Security-minded open source software has taken a beating in the last year: numerous projects have had holes exposed, and Truecrypt, for its part, was heavily audited. This fanned the flames of the old debate over whether open or closed source software is more secure.
This past week I heard a plausible theory about the state of open source security: It’s all about the money.
Think about it: there is probably not a business in the world that doesn't use OpenSSL for something or other, but how many of them have paid even a single dime for the use of it? You could probably count them on two hands. It is one of the most important pieces of software in the world, and it is written by volunteers.
A talented developer can make good money, in many cases the low reaches of upper-class money. If developers are paid for their efforts, they are more likely to be willing to think about security. If they are making nothing and doing it for the kicks, they are only going to work on the fun parts, and the fun parts are probably not hunting for logic flaws and buffer overflows.
In the case of Truecrypt, the auditors made more money than the developers. Some speculate that this is why the developers went away. Why bother, after all?
I think the problem with open source software is the money. The lack of it for the people writing most of it, that is. I don’t believe there was any conspiracy against Truecrypt. There didn’t need to be.
If you need Truecrypt, migrate to Veracrypt.