Tuesday, August 9, 2016

How open-source kills innovation

The terrifying stories about notebooks with thousands of confidential data records being lost come every other week. The best solution for this problem (apart from not carrying the notebook or the data) was to encrypt the data at rest. And this is to be done using either whole-disk encryption (not always feasible or even supported) or by creating virtual encrypted disks.

The niche of virtual encrypted disk software was initially occupied by PGPDisk (first by PGP Corporation, now by Symantec, which purchased PGP Corporation). Later the open-source alternative, TrueCrypt, appeared. There were several commercial attempts made to compete with TrueCrypt, but those alternatives didn't become popular, because why pay when you can get it for free?

OK... And now the X day has come: TrueCrypt was declared to be insecure, and it was abandoned by the developers as well. Not a problem for open-source, you might say, as one can make a fork, plug the security holes and release an update. Yes, to some extent. Except for the lack of one important factor: motivation. Maintaining somebody else's software is not much fun, especially when it's a badly designed kernel-mode driver (which is the core of TrueCrypt). And when it's done for free, there's always something more important on the to-do list, as you can imagine.

There were several groups that attempted to fork TrueCrypt (CipherShed and VeraCrypt are just two names). But they have kind of failed. Neither CipherShed nor VeraCrypt has a good track record of frequent releases and bug-fix updates. Bugs remain numerous, support is not provided (see "motivation"). We call that DoA.

Now, we (the company I've been working at all my life) have the products (kernel-mode drivers, encryption modules) that would let us create such software relatively easily. But we never did this, precisely because we would have to compete with open-source. TrueCrypt has effectively blocked the market for us. And we are not alone. I know of at least several other attempts to build solutions for data encryption on the disk level (say, "virtual encrypted disks"), and none of them are successful for the same reason.

OK, but do we have a chance once TrueCrypt is gone? Well, no. TrueCrypt is dead but not gone, and neither is VeraCrypt. While that buggy open-source software is still available, people will prefer living with bugs to licensing the maintained product for a fee. And this is true for both personal and business users (the latter are also driven by people, who are used to asking the same initial question: why pay for what seems to be free?).

Well, I would happily say "good luck" to the world of socialism and open-source, if we could have at least some solution to the problem (how to create the encrypted disk).

Suggestions, anyone?