[Cryptography] cryptography Digest, Vol 13, Issue 30

Peter Trei petertrei at gmail.com
Sat May 31 13:04:46 EDT 2014


> On 30/05/14 20:21, Philipp Gühring wrote:
> > Hi Peter,
> >
> >> The only reason I can think of for doing all that work is maintaining
> >> reputation (or technical reputation at least - TrueCrypt devs are not
> >> exactly known for being people people, or for being particularly into
> >> "free open source" either).
> >
> > To me this creates so much confusion for all the users that I think it
> > is more likely that people will not trust them anymore. So if they
> > really wanted to do a commercial version, then I would not do such a
> > move. Why should I buy their commercial product? It might be that they
> > will suddenly stop supporting that too.
> >
> > Best regards,
> > Philipp
>
>
> I agree - but I don't think the TC devs think that way.
>
>
> I think they wanted to make some money out of TC, perhaps initially by
> selling it to Microsoft, but failed to do so - most recently by a
> crowdsourcing plan and a contributions campaign.
>
> I think they have come to the conclusion that TC won't make them any
> money as-is, and that's mainly why they pulled the plug.
>
> Some of the devs may be hoping to produce a commercial version, and some
> of them may just be fed up of developing it for free.
> [...]
>
> -- Peter Fairbrother
>

At this point, I'm starting to agree that this is starting to look more
like a takedown by the dev team. I was initially pretty sure of the Warrant
Canary hypothesis; now I'm not so certain.

Factors that feed into this change of view:

* The TC code base has legal and license issues; these may have just made
  it too difficult to do further development.
* The code needed a thorough rework, not just to improve password hashing,
  but also to move it to a modern development environment. That the devs
  didn't do this suggests a lack of interest, or a legal issue with doing
  so.
* The audit suggests that there is just one active dev. Perhaps he/she
  just got tired of it.
* Steve Barnhart's contact with the devs (see upthread) seems to confirm
  this.

What I still find mysterious is the manner of the takedown. Unless there
*is* a fundamental vulnerability, why not just post "We're tired of working
on this. We can't relicense it so others can fork it, so we're shutting up
shop. So long, and thanks for all the fish."

Even if there *is* a fundamental flaw, they could have said a little more
than they did, such as why they weren't going to fix it.

The lack of a public statement, and the hurried and poor advice on
replacements, combine with the time and effort that must have gone into
creating version 7.2 to create a head-scratcher of a situation.

That this is taking place in the current environment of the US Intel
community going ballistic over the Snowden revelations, while he used TC to
protect data, certainly makes it easy to imagine TLA involvement. I wouldn't
rule that out, but would add that Life Happens, and the dev(s) may simply
have other reasons why they didn't want to continue.

pt