[ciphershed] Re: Reviewed some of the code

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Thu, 26 Jun 2014 17:24:42 +0800

On Wed, 25 Jun 2014 15:22:45 -0400
Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I had a chance to read through some of the TrueCrypt code.  I read the code
> for the Windows boot loader in the Boot directory.  It looks OK to me.  I was
> fearing much worse!  The audit made it sound like a complete mess, but I
> think it's going to be simple enough to whip into shape.  If we must maintain
> this code, as it sounds like we must for at least a few years, then I
> volunteer to maintain it, or rewrite it if required for license reasons.  It
> looks like we will not be able to avoid the dependency on a 1993 version of
> Microsoft Visual C, but I think we can live with it.  I would also like to be
> involved in a UEFI boot loader, assuming we write one.  We should collaborate
> with the VeraCrypt guy on this, I think, since he sounds fairly knowledgeable
> about it.
> 
> There may be other more qualified people that will join the project who have
> more boot loader experience.  If someone like that does join who would like
> to maintain this code, I would prefer to hand it over.  I'm a lazy developer
> in general :-)  I want to focus on security, but am willing to do this sort
> of work.
> 
> I also looked into code that has any E4M copyright.
> 
> There are 47,602 lines of code derived in part from the E4M code.  The E4M
> license claims copyright 1998-2000 by Paul Le Roux.  SecureStar claims
> ownership of the E4M code now, though Paul Le Roux's license looks like it is
> valid, which is not contradicted yet by SecureStar, though it sounds like
> there is bad blood there.  However, this code is really really old!  It needs
> a rewrite.  It's not so much that Paul Le Roux did a good/bad job.  The
> problem is that a *lot* of this code looks like it dates back as far as 1990!
> GUI APIs and portability have come a long way since then.
> 
> For example, the file Common/Dlgcode.c (9,000 lines long!) is written
> directly to the Windows API.  The code in Common/Crypto.c has a lot of core
> crypto stuff, but the code is highly dated.  We should rewrite it, even
> though it appears to be used cross-platform.  The E4M code mixes Windows GUI,
> and FAT/NTFS along with more generic code that gets linked into the Linux
> version.  Some of this code looks valuable, such as the FAT/NTFS code, but it
> needs to be cleanly isolated from the portable code.  Given the link to E4M,
> I would recommend we remove all of the E4M code from the system.
> 
> Much of this code is duplicated in the Linux version in a cleaner, more
> portable way, so we do not have to rewrite all 46,000 lines to get rid of the
> E4M code.  After that, we still have a *lot* of code to rewrite due to
> migrating to a FOSS (preferably BSD) license.  Mostly it's the wxWindows GUI
> code.  Maybe we could do this in two major rewrites: first eliminate the E4M
> code and have a major release, and then rewrite the rest.  There's also the
> issue of how to rewrite some of the crypto code.  There are well reviewed BSD
> compatible versions for most of the crypto code we need, I think.  As much
> fun as it would be, I'm not sure we need to write any actual encryption code.
> 
> Bill
> 
> I have never been served with any warrant such as an NSL, I have no gag order
> of any kind, and am not under any sort of compulsion related to the
> CipherShed project.  The last CipherShed git commit I have personally
> verified (all the way to the first commit) is
> a03e565835e3ff66774a2a50946dc2290bcbc7d4.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (Cygwin)
> 
> -----END PGP SIGNATURE-----


Must be because you use gmail now. All the last three signatures were
bad. Maybe explicitly send only text, not html.

-- 
Niklas

At the time of writing, no warrants have ever been served to me, Niklas
Lemcke, nor am I under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my
assets.

Attachment: signature.asc
Description: PGP signature
