On Wed, 25 Jun 2014 15:22:45 -0400 Bill Cox <waywardgeek@xxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I had a chance to read through some of the TrueCrypt code. I read the code > for the > Windows boot loader in the Boot directory. It looks OK to me. I was > fearing much worse! > The audit made it sound like a complete mess, but I think it's going to be > simple enough > to whip into shape. If we must maintain this code, as it sounds like we > must for at least > a few years, then I volunteer to maintain it, or rewrite it if required for > license > reasons. It looks like we will not be able to avoid the dependency on a > 1993 version of > Microsoft Visual C, but I think we can live with it. I would also like to > be involved in > a UEFI boot loader, assuming we write one. We should collaborate with the > VeraCrypt guy > on this, I think, since he sounds fairly knowlegable about it. > > There may be other more qualified people that will join the project who > have more boot > loader experience. If someone like that does join who would like to > maintain this code, > I would prefer to hand it over. I'm a lazy developer in general :-) I > want to focus on > security, but am willing to do this sort of work. > > I also looked into code that has any E4M copyright. > > There are 47,602 lines of code derived in part from the E4M code. The E4M > license claims > copyright 1998-2000 by Paul Le Roux. SecureStar claims ownership of the > E4M code now, > though Paul Le Roux's license looks like it is valid, which is not > contraticted yet by > SecureStar, though it sounds like there is bad blood there. However, this > code is really > really old! It needs a rewrite. It's not so much that Paul Le Roux did a > good/bad job. > The problem is that a *lot* of this code looks like it dates back as far as > 1990! GUI > APIs and portability have come a long way since then. > > For example, the file Common/Dlgcode.c (9,000 lines long!) is written > directly to the > Windows API. The code is Common/Crypto.c has a lot of core crypto stuff, > but the code is > highly dated. We should rewrite it, even though it appears to be used > cross-platform. > The E4M code mixes Windows GUI, and FAT/NTFS along with more generic code > that gets linked > into the Linux version. Some of this code looks valuable, such as the > FAT/NTFS code, but > it needs to be cleanly isolated from the portable code. Given the link to > E4M, I would > recommend we remove all of the E4M code from the system. > > Much of this code is duplicated in the Linux version in a cleaner, more > portable way, so > we do not have to rewrite all 46,000 lines to get rid of the E4M code. > After that, we > still have a *lot* of code to rewrite due to migrating to a FOSS > (preferably BSD) license. > Mostly it's the wxWindows GUI code. Maybe we could do this in two major > rewrites: first > eliminate the E4M code and have a major release, and then rewrite the > rest. There's also > the issue of how to rewrite some of the crypto code. There are well > reviewed BSD > compatible versions for most of the crypto code we need, I think. As much > fun as it would > be, I'm not sure we need to write any actual encryption code. > > Bill > > I have never been served with any warrant such as an NSL, I have no gag > order of any kind, > and am not under any sort of compulsion related to the CipherShed project. > The last > CipherShed git commit I have personally verified (all the way to the first > commit) is > a03e565835e3ff66774a2a50946dc2290bcbc7d4. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (Cygwin) > > iQIcBAEBAgAGBQJTqyDwAAoJEL9an3rWhBk+vs0P/jWobuuJrEmVP9I0Tjgjf6bC > C8UYuc8rTLxIqrV2H9sT+Cc2Zu70gq37LqB7QKQQmIV1NgNlLhn0/j6/JUu7nEMr > 92+MnMo5xJ77r0TZ2fefAHALIASyy9iZa8VGgQ3w2EDqzbepb9ScjLiKBLSO6jgL > Loy8oLyqpbCKrJShRrjRA1TNQpL4W3M0fo93LtGXSX+n4DW8udE9e3B6YhqS9OeY > OJUhtV0jwx/g/P4RP4uN6Udox0D3JNgrWRo+4SS5eYQBJq1G02V7k4y/+DySVXkT > DCjs7qEuKJ6/xGvOOYIcba1JhTS7wareG/vfN6wZn4PQTABLwhBDgnSDIMhdM/KJ > MUdbirJXl1COgMCMSvnGGHI4ztVBLlxstz2T7pUCEcJbPCFDeKtatIFa1zLetMjF > edJyGpg5wVdYWxfuUPWO+V3vDriI3EUPjyuXpQFnOsb9tYpV1QB7E5GoGXMpAUvq > eJinZZ7PfyJ1hHd0z8CrAW1j23f35C1wDsyOmouNEKaqouUUJ7mF8hezWAG1ZkMQ > RyybZuidiFMNZ5ycFYZiEoO/1UARfZPJ9V7p3q7mqZqOPTFhBBqAuWrfY+Bfiyel > UkvF7KGBuxZvk70Cqk9YVvDsXvItdaGjPTLzZfgWbBfcG7ndjv7MGMObRVOSbTwL > J/kWduE1H5MNaJvsge5h > =qq8G > -----END PGP SIGNATURE----- Must be because you use gmail now. All the last three signatures were bad. Maybe explicitly send only text, not html. -- Niklas At the time of writing, no warrants have ever been served to me, Niklas Lemcke, nor am I under any personal legal compulsion concerning the CipherShed project. I do not know of any searches or seizures of my assets.
Description: PGP signature