[liberationtech] TrueCrypt: Status of Community Effort to keep on developments
Aymeric Vitte
vitteaymeric at gmail.com
Thu Jun 5 16:11:01 PDT 2014
I don't really agree with your approach. In a standard company process,
if you want good things then you need good employees, and if you want
good employees then you need to pay them accordingly.
The open source model is not correct and can just end up with Heartbleed
or EarlyCCS.
I don't know exactly the story of TrueCrypt, but if the "world" cannot
fund projects used by a lot of people, then don't be surprised that the
dev(s) make mistakes or resign.
And I don't see what your problem is with teams trying to finance their
work instead of a bunch of geeks doing wrong crypto on a corner of a
table for free.
But indeed the community should get a financing model not influenced by
the funders.
Regards,
Aymeric
On 03/06/2014 22:35, Bill Cox wrote:
> On Tue, Jun 3, 2014 at 4:10 PM, Maxim Kammerer <mk at dee.su
> <mailto:mk at dee.su>> wrote:
>
> On Tue, Jun 3, 2014 at 9:03 PM, Fabio Pietrosanti (naif)
> <lists at infosecurity.ch <mailto:lists at infosecurity.ch>> wrote:
> > all of us know that there is some little problem with TrueCrypt
> software
> > project, with some yet unknown understanding of behind the scene
> facts.
>
> I don't see a problem, I see a logical conclusion to a sequence of
> events. A bunch of Twitter attention whores easily raise a large sum
> of money for yet another useless security audit, whereas the
> apparently lone developer doesn't see a penny of that sum, and
> probably never saw a fraction of that sum during the whole history of
> the project. The developer is pissed, decides that dealing with the
> unwanted attention is not worth his time, and closes the project.
>
>
> That's the best guess I've read yet, though not nearly as entertaining
> as the embedded Latin message about the NSA in the farewell message:
>
> http://blog.dntopping.com/truecrypt-three-letter-agency-theory/
>
> I'd swear that the RealCrypt.org home page was up a couple of days ago
> (I posted that it was on truecrypt.ch <http://truecrypt.ch>). Now it's
> gone, and not even remembered in the Wayback Machine, and neither are
> truecrypt.org <http://truecrypt.org>, truecrypt.com
> <http://truecrypt.com>, or truecrypt.net <http://truecrypt.net>. The
> message for truecrypt.org <http://truecrypt.org> is that it was
> "removed". Spooky.
>
> > Who is going to take over the TrueCrypt project seriously should be
> an entity
> > (foundation, consortium, coalition, etc) of multiple players
> coming from
> > different environments from the civil society.
>
> The project was developing well when it was a one-man team. Did you
> try to contact the guy and offer him at least a similar amount of
> funding to what was gathered for an audit?
>
>
> Maybe this is just my personal preference, but I think it should be
> big geek volunteer supported, rather than a funded foundation, and the
> last thing this project needs is micro-management by committee. Money
> can mess up everything. For one thing, the funders might want a bunch
> of new features, when the crypto geeks would rather keep the code
> simple and secure. If they keep paying you, you kind of have to keep
> working, but TC has not been updated in 2 years. Do we really need a
> well funded team working on it? If it's a paying job, you might wind
> up with some coder(s) who really don't like the project, but do it
> because that's how they get paid. A ton of FOSS projects wind up with
> less-than-average talent and code, IMO, because FOSS projects usually
> don't pay competitively. Do we really want to pay top crypto experts
> what they're worth? If we're talking > $300K/year, then maybe... I'd
> rather take my chances with the geeks who simply love crypto too much
> not to participate.
>
> The truecrypt.ch <http://truecrypt.ch> guys are scaring me as well.
> They started off sounding great, but instead of vetting the geeks and
> getting them organized, they're talking about raising money, paying
> themselves, and using extra cash to pay developers for "continual
> feature enhancements", an example of which was auto-update! There's
> also a message about seeing if the ZuluCrypt guys might be interested
> in selling out. No... I think money and crypto are often a bad mix...
>
> Bill
>
>
--
Peersm : http://www.peersm.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms