, but it's a very weak instrument. Non-use can be grounds to contest a trademark - so it's almost impossible to retain a mark and remain anonymous, as you need to be trading using that mark, and usually trading requires you to disclose identifying information in some way.
Also USPTO's TESS facility gives the trademark assignee information, http://assignments.uspto.gov/assignments/q?db=tm&qt=sno&reel... .
I think anyone who thinks the answer to your question is yes is misinformed.
BitLocker is not open source and is pretty much guaranteed to have a backdoor considering Snowden's leaks about Microsoft and NSA.
I had to use this mirror recently as there are already bad copies floating about; it is a trusted host for the last ungimped version for Windows and Linux. Check the hashes n' sigs!
There were a bunch of other tweets with further details, but those seem to have been deleted.
Note: I am not claiming this is necessarily true.
I haven't come across any new and definite information since the hack/shutdown.
This is pretty sad/funny.
Dino's Pizzeria is my favorite place to get pizza. I have never had a pizza from Dino's Pizzeria.