[liberationtech] TrueCrypt Alternatives?

Greg greg at kinostudios.com
Fri Oct 3 18:07:36 PDT 2014 

Dear Rich,

I echo Jonathan's reply to your email.

At the same time, I do feel a certain empathy and understanding of the feeling behind your words. If there was anything in your email that I came closest to agreeing with, it would be this:

> You can't have the former without the latter: it's not a sufficient condition, but it's certainly a necessary one.

That idea of "necessary but insufficient" is a the strongest argument for letting others look at our code, and it is what drove me to make our source available.

Now, the rest of your email, however, is simply misleading/untrue.

Specifically, this accusation is untrue:

> And the reason there is no way to know is that Tao Effect is refusing to freely/openly/completely publish the full source code


Let's break up those slashes.

- "freely" We _are_ making our code available for _free_.
- "openly" We _are not_ making it 100% open.
- "completely" We _are_ making _all_ of our code available.

So let's please keep this discussion honest. Give us our due credit where it is deserved, and throw criticism at us where we deserve it, but always be truthful.

You may also be misunderstanding our NDA. We are not merely copy/pasting legalese boilerplate that we found somewhere. This is our NDA, and it is unique in its terms (at least I haven't see anything like it).

So, on that:

> And can't be, since you've exempted
anyone who doesn't meet your criteria and since anyone who signs
your NDA is quite clearly no longer independent.

Half-true. Yes, we have exempted anyone who doesn't meet our criteria, and this is because we want to do our best to keep the software in the hands of honest, trustworthy folks, for the sake of everyone who uses our software.

However, those who agree to the NDA do maintain their independence.

The terms _explicitely_ enumerate the following rights:

You may build and release copies of Espionage using the original and unmodified source code that we send you (and all associated materials). You may not: sell, re-brand, or add anything to the copies that you distribute that was not included in the original materials that we sent you. Additional terms may apply. See full terms in the contract we send you.
You may publish and document any security vulnerabilities that you find in Espionage as long as you do so in the manner specified in the agreement (see previous terms).

The "previous terms" refer primarily to an embargo of 3 months, the purpose of which is to give us time to fix any problems found in the audit.

That, again, is for the safety of everyone who uses our software.

One final point that you ignored:

As mentioned previously, we are incapable of open sourcing all of the crypto that Espionage uses, because it belongs to Apple.

We _are_ trying to fix that by moving Espionage's architecture away from Apple's sparsebundles, but that is going to take a lot of time and research to do properly, and therefore our time is better spent doing *that*, than on figuring out how to make our code open source while avoiding TrueCrypt's fate.

You want us to stay in business after all, right? We are the folks who dedicate our hours to this program. We are the ones who answer your support emails. We are the ones who implement your feature requests. We are the ones who fix Espionage when things go wrong.

All of that must be paid for. Going 100% open source (say, after we find a replacement for sparsebundles) is a risk not only for us, but to everyone who uses Espionage. There is the very real risk that if we do that in a couple of months or years someone will be posting an email to this list entitled "Espionage Alternatives?"

That is a lose-lose for everyone.

We are taking the Middle Way here: making all of our code available for review, while keeping Espionage alive.

Still, community feedback is valuable to us, so thank you for sharing your perspective. As soon as we see a better idea that works, we will work to implement it.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20141003/1a673507/attachment-0001.html>

More information about the liberationtech mailing list