CipherShed (VeraCrypt competitor) is Compromised

Jan 9, 2015 at 2:39 AM
CipherShed has been compromised since its founding.

Jason Pyeron, a member of the project management committee and one of the security developers works for DISA, a government agency, according to his LinkedIn profile. https://www.linkedin.com/in/jpyeron

It looks like CipherShed has been compromised in the initial founding and is not a viable alternative to TrueCrypt.

List of CipherShed project members: https://ciphershed.org/about/
You should research each and every project member.

What is DISA? https://en.wikipedia.org/wiki/Defense_Information_Systems_Agency

DISA provides information assurance to the DoD (Department of Defense) and works directly with USCYBERCOM.

Any of Jason Pyeron's code changes or recommendations must be looked at very, very carefully for backdoors. These can be hidden in plain sight even in open source projects, for example the Dual_EC_DRBG algorithm, which was intentionally weak in order to compromise pseudorandom number generation. The NSA plants operatives in open source projects, hacker conferences, IETF meetings, RFC specs, etc. in an attempt to deliberately weaken cryptography.

Use CipherShed at your own risk.
Jan 9, 2015 at 3:10 AM
Great catch, aussieboss!!! From what I've seen of the CipherShed website, it looks like he isn't just "one of the developers" - he's the primary developer!
Jan 9, 2015 at 12:44 PM
aussieboss and commenter8

Thank you very much guys for bringing this to our attention and your support of VeraCrypt.

The following may seem like an odd statement, especially coming from someone like me :)

Despite the recent comments made against VeraCrypt and Mounir's abilities by members of CipherShed, we were hoping that was an end to any hostilities. VeraCrypt did not retaliate to these comments in a like-for-like manner, which I believe provides us with the moral high ground.

While your disclosure is important, I would like to say it is not a death sentence for CipherShed. As CipherShed is open source and Jason made no attempt to hide this fact from anyone, personally I see no problem with his private employment.

It is, however, an important fact, and you were well within your rights to bring it to our attention, and we thank you for it.

Please don't be tempted to spam / troll the CipherShed forum in our defence. It is kind of you to be so protective of VeraCrypt but we do not want to drop to that level.

What I would appreciate is your very vigilant monitoring of our forum for users making requests to cripple or weaken VeraCrypt. I have noticed an increase in these recently.

As I am sure you both know, VeraCrypt is 100% security minded and compromise is not an issue, which is why we love it so.

Thanks for your support and I hope you enjoy the uncompromising security VeraCrypt continues to provide :)
Jan 9, 2015 at 4:03 PM
Agree completely with L0ck's post above. I would like to add that backdoor detection is very expensive and difficult, and IMO the energy needed to check CipherShed for backdoors at the intensity level needed to detect the sneakiest stuff NSA could come up with may not be well spent on a product whose purported benefit is no stronger than TrueCrypt. It is well recognized that the level of scrutiny of open source software is far too low already (see the recent OpenSSL scandal). The best route forward for the open source community would be to abandon CipherShed as an uneconomical project and unify behind VeraCrypt as its disk encryption standard.
Jan 9, 2015 at 4:22 PM
Thanks for your thoughts commenter8 :)

Let's not forget one important fact about VeraCrypt: it uses a lot of the already audited TrueCrypt code. Only recent modifications need auditing for VeraCrypt.

It does seem a waste of resources to have two projects, but I guess it doesn't do any harm having another product out there, when it is actually released, that is.

VeraCrypt has been established for some time now; new features are being added at quite a good rate of speed. I think it will be a long time before anyone else has the same level of trust, security and features.
Jan 9, 2015 at 4:32 PM
Personally, I hope both CipherShed and VeraCrypt are successful, in case one of them is forced to shut down to protect the users, like what happened to Lavabit.

Secrets, lies and Snowden's email: why I was forced to shut down Lavabit
Jan 9, 2015 at 4:39 PM
Edited Jan 9, 2015 at 4:41 PM
Lavabit was a website, a completely different thing. VeraCrypt is open source software which cannot be shut down. Example: "The Pirate Bay" has been widely accessible for a decade or more. There is no "Lavabit" vulnerability in VeraCrypt.
Jan 9, 2015 at 5:00 PM
@Enigma2Illusion

The way TrueCrypt went down was rather like a take-down yet TrueCrypt is still as secure today as the day before the take-down.

People save the .exe locally; user-installed software cannot be taken down like a website.

Hopefully someone somewhere is also copying the source code for VeraCrypt so during an event they can spring up again just like PirateBay. :)


@commenter8

Thanks for your input on this forum, I sometimes wonder if you are reading my mind LOL
Jan 9, 2015 at 5:02 PM
Both CipherShed and VeraCrypt can be forced by <insert government or secret agencies here> to weaken or backdoor their products.

While both CipherShed and VeraCrypt are open sourced, the current development teams have the proper skillsets in cryptology and programming to properly develop the code. The only way both CipherShed and VeraCrypt can protect their products when being forced or blackmailed is to pull the plug abruptly on their respective projects.

I understand your point that the genie is out of the bottle since everyone has access to the source code. Even with the code being open sourced, the next team of developers will be targets when they attempt to pick up the ball.

