Re: Truecrypt 4.1

From: Borked Pseudo Mailed (nobody_at_pseudo.borked.net)
Date: 11/28/05


Date: Sun, 27 Nov 2005 21:30:21 -0700 (MST)

nemo_outis wrote:

> Borked Pseudo Mailed <nobody@pseudo.borked.net> wrote in
> news:cc9290b0f4ff404594315263b06887d0@pseudo.borked.net:
>
>> nemo_outis wrote:
>>
>>> Borked Pseudo Mailed <nobody@pseudo.borked.net> wrote in
>>> news:8636b28f192e1d4620f8898dcda5e615@pseudo.borked.net:
>>>
>>>
>>>
>>> Utopian? Me? Believe me, I'm no dewy-eyed ingenu; I am as worldly-wise
>>> and cynical as they come.
>>
>> Then maybe you're just objectivity impaired by your attachment to a
>> piece of software. Or maybe you're so jaded by bad experiences that you
>> find the commonplace noteworthy. Whatever the reason, you seem to feel
>> that the authors of TrueCrypt doing what everyone understands they had
>> to do, is something special. It's not. In fact there's some questions
>> about how they went about it that should be answered. Minor questions,
>> but questions in any case.
>
>
>
> What the authors had to do? Are you stark barking (not borking) mad?
>
> First of all, only a very small coterie of crypt aficionados is even aware
> of the CBC versus LRW issue, and only a much smaller subset of them truly

So what? It's not necessary to understand the physics of combustion to
know your car won't run.

Red herring noted.

> understands the issues and intricacies (which, I might add, apply only
> with regard to plausible deniability, not disclosure, and then only under
> conditions of repeated observation that are either unlikely, or that would
> result in other, much easier to perform, forms of compromise. IOW, we are
> talking about a second-order subtlety and refinement.)
>
> No wonder the authors did not move heaven and earth to start another forum

Oh the DRAMA!

> to discuss such arcana; the issue was eminently deferrable. As
> corroboration of this point I invite you to name how many commercial
> encryption products use LRW or which even discuss the issue.
>
> No, the authors need have done nothing whatsoever; they could then, as
> now, discontinue the project at a whim and be none the worse for it. They

What sort of tap dance are you doing here nemo? Isn't discontinuing
development "doing something"? If it's done as a result of some flaw that
for whatever reason isn't fixed, why would they do this rather than simply
continue producing the same buggy software?

Concentrate real hard. No time limit.

> have no obligation to anybody. They may continue with the project if it
> pleases them to do so - or not, if it doesn't. They owe you, me, and
> everyone else exactly nothing. To the contrary, we should be glad and

They owe people exactly what they say they'll provide.

> grateful for what has been graciously given so far, even if they shut up
> shop tomorrow.
>
> And, if the authors continue to support and develop Truecrypt, we should
> be doubly grateful - since they would be doing it despite the churlish
> attitudes of those who attack them.

I'm not attacking them, I'm attacking you and your silly infatuation with
trying to pump up a normal response to a problem as some sort of special
case. MOST security software developers respond to problems. Some do it
faster, some slower. Usually it varies from case to case.

Personally I like TrueCrypt. I think it's a fine piece of software and
its authors top notch. I'm just not in love with them the way you seem to
be. It's just another piece of software nemo, not your puppy.

>
> Now that doesn't mean that I consider Truecrypt to be above criticism -
> far from it. But only constructive criticism - surely the authors have
> earned that much! However, most (but not all) of the criticism directed
> against them has been mere carping and whining, and can by no means be
> construed as constructive.
>
> One example of this petty whinging has been regarding the Truecrypt
> forums being down. Well, Truecrypt 4.1 is now out and yet the forums

I think an explanation is in order, even if it's a line or two saying
"technical difficulties" or whatever. It does look "odd", and it's in their
interest to at least attempt to address the questions.

> continue to be down. The site says "The forum is temporarily closed due
> to maintenance." I choose to believe that statement rather than the
> bull*** conspiracy theories about the forums having been taken offline
> to "hide" the CBC versus LRW issue.
>
> Regards,
>
> PS And I am heartened to note that the authors have, in fact, been
> extremely responsive to constructive criticism - that we have an LRW
> implementation just three weeks after the issue was first raised amply
> attests to that!

Three weeks? I'd call that an average response time. Maybe a little on the
slow side in fact, but not so much so that it's notable. OTOH, I
distinctly remember years ago downloading a version of PGP that had a
moderately bothersome bug in it and seeing it patched and replaced within
48 hours. And yes, I realize that different problems require different
solutions.

