[ciphershed] Re: Reviewed some of the code

  • From: Niklas Lemcke - 林樂寬 <compul@xxxxxxxxxxxxxx>
  • To: ciphershed@xxxxxxxxxxxxx
  • Date: Thu, 26 Jun 2014 17:24:42 +0800

On Wed, 25 Jun 2014 15:22:45 -0400
Bill Cox <waywardgeek@xxxxxxxxx> wrote:

> Hash: SHA1
> I had a chance to read through some of the TrueCrypt code. I read the
> code for the Windows boot loader in the Boot directory. It looks OK to
> me. I was fearing much worse! The audit made it sound like a complete
> mess, but I think it's going to be simple enough to whip into shape. If
> we must maintain this code, as it sounds like we must for at least a few
> years, then I volunteer to maintain it, or rewrite it if required for
> license reasons. It looks like we will not be able to avoid the
> dependency on a 1993 version of Microsoft Visual C, but I think we can
> live with it. I would also like to be involved in a UEFI boot loader,
> assuming we write one. We should collaborate with the VeraCrypt guy on
> this, I think, since he sounds fairly knowledgeable about it.
> There may be other more qualified people that will join the project who
> have more boot loader experience. If someone like that does join who
> would like to maintain this code, I would prefer to hand it over. I'm a
> lazy developer in general :-) I want to focus on security, but am
> willing to do this sort of work.
> I also looked into code that has any E4M copyright.
> There are 47,602 lines of code derived in part from the E4M code. The
> E4M license claims copyright 1998-2000 by Paul Le Roux. SecureStar
> claims ownership of the E4M code now, though Paul Le Roux's license
> looks like it is valid, which is not contradicted yet by SecureStar,
> though it sounds like there is bad blood there. However, this code is
> really really old! It needs a rewrite. It's not so much that Paul Le
> Roux did a good/bad job. The problem is that a *lot* of this code looks
> like it dates back as far as 1990! GUI APIs and portability have come a
> long way since then.
> For example, the file Common/Dlgcode.c (9,000 lines long!) is written
> directly to the Windows API. The code in Common/Crypto.c has a lot of
> core crypto stuff, but the code is highly dated. We should rewrite it,
> even though it appears to be used cross-platform.
> The E4M code mixes Windows GUI, and FAT/NTFS along with more generic
> code that gets linked into the Linux version. Some of this code looks
> valuable, such as the FAT/NTFS code, but it needs to be cleanly isolated
> from the portable code. Given the link to E4M, I would recommend we
> remove all of the E4M code from the system.
> Much of this code is duplicated in the Linux version in a cleaner, more
> portable way, so we do not have to rewrite all 46,000 lines to get rid
> of the E4M code. After that, we still have a *lot* of code to rewrite
> due to migrating to a FOSS (preferably BSD) license. Mostly it's the
> wxWindows GUI code. Maybe we could do this in two major rewrites: first
> eliminate the E4M code and have a major release, and then rewrite the
> rest. There's also the issue of how to rewrite some of the crypto code.
> There are well reviewed BSD compatible versions for most of the crypto
> code we need, I think. As much fun as it would be, I'm not sure we need
> to write any actual encryption code.
> Bill
> I have never been served with any warrant such as an NSL, I have no gag
> order of any kind, and am not under any sort of compulsion related to
> the CipherShed project. The last CipherShed git commit I have personally
> verified (all the way to the first commit) is
> a03e565835e3ff66774a2a50946dc2290bcbc7d4.
> Version: GnuPG v1.4.13 (Cygwin)

Must be because you use gmail now. All the last three signatures were
bad. Maybe explicitly send only text, not html.


At the time of writing, no warrants have ever been served to me, Niklas
Lemcke, nor am I under any personal legal compulsion concerning the
CipherShed project. I do not know of any searches or seizures of my

Attachment: signature.asc
Description: PGP signature
