Discussion:
Will TrueCrypt go commercial?
Guest
2008-01-18 23:17:44 UTC
A thought occurred to me....

Will TrueCrypt go commercial?

There hasn't been any news since somebody in here noticed that they were
planning to release TC 5 in January with pre-boot authentication.

The forum has been down, claiming a technical issue. But technical issues
rarely take a full month to resolve.

I was thinking that maybe they are lying low, staying nice & quiet until
some sort of financing or business deal of some sort is arranged. And then
come out with the brand new closed source v5 at a $$$ price.

I've had a few other encounters over the years of open projects (of various
types) suddenly going closed source & commercial with the release of a new
version, and I've been wondering if they might be thinking of doing that.

Anybody know anything?


The current TrueCrypt is open source, and that can't be changed
retroactively. But since they do own the source, they can change the
licensing at any time.

The encryption community has had a few cases of that happening....
Scramdisk, e4m, PGP, just to name 3 that are relevant to this forum.


Now, maybe they really are having technical problems. Or maybe they have
just shut the forum down so they won't be flooded with questions about when
TC 5 will be released.

I don't know....

Anybody have any ideas?
John Wunderlich
2008-01-19 05:29:56 UTC
Post by Guest
A thought occurred to me....
Will TrueCrypt go commercial?
There hasn't been any news since somebody in here noticed that
they were planning to release TC 5 in January with pre-boot
authentication.
The forum has been down, claiming a technical issue. But
technical issues rarely take a full month to resolve.
I was thinking that maybe they are lying low, staying nice &
quiet until some sort of financing or business deal of some sort
is arranged. And then come out with the brand new closed source
v5 at a $$$ price.
I've had a few other encounters over the years of open projects
(of various types) suddenly going closed source & commercial with
the release of a new version, and I've been wondering if they
might be thinking of doing that.
Anybody know anything?
The current TrueCrypt is open source, and that can't be changed
retroactively. But since they do own the source, they can change
the licensing at any time.
The encryption community has had a few cases of that happening....
Scramdisk, e4m, PGP, just to name 3 that are relevant to this
forum.
Now, maybe they really are having technical problems. Or maybe
they have just shut the forum down so they won't be flooded with
questions about when TC 5 will be released.
I don't know....
Anybody have any ideas?
I think you're reading *way* too much into this.

When in doubt, look in the FAQ:

<http://www.truecrypt.org/faq.php>

Q: Will TrueCrypt be open-source and free forever?

A: Yes, it will. We will never create a commercial version of
TrueCrypt, as we believe in open-source and free security software.


HTH,
John
Guest
2008-01-19 15:24:37 UTC
Post by John Wunderlich
I think you're reading *way* too much into this.
Quite possibly. That's basically why I posted the question.

I was hoping somebody in here had some actual knowledge of what was going
on.
Post by John Wunderlich
<http://www.truecrypt.org/faq.php>
Q: Will TrueCrypt be open-source and free forever?
A: Yes, it will. We will never create a commercial version of
TrueCrypt, as we believe in open-source and free security software.
ROFL!

Do you have *ANY* idea how many open source projects (encryption and others)
have said similar things.

Scramdisk, E4M and PGP(disk) were done with people who originally had
similar beliefs. And how many of them have current versions that are still
open source and free for personal / noncommercial use?

Scramdisk went from full open source to partially commercial (with the NT
version) and then was abandoned in favor of full commercial. (Then
TrueCrypt came along and they planned to release an open source version.
That never happened and they took that web page announcement down.)

The owners of E4M attempted to *retroactively* revoke its open source status
in favor of commercial.

PGP & PGPDisk went from fully open source and free to mostly closed source
and free for personal use, to barely open source and not free for any
reason.

Times change. People change. And sometimes decisions change.
Martin Heidegger
2008-01-19 18:22:44 UTC
Yes, I'm under the impression (though I don't remember for sure) that
they've shut down the forum in the past before a release of any
importance. They're probably still testing the release.
Post by John Wunderlich
Post by Guest
A thought occurred to me....
Will TrueCrypt go commercial?
There hasn't been any news since somebody in here noticed that
they were planning to release TC 5 in January with pre-boot
authentication.
The forum has been down, claiming a technical issue. But
technical issues rarely take a full month to resolve.
I was thinking that maybe they are lying low, staying nice &
quiet until some sort of financing or business deal of some sort
is arranged. And then come out with the brand new closed source
v5 at a $$$ price.
I've had a few other encounters over the years of open projects
(of various types) suddenly going closed source & commercial with
the release of a new version, and I've been wondering if they
might be thinking of doing that.
Anybody know anything?
The current TrueCrypt is open source, and that can't be changed
retroactively. But since they do own the source, they can change
the licensing at any time.
The encryption community has had a few cases of that happening....
Scramdisk, e4m, PGP, just to name 3 that are relevant to this
forum.
Now, maybe they really are having technical problems. Or maybe
they have just shut the forum down so they won't be flooded with
questions about when TC 5 will be released.
I don't know....
Anybody have any ideas?
I think you're reading *way* too much into this.
<http://www.truecrypt.org/faq.php>
Q: Will TrueCrypt be open-source and free forever?
A: Yes, it will. We will never create a commercial version of
TrueCrypt, as we believe in open-source and free security software.
HTH,
John
gb63
2008-01-19 23:39:25 UTC
On Sat, 19 Jan 2008 18:22:44 -0000, Martin Heidegger
Post by Martin Heidegger
Yes, I'm under the impression (though I don't remember for sure) that
they've shut down the forum in the past before a release of any
importance. They're probably still testing the release.
Correct.
Please join in testing 5.0 soon.
Guest
2008-01-20 15:21:07 UTC
Post by Martin Heidegger
Yes, I'm under the impression (though I don't remember for sure) that
they've shut down the forum in the past before a release of any
importance. They're probably still testing the release.
I don't know if they did that before or not, but that was one of the
possibilities I thought of and was hoping for.

Thanks.
gb63
2008-01-19 23:17:55 UTC
Post by Guest
A thought occurred to me....
Will TrueCrypt go commercial?
Guest...
Please be patient. Although the best things in life may be free,
sometimes Best takes longer... :)

TrueCrypt will remain Free.
You will see.
( That rhymes...am I a poet, and didn't know it? )
Guest
2008-01-20 15:23:57 UTC
Post by gb63
Post by Guest
A thought occurred to me....
Will TrueCrypt go commercial?
Guest...
Please be patient. Although the best things in life may be free,
sometimes Best takes longer... :)
TrueCrypt will remain Free.
You will see.
( That rhymes...am I a poet, and didn't know it? )
(grin)

That's good to hear.

Considering the past history of free disk encryption software, and the
upcoming features in TC5, when that thought popped into my head a few days
ago I started to get a little worried.
SafeBoot Simon
2008-01-21 02:22:25 UTC
Post by Guest
Post by gb63
A thought occurred to me....
Will TrueCrypt go commercial?
Guest...
Please be patient. Although the best things in life may be free,
sometimes Best takes longer... :)
TrueCrypt will remain Free.
You will see.
( That rhymes...am I a poet, and didn't know it? )
(grin)
That's good to hear.
Considering the past history of free disk encryption software, and the
upcoming features in TC5, when that thought popped into my head a few days
ago I started to get a little worried.
I'm not sure why people object so much to paying for quality
software...
Guest
2008-01-21 03:41:30 UTC
Post by SafeBoot Simon
I'm not sure why people object so much to paying for quality
software...
It's not so much paying for quality software, it's free software suddenly
becoming not free. (And it kind of hurts when you help a free product get
better, help users with that free product, etc., and then all of a sudden,
you get slapped in the face when the product is no longer free and the
entire environment changes. Admittedly I have not participated in TrueCrypt
forums in a couple years. But in that time I've used TrueCrypt very little,
too. It's only with my new laptop that I'm starting to reconsider partition
encryption.)

And, of course, it's hard to actually find quality software that is truly
worth the price. Been a long time since I bought a program that actually
did what it said and worked as reliably as it should. You are a lot more
tolerant of quirks and bugs in a free program than you are one you paid good
money for.

And that when you do pay for quality software, you expect a certain level of
support, beyond just a forum, which is what most free software normally
gives (along with many not-so-great commercial products, for that matter.)


And, of course, if you are going to pay for full bootable disk encryption
software, which would you rather choose... a brand new product with no track
record (TrueCrypt v5) or a product that has a proven history (such as PGP,
SafeBoot, DriveCrypt, and Microsoft's own Bitlocker.)


And speaking of SafeBoot, that's another point... Another reason I was
wondering if TrueCrypt was going commercial. McAfee paid $350,000,000 for
Safeboot just a couple months ago. How much do you think Symantec or CA
might want to pay for a full boot disk encryption package that works on
both Windows and Linux? After all, now that McAfee has it, they have to
compete too.

Probably not that much (since many people feel McAfee way overpaid), but it
would still be enough that the authors of TrueCrypt, and their children and
their grandchildren, would never have to work a day in their life. Could
*you* turn down $50 million cash?

(Of course, that opens up the subject... just how much is full boot disk
encryption actually worth? Some people are estimating another two to three
years before 3rd party software based disk encryption becomes unneeded.
Between hardware encryption in drives, and possibly even Microsoft offering
a simple bolt-on addition of BitLocker for all versions of Vista, it's a
diminishing market. But it is still a big market for a few years, and
probably still worth some company offering a few million for full boot disk
encryption software.)
SafeBoot Simon
2008-01-22 02:27:08 UTC
Some interesting arguments, especially around the validity of
SafeBoot's $350m valuation. Don't forget the value of a company is a
function of its assets and revenue generation potential. With
SafeBoot, as a commercial organisation that's pretty easy to work out.
We have people, IP, stock of stuff, M&S contracts etc, and a well
defined historical revenue stream and predictions for the future. Some
public companies on the stock market are valued at only a small
percentage above their annual revenues, 1.5x for example, others are
valued at much higher multiples because the market believes their long
term potential for growth is much higher. Seeing as the data security
market is growing at around 35% a year, it's not difficult to assign a
higher multiple for companies in that field than those in a much
slower growing market. Time will tell whether McAfee paid more than
the results warranted, but you can be sure that they didn't enter into
the contract lightly. As a buyer they wanted to get as much as
possible for their money.
Guest
2008-01-22 16:42:19 UTC
Post by SafeBoot Simon
Some interesting arguments, especially around the validity of
SafeBoot's $350m valuation. Don't forget the value of a company is a
Analysts are saying that Safeboot wasn't worth that. All assets,
reputation, the whole works. I'm not an analyst and I don't know the
numbers, but they looked at all of that, and then came to the conclusion
that McAfee paid a lot more than what it was actually worth, especially
considering the limited time frame that 3rd party software based disk
encryption is likely to have, and that Microsoft could scuttle much of that
incredibly easily just by releasing BitLocker as a free add-on for Vista
Home Premium & above.

If the lifespan is 5 years, then McAfee will have to make $70 million a year
from it just to break even. The question is, can they make it last 5 years?

Safeboot's real advantage is that it is an existing, well known product that
works with XP. No hardware or OS upgrade needed. As businesses slowly move
to Vista, I think that will decline in importance. The question is how fast
businesses will move to Vista and will Microsoft respond to that change.

I've never used Safeboot personally. But I know a few people who used it on
their company laptops. It worked okay for them, but of course the real test
is the quality of the recovery tools when the encryption screws up or
prevents you from repairing the OS. That I don't know anything about.

Speaking of which, I read just a few minutes ago that McAfee has released
their "Total Protection for Data" package based on Safeboot.

I wonder when Symantec & CA & the others are going to come out with
something similar. Anybody want to make bets that somebody is thinking of
buying or making a partnership with PGP....


You know, with more laptops being lost regularly with critical government
data etc., Microsoft is really in a pretty good position. They could bring
BitLocker down to HomePremium (which most laptops are going to have), and
pitch the whole thing to governments and businesses....

"Buy a brand new laptop with safe & secure Vista, that includes integrated
drive encryption for all your important data. No need to trust your
critical data to some bolt-on product, when you can get Vista that has it
integrated for security! Etc. Etc. etc."

Not only do they get a sale of Vista, they'd get their encryption into the
business environment. Which means the company is likely to stay with
Microsoft servers, Microsoft infrastructure, and do OS upgrades that the
company may not have actually been planning to do for a few more years.

And, all those people & businesses that have been waiting for Vista SP1,
will only have to wait a little longer....

A lot of potential there. And it all hinges on whether or not Microsoft
would be willing to put BitLocker on Vista Home Premium. BitLocker was
originally just for enterprises. But they did acknowledge that there was
more demand (including home use) than they originally planned for.

I doubt Microsoft will be doing BitLocker for Vista Home Premium. They
might, considering they just made changes in the licenses that let companies
virtualize Home Basic & Home Premium. But I doubt it.

Interesting possibility there...
Post by SafeBoot Simon
function of its assets and revenue generation potential. With
SafeBoot, as a commercial organisation that's pretty easy to work out.
We have people, IP, stock of stuff, M&S contracts etc, and a well
defined historical revenue stream and predictions for the future. Some
public companies on the stock market are valued at only a small
percentage above their annual revenues, 1.5x for example, others are
valued at much higher multiples because the market believes their long
term potential for growth is much higher. Seeing as the data security
market is growing at around 35% a year, it's not difficult to assign a
higher multiple for companies in that field than those in a much
slower growing market. Time will tell whether McAfee paid more than
the results warranted, but you can be sure that they didn't enter into
the contract lightly. As a buyer they wanted to get as much as
possible for their money.
It wouldn't be the first time that McAfee (or some other company) overpaid
for a product.

Just look at AMD's purchase of ATI....(grin) It's only been a year and they
are already doing a massive write down of value on it.
SafeBoot Simon
2008-01-24 00:08:25 UTC
Post by Guest
Analysts are saying that Safeboot wasn't worth that. All assets,
reputation, the whole works. I'm not an analyst and I don't know the
numbers, but they looked at all of that, and then came to the conclusion
that McAfee paid a lot more than what it was actually worth, especially
considering the limited time frame that 3rd party software based disk
I think only one said that, other analysts actually applauded McAfee
and raised the earnings expectation. As you say though, everyone has
their own opinion. In a year we'll know who was right.
Post by Guest
encryption is likely to have, and that Microsoft could scuttle much of that
incredibly easily just by releasing BitLocker as a free add-on for Vista
Home Premium & above.
That doesn't actually solve the issue though - The problem with
Bitlocker (in my opinion) is not its crypto - that's great! It's the
fact that it's single user and only supports FN key login. Products
like SafeBoot support thousands of users and central management. The
race is won not on the strength of the crypto (it's all the same), but
on the deployment and management. Same argument with encrypted hard
disks - enterprise customers still need to go and buy third-party
management tools for them.
Post by Guest
If the lifespan is 5 years, then McAfee will have to make $70 million a year
from it just to break even. The question is, can they make it last 5 years?
Don't forget, SafeBoot has a whole range of products beyond full disk
encryption....
Post by Guest
It wouldn't be the first time that McAfee (or some other company) overpaid
for a product.
true, but on average, aren't most acquisitions net positive? If they
were not, more companies would go out of business than grow in size.
Post by Guest
Just look at AMD's purchase of ATI....(grin) It's only been a year and they
are already doing a massive write down of value on it.
again true. Unlucky for some. EMC bought VMWare though and look how
successful that was.
SafeBoot Simon
2008-01-24 00:12:31 UTC
I just wanted to clarify my thoughts here - I'm not saying SafeBoot
was or was not worth $350m, I was simply pointing out that a company
with a sales pipeline and proven track record is worth something based
on multiples of that, whereas associating a value for TrueCrypt is
much harder - how do you assign a value on a product with no
recognizable revenue? Going commercial from a non-commercial position
is very difficult unless you have some real groundbreaking technology,
some enforceable IP rights, or a huge customer base (like Skype for
example). With the greatest respect for the hard work the TrueCrypt
team does, I don't see that any really apply?
Guest
2008-01-24 04:45:39 UTC
Post by SafeBoot Simon
I just wanted to clarify my thoughts here - I'm not saying SafeBoot
was or was not worth $350m, I was simply pointing out that a company
Understood.
Post by SafeBoot Simon
with a sales pipeline and proven track record is worth something based
on multiples of that, whereas associating a value for TrueCrypt is
much harder - how do you assign a value on a product with no
recognizable revenue? Going commercial from a non-commercial position
That is definitely a problem. Of course, it hasn't exactly stopped a lot of
dot-com companies from starting up and then selling out.

However TrueCrypt does have two things really going for it... First that
it's been in use for several years and its core is pretty solid. Second is
that since it is / was open source, the code has been examined by people and
hopefully any major security issues have already been found.

The critical bugs have been worked out.

And for a company that needs a fairly quick response to McAfee, that can be
worth at least a few million dollars, just simply for 'quicker to market'.
Post by SafeBoot Simon
is very difficult unless you have some real groundbreaking technology,
some enforceable IP rights, or a huge customer base (like Skype for
example). With the greatest respect for the hard work the TrueCrypt
team does, I don't see that any really apply?
They might try it. Who knows. After all, with so many governments &
organizations & companies starting to *require* disk encryption, there are a
lot of new customers looking for any solution they can find.

Even if every laptop uses the same identical password (making management
easier), then at least a thief stealing the laptop at a bar or from a taxi
isn't going to know that password and be able to get into it. A solution
like that isn't good for a large organization, but for a company with only a
few dozen laptops out in the field, such a solution would work.

And even if it's a little ineffective, saying that it was encrypted helps
shield them from potential lawsuits.

However, the bigger thing isn't so much them going commercial, and trying to
make it on their own but instead either being bought out right or forming a
commercial partnership with somebody and expand their fairly solid code base
into something more suitable for businesses.

In other words, somebody comes along, talks the authors into stopping TrueCrypt
at the current version and to take their code private, and then expand on
that to make a custom commercial product. Like going to v5 and adding boot
disk encryption...

That way the company doesn't have to write their own and start out with a
fragile v1.0 product. A v1.0 product is definitely not a strong selling
point for a commercial security product! With TC as a core, they could say
it had a 4 year history, which sounds a little better.


But it doesn't look like TC is going private or commercial, so... (shrug)
Carsten Krueger
2008-01-25 18:59:58 UTC
First that it's been in use for several years and its core is pretty solid.
I think for PBA there is a plenty of new code.
Second is that since it is / was open source, the code has been examined by people and
The assumption is not valid. The source is not automatically read by other
people only because it's open, and subtle crypto bugs are hard to find.
And for a company that needs a fairly quick response to McAfee, that can be
worth at least a few million dollars, just simply for 'quicker to market'.
Truecrypt is not useful for corporate use, no management at all.
You can't implement this overnight.

Regards, Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Real names are not mandatory
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/
Guest
2008-01-25 21:36:37 UTC
Post by Carsten Krueger
First that it's been in use for several years and its core is pretty solid.
I think for PBA there is a plenty of new code.
That is correct.

But I was talking about TrueCrypt's core in general.

Once PBA is done, TC will continue to operate much like it currently does
with partition encryption. The only difference will be the partition will
be C: instead of D:

Only the PBA itself is different. And even the core encryption routines of
that will likely be lifted directly from existing TC code.
Post by Carsten Krueger
Second is that since it is / was open source, the code has been examined by people and
The assumption is not valid. The source is not automatically read by other
people only because it's open, and subtle crypto bugs are hard to find.
I didn't say it had been read by millions of people.

But it has definitely been at least browsed by people other than the original
authors. That's guaranteed because even in here there are people who have
at least looked at it somewhat. (Not me. I don't know enough about
cryptography.)

But based on what's been said in here, and in the TC forums, yes, I'm
willing to say 100% that people other than the authors have looked at the
code to see if they are making any obvious errors or writing cruddy code or
trying to pull any obvious scam.

And the more eyes (even non-security experts) that see the code, the less
likely there are to be any obvious errors or backdoors.

And sure subtle bugs are hard to find. I never said nor suggested
otherwise. As a programmer myself, I'm darn well aware of that.

But open source encryption & security isn't about subtle bugs. It's about
obvious errors and looking to see if the authors are pulling a scam on you
and their encryption is little more than XOR, and so on.
Post by Carsten Krueger
And for a company that needs a fairly quick response to McAfee, that can be
worth at least a few million dollars, just simply for 'quicker to market'.
Truecrypt is not useful for corporate use, no management at all.
You can't implement this overnight.
I'm pretty sure I did say it wasn't suitable for the whole thing. But it
is a working starting point.

And nobody said 'overnight'. A few months would be more reasonable. (Let's
see... McAfee bought Safeboot a few months ago, TC's forum has been down
more than a month... If a company had actually approached the TC authors a
month ago, they could work full time for say, 6 months and still have a
product out before summer.)

However, even that wouldn't entirely be needed because a bit of good
marketing could do quite a bit with the strengths that TC does have. Like
reliable volume & partition encryption with several years of history behind
it.

And there is still a big market for *other* than corporate use with
thousands of laptops. Small & medium businesses need encryption too. They
deal with credit cards & sensitive data too.

I even mentioned a simple, realistic case where a small company has a few
dozen laptops and they use the same encryption password on all of them. Not
great for internal security, but enough to cover their legal asses in case
of a lost or stolen laptop.

Even a small company or family businesses could easily face millions of
dollars of legal responsibilities & lawsuits but yet could avoid that with a
product such as TrueCrypt provided it was supported by reputable company.
(Tech support, reputation, etc. etc. versus free open source product.)
Carsten Krueger
2008-01-25 22:38:54 UTC
Post by Guest
Once PBA is done,
This "once" is huge.

Look at the source code of PGP Wholedisk (you can download it for free).
Post by Guest
But it has definitely been at least browsed by people other than the original
authors. That's guaranteed because even in here there are people who have
at least looked at it somewhat. (Not me. I don't know enough about
cryptography.)
Do they look at the source or at the documentation? Truecrypt Userguide is
good.
Post by Guest
more than month... If a company had actually approached the TC authors a
month ago, they could work full time for say, 6 months and still have a
product out before summer.)
You need time to look at the concurrent products and decide which feature
is to copy and what not.
Post by Guest
Small & medium businesses need encryption too.
Every *business* (more than 5 PCs) needs reliable and central management of
keys, password recovery, etc.
Post by Guest
I even mentioned a simple, realistic case where a small company has a few
dozen laptops and they use the same encryption password on all of them.
That is idiotic, one leak would compromise the whole company.
How would you change the password?
...

greetings
Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Real names are not mandatory
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/
Guest
2008-01-26 01:10:22 UTC
Post by Carsten Krueger
Post by Guest
Once PBA is done,
This "once" is huge.
Look at the source code of PGP Wholedisk (you can download it for free).
Yes, I know it is. That's one of the reasons why the TC people resisted
doing this kind of stuff for so long.

I do know the basics of what needs to be done, even if I don't know the low
level details to be able to do something like that myself.

I never said the PBA part wasn't huge. Or easy to write.

In the part of the message you are replying to but aren't quoting now, I had
said that the core encryption routines in TC were solid because they've been
in use for years. (And that that was valuable to potential buyers.) You
said that PBA would result in a lot of new code. I said that was correct.
And that once the preboot stuff was done, TC would be much like it is now,
still using much of that same solid, dependable code. And that even some of
the PBA would be using the same core encryption code.

Nobody said it was small or anything else.
Post by Carsten Krueger
Post by Guest
But it has definitely been at least browsed by people other than the original
authors. That's guaranteed because even in here there are people who have
at least looked at it somewhat. (Not me. I don't know enough about
cryptography.)
Do they look at the source or at the documentation? Truecrypt Userguide is
good.
I think it would be reasonably safe to assume that anybody examining the
source for backdoors or weak encryption would probably also read the
documentation. And that they would not stop at just reading the
documentation but not the source.

Not that reading the docs would really do much good since there is nothing
to stop a dishonest author from putting a backdoor into the code but yet not
document it in the public documentation....

So what is your point?
Post by Carsten Krueger
Post by Guest
more than month... If a company had actually approached the TC authors a
month ago, they could work full time for say, 6 months and still have a
product out before summer.)
You need time to look at the concurrent products and decide which feature
is to copy and what not.
I think it's likely that a lot of people are already familiar with those
types of products and could come up with a reasonable feature list for a
product that would at least "get them in the game" in a reasonable time
frame.

Really... don't you think that there are people in Symantec or CA or some
such that are already very familiar with SafeBoot, TrueCrypt, PGP, and so
on?

Even if they weren't, they could buy the products and see what McAfee bought
and figure something out. It's not like doing a bit of research would
actually take them years...
Post by Carsten Krueger
Post by Guest
Small & medium businesses need encryption too.
Every *business* (more than 5 PCs) needs reliable and central management of
keys, password recovery, etc.
You don't know much about small businesses, do you?

Here's the "reliable central management of keys & passwords"....
Everybody's password is their first initial followed by their last name.
That all gets written up and stuck on a post-it note in the boss's office.

If somebody is fairly smart about security, and can convince the employees
to do this, they may stick on a few random numbers after the password, or even
let the user pick their own (provided they can't change it later without
telling anybody.) (And if they are *really* smart, they'll occasionally
look at the laptop, including the underside, to make sure the user didn't
write the password on a piece of tape and stick it there.)

Honestly, small businesses are not the same as big corporations. Things are
done differently.

And the goal isn't to keep other employees out of the data, but to make sure
that if a laptop gets lost or stolen, the strangers trying to sell the
laptop aren't going to be able to get to the data.

Small businesses don't have an IT department. They may not have a central
server. They may not even have a data backup plan! Backups are just done
whenever (if) they think about it and it involves burning a few disks and
sticking them in the filing cabinet.

If there is a problem with the computers or something, they push a few
buttons and hope that works, and then they call the office supply people who
sold them the systems.
Post by Carsten Krueger
Post by Guest
I even mentioned a simple, realistic case where a small company has a few
dozen laptops and they use the same encryption password on all of them.
That is idiotic, one leak would compromise the whole company.
How would you change the password?
Welcome to the real world.

Again, you are forgetting... The goal is not always to protect data from
insiders, but to protect data from complete strangers who are stealing the
laptop and trying to sell it on ebay.

It's a different goal.

(As for changing the password... you don't.... Why would you possibly want
to change it? At least that would be their reaction. If you do want to
actually change it... well, there are only a few employees with a few
laptops.... Not exactly that hard to go to each one and do it manually.)


I agree, the same password isn't a good idea. I'm not suggesting that it
is. It's about like somebody using the password "password" (Oh wait...
people do that!.... Get my point? They also write down the desktop
password and stick it on a post-it on their monitor. That's the real
world.)

But I am saying that such a scenario is realistic for a small business. Or
just doing the person's name. Or some other easy pattern. Something
insiders will know but outsiders wont.

Different size businesses have different needs. Sometimes it's whole worlds
apart.


For small businesses, if they can go to Walmart or OfficeMax or Joe's
OfficeSupply and pick up a product from Symantec that provides a firewall
and antivirus and encrypts their data, then they just may do that.

These small businesses hear about all the risks involved, and they see this
product in the store and it's a name they recognise, so they buy it...

It wont be full enterprise class stuff. But not everybody needs that level.

The smarter people will know a bit more about this stuff, of course, but
again, the product is there, it's from a vendor they trust (Symantec,
McAfee, etc. etc.), so they buy it so they won't be risking their customers'
credit card details, or their employee data, etc..


If Symantec or CA or somebody else bought TrueCrypt, they could enter the
encryption market fairly quickly, and then build up to a much more robust
product. Buying TrueCrypt would "get them in the game" quickly.

Then they add on and build it up into a small-medium size business class
program. For those with a server and an IT guy on site or at least not too
far away.

That's why I was wondering if TC was going commercial. It's not enterprise
level, but it could fairly quickly become a small business class product and
then progress to a small to medium business level, and then work upwards.
Carsten Krueger
2008-01-28 12:39:26 UTC
Post by Guest
in use for years. (And that that was valuable to potential buyers.) You
said that PBA would result in a lot of new code.
Small part crypto, huge part PBA.
Post by Guest
And that they would not stop at just reading the
documentation but not the source.
General problems like CBC vs LRW or no good IV can be found in the docs.
No need to read a line of code.
Post by Guest
So what is your point?
It's not proven that experts read the source and until then open source
crypto is not better than closed source.
Post by Guest
Really... don't you think that there are people in Symantec or CA or some
such that are already very familiar with SafeBoot, TrueCrypt, PGP, and so
on?
Maybe, but installing a product and knowing what is useful is not the same.
Post by Guest
Here's the "reliable central management of keys & passwords"....
Everybody's password is their first initial followed by their last name.
That all gets written up and stuck on a post-it note in the boss's office.
That company does not use encryption.
Post by Guest
Small businesses don't have an IT department. They may not have a central
server. They may not even have a data backup plan!
Such companies don't care about security at all. They would never install
crypto.

If you try to deploy crypto (email, hdd encryption, etc.) to a company you
realise that you need central management. It's no big difference if the
company has 10 or 100 people and you need an IT person/department.
Post by Guest
That's why I was wondering if TC was going commercial. It's not enterprise
level, but it could fairly quickly become a small business class product and
then progress to a small to medium business level, and then work upwards.
In my opinion small business class crypto doesn't exist.

greetings
Carsten
--
ID = 0x2BFBF5D8 FP = 53CA 1609 B00A D2DB A066 314C 6493 69AB 2BFB F5D8
http://www.realname-diskussion.info - Realnames sind keine Pflicht
http://www.spamgourmet.com/ + http://www.temporaryinbox.com/ - Antispam
cakruege (at) gmail (dot) com | http://www.geocities.com/mungfaq/
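Carsten's "CBC vs LRW or no good IV" is the one purely technical point in this exchange, and it is worth seeing concretely. The following Python is an added example written for this page; it is not code from the thread, from TrueCrypt, or from any product named here. It shows the watermarking problem with plain CBC when the per-sector IV is just the (predictable) sector number, and the ESSIV fix (IV = E_{H(K)}(sector number), as used by dm-crypt). LRW and later XTS, which TrueCrypt moved to, avoid the problem by a different route (a per-block tweak) and are not shown. Assumptions: the 128-bit "block cipher" is a 4-round Feistel stand-in built from HMAC-SHA256 so the example runs with the standard library only; the 512-byte sector size, the demo key and the marker value are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16      # 128-bit blocks, the width of AES and of the stand-in below
SECTOR = 512    # disk sector size used for the demonstration (assumption)

# Constructed demo key; any 32-byte value works.
DEMO_KEY = bytes(range(32))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed HMAC-SHA256 truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network with an HMAC
    round function. It is a keyed permutation, which is all the mode-level
    argument below needs; it is NOT a real cipher and is used only to avoid
    a third-party AES dependency (assumption, not TrueCrypt code)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def cbc_encrypt_sector(key: bytes, iv: bytes, plain: bytes) -> bytes:
    """Plain CBC over one sector, chained from the sector's IV."""
    assert len(plain) % BLOCK == 0
    out, prev = [], iv
    for off in range(0, len(plain), BLOCK):
        prev = toy_block_encrypt(key, xor(plain[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def sector_number_iv(key: bytes, n: int) -> bytes:
    """The weak choice: the IV is just the sector number, so anyone can predict it."""
    return n.to_bytes(BLOCK, "little")


def essiv(key: bytes, n: int) -> bytes:
    """ESSIV: IV = E_{H(K)}(sector number). Unpredictable without the key."""
    return toy_block_encrypt(hashlib.sha256(key).digest(), n.to_bytes(BLOCK, "little"))


def watermark_detected(key: bytes, real_iv, sectors=(5, 6, 7),
                       marker: bytes = b"\x57" * BLOCK) -> bool:
    """Watermarking attack. An attacker who can place chosen files on the
    disk (a download, an e-mail attachment) but holds no key crafts each
    sector so that first_block XOR predicted_IV equals one fixed marker.
    If the prediction is right, every crafted sector's first ciphertext
    block is E_K(marker): identical, and visible to anyone who obtains the
    encrypted image. Returns True when that fingerprint is present."""
    firsts = set()
    for n in sectors:
        # The attacker always guesses IV = sector number; only the real IV varies.
        crafted = xor(marker, sector_number_iv(key, n)) + bytes(SECTOR - BLOCK)
        ciphertext = cbc_encrypt_sector(key, real_iv(key, n), crafted)
        firsts.add(ciphertext[:BLOCK])
    return len(firsts) == 1


if __name__ == "__main__":
    print("sector-number IV, watermark visible:", watermark_detected(DEMO_KEY, sector_number_iv))
    print("ESSIV, watermark visible:          ", watermark_detected(DEMO_KEY, essiv))
```

The point is that this is exactly the kind of flaw Carsten says can be found from the documentation alone: a spec that says "IV = sector number, CBC" tells you the watermark is there without reading any source, and no amount of cipher strength repairs it, since the attacker never touches the key.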
Guest
2008-01-24 04:52:28 UTC
Post by SafeBoot Simon
Post by Guest
encryption is likely to have, and that Microsoft could scuttle much of that
incredibly easily just by releasing BitLocker as a free add-on for Vista
Home Premium & above.
That doesn't actually solve the issue though - The problem with
Bitlocker (in my opinion) is not its crypto - that's great! its the
fact that it's single user and only supports FN key login. Products
like SafeBoot support thousands of users and central management. The
race is won not on the strength of the crypto (it's all the same), but
on the deployment and management. Same argument with encrypted hard
disks - enterprise customers still need to go and buy third party
management tools for them.
I have *not* used Bitlocker. I'll say that right now. Mainly because my
laptop didn't come with Vista Ultimate.

(I haven't yet decided whether to upgrade to Vista Ultimate to get
BitLocker, or try TC v5. I'm not too happy about actually using a new boot
disk encryption product. It'd be at least 6 months and at least one update
before I trusted it enough to actually use it for real.)


However, I was under the impression that Microsoft originally conceived and
wrote BitLocker *for* enterprises. Simplifying it a bit for individuals and
home users was an afterthought.

I'm not saying all the pieces are there in the management tools, recovery
tools, etc.

I'm just saying the core and enough pieces are available that it wouldn't
take Microsoft very long to expand that a bit and bring it into the rest of
their management tools, and then simply offer it as an add-on product for
Home Premium & above, and that doing so would seriously affect the 3rd party
disk encryption market.

And key management for tens of thousands of hard drives is definitely not a
trivial task. But I do think they already have enough management tools for
that scale that it wouldn't take them more than a couple months' worth of
work to have a reasonable v1.0 shippable product.

And them adding something like volume encryption is pretty trivial.
Considering what they already have to build upon, it should take one
programmer just a few days, a week at most, to come up with a full product.

So if they chose to, they could have a pretty full encryption solution by
the end of this quarter.


Of course, all this is academic.

I don't think Microsoft is going to do that because making it available for
Home Premium would open up too many support issues with inexperienced people
downloading it and trying it.

Plus the possibility of lawsuits from disk encryption companies. But
Microsoft isn't too afraid of legal stuff....
Post by SafeBoot Simon
Post by Guest
If the lifespan is 5 years, then McAfee will have to make $70 million a year
from it just to break even. The question is, can they make it last 5 years?
Don't forget, SafeBoot has a whole range of products beyond full disk
encryption....
But the disk & data encryption software is the only thing I ever hear about
why McAfee bought it.

Who knows... As you say, we'll have to wait & see.
Carsten Krueger
2008-01-25 19:02:50 UTC
Post by Guest
However, I was under the impression that Microsoft originally conceived and
wrote BitLocker *for* enterprises.
Read the MS papers, in my opinion bitlocker is for no one. Too many unsolved
problems.
Post by Guest
And them adding something like volume encryption is pretty trivial.
Considering what they already have to build upon, it should take one
programmer just a few days, a week at most, to come up with a full product.
You have never programmed anything I guess.

greetings
Carsten
Guest
2008-01-25 21:27:45 UTC
Post by Carsten Krueger
Post by Guest
However, I was under the impression that Microsoft originally conceived and
wrote BitLocker *for* enterprises.
Read the MS papers, in my opinion bitlocker is for no one. Too many unsolved
problems.
I have. Several times, actually. I was just being polite in saying that I
was under the impression... etc. Especially since I hadn't actually *used*
it. Only read about it.

It is more suitable for enterprises than individuals.

For individuals, it's definitely not a great solution. Especially if your
laptop doesn't have TPM.

But it is still at least *a* solution.
Post by Carsten Krueger
Post by Guest
And them adding something like volume encryption is pretty trivial.
Considering what they already have to build upon, it should take one
programmer just a few days, a week at most, to come up with a full product.
You have never programmed anything I guess.
Been doing it for 20 years, actually.

Don't forget, Microsoft wrote Windows & bitlocker. AND they already have
done things like disk volumes before. (Think drivespace for Win9x, for
example. Along with some other stuff for XP & above. Plus code to mount
ISO images.)

The point is, they already have most of the basic blocks already written
& tested.

They wouldn't have to start from scratch. They would just have to bring in
the individual sections of code and put them together in new ways.

That's the key point I was trying to make. They could do it a lot faster
than if they (or somebody else) was writing all this from scratch.


They already have enough of the building blocks available that they could
put something together in a week. And don't forget, they have TC's own
source code to look at as a guide if they need to. That *is* the nature of
open source...

Regardless whether you like the company or not, Microsoft used to have a lot
of clever programmers. I imagine they still have a few.

Yes, I stand by what I said.


Let's see... what would they need to make volume encryption...

1) some way to make a file look like a raw disk. I'd imagine that the ISO
image mounting tool for XP would be handy. It does exactly that. True,
it's a different file system, but that part would be ripped out anyway.

1a) Making that into a writable system shouldn't be too hard.

1b) Make it look like a hard disk instead of a cd... Hmmm... might have to
check the reference library or ask somebody else, but I doubt it'd take more
than a couple hours.

2) Do we really want it to look like a disk...? Maybe something else would
be better...

2a) Maybe it'd be easier to make it look like a USB removable drive instead?
I think they have stuff already that do that.

2b) How about doing it like a network drive?

2c) How about like a volume mount point?

2d) Could we even expand the encrypted file system or the file compression
idea to cover this?

2e) Hmm... lots of possibilities here... The programmer might have to spend
a day or more looking at so many choices and decide which he is most
familiar with what he thinks would work best. Might even be a good idea to
spend a few hours with the people who wrote those sections of Windows and
the related tools. 'Instant' access to the actual authors & experts
themselves with no need to consult data books and make guesses.

3) Find good, well tested encryption routines... Bitlocker has that already
written & tested. There are other crypto routines he could use, but the
stuff from BitLocker has already been done for this kind of stuff. Just the
I/O routines / hooks need to change.

4) A Quick & Dirty user interface to prompt for a password, etc.


So far, this should take no more than a couple days for a Q&D private test
product.


5) Refinement & more testing.

This will probably fill out the week.


6) release to testers and check with marketing & legal, deal with
management, etc. etc.

This part will definitely take longer than a week. Probably a couple months.

But the basic stuff... yes, a week because they already have all the pieces
plus access to the people who actually wrote them. Nearly everything they
would need has already been written & tested within Microsoft and is
available for use.
Carsten Krueger
2008-01-25 22:30:30 UTC
Post by Guest
It is more suitable for enterprises than individuals.
Yes and even for enterprises it's not good, compared with other products.
It's cheap because it is built in, that's all.
Post by Guest
Regardless whether you like the company or not, Microsoft used to have a lot
of clever programmers.
Definitely.
Post by Guest
1) some way to make a file look like a raw disk. I'd imagine that the ISO
image mounting tool for XP would be handy. It does exactly that.
Wrong type of medium. CD vs. Harddisk
Better look for other code, maybe virtual floppy drive, I think in the DDK
there might be some examples.
Post by Guest
Might even be a good idea to
spend a few hours with the people who wrote those sections of Windows and
the related tools.
Might be better, that these people do the work together with crypto gurus.
Post by Guest
So far, this should take no more than a couple days for a Q&D private test
product.
No, because you must do the stuff without running OS, you have to use BIOS
calls to read the HDD and later low level kernel stuff, only after windows
is booted completly you can use high level functions for file access.

MS could do this relatively easily but a company that buys truecrypt needs some
time.

greetings
carsten
Guest
2008-01-26 00:53:59 UTC
Post by Carsten Krueger
Post by Guest
1) some way to make a file look like a raw disk. I'd imagine that the ISO
image mounting tool for XP would be handy. It does exactly that.
Wrong type of medium. CD vs. Harddisk
Better look for other Code, maybe virtual floppy drive, I think in DDK
there might some examples.
Doesn't matter what kind of 'media'. It's still just a file on the drive
being hooked into the system as if it was real hardware. That was the
portion I was talking about.

And it was just a quick example of a possible solution. Something already
existing and debugged and distributed. It wasn't meant to be exactly what
they would do. Sheesh.

And yes, I already know they've got lots of examples to do all sorts of
things. That's one of the reasons I even suggested the possibility they
could do it as a fake USB removable drive. Just simply showing that they do
have lots of routes they could take.
Post by Carsten Krueger
Post by Guest
Might even be a good idea to
spend a few hours with the people who wrote those sections of Windows and
the related tools.
Might be better, that these people do the work together with crypto gurus.
Much of the crypto work would have already been done for BitLocker.

So all the 'volume encryption' people need to concentrate on is the 'volume'
nature and the user interface, etc.

And besides, how do you know they wouldn't. And didn't with BitLocker.

Again, this was just a quick list of things they could do to actually get a
basic product up & running in a week. It wasn't meant to be a real project
schedule for them. Sheesh.
Post by Carsten Krueger
Post by Guest
So far, this should take no more than a couple days for a Q&D private test
product.
No, because you must do the stuff without running OS, you have to use BIOS
calls to read the HDD and later low level kernel stuff, only after windows
is booted completly you can use high level functions for file access.
No, you don't need to do bios calls.

Remember, at that point of the conversation, we are talking about *VIRTUAL*
drives. Like TrueCrypt does. Like scramdisk did. Like e4m did. Like the
older versions of PGPDisk did.

Not full disk encryption with pre-boot authentication, etc. They already
have that with Bitlocker. It may not be the best designed. But it does
work.

Encrypted virtual disks & partitions are done long after the OS is booted,
so you have full access to all that it can do.
Post by Carsten Krueger
MS could do this relative easy but a company that buys truecrypt needs some
time.
Some. But it depends on what they want to do.

They could start with TC's volume encryption and make a good sellable
product out of it pretty quick. Then over a few months come out with full
PBA style encryption. Then improve that with more enterprise like features.

But again, as near as we can tell, nobody is buying TrueCrypt, so this is
all academic.
Doctor Who
2008-01-21 04:09:12 UTC
Post by SafeBoot Simon
Post by Guest
Post by gb63
A thought occurred to me....
Will TrueCrypt go commercial?
Guest...
Please be patient. Although the best things in life may be free,
sometimes Best takes longer... :)
TrueCrypt will remain Free.
You will see.
( That rhymes...am I a poet, and didn't know it? )
(grin)
That's good to hear.
Considering the past history of free disk encryption software, and the
upcoming features in TC5, when that thought popped into my head a few days
ago I started to get a little worried.
I'm not sure why people object so much to paying for quality
software...
I certainly have no objection to paying for software. But the dichotomy is that
encryption software requires that it be open source before many will trust it
fully. But once the source is published, someone will then post hacked copies.
Despite the inherent risks attached to using hacked security software, many
will happily do just that, to the financial loss of the authors. Hence most will
not openly publish the source. PGP allows peer review under a NDA. I
believe Bestcrypt offer the source for the algorithms only. DriveCrypt offer
neither (unless they have changed their policies since I last looked).

But who can blame them?

Personally I prefer the PGP route, provided they then publish just who has
peer reviewed their source. If I saw names I recognized, I would probably be
prepared to pay whatever it cost to get the right program.

Meanwhile we all wait with bated breath for TrueCrypt 5. Exciting times.

Doctor Who
Guest
2008-01-21 18:53:48 UTC
Post by Doctor Who
I certainly have no objection to paying for software. But the dichotomy is that
encryption software requires that it be open source before many will trust it
fully. But once the source is published, someone will then post hacked copies.
I don't think anybody is doing that with PGP are they? Oh, I'm sure you can
find the occasional warez copy with built in trojan. But there isn't any
'legit' hacked copies. Like was done on the pgpi site, or Imad's versions,
etc.

Nobody is doing that with TrueCrypt, either.
Post by Doctor Who
Despite the inherent risks attached to using hacked security software, many
will happily do just that, to the financial loss of the authors. Hence most will
I have to disagree there.

Anybody willing to use an unknown warez / hacked version isn't serious about
security and isn't going to buy it anyway.

Equating somebody using a hacked / warez product with a lost sale is a
popular myth. And it's fairly easy to disprove... How many times have you
encountered a commercial product, thought it sounded good. (Or just one
feature sounded good.) But you simply weren't willing to pay their price,
so you left and did without. The sale was lost when you *chose* not to buy.
Then later, if you found a free version, you might try it. But that's after
having already chosen not to buy. The sale was lost at the price, not at
finding the free version.

So there is often no money lost to the author or company selling it.


Sure, if you have a choice between legit free and legit pay, then most will
go for the free. But that's not the same as using a hacked / warez copy.

For commercial open source products, where the source is available but not a
free executable, it may be possible to find a site that has already compiled
it for you. It'll be up to you and the application and your trust in the
author as to whether or not to trust it. (Xvid vs. Divx is a good example
of this.)

But again, the sale had already been lost.


If you go looking for a hacked / warez copy, then you probably wouldn't buy
it in the first place. Else you wouldn't be deliberately looking for the
hacked / warez version. So no sale is actually lost.


It's only when you *accidentally* find the free version first and then are
faced with whether or not to buy the commercial product does the potential
for a lost sale actually exist. In all other cases, the odds are good the
product would never have been bought anyway.
Post by Doctor Who
not openly publish the source. PGP allows peer review under a NDA. I
believe Bestcrypt offer the source for the algorithms only. DriveCrypt offer
neither (unless they have changed their policies since I last looked).
But who can blame them?
Personally I prefer the PGP route, provided they then publish just who has
peer reviewed their source. If I saw names I recognized, I would probably be
prepared to pay whatever it cost to get the right program.
Speaking of PGP, that's a good example of a 'sale lost' for me. Sure, I'd
like to have full disk encryption for my new laptop, but I don't like their
prices. Way too expensive for an individual. Especially considering I can
either use free TrueCrypt to do volume encryption, or just pay about the
same price as PGP and get the full upgrade to Vista Ultimate and get longer
support & bug fixes as well..

Since PGP's source is freely available and if I could compile it on my own,
I might try that route. And if there were still sites like PGPi or Imad's,
I might consider using a copy from there. (Tech support issues become
involved....)

But regardless, I'm not buying PGP because it's too expensive for my casual
use on my laptop.

Sale lost.
Post by Doctor Who
Meanwhile we all wait with bated breath for TrueCrypt 5. Exciting times.
Doctor Who