"Perhaps we will never know"
Quite possibly not, but that surely doesn't stop a necessary and sufficient quantity of Conspiracy Theories being hatched.
Two programmers hope to resurrect development of disk-encryption tool TrueCrypt after its original developers quit the project. The official TrueCrypt.org website abruptly shut up shop last week ostensibly because its secretive maintainers felt they could no longer keep the software secure. They blamed the Microsoft's …
If my limited experience of releasing free software is anything to go by, they probably got fed up with the endless whiners and complainers. It's amazing the number of people who seem to think they're doing you a favour by using your program and think you owe them 24/7 attention for every tiny issue, rather than you having done THEM a favour by writing and releasing it for free in the first place. I can't be bothered with that school playground attitude any more - if they want help now they can pay me or they can just feck off.
It says "Fork if you like just don't call your project "Truecrypt" or "Truecrypt+" or "Truecrypt2" or "TruecryptPro" or "TruecryptUltra" or... anything else which could deceive people into thinking it's associated with our project"
What could possibly be fairer than that?
Certainly didn't cause any problem for Mandriva when they repackaged and incorporated TrueCrypt into their project under the name "RealCrypt"
"Patent trolls will sue over copyrights and trademarks as well."
Not when YOU DON'T (MIS)USE THEM they won't.
"The point being that "they are good guys don't worry" doesn't work when they sell to bad guys"
No, it neither works nor "doesn't work" - "the point" doesn't make a difference. "The point" doesn't exist. "The point" is a bizarre and irrational figment of your imagination.
No one (not even your "bad guys") has powers of timetravel. No one (not even your "bad guys") has powers to retrospectively re-licence anything. TC 7.1a was released by its owners and publishers under what they called the Truecrypt 3.0 Licence. TC 7.1a will always have been released by its owners and publishers under what they called the Truecrypt 3.0 Licence. Anything based on TC 7.1a must comply with the (remarkably permissive) Truecrypt 3.0 Licence - just as it always had to and just as it always* will do.
*Thanks to the mystical powers of The Disney® Corporation Inc., and Political Corruption™ the moving goalposts of copyright expiry now seem to be infinity away.
IMHO the licence isn't problematic so much for the part highlighted in the article at all: it's far more because it doesn't (implicitly or explicitly) offer copyright immunity to users or distributors. People seem to have forgotten about this but it's the reason it's still on a number of distros' shit-lists and why the OSI wouldn't validate it as an open-source license (meeting the OSD).
A (rather dry legalese) analysis was given here. TL;DR Conclusion:
In effect TrueCrypt ought to be waiving certain of its rights for this to be operative as a license. Free software licenses do involve waivers of rights. Our counsel advised us that this license has the appearance of being full of clever traps, which make the license appear to be a sham (and non-free).
The precise implications for forkers of all this are beyond me, but the devs clearly don't want a direct fork of their codebase, and they or a representative might even be prepared to break cover to sue. And the above demonstrates that they have a basis on which to do so, and even to start suing users if they want.
"The official TrueCrypt.org website abruptly shut up shop last week ostensibly because its secretive maintainers felt they could no longer keep the software secure."
"They blamed the Microsoft's discontinuation of official support for Windows XP..."
"The real reasons why TrueCrypt.org pulled the plug remain unclear. In the absence of any convincing explanation, conspiracy theorists have suggested TrueCrypt was shut down, Lavabit-style, in response to pressure from the feds or spy chiefs, or possibly due to an internal power struggle. Perhaps we'll never know."
You start the article by stating reasons as to why TrueCrypt shut down, passing them off as facts, then you end the article contradicting yourself by saying you do not know the reasons.
So which is it; did the maintainers shut down TrueCrypt due to Microsoft ending support for XP and/or did the maintainers feel like they couldn't keep the software secure any longer, or do you not know and can only speculate?
> What difference does the XP EOL make to the code quality of TrueCrypt?
None whatsoever, and AFAICT there isn't a claim here that it does or should.
Microsoft's decision to discontinue post-sale bugfix support to members of the public running XP means newly-discovered holes through which data(/code?) could leak out are going to stay open longer (if not forever). It seems reasonable that the team should want to take a course of action based on a) not suffering slights on the software due to problems in the underlying OS, b) not feeling obliged to build more and more plugs into the software due to holes in the host OS, and/or c) not needing to keep suitable-for-testing copies of XP around for longer than necessary. That they also supply advice and a migration path is commendable.
> That the proposed migration path was Bitlocker doesn't exactly make it commendable.
That's not in contention; it's the decision of the developers to not leave end users with data that cannot be transferred (or otherwise recovered) that I'm commending above.
Going back to the line I originally quoted, I don't think it's necessary to finger point code quality in Windows (whatever one thinks of it) although obviously it does drive those concerns I listed to an extent (as it would for any other end-of-line OS).
