[liberationtech] TrueCrypt Alternatives?
jancsika at yahoo.com
Fri Oct 3 22:06:41 PDT 2014
Well, to be completely honest I wouldn't use security software with a proprietary GUI myself. But I'm not most people, and it would be better for your business logic to be open source than for the whole thing to be subject to the terms you describe.
On Friday, October 3, 2014 9:07 PM, Greg <greg at kinostudios.com> wrote:
I echo Jonathan's reply to your email.
At the same time, I do feel a certain empathy and understanding of the feeling behind your words. If there was anything in your email that I came closest to agreeing with, it would be this:
You can't have the former without the latter: it's not a sufficient condition, but it's certainly a necessary one.
That idea of "necessary but insufficient" is the strongest argument for letting others look at our code, and it is what drove me to make our source available.
Now, the rest of your email, however, is simply misleading/untrue.
Specifically, this accusation is untrue:
And the reason there is no way to know is that Tao Effect is refusing to freely/openly/completely publish the full source code
Let's break up those slashes.
- "freely": We _are_ making our code available for _free_.
- "openly": We _are not_ making it 100% open.
- "completely": We _are_ making _all_ of our code available.
So let's please keep this discussion honest. Give us our due credit where it is deserved, and throw criticism at us where we deserve it, but always be truthful.
You may also be misunderstanding our NDA. We are not merely copy/pasting legalese boilerplate that we found somewhere. This is our NDA, and it is unique in its terms (at least I haven't seen anything like it).
So, on that:
> And can't be, since you've exempted anyone who doesn't meet your criteria and since anyone who signs
> your NDA is quite clearly no longer independent.
Half-true. Yes, we have exempted anyone who doesn't meet our criteria, and this is because we want to do our best to keep the software in the hands of honest, trustworthy folks, for the sake of everyone who uses our software.
However, those who agree to the NDA do maintain their independence.
The terms _explicitly_ enumerate the following rights:
- You may build and release copies of Espionage using the original and unmodified source code that we send you (and all associated materials). You may not: sell, re-brand, or add anything to the copies that you distribute that was not included in the original materials that we sent you. Additional terms may apply. See full terms in the contract we send you.
- You may publish and document any security vulnerabilities that you find in Espionage as long as you do so in the manner specified in the agreement (see previous terms).
The "previous terms" refer primarily to an embargo of 3 months, the purpose of which is to give us time to fix any problems found in the audit.
That, again, is for the safety of everyone who uses our software.
One final point that you ignored:
As mentioned previously, we are incapable of open sourcing all of the crypto that Espionage uses, because it belongs to Apple.
We _are_ trying to fix that by moving Espionage's architecture away from Apple's sparsebundles, but that is going to take a lot of time and research to do properly, and therefore our time is better spent doing *that*, than on figuring out how to make our code open source while avoiding TrueCrypt's fate.
You want us to stay in business after all, right? We are the folks who dedicate our hours to this program. We are the ones who answer your support emails. We are the ones who implement your feature requests. We are the ones who fix Espionage when things go wrong.
All of that must be paid for. Going 100% open source (say, after we find a replacement for sparsebundles) is a risk not only for us, but to everyone who uses Espionage. There is the very real risk that if we do that in a couple of months or years someone will be posting an email to this list entitled "Espionage Alternatives?"
That is a lose-lose for everyone.
We are taking the Middle Way here: making all of our code available for review, while keeping Espionage alive.
Still, community feedback is valuable to us, so thank you for sharing your perspective. As soon as we see a better idea that works, we will work to implement it.
Kind regards,
Greg Slepak
Please do not email me anything that you are not comfortable also sharing with the NSA.