[Cryptography] What is going on with TrueCrypt?
Peter Fairbrother
zenadsl6186 at zen.co.uk
Thu May 29 21:01:26 EDT 2014
On 29/05/14 16:03, Peter Trei wrote:
> On Thu, May 29, 2014 at 1:42 AM, Tom Mitchell <mitch at niftyegg.com> wrote:
>
>> Add patent litigation to the list of unknown interactions.
>
> Good point, but that's not really consistent with the form of the change
> - they'd have no reason I can think of not to call it out.
>
> Another possibility I've heard is that there's been a falling out among the
> (anonymous to most) devs, and one decided to send the project up in
> flames. However, the provision of modified versions seems over-elaborate
> for such an action.
>
> ATM, I'm still thinking 'Warrant Canary'. The longer the site remains
> modified, and the devs silent, the stronger that option becomes, imho.
I discard outright any possibility of it being an outside website hack -
too hard, an attacker would need access to the TC website, the
Sourceforge TC site, and to the code signing key.
The "Warrant Canary" theory doesn't seem to make a whole lot of sense
either. It's possible, but why recommend BitLocker? When did someone
have time to write all those code changes?
The theory which makes most sense to me is that it was an at least
partly commercially-motivated self-takedown by the devs.
The recent change in name on the otherwise "same old code and binary
signing key" is possibly significant here - the developers, or perhaps
just some of them, may want to start up a commercial product in the new
name.
The devs' commercial aspirations are well-known, witness the previous
license issues, the failed crowdfunding and donations campaigns, the
"TrueCrypt Developers LLC" registered in Nevada (thanks to Piergiorgio
Sartor for that info). And they already own a good chunk of the IP
rights in the TrueCrypt source.
The ending of the project was graceful, to some extent at least - people
were not left with unrecoverable archives, and temporarily acceptable
but not-as-good alternatives were suggested. A whole lot of work went
into that.
It is obvious that this wasn't done in the heat of the moment - it must
have taken at least several weeks to do the code revisions for the 7.2
release. There have also been hints (eg the robots.txt file) for some
months that something might be happening.
The only reason I can think of for doing all that work is maintaining
reputation (or technical reputation at least - TrueCrypt devs are not
exactly known for being people people, or for being particularly into
"free open source" either).
No reasons why the code is/may be broken are given. Actually the
"WARNING: Using TrueCrypt is not secure as it may contain unfixed
security issues" does not even actually say TrueCrypt is broken, just
that it may be.
And any unfixed issues might be fixed later, in the commercial version.
(Which would have been independently audited... at no cost to
TrueCrypt...)
just a theory,
-- Peter Fairbrother