...and since you've brought up Bitlocker I'm not blaming the team for wanting to not compete against the evolving market -whether any strong-arming has taken place or not- and having spoken highly of the TrueCrypt effort to people recently am pleased there is news of an effort to continue it ;)
> It seems reasonable that the team should want to take a course of action based on a) not suffering slights on the software due to problems in the underlying OS, b) not feeling obliged to build more and more plugs into the software due to holes in the host OS, and/or c) not needing to keep suitable-for-testing copies of XP around for longer than necessary
Sure thing.
* Add the following text to the website. "Due to Microsoft ceasing support of Windows XP, Windows XP is no longer supported by Truecrypt. We recommend you upgrade your operating system."
* A checkbox later in installshield will prevent its install on such operating system versions (or at least those who can work around that know the risks)
Claiming a "trademark" and then failing to enforce it is one way to lose it in the UK at least. I'm not sure what protection the license affords the holder in determining what someone might call a fork of TC.
Basically, if you want to enforce rights through a license for a product then calling the product defunct is probably a good way to revoke your own "rights" to the name.
Unless the license holders create some form of legal entity around the name TrueCrypt I would suggest they have already effectively dropped the name back into the public domain, if indeed it actually left it.
Cheers
Jon
Actually, that's completely, totally and utterly wrong without any basis in law.
They have released the source code and a license allowing use of said code under a few limited conditions, one of which being that you don't use the name TrueCrypt or anything similar.
If you use the name TrueCrypt then you're in violation of the license agreement, hence they have no legal right to use the code or make any alterations to it. Saying that they understand this, but plan to host the website in Switzerland to evade their legal and moral obligations is utterly immoral and shows a total lack of shame, integrity and decency on the part of the "developers" who are shamelessly stealing from TrueCrypt.
I think this demonstrates perfectly well however much developers are plain about the license agreements (no opaque language here!) then total fuckwits will ignore the simplest and fairest conditions of use.
It would be perfectly legal to continue from the previous version and call it FalseCrypt, ContinuationCrypt or whatever. If it's a decent product then as with LibreOffice then people will all but forget the previous dead name within a couple of years.
Re closing down; consider why Lavabit closed down and ponder for a few minutes on how cynical and or paranoid you should be, and if it's worth using any form of encryption product with developers in the US if you want your files to remain encrypted.
You might want to look up what stealing means. It implies depriving the rightful owner of something of value.
Given that the moral owners of the TrueCrypt name are not coming forward, and that there is absolutely no sign of them commercialising this product in any way, I don't see what is being "lost" to justify a copyright infringement charge, let alone "stealing".
Sure it is an infringement of the license terms, but who is actually suffering? Certainly not the end users who otherwise would have to go to something else that might be much worse in terms of privacy.
Theft (stealing); dishonestly appropriating the property of another with the intention of permanently depriving the other of it. If I remember correctly, there are three exceptions when it is not theft, something along the lines of believing one had a right to it, unable to find the owner after reasonable efforts to find them and something I have entirely forgotten. Hence, in England and Wales, there is a separate offence (or was, laws change) of taking and driving away to catch the theft of a car that is later abandoned.
There is nothing there about value. So, stealing tuppence is just as much theft as stealing two million pounds. Hence it is theft to take something from someone else's dustbin or a builder's skip without permission from the owner.
If you're going to accuse others of fuckwittery, you might want to be certain you've got your facts straight first.
From their main page:
"We offer the product as is, and do not claim any rights to the name TrueCrypt or TrueCrypt.org - this is not a fork but the distribution of the product under Section II of the TrueCrypt license."
Elsewhere they also state that a fork would likely be renamed.
They are hosted in Switzerland as the black helicopters don't work quite as well in the mountains.
So is it just me then who didn't update and kept the fully functional version?
Although that kinda feels a bit weak and I feel guilty for keeping an apparently insecure version (to the point where they removed encryption rather than let you use it?!) I really don't have anything I trust more
Which says a lot for what's available at the moment. Has anyone any recommendations for good alternatives?
I would expect that after examining the blueprints for Truecrypt the auditors will find a small thermal exhaust port, right below the main port.
It'll be two metres wide, but it'll lead directly to the main reactor!
For a new name I'd suggest "Heidi"..something.. as Truecrypt is designed to, er, Heidi stuff.
Whilst it would sound quite possible for the FOSS crowd to fork the earlier version, it might be best to wait until after the code review has been completed. Probably twice. After all, as the Seggelmann incidents demonstrate, often there are flaws even the supposed geniuses miss.
If the only stumbling block is the name, well, what's in a name? There are loads of names. As long as people know, nod nod, wink wink, that the revived product was once TrueCrypt, who cares? You could call it Daisy, or Son of TC, or NSA (Non-crackable Security Aid). There are many more possibles.