[liberationtech] TrueCrypt: Status of Community Effort to keep on developments
Bill Cox
waywardgeek at gmail.com
Tue Jun 3 13:35:15 PDT 2014
On Tue, Jun 3, 2014 at 4:10 PM, Maxim Kammerer <mk at dee.su> wrote:
> On Tue, Jun 3, 2014 at 9:03 PM, Fabio Pietrosanti (naif)
> <lists at infosecurity.ch> wrote:
> > all of us know that there is some little problem with TrueCrypt software
> > project, with some yet unknown understanding of behind the scene facts.
>
> I don't see a problem, I see a logical conclusion to a sequence of
> events. A bunch of Twitter attention whores easily raise a large sum
> of money for yet another useless security audit, whereas the
> apparently lone developer doesn't see a penny of that sum, and
> probably never saw a fraction of that sum during the whole history of
> the project. The developer is pissed, decides that dealing with the
> unwanted attention is not worth his time, and closes the project.
>
That's the best guess I've read yet, though not nearly as entertaining as
the embedded Latin message about the NSA in the farewell message:
http://blog.dntopping.com/truecrypt-three-letter-agency-theory/
I'd swear that the RealCrypt.org home page was up a couple of days ago (I
posted that it was on truecrypt.ch). Now it's gone, and not even
remembered in the Wayback Machine, and neither are truecrypt.org,
truecrypt.com, or truecrypt.net. The message for truecrypt.org is that it
was "removed". Spooky.
> > Whoever is going to take over the TrueCrypt project seriously should be an entity
> > (foundation, consortium, coalition, etc) of multiple players coming from
> > different environments from the civil society.
>
> The project was developing well when it was a one-man team. Did you
> try to contact the guy and offer him at least a similar amount of
> funding to what was gathered for an audit?
>
Maybe this is just my personal preference, but I think it should be big
geek volunteer supported, rather than a funded foundation, and the last
thing this project needs is micro-management by committee. Money can mess
up everything. For one thing, the funders might want a bunch of new
features, when the crypto geeks would rather keep the code simple and
secure. If they keep paying you, you kind of have to keep working, but TC
has not been updated in 2 years. Do we really need a well funded team
working on it? If it's a paying job, you might wind up with some coder(s)
who really don't like the project, but do it because that's how they get
paid. A ton of FOSS projects wind up with less-than-average talent and
code, IMO, because FOSS projects usually don't pay competitively. Do we
really want to pay top crypto experts what they're worth? If we're talking >$300K/year,
then maybe... I'd rather take my chances with the geeks who
simply love crypto too much not to participate.
The truecrypt.ch guys are scaring me as well. They started off sounding
great, but instead of vetting the geeks and getting them organized, they're
talking about raising money, paying themselves, and using extra cash to
pay developers for "continual feature enhancements", an example of which
was auto-update! There's also a message about seeing if the ZuluCrypt guys
might be interested in selling out. No... I think money and crypto are
often a bad mix...
Bill