[geekcrypt] Re: Introducing Peter Trei

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 22:31:33 -0400

Hi, Peter, and welcome!

On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:

> I've just joined the list.
> I hope to contribute as a developer and architect; I spent 10 years
> developing cryptographic products at RSA Security, among other things.
> I'm also responsible for the Symmetric Key Challenges RSA posted from 1996
> on, which contributed to the relaxation of export regulations around 2000.
> Back then, ITAR placed draconian regulations on export of binaries, code,
> and even knowledge; and 'export' could be something as simple as a chat
> over beer. Things are much better now.

That's a truly outstanding background!  Also, thank you for helping defeat
the Clipper Chip and 32-bit limits on browser keys!  The world economy owes
a ton to our ability to make semi-secure online transactions, not to
mention at least some safeguards on privacy.

I have suggested that PID0 and Frank belong before me on the list of core
devs, and it sounds like you do too.  If we get enough world-class
crypto-geeks involved, I will be happy to step down to the level of
non-core contributor.

> I'm very happy with the open and transparent principles at ciphershed.org.
> In this kind of project, accountability creates confidence. But it also
> creates responsibility.
> ...which leads me to my first question...
> Have we cleared what we want to do with a lawyer knowledgeable in the field?
> There are three main concerns I have, and one minor one.  They may be
> nothing, but...

Getting lawyers involved is generally a bad idea in my experience.  Just
talk to your friends who got separate lawyers for a divorce versus the ones
who just went to mediation.  The current silence from truecrypt.ch is
likely due to having talked to lawyers.  What truecrypt.ch should *really*
be worried about is their trademark violation.

In any case, there are two ongoing popular forks: RealCrypt and VeraCrypt.
We're just a 3rd fork.  No one gets sued in the US for working on
non-profit open source crypto anymore, and it sounds like we have to thank
you for that!

> 1. Licensing. According to Wikipedia, a company called SecurStar claims IP
> in at least some of the early source code. Has this been investigated?

They never sued before.  Why worry now?

> 2. Export regulations. US EAR regulations require entities exporting
> cryptography - even free public domain source code - to register with BXA
> and report exports. This may require setting up a foundation or something,
> to create a legal nexus.

> http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status

TrueCrypt fork will be imported, rather than exported.  If someone in the
US government wants to explain why I am not allowed to contribute to a
Swiss based crypto FOSS project, I'd love to hear it.  That sounds like a
freedom worth defending.

> Selling compiled crypto SW for money adds in a lot more regulations, btw.
> The Truecrypt.ch folk should think about that.

I agree!  Money could really mess up this project.  That doesn't mean that
we couldn't use some help with free hosting and such, but if this project
winds up being owned by a foundation with millions in the bank, the
freaking lawyers will descend like vultures.  We don't need a pile of
money!  It would be toxic!

> Things used to be a great deal stricter (this project would have been flat
> out illegal prior to 2000), but I still find myself concerned (hopefully
> without cause) at the notion of an international team of both US and non-US
> citizens and residents collaborating in this manner on a crypto package.
> There may be *nothing* wrong, so long as, (for example) we don't have a
> member in China or Russia. But I'd sleep easier knowing we checked whether
> (for example) every git commit needed a notification to BXA (they could be
> automated, btw).

I think we can wait for BXA to ask for notification.  Given that all our
git commits on github will be public, I'm sure it's simpler for them to
simply notice commits rather than bothering to even talk to us.  I haven't
heard a word from them about all my Tinycrypt commits on SourceForge.

> I strongly suggest that someone on this project contact a team with similar
> concerns - for example, OpenSSL or OpenSSH, so we can leverage their
> experience, or we should talk to the EFF. I don't have strong personal
> contacts in those organizations, but perhaps someone else here does.

Good idea.  I've sent a few emails to the TAILS dev list, and support
list.  They've already been very helpful.  I'd love to have someone from
one of those groups involved.  In any case, we at a minimum need someone in
a similar project who can help guide us.

> A non-anonymous international team developing strong cryptographic
> products for general use needs to tread carefully, in today's climate.

In today's climate, it is more critical than ever to stand up for our right
to privacy.

> 3. Do we need to post a Warrant Canary? Do we need one for each team
> member? Should we add them to emails? Example at
> http://www.rsync.net/resources/notices/canary.txt

Yes!  It also has to be international and diverse enough for it to be
difficult for the NSA to silence the whole core dev team at once.
Normally, I think 3 devs might be the best number, but because of this
issue, I'm leaning more towards 5.

> 4. I *hate* the name FalseCrypt; and GeekCrypt isn't much better. How
> about WorldCrypt?
> Can we settle this, so we can get back to coding?
> Peter Trei

I like WorldCrypt!  We're kind of leaning towards CipherShed, which has the
distinction of being different in that it drops "crypt".  Some people feel
that's a good thing.  WorldCrypt.com is squatted, but WorldCrypt.net is

Why don't we just use CipherShed for now, and move forward?  I think we can
discuss names along the way.
