Hacker News | throwaway99812_'s comments

They are humans, not all of whom are objectivists. In fact, Matthew Green himself has mentioned the possibility of insulting the developers:

http://blog.cryptographyengineering.com/2013/10/lets-audit-t...

  Aren't you worried you'll insult the Truecrypt developers?

  I sure hope not, since we're all after the same thing.
  Remember, our goal isn't to find some mythical back door
  in Truecrypt, but rather, to wipe away any doubt people
  have about the security of this tool.

  But perhaps this will tick people off. And if you're one
  of the developers and you find that you're ticked, I'll
  tell you exactly how to get back at us. Up your game.
  Beat us to the punch and make us all look like fools.
  We'll thank you for it.

The sad state of OSS is that it's much more profitable to find security holes, fork existing good code bases, write articles, write blogs, teach, and go on stage at conferences than to do some original work.

I wonder what would happen if all original workers united and did the same as the Truecrypt people...


I object to the implicit criticism of the value of the audit here: independent audits drastically increase the value of security systems, because having someone without an existing mental model scrutinize code is a very good way to catch bugs, so users correctly consider an audited system more trustworthy. The audit is not more valuable than the original code, but it is much more valuable than the types of derivative work you mentioned.