That is why I like to see multiple open source projects move forward, so all the eggs are not in one basket with just one or two projects. :)
Jan 9, 2015 at 5:15 PM
Backdoors can arise unintentionally; no need to assume government involvement. Public scrutiny of open source software is the defense against all backdoors. Having another project means doubling the effort needed to provide proper scrutiny, and as the OpenSSL fiasco demonstrates there is already not enough scrutiny even when only one project needs to be reviewed. Therefore, Enigma2Illusion, your idea of having redundant projects would only dissipate the energy of the open source community, which is limited both in software development resources and software verification resources. Such dissipation of energy would only result in less security on both projects. It is therefore an inappropriate approach which does not benefit the open source community. Unifying behind VeraCrypt instead produces maximum security at minimal cost.
Jan 9, 2015 at 5:19 PM
Point taken. However, it appears both CipherShed and VeraCrypt are going down different development strategies and will not be joining their development efforts.
Jan 9, 2015 at 5:27 PM
I believe the best way is to make the best product as fast as possible, all resources poured into VeraCrypt. If it gets closed down then we still have the latest build and a good few years to start another.

Mounir has already told us that if he is threatened he will just stop work and probably close the site. He will not play along and I believe him.
Jan 9, 2015 at 5:29 PM
Enigma2Illusion wrote:
Point taken. However, it appears both CipherShed and VeraCrypt are going down different development strategies and will not be joining their development efforts.
This is our point: they should join together, as it is a waste writing CipherShed when VeraCrypt is so far ahead.
Jan 9, 2015 at 5:39 PM
Edited Jan 9, 2015 at 5:48 PM
L0ck wrote:
@Enigma2Illusion

The way TrueCrypt went down was rather like a take-down yet TrueCrypt is still as secure today as the day before the take-down.

People save the .exe locally; user-installed software cannot be taken down like a website.

Hopefully someone somewhere is also copying the source code for VeraCrypt so during an event they can spring up again just like PirateBay. :)


@commenter8

Thanks for your input on this forum, I sometimes wonder if you are reading my mind LOL
The reasons for the development of TrueCrypt being stopped by the authors of TrueCrypt are not known. What is known is the amount of work it would have taken to make TrueCrypt work on future devices that only support GPT partitions.

It's safe to say the developers either didn't want to even attempt adding that support with the well-deserved expectation of quality that TrueCrypt was able to deliver. Despite the mostly minor issues with the TrueCrypt code, the major functions of TrueCrypt were proven to be well designed and implemented (despite some minor problems with the programming style itself).

Personally... the fact Jason Pyeron works for the agency he works for places some credibility in his ability to write secure code, and I would expect an audit on any code submitted to a project like CipherShed, regardless of whether Jason Pyeron was employed or currently cashing in unemployment checks.

Of course, I wonder if the profile page is actually accurate. I wasn't able to independently verify that a Jason Pyeron currently works for DISA. If there was one, I would have been able to locate his email.
Jan 9, 2015 at 9:51 PM
I've been following the revelations about CipherShed very closely, on both the CipherShed forum and darknet resources. There is a lot more damaging information about CipherShed that has yet to surface. Anyway, I think it's good that people out there are doing this research to bring transparency to the development of these projects.

I've seen CipherShed closely scrutinized, but I haven't seen the same attention paid to VeraCrypt yet. Personally, I hope these people ask the same questions of VeraCrypt as they did of CipherShed; it can only serve to increase trust between VeraCrypt and the community at large.
Jan 10, 2015 at 1:30 AM
DISA is under the .mil (military) domain - http://www.disa.mil - you have to be someone who is within the US military network in order to see DISA email addresses.
Jan 10, 2015 at 3:34 AM
TheDarkerPhantom, DISA and DoD are listed directly in his public LinkedIn profile: https://www.linkedin.com/in/jpyeron

He confirms it on the TrueCrypt.ch forum, and his response is "so what, audit the code". https://forum.truecrypt.ch/t/ciphershed-status-update-for-the-end-of-2014/561/6
Jan 22, 2015 at 5:34 AM
I will be hosting an AMA on Reddit this Saturday at 1800 EST. Please feel free to address questions at me directly.
Jan 23, 2015 at 3:56 AM
Jan 25, 2015 at 3:10 PM
Thank you, Jason, for the link to the Ask Me Anything (AMA). The AMA is probably the most information available about CipherShed's development methodologies.
Jan 26, 2015 at 1:55 PM
Edited Jan 26, 2015 at 2:20 PM
commenter8 wrote:
DISA is under the .mil (military) domain - http://www.disa.mil - you have to be someone who is within the US military network in order to see DISA email addresses.
I am more than aware that is the case. He does currently have a DISA email address. The specific statement the author of this thread made, that Jason Pyeron works for DISA, isn't true.

JeSuisCharlie wrote:
DISA and DoD are listed directly in his public LinkedIn profile: https://www.linkedin.com/in/jpyeron
He confirms it on the TrueCrypt.ch forum, and his response is "so what, audit the code".
https://forum.truecrypt.ch/t/ciphershed-status-update-for-the-end-of-2014/561/6
I don't trust social profiles. Anyone could make a social profile for him, and most people will jump to conclusions before verifying the information. It looks like he has worked for DISA in the past. That would explain the reason I can't currently find him. The author of this thread is wrong; he does not currently work for DISA, which was my entire point.

I will stand by my original reply on this matter: the fact he was an SME at DISA allows me to place more faith in him. I would like to add that I also agree with his conclusion about the government's so-called stance against "strong cryptology". The national defense budget is billions; the government itself uses encryption to protect its own secrets, and in many cases the exact same solution its citizens might use.

While people with the capability to change the law might be naïve enough to think a backdoor in encryption methods won't be abused by people outside of those organizations that know about them specifically, there are enough people in the right position to actually prevent those laws from being passed. I would be very shocked if any government organization was approved to use Skype. Likewise, most of the national defense network is built upon Microsoft technology. So the concerns about Skype are well placed. The concerns about secret backdoors in other Microsoft products are likely out of place.

There is also the fact that the billions we are spending are also being paid to the private sector, and those involved have the government's secrets; the government has a vested interest in keeping those secrets safe. So they would not want that capability to exist and would rely on other ways of getting everyone's secrets.